>Diaspora — a FAILtale perspective

>I was talking with some friends this morning about Diaspora, the social networking project that’s gotten some attention in the press lately. We were kicking around a couple of its pros and cons, and I promised that I would write a quick brief about it – one that I started a few hours ago and, after some thought, have re-crafted into a blog post… Without further ado, here is my (preliminary!) perspective on the project:

From a purely conceptual point of view: 

Diaspora is a platform that allows you to share your social content in a place under your control. Like Facebook, Flickr, and other socnets, you have a “central place” for seeing what your friends are up to, sharing photos and what not; unlike other socnets, that central place isn’t run by someone else.

From a semi-technical point of view: 

the point of a social network is to share information. The easiest way to do that is to have all that information sitting in one place, in one single format, in one single repository. The concept that Diaspora brings to the table is not necessarily new: don’t centralize the content but rather the feed to the content. If you look at it that way, Diaspora is little more than a fancy CMS — but then again, so are social networks in general. The interesting thing is, Diaspora has the “social network” branding that’s made it (and its more traditional peers) that much more popular.

From a technical point of view: 

though the concept is not novel, the need is clearly there. Moxie Marlinspike gave a talk at Defcon this year which pretty much summed up the problem: the price of the comforts and practicality of today’s technology is privacy — Diaspora, as well as Marlinspike’s own project, Googlesharing, intend to spare us of this costly sacrifice. Such endeavors would hopefully make secure sharing of information more accessible to non-technical socnet-savvy folks who care about their privacy — and this may be more people than we think. From what I’ve come to understand, Diaspora’s proposal is an application of the peer-to-peer model to social networks. This does have several benefits beyond those highlighted above — for instance, Diaspora’s “infrastructure” would grow organically as it gains momentum, since most (if not all) of the content is hosted on users’ equipment.

From an infosec point of view: 

I would definitely love to move to a model that allows me to better control my private information — but I’d be careful to make sure that I’m not jumping out of the frying pan into the fire. Here are a few things to consider:

  • Most people don’t really know the first things about setting up a server environment which, judging by the FAQ, is a necessity. Unless you’re an IT puke, that means you’ll either be configuring your machine badly or not configuring it at all. Diaspora might propose a hosting service à la WordPress in the future, which to me kind of sounds like it defeats the purpose.
  • Owning your own decentralized seed is kind of like having a puppy: it doesn’t just take care of itself. It’s hard enough to get regular users to update their antivirus, let alone patch and maintain a server…
  • The biggest advantage of Diaspora is that, since your content is under your control, you can yank it off the ‘net whenever you damn well please. However, this sort of assumes that all seeds that connect to yours are benign, doesn’t it? What if one of your friends’ seeds has been compromised?
  • Decentralization of the infrastructure means that it is both harder to keep the environment consistent and practically impossible to perform adequate monitoring. If Diaspora issues a security patch, how will they insure that it gets applied within a reasonably short period of time? How can Diaspora pro-actively track and repel attacks if they’re unable to analyze data? It seems likely that this sort of support is not in the roadmap.
  • The environment is under user control – so what if you were to write a malicious seed in python (or even Diaspora’s native language, RoR) that collected data from people that have friended you? How sweet would it be to drop a BeEF hook in your page, log a few passwords, portscan people’s networks, or maybe even heap spray your “friends”? And who’s going to catch you at work?

That pretty much sums it up for me. All things said, I think it’s a wonderful idea, and sincerely hope that the work bears fruit. I’ll be looking into the source code and trying to contribute as soon as I get my ass in gear!!!

A few links related to the project: