I knew guys who only studied databases or only studied HTML+JavaScript+CSS. And we all expected that this level of specialization was common and even desirable! Wow. Looking back now, how silly of us. Where did we get this idea? Certainly not from anyone with significant experience in industry. We had one professor with significant industry experience... from the days of IBM mainframes. She was the head of the department. She ran two classes a year, in "software engineering", basically "technical writing and project management". They were good classes, the most like the "real world" of any of our courses, but only 50% of the students took it and it represented maybe 10% of our studies for those of us who did.
Yes, the CS degree is about preparing students for CS graduate programs. But there was never a suggestion that perhaps the CS degree was not what we needed. Or maybe there was a suggestion, one, from some guy on Teh Intarwebs, against every other person in positions of respect around us. We were consistently told that the CS degree was the path to a software development degree. Yes, internships. They are very important. We don't do enough of them. We certainly need more of an apprenticeship model. I suspect that the development of good programmers would work in a culinary school model more than a research school model.
College graduates are basically the first level of competency worth training to become developers, or at least are supposed to be (let's just stick to ideal situations right now, with no wind resistance and infinite point masses). It's like in the martial arts, we say that black-belt is where the learning begins. Once you reach black-belt/BSCS, you have only acquired the tools that you need to start learning.
Every programmer I've known thought he was a super hacker by the time he got out of college. Me included. I see it in the interviews I conduct, also. There is an air of arrogance. There is a sense of shock and personal assault when pointing out their errors. They haven't yet grocked that the code is not them. They haven't yet learned that the errors are inevitable, that it is only time and experience that teaches us how to avoid them, that programming is about the pursuit of eventual perfection and not the dogmatic defense of yesterday's code.
So one of two things happens. Either the degreed programmer shucks his hubris and finds humility, or he becomes a leech on his coworkers (and my use of the masculine pronoun is no mistake, the female programmers I've known don't have this pathology). Unfortunately, the latter is apparently indistinguishable from the former for most management types. Haha, but digging on the liberal arts majors aside, most people who come out of college with a BS in CS do not want to make programming their wake-to-sleep life. They want it to be their 9-to-5 career, and leeching is the easier route to that.
The kids mean well, I'm sure they are quite intelligent, and they've got heart. But a startup was probably the worst first endeavor for them. I think it's better to go through your male-programmer-humiliation on someone else's dollar. They're basically going into more debt to learn how to be programmers now that they've gotten out of college. They could have been earning a salary to learn how to be programmers.
Diaspora is also a somewhat unusual case. For most consumer web startups, the back button is a much bigger threat than security vulnerabilities in the early stages. Once you've iterated a lot have a better idea of what you're actually building, one of the first steps is usually to hire coders who are much better than you. In Diaspora's case, it's unclear to me whether their vision is a business or an open-source project - in the latter case then having stronger coders lead the effort is more important.
Whether that media campaign was orchestrated by the developers, or their investors, or just surfaced naturally as some news stories tend to do, I think this attention didn't really help matters when it came to putting a group of inexperienced graduates together to create what potentially should be a rival to a multi billion dollar company in one summer.
They should have been given more time and let to lead more of a low profile than the charade that's taken place over the past few months
This is referred to in the Dreyfus Model of Skill Acquistion. It refers to a space in time where we are advanced enough to not be a novice, but not advanced to realize our own lack of expertise. Merlinn Mann refers to it as being an "advanced beginner". The problem with this stage is that's it's impossible to rationalize until you've escaped it - that or you use metacognition - with awareness of said likely ineptitude because of posts like this.
http://en.wikipedia.org/wiki/Dreyfus_model_of_skill_acquisit...
I'm pretty sure that's what just happened.
Sure there's a lot they have to learn, but there's no reason why they won't be able to learn by doing. They clearly have all of the funding and motivation they need to get to the point of having a stable release. I'm glad the author (of this blog post) submitted a patch, and hopefully momentum on this project will continue to grow, as more experienced developers offer their advice and expertise.
edit: Also, I'm not sure if "startup" is the best thing to call Diaspora. Given the fact that they're already well funded, and working towards the public good, they might be better off incorporating as a nonprofit, similar to what the Miro guys did (http://participatoryculture.org/).
