
Monday, September 20, 2010

Facebook wannabe Diaspora hit on security issues

Testers of an early version of the source code say it's full of holes

The open-source project called Diaspora is being pitched as a secure and more privacy-friendly alternative to Facebook, but it is already running into early criticism over security issues by those who say they have tested it.

The team behind Diaspora this week released a pre-Alpha version of their source code on the open-source hosting site GitHub. The code is designed to spur development activity around the platform.
The code release was accompanied by a warning that it is by no means bug free. "We know there are security holes and bugs, and your data is not yet fully exportable," Diaspora said in announcing the Alpha release.
Even with that caveat, though, early reviewers have been unsparing in their criticism of Diaspora's security features -- or lack thereof.
"Basically, the code is really, really bad," Steve Klabnik, CTO of CloudFab, wrote in his blog. "I don't mean to rain on anyone's parade, but there are really, really bad security holes" in the code.
Diaspora was born earlier this year largely in response to privacy issues related to Facebook's data collection and usage practices. The effort is being spearheaded by four New York University students: Daniel Grippi, Maxwell Salzberg, Raphael Sofaer and Ilya Zhitomirskiy.
In the months since the effort began, it has attracted growing interest from Internet users and more than $200,000 in donations on sites such as Kickstarter. It has also received considerable attention from mainstream media such as the New York Times, which ran a lengthy profile soon after Diaspora was launched.
The basic premise behind Diaspora is that it will allow users to have social networking functionality similar to that offered by Facebook, but with far greater control over personal data.
According to a description on the project's Web site, Diaspora will allow users to set up 'seeds' or personal servers, that they can use to store their personal data and share it directly with their friends instead of routing it through a centralized hub as with Facebook. "Friend another seed and the two of you can synchronize over a direct and secure connection instead of through a superfluous hub," the site says. "Our real social lives do not have central managers, and our virtual lives do not need them."
But initial reviews and comments on sites such as GitHub, Y-Combinator and Slashdot suggest that many are disappointed over the quality of the code released so far.
Klabnik himself described security errors in the code as the sort that a professional programmer would not make. In an interview, Klabnik said the errors he discovered are of the sort that allow anyone to easily change another user's name, password, profile, images and other details. "There's nothing you can't do to someone else's account," he said.
While it's natural to expect some errors in pre-release code, the sort of flaws present in Diaspora, and the sheer number of them, are unusual, he said. "The whole point of this is Facebook doesn't protect privacy. If that's the goal, people have a reasonable expectation that this would be better."
Meanwhile, Patrick McKenzie, a blogger and software developer based in Japan, has been using Twitter to warn users to stay away from early versions of Diaspora because it is "screamingly unsafe." McKenzie said he has so far discovered at least five major vulnerabilities, with the first one found less than five minutes after he downloaded the source code.
The security issues he discovered include cross-site scripting flaws, code injection vulnerabilities, and authentication and authorization flaws. The fact that the code is freely available to anyone on the Internet means that many people will install and use it without being aware of the security issues, he said.
On GitHub, reviewers have so far raised more than 140 issues, several of them dealing with security concerns such as cross-site scripting errors and code-injection errors.
Diaspora did not respond to e-mailed requests for comment. However, the project has its share of supporters. Many of those commenting on the release of the Alpha code said that bugs being uncovered in code at this stage are not all that uncommon.
"This code was released to developers as an incomplete preview," cilantro said on Y-Combinator. "I'm not sure why people are holding it to the same standards as a finished product that's being released to end users. Seems like a pretext to talk trash."

Wednesday, June 23, 2010

Obama set to crack down on illegal software sales

U.S. President Barack Obama's administration will seek to aggressively enforce its intellectual property laws by putting pressure on countries that don't shut down piracy Web sites and by requiring all government contractors to check for illegal software, the White House announced.

The White House Office of the U.S. Intellectual Property Enforcement Coordinator, in a 65-page report released Tuesday, said the U.S. government will also step up its efforts to identify foreign Web sites trafficking in pirated goods and will create a database of intellectual property investigations to be shared among law enforcement agencies.

The U.S. government will also seek to protect U.S. intellectual property (IP) through trade agreements, including the controversial Anti-Counterfeiting Trade Agreement, the report said. Several digital rights groups have complained that officials from the U.S. and other countries have drafted ACTA in secret.

"I say to those that are suffering from infringement, 'Help is on the way,'" said Victoria Espinel, the White House intellectual property enforcement coordinator. "We understand the problems that you face, and we will work to make things better."

Copyright pirates and counterfeiters should beware, Espinel added during a news conference. "To those who have, for too long, abused the rights of American creators, I have a warning for you," she said. "We are committed to putting you out of business."

Vice President Joe Biden compared IP infringement to a theft where a burglar breaks the window of a store and steals the products inside. "Piracy is theft, clean and simple," he said. "It's smash and grab."

Counterfeit medications and vehicle parts are dangerous and need to be kept out of the U.S., Biden added. "We just want to make it real clear," he said. "We're going after people, we're going after the Web sites, we're going to go after those folks ... who sell us things that in fact have the effect of putting the lives of Americans in jeopardy."

If other governments fail to shut down Web sites that U.S. officials have identified as dealing in pirated goods, the White House will be vocal, Biden said. "We're going to be as public as we possibly can" about other governments that do not cooperate, he said.

The U.S. government will also provide training to local and state law enforcement officials on IP enforcement, and it will provide seminars and training programs for foreign governments, according to the new report. The report recommends new requirements that medical products contain electronic tags to make it more difficult for counterfeit products to be sold.

The report, called the Joint Strategic Plan on Intellectual Property Enforcement, also encouraged Web content owners, Internet service providers, advertisers and other online businesses to work together to reduce copyright violations.

Earlier this year, the U.S. Department of Justice launched an IP enforcement task force, and in April, the agency announced 15 new assistant U.S. attorney positions and 20 new Federal Bureau of Investigation agents to be focused on domestic and international IP crimes.

The U.S. Chamber of Commerce and the Information Technology Industry Council (ITI), a tech trade group, both praised the new report.

"Stated simply, globally-recognized IP enforcement standards will play a significant role in creating new jobs and driving growth well into the future," Dean Garfield, ITI's president and CEO, said in a statement.

But the Computer and Communications Industry Association (CCIA), another tech trade group, said it had major questions about the new IP enforcement efforts. The White House's IP efforts should focus on keeping dangerous products away from consumers and should take care not to hurt the U.S. Internet and tech industries, CCIA said.

"A proper enforcement strategy would ensure that legitimate innovation is not being squashed by an overly broad, overly zealous crackdown," CCIA president and CEO Ed Black said in a statement. "Balanced intellectual property will promote innovation, investment, and civic discourse, while ensuring that intellectual property rightsholders are fairly treated."