<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>meandering wildly</title>
	<atom:link href="http://blog.johnath.com/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.johnath.com</link>
	<description>johnath in blog form</description>
	<pubDate>Wed, 02 Jul 2008 19:06:03 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.5.1</generator>
	<language>en</language>
			<item>
		<title>The Most Important Thing</title>
		<link>http://blog.johnath.com/index.php/2008/07/02/the-most-important-thing/</link>
		<comments>http://blog.johnath.com/index.php/2008/07/02/the-most-important-thing/#comments</comments>
		<pubDate>Wed, 02 Jul 2008 19:06:03 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Speaking]]></category>

		<category><![CDATA[Video]]></category>

		<category><![CDATA[Work]]></category>

		<category><![CDATA[Writing]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=127</guid>
		<description><![CDATA[&#8230; or How Mozilla Does Security and What You Can Steal
As promised last week, I have now put my presentation slides for my talk at FIRST2008 online.  I&#8217;ve also put up a video I recorded of a dry-run through the slides, in case you want to experience the talk, and not just read it.
Slides (CC-BY-SA):

PDF
PDF [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://flickr.com/photos/hiddedevries/599606659/"><img class="alignright" style="margin: 10px; float: right;" src="http://farm2.static.flickr.com/1368/599606659_fe8bb645a2_m.jpg" alt="Microphone by hiddedevries on flickr" width="240" height="180" /></a>&#8230; or <strong>How Mozilla Does Security and What You Can Steal</strong></p>
<p>As <a href="http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/">promised last week</a>, I have now put my presentation slides for my talk at <a href="http://www.first.org/conference/2008/">FIRST2008</a> online.  I&#8217;ve also put up a video I recorded of a dry-run through the slides, in case you want to <em>experience</em> the talk, and not just read it.</p>
<p>Slides (CC-BY-SA):</p>
<ul>
<li><a href="http://people.mozilla.org/~johnath/presentations/Security%20Architecture.v04.pdf">PDF</a></li>
<li><a href="http://people.mozilla.org/~johnath/presentations/Security%20Architecture.v04-notes.pdf">PDF with speaking notes</a></li>
<li><a href="http://people.mozilla.org/~johnath/presentations/Security%20Architecture.v04.key.zip">Original Keynote Files</a></li>
</ul>
<p>Video (CC-BY-SA):</p>
<ul>
<li><a href="http://people.mozilla.org/~johnath/presentations/FIRST-run1.mov">Quicktime .mov format</a> (52M - recommendations for compression?)</li>
</ul>
<p>Thanks again to Mike Shaver for helping me put these slides together, and to all the people who reviewed them ahead of time.  I really enjoyed this talk, and hope to give it again - as I&#8217;ve said many times before, we have learned a lot of lessons the hard way; we should be sharing that experience broadly, since we&#8217;re one of the few organizations that can.</p>
<p>I would love any edits or suggestions for the slides themselves, or my presentation of them.  I&#8217;ll also accept offers of exciting cash and prizes to give this talk at your campus/company/private island.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/07/02/the-most-important-thing/feed/</wfw:commentRss>
<enclosure url="http://people.mozilla.org/~johnath/presentations/FIRST-run1.mov" length="54469436" type="video/quicktime" />
		</item>
		<item>
		<title>How to Make Good (Beer) Bread</title>
		<link>http://blog.johnath.com/index.php/2008/06/29/how-to-make-good-beer-bread/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/29/how-to-make-good-beer-bread/#comments</comments>
		<pubDate>Mon, 30 Jun 2008 03:18:15 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Food]]></category>