Actually not awesome, because for the rest of your programming career you will realize that your code is terrible.
But awesome because that's when you leave the womb and start down the road to being a good programmer.
Wasn't Linus Torvalds a college student when he released linux? For that matter, Facebook was written by a college student. Some college students can do amazing things. Also, this is just a pet peeve of mine, but don't diminish college students by calling them "kids." Many may be young, but they are adults.
I think the problem is that four undergrads were given a quarter million dollars to compete with the largest website on the internet and people expected anything but disaster.
Some people are just really good. And a startup makes them even better, and much faster than if they had decided to be "apprentices" or "interns" forever.
The thing about Diaspora is that UNLIKE Facebook or many other startups, its source code is on the internet for all to see. Do you think the original Facebook (written in PHP) didn't have security holes that would be transparent upon reading the source code? For that matter, do you think today's Facebook source would withstand attack if posted on the internet tomorrow?
The question answers itself.
If it achieves its potential, Diaspora will be hardened to a considerable extent because of the scrutiny that open source provides. This is not the time to slam these kids as wet behind the ears undergrads. Their code is pretty good for something written in 3 months. And if you really are that much wiser than them, they are accepting patches.
I don't know. It seems like they are earning their "male-programmer-humiliation" in the most efficient way possible. If having an article about how atrociously buggy your code is at the top of Hacker News doesn't teach one instant humility, nothing will.
Many startups are started/coded by young programmers in or fresh out of college -- people who probably haven't really earned their 'black-belt' in programming through time and experience. This would lead you to believe that many startups (even relatively successful ones) have plenty of bad/buggy code under the hood, but they have the benefit of not being out there under the scrutiny of public eye.
That said, if you're a young (and thus, probably somewhat inexperienced) coder, it would seem you can get stuck in the conundrum of wanting to have enough experience to write good code, but also wanting to go for starting a company while you're still young. Would love to hear opinions/thoughts on how to solve that conundrum.
I haven't read the code myself, but the OP is claiming "really, really bad security holes", and calls out the encryption code.
Security is not something that can be bolted on after the fact; it needs to be baked in from the start, in a product like this. And, remember, security/privacy was Diaspora's raison d'etre.
No one expects the first code dump to be polished, or feature-complete. But if there are serious flaws there, of the magnitude described, pointing it out isn't just "trash talk."
In fact, this is how it happens in the vast majority of cases, including the case of Facebook.
I'm afraid that Diaspora might be in an impossible position. If they release something early, they'll get a lot of bad press from knuckleheads like this one that the quality is no good. If they release late, everyone will be clamoring over the wasted $250k in the interim, demanding: "when will we see something?".
Now growing it over time, standing up to public scrutiny, hardening, balancing, monetizing -- those are much harder problems. Getting code out? Not really, in my opinion.
Their code is out there, they have openly said it is full of bugs and they now have a hell of a lot of eyes, They will get a massive benefit from this being opened early and it really isnt their problem if people refuse to ignore all their and everyone elses advice and give out their banks password
And may I add, I think it is really great that many public seeds are being deployed, this is the only and best way to test a social federated network, pre-alpha or not.
There's some stuff that good/experienced developers do upfront naturally. There are some security, design and performance things that are clearly a case of bad development versus "this is an early release".
Fundamentals.
"Fundamentals" are things like: there's no identifiable data model, the code is pure spaghetti and structure is a fleeting concept.
From my very quick scan of their code, it's readable, the parts of the data model I looked at are fairly obvious (thanks Rails), dependencies are identified, crypto seems fairly localised. Correction of bugs seems definitely doable. Extra features shouldn't require a total refactoring. Looks good to me for an alpha drop.
Next up: posts criticising the spelling in the comments in the Diaspora code.
The fact is, the implementation is obviously problematic. I won't go as far as saying that the design is flawed, although some security vulnerabilities are certainly pointing that way. It's obvious that Diaspora's developers are inexperienced, and therefore could use all the help they can get from us. This is one point in favour of an early release, in my book. On the other hand, early design and implementation decisions have profound implications during the lifespan of a project (this is especially true when it comes to security), and I will not trust my personal details to Diaspora in its current form; the project still has a (very) long way to go before being technically up-to-date.
This is hiring a bunch of interns (with near zero experience) to implement your product, giving them three months, and then being shocked -- SHOCKED, when the code is not professional grade quality.
I was shocked when everyone and their brother was willing to shell out money to a group of completely unproven college students to produce a distributed open source 'Facebook Clone', that is also 'private'. My inclination is that the 'distributed' and 'private' parts of the description push it into the oxymoron tier of product specifications. I would have expected this alone to give people pause about what the architecture would be (somehow it didn't).
Honestly, at least they have produced something, and for the most part, it works. Hopefully they haven't burned through too much of the $250,000 that they started with. 3 months of development time is honestly nothing.
Presumably, they could get comments on this, throw the entire thing away, re-write while fixing the various issues, and be well beyond where they are now in another three months. (If this is as bad as Steve says, I hope this is the case). Presumably the development will go faster because previously they were learning and developing at the same time (presumably).
Hacking together a prototype that you then throw away is a perfectly reasonable development model. I'm impressed (and pleased) that they have produced anything.
They mention at least two large cost items - luxr (basically consulting by Janice Fraser, it says around $10k on the company page) and pivotal labs. Pivotal is the huge one, I once got a quote from them on a project I was working on and they basically said they don't do less than 6 figures. So unless they got some kind of insider discount, the back-of-the-napkin math says at least half of their cash is gone.
Whether it was worth it or not is a separate matter. As a resume builder for a young team: sure, why not, you could do a lot worse. As a product for end users: you might support their cause, it depends on whether you're 1) a Facebook-hating neckbeard-sporting privacy nut - excuse me, libertarian, or 2) willing to cut them slack on an early release because there's some interesting technical challenge they're tackling.
For everyone else: no thanks, Facebook's fine and we'll stick with the real thing.
What exactly is so abnormal about being concerned with Facebook's privacy problems? Particularly, what issues are normal to be concerned about and what issues make one a "neckbeard-sporting privacy nut"?
I don't think that the second system effect applies, specifically given that it isn't elegant or successful yet. (In fact, most of the comments are that it is inelegant and a failure).
Second system effect mostly reflects the evils of redesigning a perfectly good working product.
(Well, I have more than zero experience... maybe I'm overqualified)
Judging from the noise their release makes here on HN i think the diaspora guys did well opening up their repo 'early'.
And to steve: i think you hold 'professional programmers' (which i interpret as programmer that get paid) waaay too high..
Their entire reason for existing is "Facebook but private". At the moment, they are delivering on that like ROT13Snap delivers on secure backup. And due to a programming bug, ROT13 was applied twice, and indexes are on in Apache. It is a cluster flop.
Strange thing is, the advantage Facebook had is that it launched to a small audience initially with very limited functionality.
it took me 2 minutes to find out what BCC means. for those also wondering: http://www.bingocardcreator.com/ sorry but BCC is not open source so i call it a bad comparison. commercial software is different. the thousands of diaspora end-users you talk of are probably quite aware they are guinnee-pigs of a facebook counter project.
"facebook but private", sorry but again i dont think you get diaspora as it is more like "facebook but distributed".
calling diaspora a "flop" is like calling mozilla before 1.0 a flop: it's open source (something you dont seem to get), its out there for _anyone_ to play with freely, to collaborate on, to learn from...
OTOH, they themselves seemed to have said it's not MVP either, so I think that's okay.
I'm still concerned about the longer-term viability using the reasoning of "This many basic mistakes doesn't bode well", but time will tell.
I wish them the best of luck.
What I meant was more of "someone who's knowledgeable about their craft," but you're absolutely right anyway.
