
This is an old article. Most issues were already fixed. Many issues, by the way, were known and simply TODOs.

Whether it is a good idea to publish an alpha with a demo that contains many known -TODO- security holes and -issues is another idea. But it is unfair to start calling Diaspora "a failure" or "an amateurish piece of xxx" (not my words, but heard them said after this article) because of not-yet-implemented security features (such as authorisation).

By now, the entire Diaspora is/was rewritten in My/PostgreSQL; most of the mentioned issues are already dealt with, or are under construction.



I don't think it's unfair at all. Security and privacy were, after all, Diaspora's raison d'etre. And, as we all know (and Diaspora demonstrated, yet again) security is not something that can be bolted on afterwards, but has to be baked in from the start; otherwise you are looking at a rewrite.

"Amateurish failure" pretty much nails it, if you ask me, and if the Diaspora guys were working for me, I'd be showing them the door as quickly as I could manage it. That may sound harsh, but it's the voice of hard-earned experience.


> Security and privacy were, after all, Diaspora's raison d'etre.

The irony of it all is that Facebook's privacy issues have nothing to do with open/closed source. They can open their entire source tree tomorrow; it wouldn't make them more privacy-oriented than now. It's not how they collect the information or how they store it, but what they do with it and with whom they share it.

>"Amateurish failure" pretty much nails it

I think part of the problem here is, as much as those guys have good intentions, the whole affair was ill-handled from the start. From the get-go, asking for money before showing any effort made me sceptical of the whole affair. The amount of exposure and money they got, without anything even resembling code or implementation details, was absurd. And then, what they initially came up with could've been done by a few software devs working in their free time, and was riddled with security issues. My advice to those guys is to use the money and hire some good programmers, which is what most startup guys do.


None of the problems he outlined were a result of getting Diaspora out the door faster, but simply basic ignorance of security issues. attr_accessible, adding a current_user. to db queries and so on doesn't take any time at all, and should be in muscle memory for any seasoned Rails developer.

If they can't deal with beginner level stuff, how well do you think they will do with much harder problems like XSS?

Edit: Actually I really want to drive this point home: you wouldn't write a TODO for any of these things because it would take you as long to write the TODO as it would take to fix them.


It was not my impression, from speaking with the developers, that I was wasting their time by informing them of things they already knew.

Regardless, the purpose of publishing this isn't to grind Diaspora's nose in it. It is to help someone -- profs, students, or (scarily) someone who gets paid for this -- avoid shipping software in this state in the future.


The initial release contained every amateurish security hole in the book. The errors were the sort one might see in a WordPress plugin written by someone with three months of PHP experience. I wouldn't call those a 'TODO', since I can't even write a basic PHP or Django page without doing the basics like sanitizing what goes to the database or making sure the user owns a photo before deleting it. The fact that the Diaspora team didn't do any of that shows that they had precious little experience. Not sure why anyone would want to build upon something written by absolute amateurs - in the past, that is how the world ended up with WordPress and PHP.
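Two of the "beginner level" items named in this thread, mass assignment without a whitelist (the job `attr_accessible` does in a Rails model) and record lookups not scoped through `current_user.` (so any user can delete any photo), are shown side by side below in plain Ruby. This is an added example, not Diaspora's code and not Rails itself: the model is an in-memory stand-in, and the names `User`, `Photo`, `PhotoStore`, `NotFound` and `run_demo` are this example's own. The vulnerable and hardened forms sit next to each other so the difference in effort, one scope and one whitelist, is visible.

```ruby
# Added example (plain Ruby, not Diaspora's or Rails' code): an in-memory model of
# two mistakes discussed in the thread, unscoped lookups and unfiltered mass
# assignment. All class and method names are this example's own assumptions.

class NotFound < StandardError; end

# A user record. The admin flag must never be settable from request parameters.
class User
  attr_reader :id, :name, :admin

  # Attributes a web form may legitimately set; the role attr_accessible plays
  # in a Rails model. Everything else is dropped during mass assignment.
  ACCESSIBLE = %i[name].freeze

  def initialize(id, name, admin: false)
    @id, @name, @admin = id, name, admin
  end

  # Vulnerable form: every key of the params hash lands on the object, so a
  # request carrying admin=true escalates privileges.
  def update_unsafe(params)
    params.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end

  # Hardened form: only whitelisted attributes are assigned; the rest are ignored.
  def update_safe(params)
    params.each do |k, v|
      instance_variable_set("@#{k}", v) if ACCESSIBLE.include?(k.to_sym)
    end
    self
  end
end

Photo = Struct.new(:id, :owner_id, :title)

# The "database": photo id => Photo.
class PhotoStore
  def initialize(photos)
    @photos = photos.each_with_object({}) { |p, h| h[p.id] = p }
  end

  # Vulnerable: the equivalent of Photo.find(params[:id]); any id, any owner.
  def find(id)
    @photos.fetch(id) { raise NotFound, "photo #{id}" }
  end

  # Hardened: the equivalent of current_user.photos.find(params[:id]); the
  # owner is part of the lookup, so someone else's photo is simply not found.
  def find_for(user, id)
    photo = @photos[id]
    raise NotFound, "photo #{id}" unless photo && photo.owner_id == user.id
    photo
  end

  def delete_unsafe(_current_user, id)
    @photos.delete(find(id).id)
  end

  def delete_safe(current_user, id)
    @photos.delete(find_for(current_user, id).id)
  end

  def size
    @photos.size
  end
end

# Runs both flows on constructed data and returns the outcomes for inspection.
def run_demo
  alice   = User.new(1, "alice")
  mallory = User.new(2, "mallory")
  photos  = [Photo.new(10, alice.id, "holiday"), Photo.new(11, mallory.id, "cat")]

  # Constructed request parameters: mallory renames herself and smuggles admin=true.
  params = { name: "mallory", admin: true }
  escalated = mallory.dup.update_unsafe(params).admin   # true: privilege escalation
  contained = mallory.dup.update_safe(params).admin     # false: admin was not accessible

  unsafe_store = PhotoStore.new(photos)
  unsafe_store.delete_unsafe(mallory, 10)               # mallory deletes alice's photo

  safe_store = PhotoStore.new(photos)
  blocked = begin
    safe_store.delete_safe(mallory, 10)
    false
  rescue NotFound
    true                                                # scoped lookup refused it
  end

  { escalated: escalated, contained: contained,
    unsafe_remaining: unsafe_store.size, blocked: blocked,
    safe_remaining: safe_store.size }
end

puts run_demo.inspect if __FILE__ == $PROGRAM_NAME
```

The scoped lookup deliberately raises the same `NotFound` for a foreign photo as for a nonexistent one, so the response does not leak whether the id exists. The whitelist is the simpler of the two fixes to forget and the more damaging: a single unfiltered `admin` key turns an ordinary profile edit into account takeover.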



