>Diaspora — a FAILtale perspective

>I was talking with some friends this morning about Diaspora, the social networking project that’s gotten some attention in the press lately. We were kicking around a couple of its pros and cons, and I promised that I would write a quick brief about it – one that I started a few hours ago and, after some thought, have re-crafted into a blog post… Without further ado, here is my (preliminary!) perspective on the project:

From a purely conceptual point of view: 

Diaspora is a platform that allows you to share your social content in a place under your control. Like Facebook, Flickr, and other socnets, you have a “central place” for seeing what your friends are up to, sharing photos and what not; unlike other socnets, that central place isn’t run by someone else.

From a semi-technical point of view: 

the point of a social network is to share information. The easiest way to do that is to have all that information sitting in one place, in one single format, in one single repository. The concept that Diaspora brings to the table is not necessarily new: don’t centralize the content but rather the feed to the content. If you look at it that way, Diaspora is little more than a fancy CMS — but then again, so are social networks in general. The interesting thing is, Diaspora has the “social network” branding that’s made it (and its more traditional peers) that much more popular.

From a technical point of view: 

though the concept is not novel, the need is clearly there. Moxie Marlinspike gave a talk at Defcon this year which pretty much summed up the problem: the price of the comforts and practicality of today’s technology is privacy — Diaspora, as well as Marlinspike’s own project, GoogleSharing, intend to spare us this costly sacrifice. Such endeavors would hopefully make secure sharing of information more accessible to non-technical socnet-savvy folks who care about their privacy — and this may be more people than we think. From what I’ve come to understand, Diaspora’s proposal is an application of the peer-to-peer model to social networks. This does have several benefits beyond those highlighted above — for instance, Diaspora’s “infrastructure” would grow organically as it gains momentum, since most (if not all) of the content is hosted on users’ equipment.


From an infosec point of view: 

I would definitely love to move to a model that allows me to better control my private information — but I’d be careful to make sure that I’m not jumping out of the frying pan into the fire. Here are a few things to consider:

  • Most people don’t really know the first thing about setting up a server environment which, judging by the FAQ, is a necessity. Unless you’re an IT puke, that means you’ll either be configuring your machine badly or not configuring it at all. Diaspora might propose a hosting service à la WordPress in the future, which to me kind of sounds like it defeats the purpose.
  • Owning your own decentralized seed is kind of like having a puppy: it doesn’t just take care of itself. It’s hard enough to get regular users to update their antivirus, let alone patch and maintain a server…
  • The biggest advantage of Diaspora is that, since your content is under your control, you can yank it off the ‘net whenever you damn well please. However, this sort of assumes that all seeds that connect to yours are benign, doesn’t it? What if one of your friends’ seeds has been compromised?
  • Decentralization of the infrastructure means that it is both harder to keep the environment consistent and practically impossible to perform adequate monitoring. If Diaspora issues a security patch, how will they ensure that it gets applied within a reasonably short period of time? How can Diaspora proactively track and repel attacks if they’re unable to analyze data? It seems likely that this sort of support is not in the roadmap.
  • The environment is under user control – so what if you were to write a malicious seed in python (or even Diaspora’s native language, RoR) that collected data from people that have friended you? How sweet would it be to drop a BeEF hook in your page, log a few passwords, portscan people’s networks, or maybe even heap spray your “friends”? And who’s going to catch you at work?

That pretty much sums it up for me. All things said, I think it’s a wonderful idea, and sincerely hope that the work bears fruit. I’ll be looking into the source code and trying to contribute as soon as I get my ass in gear!!!

A few links related to the project:

>Private browsing and forensics


Ever wondered whether the “private browsing” feature in your browser actually works?  

This article may shed some light on this topic for you. On a sour note, I’m completely shocked that Microsoft’s implementation of private browsing leaves something to be desired.

From a privacy advocate and defensive security perspective, I’m all for private browsing, both in the private and corporate world, and here’s the main reason: cookies, cached files and the like represent a significant security issue and a potential data leak. If your company uses webmail or an intranet and you’re consulting confidential files on the fly, that data gets stored locally on a machine. This constitutes a risk at the enterprise level that trumps the need for a forensically viable audit trail.

Private browsing isn’t a panacea, though: since data is stored in memory, malware that is already installed on the PC could scrape memory in search of interesting data (credit card numbers, credentials, etc.) — and not just malware, either. If you were at the European SANS forensics summit this year, you might have heard this guy talk about retrieving the contents of a machine’s memory using forensics tools. Nor does it protect the user against a traditional network sniffer / MITM attack. Finally, it assumes that you actually bother to close your browser to clear that memory of sensitive data.
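One way to answer the opening question for yourself is to check what a browsing session actually leaves on disk: snapshot the profile directory before the session, snapshot it again after the browser is closed, and flag any cookie store, history database, credential file or cache entry that appeared or changed. The script below is an added example, not code from the original post or from any browser vendor; the artifact and cache directory names it looks for are assumptions based on common Firefox and Chromium profile layouts, and the sample profile and sessions it runs against are constructed in a temporary directory (a simplified `moz_cookies` table, not the real Firefox schema). It only covers the on-disk half of the story: memory residue, as the paragraph above notes, is outside what a file-system audit can see.

```python
"""Audit a browser profile directory for on-disk artifacts left by a session.

Added example; not part of the original post. File and directory names are
assumptions modelled on Firefox/Chromium profile layouts; the sample profile
is constructed in a temp directory so the script runs offline.
"""
import hashlib
import sqlite3
import tempfile
from pathlib import Path

# Files whose creation or modification after a session means cookies, history
# or credentials were persisted to disk (assumed names).
ARTIFACT_FILES = {
    "cookies.sqlite", "places.sqlite", "formhistory.sqlite", "logins.json",  # Firefox
    "Cookies", "History", "Login Data", "Web Data",                           # Chromium
}
# Directories that hold cached page content (assumed names).
CACHE_DIRS = {"cache2", "Cache", "Code Cache"}


def snapshot(profile_dir):
    """Map every file under profile_dir (relative path) to its SHA-256 digest."""
    root = Path(profile_dir)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def diff_snapshots(before, after):
    """Return added, modified and removed relative paths between two snapshots."""
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "removed": sorted(p for p in before if p not in after),
    }


def flag_artifacts(changed_paths):
    """Keep only changed paths that are known persistence artifacts or cache entries."""
    flagged = []
    for rel in changed_paths:
        parts = Path(rel).parts
        if parts[-1] in ARTIFACT_FILES or any(d in CACHE_DIRS for d in parts[:-1]):
            flagged.append(rel)
    return flagged


def audit_session(before, after):
    """Verdict for one session: 'clean' means nothing sensitive reached disk."""
    delta = diff_snapshots(before, after)
    flagged = flag_artifacts(delta["added"] + delta["modified"])
    return {"clean": not flagged, "flagged": flagged, "delta": delta}


def _exec(db_path, sql, params=()):
    """Run one statement against a SQLite file and close it (keeps temp cleanup tidy)."""
    conn = sqlite3.connect(db_path)
    try:
        with conn:
            return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def count_cookies(db_path):
    """Rows in the (simplified, constructed) moz_cookies table."""
    return _exec(db_path, "SELECT COUNT(*) FROM moz_cookies")[0][0]


def _make_profile(root):
    """Constructed profile: an empty cookie store and no cache directory."""
    root.mkdir(parents=True, exist_ok=True)
    _exec(root / "cookies.sqlite",
          "CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT)")


def _simulate_session(root, private):
    """Constructed session: a normal session persists a cookie and a cache entry;
    an idealized private session touches nothing on disk."""
    if private:
        return
    _exec(root / "cookies.sqlite", "INSERT INTO moz_cookies VALUES (?, ?, ?)",
          ("webmail.example", "SESSIONID", "abc123"))  # constructed values
    entry = root / "cache2" / "entries" / "0f3a"
    entry.parent.mkdir(parents=True)
    entry.write_bytes(b"<html>Confidential draft report (constructed)</html>")


def run_demo(private):
    """Before/after audit of one constructed session; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "profile"
        _make_profile(profile)
        before = snapshot(profile)
        _simulate_session(profile, private)
        report = audit_session(before, snapshot(profile))
        report["cookies"] = count_cookies(profile / "cookies.sqlite")
        return report


if __name__ == "__main__":
    for mode in (False, True):
        r = run_demo(private=mode)
        print(f"private={mode}: clean={r['clean']} flagged={r['flagged']} cookies={r['cookies']}")
```

Against a real browser, replace the two constructed sessions with `snapshot()` calls taken before launching the browser and after it has fully exited, using the actual profile path; a non-empty `flagged` list after a private session is exactly the kind of implementation gap the article linked above is talking about.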

A lot of this is abstract for the layperson, so let’s provide a real-world scenario:

Let’s say you work for a pharma company and you’re waiting for a flight.  You’re bored, so you go to an internet café and open up your webmail. Your teammate’s sent you the latest draft of that report you’ve been working on, internally disclosing the findings of your latest research. You review the document, and fire her back an e-mail with your comments; you then leave the café and proceed to your gate. 

Risk #1: the PC you use isn’t an enterprise PC: to quote a memorable Mike Myers film, it’s the village bicycle of IT — everyone’s had a ride. What’s the café’s policy on updating its A/V? Is there regular maintenance? Does the machine get re-ghosted after every use? Is there a slot for a USB drive (and therefore a vector of infection)? Is the network traffic being sniffed (i.e. monitored)? It all depends on the owner of the café — there aren’t any laws or standards that oblige internet café owners to comply with basic security measures. For this risk, no amount of “private browsing” can help you – you may as well have broadcast your enterprise password and files on Facebook.

Risk #2: that report you just looked at has pretty much become public property the minute you opened it up on that public machine. Not only can subsequent users of that PC retrieve your report, but the law will not be on your side (“you should have known better” will be the de facto response). Private browsing can help you there, provided that you close the browser, because the data is stored in memory and not on disk.

Risk #3: how often do people forget to log off? Very often. As a matter of fact, I don’t think there’s a single person on this planet that’s used a computer and has never, ever forgotten to log off. And yet, if you forget to log off when you walk away from that public PC, all of your company’s past, present and future secrets could be compromised. Ever heard of the switchblade USB key? It retrieves cached passwords very nicely, and almost instantaneously. Very difficult to use: you insert the key in the computer, wait thirty seconds, pull it out — voilà, passwords du jour. In this scenario as well, private browsing can be extremely useful, because it doesn’t allow cached passwords to be written to the disk.

So there you have it, straight from the horse’s mouth: private browsing may well make forensics more difficult, but it doesn’t make it impossible. That is an acceptable risk to me, given that it mitigates enterprise and personal risk of a security breach.