Edit: I see jlgbecom already made a similar point below.
More than the fact that the code isn't production ready (by a long shot it seems), I'm just surprised the released anything at all. Perhaps spending all that money on those consultants was a good thing for them. I doubt they would've been able to get by on their own given what was released and the hype they set in motion. It's a lot to live up to. They made some really bold claims.
Just goes to show that you can't just talk the talk and watch your dreams come true.
Thank God that our industry isn't lousy with ambitious but inexperienced twenty-somethings. If we let them run amok, we'd get crapware like MS-DOS and computers like the Apple II.
My point is that their problem is other peoples' expectations. Their ambition set the bar before they'd written a single line of code. Had they been more humble and waited to ask for a handout afte they had released what they have now I don't think there would be half as many articles hitting HN about how crappy their software is.
I think that they released something is great. I would never put some one down for having ambitions and aspirations to follow them. I would simply advise that they keep those ambitions to themselves and let their actions speak for them.
http://opensource.appleseedproject.org
"Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs..."
.............................
................................................
Still waiting.........................
Yeas, it's made some rookie mistakes. Yes, there's a load of things they shouldn't be trusting on postback (silly things like not checking the owner of an object on 'delete' commands).
That's not bad code, that's a bad implementation. That's not knowing what to trust and what not trust cause they've never been screwed up the ass by it yet.
But bad code? No.
The implementations are problems, they need this shit pointed out to them. That is all.
Steve and Patio11 are doing some serious damage to a good project for no apparent reason apart from self promotion. I want to call them nasty names, I really, really do.
Rather than type a bunch of replies to everyone, here's some random thoughts:
1. Release early, release often is great. But when your product's main focus is "a private social network where you control your data" and other people can do anything they'd like with your account...
2. If this was just unpolished, I wouldn't say anything. But like patio11 is saying, this has been covered by major news outlets, and many non-technical people are getting involved. This is a plea to pay attention to the fact that it's pre-alpha software.
3. The mistakes are beyond amateur. This isn't "omg it's not perfect," this is "I can't believe they didn't even apply the basics." The reason that this matters is that it doesn't bode well for the future of the project. If they can't even get this correct, how am I supposed to trust them later?
4. I only complain because I care. I want this project to succeed, and I really like a lot about the interface, actually. But that doesn't mean I won't call a spade a spade.
Can you pinpoint them? I don't think it makes sense not to at this point..
For example: http://github.com/diaspora/diaspora/blob/master/app/controll...
There's no check to see if this is your photo or not. And before you mention it, the before_filter only checks if they're logged in, not permissions.
There are many, many similar things to this. Check out lib/encryptor.rb and shudder. I'm no security expert, but...
I've always been saying that making a distributed social network is much easier than "solving" privacy and security for such a thing. First of all, try even defining what it means to privately share things with people on the internet. Then, realize that most solutions (such as diaspora) will actually EXACERBATE the privacy problem, by making you trust the hosting services of all your friends instead of just facebook.
That said, after diaspora was announced it made me think about whether it's possible to ensure privacy in principle. Meaning, is it possible to only trust YOUR hosting company and friends, and cut out every other middleman from being able to snoop your data?
I came up with something which I think would be very useful, and I actually submitted a provisional patent for the technology, which basically enables distributed AND private social networking using just today's web browsers.
If you want to check it out or get involved, see http://myownstream.com . This is an open-source offshoot of a social network I'm building, which I hope to release next year. You can see the roadmap there, but so far it's been going really well :)
It's just a coincidence that these guys are also from NYU.
they didn't appear to use pbkdf2 or similar to derive their crypto keys, so that isn't good. but at least they didn't make up their own algorithm (though maybe they're making their own crypto protocol--hopefully not--i couldn't tell from the code).
it's very easy to say "this sucks", it's harder to say "this sucks and here's why" and it's even harder to say "this suck and here's why and here's how i do it in my deployed product"
The 'here's why' part gets tricky with security stuff. I don't want to be complicit in people trashing accounts. And if you read, I did submit patches.
