oda: Chrome tab with a sad face on blue-violet field (degoogle)
2011-08-26 01:17 am

De-Googlefication: Checkout, Android App Queries

I really haven't been getting much done, but I got a little bit done tonight, at least.

Here are some links to excellent blogs by people also doing the same thing:

Another very helpful tool is the Dashboard, which can show you where Google is storing your data.

Google Checkout

On the plus side, this had a nice little summary of all of my Android purchases, so I ended up not having to dig through my Gmail box as I had feared.

On the minus side, I cannot fully delete my data! I tried deleting my credit card, and while it deleted the credit card number it refuses to delete the address and phone number attached to that card. If I try to edit it, then it tells me I need a valid card number to do so. I tried various permutations including re-entering my card to see if I could then remove the address data, but it does a credit card verification against the number, so I simply cannot edit the data away or delete it. Did anyone ever test card deletion? This is a serious privacy failure.

I'm going to leave this on hold here with the credit card still in place, since I might end up getting credits as part of my app transfer process, and come back to it later.

Android Apps

Having received my app summary via Google Checkout, I used the 'Contact Vendor' links to send mail inquiring about the best way to transfer an app off of a Google account, so that I can re-download it even without the account attached on my phone and still receive future updates. This has to be done individually for each vendor.

New Google Account

Given that I might need to transfer apps to a new Google account, I have set up a new Gmail account so I have a place to send them. I used an invite and didn't need to authenticate via SMS. Remember to check 'Always use HTTPS' under General settings. I also like to turn chat off and set it to only let people chat with me if I explicitly allow it.

Buzz: It appears to be turned on, but I don't yet have a profile set up. It throws a 404 if I try to disable it from Gmail without a profile.

oda: diaspora* icon (stylized asterisk) on a blue-violet field (diaspora)
2011-08-26 03:41 am

Pondering Diaspora's Security

I really love Diaspora, but I have some significant reservations about recommending it to any users who are concerned about the privacy or integrity of their data. I would be thrilled if I were confident enough in it to be able to recommend Diaspora freely. However, I do not yet know enough about its internal structure to feel that I can do it in good faith.

Right now Google+ is having a great many privacy issues and is suspending users right and left in the #nymwars, which means that there are many people looking around for a new home. Diaspora is a strong contender. It's got great basic functionality and a clean UI that Google+ seems to have cribbed from. The privacy model on Diaspora is also great. It's the security that I'm worried about. Users need to know that their data can't be read by anyone they haven't authenticated to read it, and that it can't be deleted or modified by anyone but themselves.

Personally, I also love Dreamwidth, but I know that some people want the ease of commenting that Diaspora has, where all of the comments are kept in a stream, unlike Dreamwidth's more post-centric model. So I want to have somewhere to send people who want that instead, or who want to be able to run their own servers.

We're almost a year out from the Security Lessons Learned From The Diaspora Launch. How is the software doing now, security-wise?

When I go look at The Official Diaspora Wiki there is an empty red link pointing to Security Architecture Proposal. This is not exactly comforting. When is the Security Architecture Proposal due to be posted?

I know that the problems exposed in the review have since been patched, but is Diaspora moving forward in a way that avoids new problems? Has anyone examined the inter-server protocols for security flaws? Where would I go to look for more information on this? I'm not a coder, so I can't simply read the code, but I can usually follow higher level reviews done by coders or architects, and I would love to see a newer security review if such exists.

In my experience, security is immensely easier to maintain if it is built into software from the ground up. This is from the perspective of a system administrator, not a developer, but I have always found it easier to maintain software that started out with the intention of being secure. One example is sendmail vs. postfix. Sendmail started out very permissive, and as abusers figured out how to manipulate it, it became more secure in response. However, it has always been troublesome to maintain and more likely to need patching, because that security wasn't part of its core design. Postfix was designed for security from the ground up, and is much less difficult to maintain.

Another issue that was exposed in the early code review was the lack of a design document or commented code. Again, I am not a coder, but I know that documentation is the heart's blood of any team project, and absolutely critical for being able to maintain code. Where is Diaspora as far as documentation goes?

(Mirrored to Google+) (Mirrored to Diaspora)