		<category><![CDATA[Life]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=126</guid>
		<description><![CDATA[A lot of people have asked for this recipe, and I keep promising to write it down, so here goes.  You can use any kind of beer, and get a wonderful variety of colours and flavours, but I tend to prefer it with dark ales; they give the bread a darker crumb like a [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of people have asked for this recipe, and I keep promising to write it down, so here goes.  You can use any kind of beer, and get a wonderful variety of colours and flavours, but I tend to prefer it with dark ales; they give the bread a darker crumb like a rye bread, and have a really malty, yeasty flavour that I like.  Really hoppy beers do a totally different thing, you should experiment.</p>
<p>I can&#8217;t take any credit for this at all - it&#8217;s how the French have made bread for 500 years, I suspect (albeit more often with water than beer.)  It takes about 15 minutes of active work (most of it up front), 30 minutes of baking (all of it at the end) and hours in between when you go and do other things.</p>
<p><strong>Ingredients:</strong></p>
<ul>
<li>1lb flour (white, whole wheat, whatever turns your crank.  I have pretty good success starting with about 10-14oz unbleached white flour, and topping up with whole wheat, but going all white flour is the classic french bread recipe) plus some for working.</li>
<li>One 12oz bottle of beer (or, I suppose, 12oz of water).</li>
<li>2tsp salt</li>
<li>1tsp instant yeast (if you buy the traditional yeast instead of instant, I presume you already know how to activate it)</li>
</ul>
<p><strong>Method in Brief:</strong></p>
<ul>
<li>Combine dry ingredients</li>
<li>Stir in beer</li>
<li>Knead</li>
<li>Cover, let rise for at least 1 hour</li>
<li>Punch down the dough, re-cover.  Let rise for at least 2 hours or refrigerated overnight</li>
<li>Pre-heat oven to 450F</li>
<li>Form dough into loaf, slash top, dust lightly with flour</li>
<li>When dough is placed in oven, spray oven surfaces with water, or throw in two ice cubes</li>
<li>Bake for 25-30min or until the crust is nicely browned.  Let stand for at least 15 minutes.</li>
</ul>
<p><strong>Method with Narrative (and an explanation of the ice cubes):</strong></p>
<p>Mix the flour, salt, and yeast in a bowl that you think is too big.</p>
<p>Pour in the beer.  It helps if the beer is not ice cold, since that will really slow down the yeasties.  If you didn&#8217;t think to take the beer out earlier, no worries, just run it under a warm tap until it&#8217;s no longer cold to the touch.  This is not an exact science, nor should you treat it as such.</p>
<p>Mix with a spoon until the ingredients are combined.  This will be a really sticky dough.  It will make you sad the first couple times, until you learn to recognize the goodness it portends.</p>
<p>Sprinkle some flour on a countertop or other largish surface, and dump the dough out on to it.  Remove any rings or watches.</p>
<p>Now you&#8217;re going to knead the dough.  If you&#8217;ve never kneaded before, it&#8217;s easy.  Your job is basically to keep mooshing the proteins in the flour past one another so that there is ample opportunity for them to link up into chains called &#8220;gluten&#8221;.  Gluten is what gives bread its elasticity.  If you are not accustomed to thinking of bread as &#8220;elastic&#8221;, think about how a slice of bread deals with mashing and stretching (i.e. by mashing and stretching) vs. how a slice of cake does (i.e. by crumbling).  Flour mixtures all tend to form gluten.  Things like kneading help it out (which is why you do it with bread doughs and not cake doughs), things like fat hinder it (which is why you add things like shortening to cake - so-called because it &#8220;shortens&#8221; the dough, i.e. breaks up the gluten chains).</p>
<p>Kneading is also a nice analog process for getting the flour:beer ratio right, since your natural stickiness aversion will tend to have you adding sprinkles of flour as you work the dough and the surface becomes sticky again and again.  To knead, use your fingers, knuckles, or palms to stretch the dough out along one axis, then fold it over on itself and repeat.  When it gets too sticky to work with (try to keep it as sticky as you can stand) add more flour.  You don&#8217;t have to do this for long, 5-10 minutes is probably fine.  When you&#8217;re done, you&#8217;ll see a difference in the dough ball: if you stretch it a little, it will bounce back mostly into shape.</p>
<p>You&#8217;ve basically done the hard work.</p>
<p>Throw the dough ball into a big bowl.  If you&#8217;re clever, you will have really lightly oiled the bowl first (not like a muffin pan or anything, just a shot of Pam, or a dab of canola oil swooshed around on a paper towel) because it will make the dough easier to remove later.  Throw a dishcloth over the bowl and leave it somewhere warm in your kitchen to think about life.  If your oven is a newer one with a &#8220;Proof&#8221; setting, now is when you can use it.</p>
<p>You don&#8217;t want to cook the dough here, you just want the yeasties to be at a happy temperature.  In case you weren&#8217;t clear, yeast are little, edible, live fungi that eat sugars in flour (among other things) and leave alcohol and carbon dioxide gas as well as a host of mostly nice-tasting things in their wake.  The alcohol is mostly incidental for our purposes here, though there is a delightful symmetry in the fact that we&#8217;re mixing beer (grains + yeast + water = alcohol and incidentally CO<sub>2</sub>) and bread (grains + yeast + water = CO<sub>2</sub> and incidentally alcohol).  Point is, these guys will work through the flour making little bubbles as they go, which give our bread the ability to rise.  Very exciting.</p>
