01
Apr 08

New Digs! (Correction)

After publication, I was made aware of some errors in my original post. I have included a corrected version below.

As of today, the Mozilla Toronto office has moved from our building at 20 Richmond to this little out-of-the-way place:

720 Spadina

The CN Tower! 720 Spadina Avenue!

We didn’t want to talk about it until everything was fully settled, but we are now residents of an architectural icon building with a pretty ridiculously excellent view door. Full props to beltzner for scouting out office space, and to ben for orchestrating the move; it’s been a crazy pretty smooth couple of weeks!

Some information about the new office, since it’s a little more noteworthy different than the old one. 🙂

Suite 12811

Q: What is the actual new address?

A: We’re now accepting mail at

Mozilla
301 Front Street, Suite 12811
Toronto, ON
M5V 2T6

Mozilla
720 Spadina Avenue, Suite 218
Toronto, ON
M5S 2T9

Q: Did that say 12811 218?

A: Yep. We’re a loooong way up.

Q: How do I get there?

A: There’s a stairwell. 🙂

Seriously, this can be a bit of a trick the first time is quite straightforward. If you come in through the usual entrance, you’ll be sort of pipelined into the “tourist” sections elevators of the tower. Those elevators won’t will go where you want them to, and the visit will end up costing you significantly more nothing.

Q. Do we get discounts for the tourist areas?

A. We do! As tenants we get basically a pad of discount coupons. Visit us first, and we’ll tear you off a few. No.

Q. What about the view?

A. Oh there’s a view. Of a brick wall. Unfortunately, we only have some cameraphone pictures from our move-in day right now, but we’ll get better ones up soon. In the meantime, here’s a taste.

Gavin checking out a conference room (and missing the view wall):

Closer view through some of the NorthSouth-facing windows (you’ll notice not care that these windows don’t open):

Ahh, April 1.  We really did move, and the new, second floor office in a normal office building really is a big improvement.  The rest though, is a big fat lie (and full credit to madhava for the photo work).  “720 Spadina”, “CN Tower” — the keys are right next to each other.

We regret the error.


01
Apr 08

New Digs!

[This post contained certain errors not caught at press time. Please see the corrected post here.]

As of today, the Mozilla Toronto office has moved from our building at 20 Richmond to this little out-of-the-way place:

CN Tower

The CN Tower!

We didn’t want to talk about it until everything was fully settled, but we are now residents of an architectural icon with a pretty ridiculously excellent view.  Full props to beltzner for scouting out office space, and to ben for orchestrating the move; it’s been a crazy couple of weeks!

Some information about the new office, since it’s a little more noteworthy than the old one.  🙂

Suite 12811

Q: What is the actual new address?

A: We’re now accepting mail at

Mozilla
301 Front Street, Suite 12811
Toronto, ON
M5V 2T6

Q: Did that say 12811?

A: Yep.  We’re a loooong way up.

Q: How do I get there?

A: There’s a stairwell.  🙂

Seriously, this can be a bit of a trick the first time.  If you come in through the usual entrance, you’ll be sort of pipelined into the “tourist” sections of the tower.  Those elevators won’t go where you want them to, and the visit will end up costing you significantly more.

Instead you want to take a hard left when you get in, and follow the signs for “Tower Offices.”  If you get lost, ask one of the tourist reps, they are (unsurprisingly) used to this confusion.  From the office elevators, it’s about a 70 second trip to 128, and we’re the 5th door on the right.

Q. Do we get discounts for the tourist areas?

A. We do!  As tenants we get basically a pad of discount coupons.  Visit us first, and we’ll tear you off a few.

Q. What about the view?

A. Oh there’s a view.  Unfortunately, we only have some cameraphone pictures from our move-in day right now, but we’ll get better ones up soon.  In the meantime, here’s a taste.

Gavin checking out a conference room (and missing the view):
New Office 1

Closer view through some of the North-facing window (you’ll notice these windows don’t open):
New Office 2


17
Mar 08

Should Malware Warnings have a Clickthrough?

In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2:

Ignore this Warning

But that same spot is empty in the malware case (unless you install my magic extension.)  Should it be?  It’s a harder question than it seems, on first blush.

Continue reading →


26
Feb 08

State of the Malware Nation

It’s a couple weeks old, I know, but for anyone who hasn’t seen it, Google’s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they’ve observed in malware hosting and distribution.  Aside from a troubling pre-occupation with CDF graphs, it’s a really interesting look at the way malware networks are spread through the internet.

I found this snippet interesting:

We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* — 61.* and 209.* — 221.* network ranges.

Our results show that all the malware distribution sites’ IP addresses fall into only 500 ASes. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS).  The graph further shows the highly nonuniform concentration of the malware distribution sites— 95% of these sites map to only 210 ASes.

But I think this is the big takeaway:

Malware Landing Site Distribution

Because malware is being distributed via ad networks more and more, it’s no longer safe to assume that you’ll be okay if you just avoid the seedy parts of the net.  And because it’s no longer requiring user interaction in a lot of cases, the old-school “don’t run executables from random websites” best practice might not be enough either.  To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.

And lookit, the Firefox 3 beta is right over here.


23
Jan 08

Being Green, easiness of

As of today’s nightly firefox build, we’ve turned on EV support and activated the Verisign EV root for testing purposes.  What this means is that when you go to sites that have Verisign-issued EV certificates like, say, British Airways, the site-identity button (shall we call it Larry? Yes. Let’s.) will pick up the name of the site owner, all green-like.

I rather suspect this might startle a few of you.

Larry on British Airways

I’ve talked a lot about identity and security in Firefox 3, but some of the actual changes were easy to ignore if you weren’t looking for them.  The site button has been around for a while, with Larry telling you what he knows about a site, but you could choose not to click on him, not to get that information.  A while ago, I mentioned a way to get the EV behaviour ahead of schedule, if you wanted to test, but now those steps are no longer necessary.

So things are going to feel a little weird for a few days.  There are about 4000 EV sites these days (the AOTA has a pretty long list) so you will probably hit a few, and it will probably feel weird.  By all means, open bugs.  The whole reason we’re doing this is to get more sunlight on the code, because it’s required weird custom builds and secret handshakes for too long.

The story goes that when London first introduced street signs, there was significant protest.  They were gaudy, the argument went, and anyhow the locals already knew where they were going.  Many streets in London still don’t have them.  I’m excited about getting feedback into the UI to help users know better who they’re dealing with online, help them orient themselves, and rebuild some of the cues that we all take for granted in the real world.  But like the London signposts, I suspect it’ll take some getting used to.  Especially on Proto. Where it currently looks, as Shaver so eloquently puts it, like the South end of a North-facing horse.


10
Jan 08

Standardizing UI, and other Crazy Ideas

Decision making, by nerovivoStandards make the web go ’round.  I hope it doesn’t come as too much of a surprise that Mozilla cares a lot about standards, or that a significant percentage of the community, myself included, participate in active standards groups, be they W3C, WHATWG, industry consortia, or other.

They are often, to be honest, a slog.  Anything important enough to be standardized is important enough to attract a variety of interests and motivations, and being in the middle of multiple, divergent forces can be just as fun as it sounds.  They are usually noble slogs, though.  An open web needs a set of linguas franca. As it matures, people invent new creoles to express new ideas, and so our standards need to constantly evolve and add that new wealth to the growing lexicon of awesome.

A little while ago though, the W3C decided to try something sort of odd.  They formed up a working group to look at standardizing security UI.

Standardizing. UI.

To anyone who has designed a user interface, that sort of feels like standardizing art. Not that we are quite so full of hubris as to imagine ourselves Caravaggios, but UI design is a complex interplay of functionality, ergonomics, and subjective experience.  There are general principles, sure, but it’s a very different beast from, say, CSS2 margin properties, where everyone can at least agree that there ought to be a single correct result, even if they disagree about what that result should be or how to obtain it.

Nevertheless, boldly forth they have gone and established the Web Security Context working group with a pretty broad charter. Capturing current best practice is certainly fair game, but it is equally permissible for the group to try to move the state of the art forward.  We’re active members, as are Opera and Konqueror (though not Apple or MS), but like most standards bodies, the group includes folks from academia, from other companies, and from various interested groups as well.

This workgroup has put out its First Public Working Draft (FPWD), which means I have two things to ask you, or maybe ask of you.  In marketing, I believe they call this the Call to Action, so if you were looking for it, here it is!

The first thing I would ask, if you are at all interested, is that you to read it and remark upon it.  The group needs public comment, and you fabulous people are ably placed to provide it.

This first draft was kept deliberately inclusive, to make sure that the majority of recommendation proposals got public airings. So if your main criticism is just “too much,” that is unsurprising, but still welcome, feedback.

The second thing is harder.

We participate in this group for all the reasons mentioned above, and I personally take that participation seriously.  Even on the sketchy topic of standardized UI, I think there’s potential. A document which all browsers conform to as a baseline guide, which says things like “Don’t let javascript arbitrarily resize windows, because it lets this spoofing attack happen,” is a valuable one.  At Mozilla, we talk about things like making the mobile web a better place, for example. One thing we can do right up front in that world is spare this new generation of browser implementors (and their users!) from rediscovering our mistakes the hard way.  This standard could help do that.

But this draft is also defining new UIs, new interactions, new metaphors for online browsing.  The academics in the group have offered to gather usability data on several proposed recommendations, but at a fundamental level, I have asked the group a couple times whether it’s right to use a standard to do this kind of work at all.  I think several of the proposed requirements sound like interesting, probably fruitful UI experiments.  But that’s not the same as “Standards-compliant user agents MUST …”

My second question is this: as members of the Mozilla community, is this an effort that you want me (or people like me) participating in, and helping drive to final publication?

I’m still engaged on the calls and the mailing list – I still see good things coming out of the group, and I have my own opinions about how to best contribute.  But as an employee of Mozilla, I feel an obligation to steward my own resources responsibly, and to expend them on things that the community finds valuable, so it’s important for me to hear how people feel about the value of this work.

Opinions? Suggestions? Funny anecdotes?


13
Dec 07

What happens when your job is also a hobby?

I took a vacation day yesterday, since I had a bunch of appointments piling up, and figured it would be best to just blitz.  In the evening, I was sort of fiddling around, and built this:

PDB v1

It’s probably only interesting to people who find performance monitoring interesting, but I like having it around, even in its very rough condition.  I would love to include the Talos graphs in there, since Talos data is a lot more relevant than the oldschool tests, particularly around pageload.  Nevertheless, it beats clicking a hundred different links off the tinderbox waterfall, and it was a fun excuse to play with a tiny bit of jQuery too.

Johnath’s Performance Dashboard – Trunk

[PS – NSID Day 12 – pretty damned shaggy.  Itch might be subsiding though!]


23
Nov 07

Security Tidbits

How am I going to find a blog pic that talks about 'security' and 'donuts'.  Oh, that was easy.Tidbits, mind you, not Timbits.  Every time I’m dealing with non-Canadians in Canada, and they refer to “donut holes” when they clearly mean “Timbits,” I have a moment where I feel sort of embarrassed for them. Like they just said they were going to nip up the old gorn and scumbles for some hennylummers. Like they are hopelessly antiquated.  And then I remember that “Timbit”, like “Kleenex”, “Xerox” and “100% Beef,” is just a corporatism, and truly it is I who should feel ashamed. And I do. On with the show.

SSL Error Pages

Yes, again.  But just a quickie.  When I land bug 402207 later today, it will slightly change the way adding a security override works.  You’ll still have the option to add an exception when you visit a site with unverified security, but whereas recently the dialog that popped up would auto-fetch the certificate for you, it will now pre-populate the url, but make you fetch the certificate yourself.

This isn’t just a stupid attempt to annoy users more, it’s an attempt to make it easier to understand what’s going on.  The behaviour of our exception adding is now controlled by a preference named:

browser.ssl_override_behavior

With three values:

  • 0 = Don’t pre-populate the site URL or pre-fetch the certificate
  • 1 = Pre-populate the URL, but don’t pre-fetch the certificate (New default)
  • 2 = Pre-populate and pre-fetch (Old default)

Doing this means that the dialog has less text when users first see it, meaning users might be more inclined to actually read it.  It also don’t have an obvious one-click path, the user needs to fetch the certificate (at which point the problems will show up) and then add the exception.

Users who want to fast track the process because they know what they’re doing can just switch that to “2”, and users (or possibly IT departments deploying Firefox internally) might also choose to set it to 0 to compel more user interaction before trust is given to an unverified site.

EV Support

For all the talk about Larry and EV certificates, people might be wondering when they’ll start seeing them.  In a funny sort of way, they’re already there – all the code to DO stuff is there, but we don’t yet have any authorities “blessed” as being EV issuers.  So that code is idle at the moment.

Kai has now finished up bug 404592 though, which means testers on nightlies can turn on EV trust by setting an environment variable.  To see EV treatment on your (post-beta1) nightly, just run with:

NSS_EV_TEST_HACK=USE_PKIX

I won’t go into detail about how to set environment variables, because this only matters in the very short term anyhow, but for those who are fluent in this underworld machination, doing so will prematurely bless the Verisign EV root.  This doesn’t mean anything about Mozilla and Verisign and what certs will be trusted in Firefox 3, it’s purely a testing contrivance.  Live sites with Verisign EV certs include Paypal and eBay. Once we have at least one EV root in the trusted list, this hack won’t be necessary, and Larry will truly be free to roam.

[Update: It took one minute – sixty terran seconds – for google to index this blog and give me sole possession of the googlerank for ‘hennylummers.’  Spooky.]