My Ruby experience is limited (extremely limited); that said, the biggest problem here doesn't seem to be their understanding of their development platform, but rather, of basic security concerns.
What further concerns me is this: even if they do fix each and every security hole that's been exposed, the basic underlying function of this is that each node in the greater Diaspora network is trusted by the other nodes, correct? And further, nodes can be created and joined to the cloud by anybody.
In principle, this is no different than P2P networks. But P2P networks don't generally intentionally store private information!
As I used to say back when part of my job was breaking into so-called secure computers: if I have physical access to the machine it's only a matter of time. And the same is true for encrypted data. Once it's on a malicious users' machine, it's only a matter of time.*
(* yes I'm aware strong enough encryption makes the 'time' value rather large, but brute force is the last-resort option. If you have a node running on your box, what's to stop you from sniffing legitimate traffic and ferreting out the key?)
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs
What further concerns me is this: even if they do fix each and every security hole that's been exposed, the basic underlying function of this is that each node in the greater Diaspora network is trusted by the other nodes, correct? And further, nodes can be created and joined to the cloud by anybody.
In principle, this is no different than P2P networks. But P2P networks don't generally intentionally store private information!
As I used to say back when part of my job was breaking into so-called secure computers: if I have physical access to the machine it's only a matter of time. And the same is true for encrypted data. Once it's on a malicious users' machine, it's only a matter of time.*
(* yes I'm aware strong enough encryption makes the 'time' value rather large, but brute force is the last-resort option. If you have a node running on your box, what's to stop you from sniffing legitimate traffic and ferreting out the key?)
--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs