![\"\"](\"http:\/\/www.readwriteweb.com\/images\/diaspora_logo.jpg\" "\\"diaspora*"){kind=logo}
It was a summer to remember for the founders of Diaspora, the “privacy-aware, personally-controlled, open-source, do-it-all social network”. Talk about being in the right place at the right time …<\/p>\nIt was a summer to remember for the founders of Diaspora, the “privacy-aware, personally-controlled, open-source, do-it-all social network”. Talk about being in the right place at the right time …<\/p>\n
Back in the firestorm about Facebook privacy last May, the four NYU students raised $200,000 for their project on Kickstarter.\u00c2\u00a0 Since then they’ve moved to San Francisco, gotten free office space at Pivotal Labs, gone to Burning Man<\/a> … and on September 15, released their software to the community<\/a>.<\/p>\n Congratulations! And as summer turns into fall, it’s a great time to assess their progress.<\/p>\n To start with, kudos to them for hitting their target date — something I don’t think they’ve gotten enough credit for. At the beginning of the summer, they said they’d have something available to turn over the community in three months, and voila, here it is. While it’s clearly at a very early stage, they’ve got some decent functionality.\u00c2\u00a0 As somebody who’s been there a bunch of times, I’m\u00c2\u00a0 impressed with what they’ve accomplished. People who haven’t ever developed ambitious software from scratch have no idea how challenging this is.<\/p>\n Now that Diaspora’s released their code, they’re getting lots of feedback at a relatively early stage.\u00c2\u00a0 With an open source code base, people can get involved, and judging from the discussions on Hacker<\/a> News<\/a>, Slashdot<\/a>, and the Google<\/a> groups<\/a>, mailing list, there’s a lot of interest and even their critics hope they’ll succeed.\u00c2\u00a0\u00c2\u00a0 It’s a good first step.<\/p>\n However, they’ve cut a few corners to get there.<\/p>\n After Dan Goodin quoted him in The Register<\/em><\/a> as saying “The bottom line is currently there is nothing that you cannot do to someone\u00e2\u20ac\u2122s Diaspora account, absolutely nothing,” Patrick McKenzie went into more detail yesterday in Security lessons learned from the Diaspora Launch<\/a>.\u00c2\u00a0 It’s great reading if you’re a programmer or just curious about why most software today is so insecure.\u00c2\u00a0 Steve Klabnik has more<\/a>. \u00c2\u00a0 On Slashdot<\/a>, pedantic_bore notes “there are virtually no comments or design docs” — and after downloading the code, I only see a few specifications and tests.\u00c2\u00a0 Ouch.<\/p>\n This was probably the right tradeoff for Diaspora to make over the summer.\u00c2\u00a0 If the guys had spent all their time becoming security experts, they couldn’t have gotten as far as they have.\u00c2\u00a0 There’s a huge amount of value in giving people something to play with even if it’s insecure. We took a similar approach at Qworky late last year when we decided to build a security-free “preview” release, knowing we’d have to reimplement from scratch.<\/p>\n Still, it’s very challenging to make software truly secure unless you focus on security and quality from the very beginning. It doesn’t seem like Diaspora’s had a thorough external security review so there are likely to be problems lurking in their architecture and protocols.*\u00c2\u00a0 And when I asked some security experts for suggestions about what Diaspora should do next (see the first comment), they came back with sensible suggestions like threat modeling, a security review, and secure coding training for developers — none of which currently show up on Diaspora’s roadmap<\/a> and project management systems<\/a>.\u00c2\u00a0\u00c2\u00a0 Not good.<\/p>\n It’s easy to be skeptical.\u00c2\u00a0 Retrofitting security and reliability is notoriously difficult and not a lot of fun; will they prioritize it?\u00c2\u00a0\u00c2\u00a0 There are quite a few other privacy-friendly open-source social networks being developed, with Appleseed, OneSocialWeb, elgg, Crabgrass, and others farther along than Diaspora.\u00c2\u00a0 Can they build on their excitement so far and fault ahead?<\/p>\n They certainly have a chance.\u00c2\u00a0 There’s not very much code yet (just a few thousand lines) so if they start to focus on it now they have a decent chance of cleaning it up — or at worst, it won’t take long to rewrite.\u00c2\u00a0 See the comments for more discussion of the options.<\/p>\n![\"security](\"http:\/\/farm5.static.flickr.com\/4107\/5017464689_5a76c5c7df.jpg\")
<\/a><\/p>\n
![\"perhaps](\"http:\/\/farm5.static.flickr.com\/4144\/5018927216_f27a8e76ef.jpg\")
<\/a><\/p>\n