Lots and Lots of Google Phone Rumors: HTC, Android, and even Yahoo in the mix

The pace of rumors and leaks around the fabled Google Phone is picking up, suggesting that Google is making a real push to launch something early next year and is no longer trying to keep everyone quiet.

Yesterday CrunchGear got confirmation from a senior (and anonymous) HTC exec that they’ve created some twenty devices for Google to test and are shooting for a Q1 2008 launch.

Today Engadget is focused on the operating system side of things. They note that Google quietly acquired Android, a creator of mobile phone operating systems, in 2005. And that the Android team, led by founder Andy Rubin (former cofounder of Danger) is leading the effort to write the Google Phone operating system.

The two rumors fit together nicely. Engadget says Google is likely shopping its OS to handset makers. HTC would certainly be one of the manufacturers that they would be talking to. And the huge success of the iPhone may have spurred Google to kick things into high gear. That would involve adding a lot of new people to the team, and the leaks we’re starting to see are the predictable result.

Google’s effort is different than the iPhone. They look to be focused mostly on the OS and layering Google applications like Maps and Gmail on top of that, while simultaneously talking to device manufacturers about a number of devices. Apple, instead, took a much more holistic approach in creating the iPhone. Google’s product likely won’t appeal to the mainstream audience that the iPhone attracts…but it probably won’t have a $500 price tag, either.

And just to throw another tidbit out there - the HTC exec that was mentioned on CrunchGear yesterday said Yahoo is on a parallel track as Google, and has actually been working on custom phones for longer than Google. We may be seeing a Yahoo phone next year, too.

Facebook Source Code Leaked

We just received a tip that the source code for the Facebook main index page has been leaked and published on a blog called Facebook Secrets. There are at least two possible ways that the source code got out - the first is that a Facebook developer has sent it out, or the more likely option that a security hole or other method has been used on either one of the Facebook servers or in their source code repository to reveal the code. The blog that published the code only has a single post on it, so it was created exclusively to publish this code - meaning that whoever is behind this both isn’t taking credit for the hole and doesn’t want to be associated with it. While there is no certain way to verify if the code is actually from Facebook, by taking a quick look through the code and by double-checking some paths that have been referenced, we can say with some certainty that this seems to be both real and also a recent version of the main Facebook page.

There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited. Since Facebook is a closed source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party will probe the application in an attempt to work out how the application behaves and to try and find potential race conditions. In closed source applications it is common that developers rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.

The second implication with this leak is that the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).

This leak is not good news for Facebook, as it raises the question of how secure a Facebook users private data really is. If the main source code for a site can be leaked, then it can be said that almost anything is possible. Facebook has become such a success and has such a high profile that it has become a magnet for attacks against its systems. Most large scale applications suffer a breach at some point or another, since the odds are always stacked in favor of attackers, but companies can respond in a number of ways and the hope here is that Facebook will handle this situation gracefully. I don’t doubt that Facebook will pursuit this case with a lot of energy to both find the cause of why the code has leaked as well as to find who was responsible. They will also need to take some very quick short term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers pouring through the leaked code and probing their systems. At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.

Update: Facebook have sent us an official response (and Brandee Barker from Facebook has left a comment below): “A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.” It seems that the cause was apache and mod_php sending back un-interpreted source code as opposed to output, due to either a server misconfiguration or high load (this is a known issue). It is also apparent that other pages have been revealed, and that this problem has occured before, but only now has somebody actually posted the code online.