Monday, December 22, 2014
A bunch of tech commentators on Hacker News are talking about how easy it is to read Facebook source code, which they say could pose a risk to the social media site.
Users can literally look inside snapshots of Facebook's digital world because its engineers dumped a load of information in Pastebin, which is a platform for storing and sharing text.
The discussion is a reaction to a recent post on the Sinthetic Labs blog. A guy called Nathan Malcolm explains how, in 2013, he was fixing "a few bugs" while using software development tools and "ended up finding out a lot more about Facebook's internals than I intended". Sinthetic Labs is a security research group.
Malcolm says all he did was Google an error message and ended up finding a specific link to a Pastebin post. As he investigated further, he stumbled across various pieces of data that paint a picture of what Facebook looks like behind the scenes -- in a digital sense, anyway.
He found what looked to be names, commands, and other "interesting information". As you'll see in an example below, the code probably won't mean much to most people, but letting it roam free on the internet "probably wasn't the smartest move," Malcolm says.
When discussing some of the files (not the image above), Malcolm explains:
"The person who, likely, posted this was 'emir'. This may be the person's first name, or it could be their first initial and then their surname (E. Mir). It's clear this output was intended to be seen by another engineer at Facebook, so posting it on Pastebin probably wasn't the smartest move. This person may have made other slip ups which could make them a target if an attacker sees an opportunity."
Malcolm concedes that his findings don't really pose a direct threat to Facebook, but suggests the resources could do so in extreme circumstances.
He even found Facebook's password for MySQL -- the open source database management system. Crucially, Malcolm says Facebook's servers are heavily firewalled, so the information is effectively useless unless "you manage to break into Facebook's servers."
Overall, lots of people appear simply amazed at how easy it is to see this stuff. One comment on Hacker News says that "while some leaks may not even be effective outside Facebook's internet network, having actual code that may be in production does pose a risk. The possibility to see where, for instance, data isn't fully sanitized, or where information being fetched might not require proper authentication is more worrying".
Another person mentions another source of files. They say: "I'm amazed at how many username or passwords are freely available via GitHub search." The bottom line is, "If you do not want someone to find it - do not publish it online."
Google is laying the groundwork for a version of Android that would be built directly into cars, sources said, allowing drivers to enjoy all the benefits of the internet without even plugging in their smartphones.
The move is a major step up from Google's current Android Auto software, which comes with the latest version of its smartphone operating system and requires a phone to be plugged into a compatible car with a built-in screen to access streaming music, maps and other apps.
Google, however, has never provided details or a timeframe for its long-term plan to put Android Auto directly into cars. The company now plans to do so when it rolls out the next version of its operating system, dubbed Android M, expected in a year or so, two people with knowledge of the matter said.
The sources declined to be identified because they were not authorized to discuss the plans publicly.
"It provides a much stronger foothold for Google to really be part of the vehicle rather than being an add-on," said Thilo Koslowski, vice president and automotive practice leader of industry research firm Gartner, who noted that he was unaware of Google's latest plans in this area.
If successful, Android would become the standard system powering a car's entertainment and navigation features, solidifying Google's position in a new market where it is competing with arch-rival Apple. Google could also potentially access the valuable trove of data collected by a vehicle.
Direct integration into cars ensures that drivers will use Google's services every time they turn on the ignition, without having to plug in the phone. It could allow Google to make more use of a car's camera, sensors, fuel gauge and internet connections that come with some newer car models.
Analysts said Google's plan could face various technical and business challenges, including convincing automakers to integrate its services so tightly into their vehicles.
Google declined to comment.
Technology companies are racing to design appliances, wristwatches and other gadgets that connect to the internet. Automobiles are a particularly attractive prospect because Americans spend nearly 50 minutes per day on average on their commute, according to US Census data.
Apple unveiled its CarPlay software in March and Google has signed on dozens of companies, including Hyundai, General Motors Co and Nissan Motor Co, for its Open Automotive Alliance and its Android Auto product.
Android Auto and CarPlay both currently "project" their smartphone apps onto the car's screen. Many of the first compatible cars with this smartphone plug-in functionality are expected to be on display at the upcoming Consumer Electronics Show in Las Vegas next month and to go on sale in 2015.
By building Android into a car, Google's services would not be at risk of switching off when a smartphone battery runs out of power, for example.
"With embedded it's always on, always there," said one of the sources, referring to the built-in version of Android Auto. "You don't have to depend on your phone being there and on."
Google's software could potentially connect to other car components, allowing, for example, a built-in navigation system like Google Maps to detect when fuel is low and provide directions to the nearest gas stations.
By tapping into the car's components, Google could also gain valuable information to feed its data-hungry advertising business model. "You can get access to GPS location, where you stop, where you travel every day, your speed, your fuel level, where you stop for gas," one of the sources said.
But the source noted that Android would need major improvements in performance and stability for carmakers to adopt it. In particular, Android Auto would need to power up instantly when the driver turns the car on, instead of having to wait more than 30 seconds, as happens with many smartphones.
Automakers might also be wary of giving Google access to in-car components that could raise safety and liability concerns, and be reluctant to give Google such a prime spot in their vehicles.
"Automakers want to keep their brand appeal and keep their differentiation," said Mark Boyadjis, an analyst with industry research firm IHS Automotive. "Automakers don't want to have a state of the industry where you get in any vehicle and it's just the same experience wherever you go."