Ben Laurie blathering

The Tragedy of the Uncommons

An interesting phenomenon seems to be emerging: ultra-hyped projects are turning out to be crap. I am, of course, speaking of Haystack and Diaspora (you should follow these links, I am not going to go over the ground they cover, much).

The pattern here is that some good self-promoters come up with a cool idea, hype it up to journalists, who cannot distinguish it from the other incomprehensible cool stuff we throw at them daily, who duly write about how it’ll save the world. The interesting thing is what happens next. The self-promoters now have to deliver the goods. But, for some reason, rather than enlisting the help of experts to assist them, they seem to be convinced that because they can persuade the non-experts with their hype they can therefore build this system they have been hyping. My instatheory[1] is that it’d dilute their fame if they shared the actual design and implementation. They’ve got to save the world, after all. Or we could be more charitable and follow Cialdini: it seems humans have a strong drive to be consistent with their past actions. Our heroes have said, very publicly, that they’re going to build this thing, so now they have a natural tendency to do exactly what they said[2].

But the end result, in my sample of two, is disastrous. Haystack has completely unravelled as fundamentally flawed. Diaspora seems to be deeply rooted in totally insecure design. I hope I am preaching to the choir when I say that security is not something that should be bolted on later, and that the best way to do security design is to have the design reviewed as widely as possible. In both Haystack and DIaspora’s cases that could, and should, have been a full public review. There is no excuse for this, it wastes a vast amount of enthusiasm and energy (and money) on ultimately destructive goals.

I don’t have any great ideas on how to fix this, though. Yes, reporters getting expert assistance will help. Many of the experts in the security field are quite outspoken, it isn’t hard to track them down. In Diaspora’s case, perhaps one could have expected that Kickstarter would take a more active role in guidance and mentoring. Or if they already do, get it right.

Natural selection gets you every time.

BTW, if any journalists are reading this, I am absolutely happy to take a call to explain, in English, technological issues.

[1] I love this word. Ben Hyde introduced me to it.

[2] This is known as “consistency” in the compliance trade.


  1. You’re essentially describing the Dunning–Kruger effect…

    Comment by cat — 26 Sep 2010 @ 4:37

  2. Actually, I’m pretty sure I’m not, but I like your style.

    Comment by Ben — 26 Sep 2010 @ 4:39

  3. People support what they help build…people do not necessarily support what they hype.

    Comment by Liza Sperling — 26 Sep 2010 @ 6:30

  4. In Diaspora’s case, there is a full public review of what is acknowledged by the creators as currently alpha software:

    Comment by Joe — 26 Sep 2010 @ 20:00

  5. I never hyped up Diaspora. I just don’t believe in their goals.

    Systems don’t become hardened overnight.

    Expectations (even yours) are way too high.

    Yeah, these guys should have built in security from the start, but that’s not what will doom them.

    Twitter’s system isn’t all that secure, either, as we found out this morning (no, I don’t like goats) and Facebook was down for a few hours last week. All systems have bugs and problems. Twitter has had many many failures in its first four years of life (we make fun of them, ala the Fail Whale).

    I would rather cocky developers focus on solving unsolved problems, not on trying to get people to switch from an existing system (history shows that’s very difficult unless you have a system that’s dramatically better to move to).

    The press does like stories of David vs. Goliath, which this appeared to be to many of them, though. In those cases they aren’t going to think about the facts, just the narrative. They won’t call you for security guidance, in other words. Why not? It’ll ruin their story.

    Comment by Robert Scoble — 26 Sep 2010 @ 20:04

  6. I’d appreciate reports of whatever insecurities you found in Diaspora. Maybe you could email us at

    Comment by Raphael Sofaer — 27 Sep 2010 @ 6:53

  7. You missed one salient fact: the press thought (and maybe still thinks) that the authors of the programs *are* the security experts. How is the press to know that someone is an expert? If you’re not Bruce Schneier, how can they rate your credibility?

    Comment by Paul Hoffman — 27 Sep 2010 @ 14:39

  8. Like to avoid the Sisyphean security challenge. Has anyone authored an excellent book or blog on practical strategies and techniques for secure web framework development?

    Comment by clibou — 28 Sep 2010 @ 2:36

  9. there are no more journalists, so they will not be reading this.

    Comment by Anonymous — 14 Oct 2010 @ 1:18

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress