In grepping my feeds, I noticed something interesting about Diaspora finally hitting some recent publicity since my last check in. For those not in the know, Diaspora is meant to be a replacement for Facebook. The idea is good, basically take everything you could bitch about privacy issues on FB, fix it and roll it out with a distributed system that gives you as much control as possible over your stuff. I agree with Mark Zuckerberg (the FB guy) that Diaspora is a cool idea, really it is because of the decentralisation.
From what I’ve been reading about their first code drop however, I must say that it does not seem to be off to a very good start. A system that, to my knowledge touts privacy and security (compared to Facebook) as one of it’s strong points, obviously should not premier with more leaky holes than a Windows 98 demonstration. As much as I would like to crack a joke at that old relic, I can’t help but think how well Bill Gates took that incident in public. Old farts and fellow history lovers might see the inner-humour in that comparison. (Yes I used ’98.)
Being able to get a lot more eyes on target and the freedom in which fixes may flow, is one virtue of open source development, especially if you have enough people with a vested “Interest” in the projects outcome. There are many people who would like to see something like Diaspora succeed, and among them surely, more than a couple people willing to contribute aid towards that end. In a closed source environment, problems like that found in Diaspora would have only been findable by playing around with the release, and consequentially only fixed by the original developers a long time after attacks went wild. Like wise investors would be a different sort. Yes, even power users do glance at how their software works, let along crackers. Of those who really are looking closely, most are probably the dregs of the Internet or paid for the job, and either way it would be bad to bank business on the kindness of others. To my knowledge the only profit in finding exploits, is what you can slurp out of saps before it gets patched.
In the first article I checked out, some of the (now fixed) defects highlighted from Disporas code base were just blaringly, “WHAT THE FUCK WERE YOU THINKING!?” kind of problems. In the least, several of them are on my heads internal list of “No, No” to check before wrapping up. It makes me think the masterminds behind implementing the thing, were woefully unprepared for the task: web development is no easy task—and it is best if you take an anal approach to security early on, in my honest opinion.
The thing that irks me however, is who should be fixing those kind of things? Most of what I’ve seen highlighted should have been fixed before the code even left the developers workstation, if you go by my coding ethic. That gives my mind a moment to think about student-programmers, but this isn’t a rant; yet. Any way you slice it however, it is no the whole wide world of Open Sources job to be fixing everybody else’s code! Before you put your name on it, geeze, make sure it smells like a roll before you get rolled. I don’t mean to say anything against the developers… but this is looking like the start of an epic failure. Sadly.