And they are making up their own protocol. It's currently not documented.
Go Steve!
Github issue #8: "Facebook has a majority market share"
Just wanted to say good on you for fixing bugs and contributing to Diaspora! Unfortunately I don't even know enough Ruby to understand what I'm looking at, but I'm excited about the project - they've definitely got a good resource in you! Is there any indication that they switched to Ruby during this Summer? I swear it was originally going to be in PHP, but I can't find any mention of that now. Could the oversights in the code be due to this being the first piece of Ruby the team has written?
And it's infinitely better than the alternative, of getting everything right first time, because that's impossible. Something is better than nothing. Live it!
My guess is that it was a much bigger piece of crap. A PHP crap. And guess who wrote it? Harvard undergrads. ^_^
All I got from it was they have security problems. What exactly? where exactly?
"Really, Really, Really Bad" is really subjective. When stating a problem try to be concrete and objective and give examples. For instance, if you think someones cooking is a bit off and you are a chef, say you need a little more salt or pepper or whatever the case maybe. A chef can't simply say it is really, really, really bad, leave such comments to amateurs who don't know what exactly they are experiencing and how exactly to fix it.
If you don't really have the time to address each particular concern then give them a reference to some security books that are essential when developing something like this.
As it stands the community is no better off before than when you wrote this. You should have written an article about "10 security books that are a must read to prevent diaspora mistakes".[I would appreciate it if someone who is knowledge about this wrote something like this]
Looking through the code, it looks like Diaspora is really just putting a front end and "aspects" on top of OStatus. I think it might be good at this point to just scrap the Diaspora code and start over from the basics with a good OStatus-based reference implementation in Rails.
If it survives, I might do this... I think their approach is fine for rolling out a private enterprise FB or creating an alternative hosting solution, but I'd like to see an even more decentralized solution. Ruby isn't a good choice of language for mobile, or native compiled "IJW out of the box" deployable solutions.
I enjoyed building and playing with the code, and I hope that there is a much improved version in the future.
I thought the idea of a developer release was to do exactly this.
I'm putting it down to envy: these guys have shipped some pre-alpha code that's interesting to a large number of people.
Excellent marketing in the open source community for developer eyeballs, perhaps not so good in terms of end-user experiences, but that's not the point at this stage, numbers will be low and the perceptions of the dumb early-adopters (of pre-alpha distributed social networking code, ffs) shouldn't leak too badly into the mainstream.
However, people are now eating the dogfood, and I expect to see fairly rapid improvements in the code: not unexpected for an alpha drop in my experience.
To the people who are moaning, would you like others to see your alpha code and laugh bitterly about you being a young (or old for that matter) upstart?
1. Most of the XSS errors should be handled by Rails 3 auto-escaping. I'm not certain why this isn't happening. It may be a simple HAML config error or bug.
2. The session key should be moved out of the Git repo.
3. Most of the authorization can be done by reaching through the current user's associations. For example "current_user.photos.destroy" would prevent users from destroying other's photos.
I'm not defending the developers here and agree these should not have gotten past them. My point is these problems can be fixed in a few days, and thanks to open source, there are many eyes looking at the code to find additional security issues.
* literal SQL without escaping (They use Mongo it turns out)
* 10,000 lines of controller action (The biggest one is Photo#create, but far from huge). PS: They use carrierwave, which is AWESOME.
* giant business logic in the views (They use haml and the code is clean).
* Not escaping user's input (OK, there are places where they forgot to put it).
Their code is far from shit. Easily improvable as they gain more developers. Aren't we too quick to judge?
I believe they will get an amazing quantity of outside work.
It's this kind of code bashing that makes it difficult and intimidating for newbies to break into development. Think twice before you lambast younger, less experienced programmers on the internet. What a shame.
If it was a piece of crappy software that I wrote and put it on Github, I am going to get criticize to the point that it's worthless, I'm not sure where is the open source spirit going this way.
Nothing to see here.