<p>After an hour or two, your dough will have doubled in size.  The only problem with cooking it right now is that your bubbles will not be evenly distributed.  You&#8217;ll probably actually have a couple giant bubbles that will lead to silly looking bread.  And anyhow, that&#8217;s not actually the only reason - giving the yeast more time also lets them develop more interesting flavours.</p>
<p>What you CAN do after an hour (or two, or three, this is not an exact science) is what bakers call &#8220;punching down.&#8221;  You can leave the dough in the bowl, but basically what you want to do is re-distribute the bubbles through the dough, and bust up any big ones.  Just rotate the bowl around, folding the edge back towards the center until you&#8217;ve got a ball again without any obvious giant bubbles.  It will lose some of its newfound volume too, that&#8217;s okay.  The yeasties still have plenty to work with.</p>
<p>What you do now is up to you.  You could wait another hour and bake it and have tasty bread.  You could go out for the afternoon and then bake it for dinner and have very tasty bread.  Personally, I do this on a Saturday, with an eye to baking it on Sunday, so I give it the rest of the day to rise, and then I&#8217;ll generally punch it down a second time and put it in the fridge overnight.  By Sunday dinner, I have me some outstandingly tasty bread.  Again, I&#8217;m not taking credit, the recipe is as old as the hills.  But ask around, my Sunday night bread kicks ass.  Anyhow, <em>time passes.</em></p>
<p>Your dough should be room temperature when you go to bake it which is trivial unless you&#8217;ve gone for the (highly recommended!) overnight rise in the fridge.  Why not just leave it to rise overnight, out of the fridge, I hear you ask?  By all means, give it a shot.  It will rise a <strong>lot</strong>, and the surface will feel like silk, and it will be nearly impossible to handle (think about trying to form a loaf out of steam, say).  But I admire your moxie.</p>
<p>Every time you manipulate your dough, some of the bubbles will collapse.  They&#8217;ll come back as long as there is anything else for your yeast to eat (which there will be), so don&#8217;t worry, but it does mean that you don&#8217;t really want to be doing any dough manipulation immediately before baking.  I deal with this by forming the loaf and putting it on a sheet of parchment for the final rise, since parchment can go directly into the oven.  Pro-tip: wax paper is not parchment.</p>
<p>This is a French bread recipe, so you want to bake it on a stone or, failing that, a cookie sheet.  You don&#8217;t put this in a loaf pan.  That means that you have considerable flexibility on the size and shape of your loaf.  You can sort of just plop your bread ball down and make a round &#8220;boule&#8221; loaf, or you can form it into the standard french-stick ellipsoid.  The only trick here is to try to ensure that the &#8220;skin&#8221; of the loaf, the soon-to-be-crust, is stretched nicely instead of lying slack.  To do that, as you&#8217;re shaping it, curl the sides of the loaf down under itself, so that the top skin stretches.  This is easier to do than to describe - you&#8217;ll get the hang of it.</p>
<p>Heat your oven to 450F (convection ovens are yay, and will generally be smart enough to re-interpret that as 425F since they do a better job of baking.  If yours doesn&#8217;t, help it out.)  If you have a baking stone, it should obviously be in there too.  When the oven is hot, right before putting the bread in, slash the top a few times and dust it with a little more flour.  Not only does this give it a classic look, but it also lets the bread rise more evenly as the bubbles expand in the heat.</p>
<p>Right after you put it in the oven, throw in a few ice cubes.  Not on the bread, just anywhere in the oven.  <strong>The ice cubes are key.</strong> They will form steam, and the steam will condense on the dough, since the dough is cooler than the air in the oven.  In the process, the steam gives up some heat to the surface of the dough.  This makes for very happy crusts, and is the difference between people thinking you cooked bread, and people thinking you are super-awesome.</p>
<p>5 minutes in, you can throw a few more ice cubes in, to finish the job. Be careful when you open the oven door, that steam is going to try to have a party on your face.</p>
<p>Total baking time is about 25 minutes, though I generally have to give whole wheat dough a little bit longer to get a good crust going.</p>
<p>Take it out when it&#8217;s ready, put it on some kind of rack to cool.  If you put your ear up next to it, you will hear the signature sound of bread - a crackling as it cools, that makes my mouth water just thinking about it.</p>
<p>Cut thick slices.  Use real butter.  Marvel at how something so easy can taste so good.  I know there&#8217;s a lot of words there, but by the third time you do this, it is easier and more rewarding than just about anything else you&#8217;ll do in your kitchen.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/29/how-to-make-good-beer-bread/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Security Screencast(s)</title>
		<link>http://blog.johnath.com/index.php/2008/06/26/security-screencasts/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/26/security-screencasts/#comments</comments>
		<pubDate>Thu, 26 Jun 2008 17:04:13 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Commentary]]></category>

		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Phishing &amp; Malware]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Speaking]]></category>

		<category><![CDATA[Usability]]></category>

		<category><![CDATA[Video]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=125</guid>
		<description><![CDATA[As Alix mentions, I recently put together a quick screencast of some of the new security features in Firefox 3.  Of course, beltzner promptly scooped me with his own inimitable screencast, and what with the launch, it&#8217;s only now that I&#8217;m getting around to posting mine.
What&#8217;s interesting to me, though, is the difference between [...]]]></description>
			<content:encoded><![CDATA[<p>As <a href="http://blogmag.net/blog/read/79/Firefox_3_screencasts">Alix mentions</a>, I recently put together a quick screencast of some of the new security features in Firefox 3.  Of course, beltzner promptly scooped me with his <a href="http://www.beltzner.ca/mike/archives/2008/06/whats-new-in-fi.html">own inimitable screencast</a>, and what with the launch, it&#8217;s only now that I&#8217;m getting around to posting mine.</p>
<p>What&#8217;s interesting to me, though, is the difference between what I originally recorded, and what Alix published.  I recorded the raw screencast using <a href="http://www.jingproject.com/">Jing</a>, which is a simple, free screencasting tool for Mac and Windows.  It caps you at 5 minutes, and records as flash, but it&#8217;s super easy to use, and screencast.com will host the resultant video for you.  You can see what I recorded here:</p>
<p><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="769" height="635"><param name="movie" value="http://content.screencast.com/bootstrap.swf"></param><param name="quality" value="high"></param><param name="bgcolor" value="#FFFFFF"></param><param name="flashVars" value="thumb=http://content.screencast.com/media/5058e2be-67b2-4410-970f-b824f39565eb_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_Thumbnail.gif&#038;content=http://content.screencast.com/media/efa75122-cf4a-43fb-8311-d6dfb3d644b0_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_2008-05-26_2224.swf&#038;width=769&#038;height=635"></param><param name="allowFullScreen" value="true"></param><param name="scale" value="showall"></param><param name="allowScriptAccess" value="always"></param>  <embed src="http://content.screencast.com/bootstrap.swf" quality="high" bgcolor="#FFFFFF" width="769" height="635" type="application/x-shockwave-flash" allowScriptAccess="always" flashVars="thumb=http://content.screencast.com/media/5058e2be-67b2-4410-970f-b824f39565eb_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_Thumbnail.gif&#038;content=http://content.screencast.com/media/efa75122-cf4a-43fb-8311-d6dfb3d644b0_c201f197-9e8a-4f0e-981b-250e6350a42f_static_0_0_2008-05-26_2224.swf&#038;width=769&#038;height=635" allowFullScreen="true" scale="showall"></embed></object></p>
<p>But then I handed it off to Alix and David and Rainer, and they turned my 5 minutes of low production values into 2 minutes of edited, titled video, with helpful visuals!  See if you notice the difference&#8230;</p>
<p><object width="400" height="302"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://www.vimeo.com/moogaloop.swf?clip_id=1202525&amp;server=www.vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" /><embed src="http://www.vimeo.com/moogaloop.swf?clip_id=1202525&amp;server=www.vimeo.com&amp;show_title=1&amp;show_byline=1&amp;show_portrait=0&amp;color=&amp;fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="302"></embed></object><br /><a href="http://www.vimeo.com/1202525?pg=embed&#038;sec=1202525">Firefox 3: Security</a> from <a href="http://www.vimeo.com/firefox?pg=embed&#038;sec=1202525">Mozilla Firefox</a> on <a href="http://vimeo.com?pg=embed&#038;sec=1202525">Vimeo</a>.</p>
<p>As promised in <a href="http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/">my last post</a>, I&#8217;ll soon be posting yet another video, this time an hour long talk I gave at FIRST.  And then, I think, no more blatant self-promotion for a couple weeks, eh?</p>
<p>Have you installed <a href="http://getfirefox.com">Firefox 3</a> yet?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/26/security-screencasts/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Hello Vancouver! Briefly!</title>
		<link>http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/#comments</comments>
		<pubDate>Mon, 23 Jun 2008 16:20:58 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Commentary]]></category>

		<category><![CDATA[Finance]]></category>

		<category><![CDATA[Life]]></category>

		<category><![CDATA[Linkage]]></category>

		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Photography]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Speaking]]></category>

