
Comment Re:Well, the "developer" doesn't get it (Score 1) 338

I agree. I've read the article, and read the summary, and the comments, trying to see if something was out of context. Somehow it seems lost on the guy that by writing a very in-depth article, generating 75 comments, and some publicity, controversy, is what OSS is all about. Transparency, openness. So he inadvertently, it seems, is part of the OSS process. The same process that brings us highly secure OS like OpenBSD. Do not depend on the OSS community? He's a little ignorant in that regard, that's all I can surmise.
Now, what is a little strange to me is that Diaspora is trying to stick to the hard release date. Again using the example of Linux, they should release it when it's done and no sooner (something to that effect). To me, this application is a hybrid, part OSS, part driven by VCs, i.e. the folks putting up the seed money. Maybe that is behind the author's confusion about OSS in the point above.
I agree with the other posters here, they should scrap it, rewrite it from the ground up following good security principles. I mean, we certainly wouldn't want to switch from the fairly secure fb to totally insecure fb-clone.

Comment Re:Who knew! (Score 1) 156

Ok, .NET fans, keep punting. I guess the next answer will be it's the fault of the testers, for not envisioning this scenario. Which is a decent answer too, but I think the original commenter had it right about checked exceptions.

I'm all for .NET, I love how I can create a web service quickly, and I've been impressed to see how it has been quietly building up to a solid base, and there are folks building good apps around it like Roy Osherove's TypeMock, even though Rails gets all the fanfare, but fall in the middle for checked exceptions, having seen massively stupid apps with 2/3 of the code handling the exception in every method, and other apps turning an exception into an unchecked exception. Use them, with care.

The argument, way back when, against checked was, "we are good, smart programmers, don't treat us stupid, we will document the exceptions so if you should trap it (or turn off dev mode, or whatever the latest excuse is), you can, otherwise leave us alone." But then you have other folks out there, the lean developers, saying forget about documentation, just code it. (As an aside, I think the future will be massively un-maintainable web apps being tossed because the original developers have long gone, and unless you have a deep understanding like DHH, forget about figuring out the code, meanwhile well-documented but dull C code will carry on.)

The counter-argument, as proven by this very very very costly example is, a little reminder doesn't hurt.

Comment Re:More than enough reason for no business (Score 1) 338

there will always be a system administrator with the technical ability to snoop data stored or in transfer. The only reason you can slam Google here is because they actually caught the guy.

Not always, if security is properly implemented. Google implemented poor controls, and had no idea he was doing this. There can be preventative controls and monitoring and auditing, they implemented neither, they only figured this out when the parents complained.

Their security is poor, simple as that. Now granted, many companies probably have lousy controls also, and the hackers (internal and external) seem to be always a step ahead, _however_ there are companies that are doing this right, Google is not one of them.

Comment Re: terrorists (Score 1) 555

I'm thankful for the UK government in photographing this individual and keeping him out of the U.S. Our country will be safer. Sending a threatening e-mail is one step away from a threatening action for these unhinged individuals. Hopefully he will be monitored. The U.K. is a terrorist hotspot with many immigrants from Pakistan, India, Africa plotting their nefarious deeds.

We need to be super-vigilant these days, with radio hotheads like Limbaugh making inflammatory comments, who knows when some crazy will take him up on it? Don't be 'embarrassed', these actions must be nipped in the bud. No appeasement here, that did not work with the Nazis. Sorry for the heavy hand, but America must be kept safe. We must fight them over there, so we are safe behind our sovereign borders.

Comment Re:Making use of a database (Score 1) 590

Interesting you mention PostgreSQL. There was a recent presentation on InfoQ by Andres Kutt, one of the architects of Skype, and they use PostgreSQL quite heavily (and are also contributors), and also put business logic in the databases. He was initially against this, but it's worked out well. They have used some other interesting components from PostgreSQL, such as their messaging system. Worth seeing:

Learnings from Five Years as a Skype Architect

Quite like a decent system architecture gets turned into a convoluted pile of spaghetti by mindless technical changes, the functionality of your application will be turned into a similar mess by mindless changes in functionality.