		<category><![CDATA[Usability]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=124</guid>
		<description><![CDATA[A quick note, to any Vancouverites that may be interested, that I will be in town on Wednesday to speak at the FIRST 2008 conference.  The title of the talk is &#8220;The Most Important Thing - How Mozilla Does Security, and What You Can Steal.&#8221;  If you&#8217;re attending the conference, I hope I&#8217;ll [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright" style="margin: 10px; float: right;" src="/images/first-van-08.gif" alt="" width="289" height="138" />A quick note, to any Vancouverites that may be interested, that I will be in town on Wednesday to speak at the <a href="http://first.org/conference/2008/">FIRST 2008</a> conference.  The title of the talk is &#8220;<strong>The Most Important Thing - How Mozilla Does Security, and What You Can Steal</strong>.&#8221;  If you&#8217;re attending the conference, I hope I&#8217;ll see you there.  Once the conference is over, I&#8217;ll post my slides and a video of a presentation dry-run, in case anyone is interested.</p>
<p>I had a lot of help from several people, most notably <a href="http://shaver.off.net/diary/">Shaver</a>, in putting this presentation together; my goal is to keep adapting it and ideally get other people giving it as well.  Security is something that the Mozilla project has a lot of experience with, and a lot to be proud of.  It is important to our mission that we share that expertise. Even when what we&#8217;re saying isn&#8217;t new (&#8220;have unit tests&#8221;), the fact that we have achieved the success we have lets us be a proof point for people trying to make change in their own projects (&#8220;Mozilla didn&#8217;t think code review was too time-intensive.&#8221;)</p>
<p>I may not be an official member of the <a href="http://shaver.off.net/diary/2007/11/15/on-evangelism/">evangelism team</a>, but I will do whatever I can to encourage more people in our community to take their knowledge outbound.  We are doing crazy awesome stuff here (how many IT people, on the planet, have dealt with what <a href="http://blog.mozilla.com/justin/">Justin</a>&#8217;s team has?) and we should consider it an obligation to spread that knowledge around.  Heck, that&#8217;s actually sort of what my talk is about.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/23/hello-vancouver-briefly/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Firing Up Browser Security</title>
		<link>http://blog.johnath.com/index.php/2008/06/21/firing-up-browser-security/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/21/firing-up-browser-security/#comments</comments>
		<pubDate>Sat, 21 Jun 2008 14:18:51 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Linkage]]></category>

		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Phishing &amp; Malware]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Speaking]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=123</guid>
		<description><![CDATA[Window and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we&#8217;ve made in Firefox 3.  It covers both front-end and back-end information, and mentions several changes that I haven&#8217;t had a chance to mention here in the past.
If you&#8217;re interested, check it out.
[PS - Full [...]]]></description>
			<content:encoded><![CDATA[<p><a title="r80o's flickr page" href="http://flickr.com/photos/r80o/5549288/"><img class="alignright" style="margin: 10px; float: right;" src="http://farm1.static.flickr.com/3/5549288_ee8741271f_m.jpg" alt="Low Flying Dogs on Flickr" width="240" height="239" /></a><a href="http://www.dec.net/ws/">Window</a> and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we&#8217;ve made in Firefox 3.  It covers both front-end and back-end information, and mentions several changes that I haven&#8217;t had a chance to mention here in the past.</p>
<p>If you&#8217;re interested, <a href="http://www.securityfocus.com/columnists/475">check it out</a>.</p>
<p><small>[PS - Full props to <a href="http://flickr.com/photos/r80o/5549288/">r80o</a> on flickr - this is a pretty excellent photo for "caution", and CC too!]</small></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/21/firing-up-browser-security/feed/</wfw:commentRss>
		</item>
		<item>
		<title>It&#8217;s Ready.</title>
		<link>http://blog.johnath.com/index.php/2008/06/12/its-ready/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/12/its-ready/#comments</comments>
		<pubDate>Thu, 12 Jun 2008 13:51:35 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=122</guid>
		<description><![CDATA[Firefox 3 will be released Tuesday, June 17th.  This is indescribably exciting for us here at Mozilla, we are all quite giddy in our excitement places.  If you would like to share in this joy, I recommend the following 5 step regimen:

Go read the Deb Richardson&#8217;s unbelievable Field Guide to Firefox 3, so you can [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Victory!" href="http://www.flickr.com/photos/8345192@N03/2571283860/"><img class="alignright" style="margin: 10px; float: right;" src="http://farm4.static.flickr.com/3027/2570543371_bb527f5413_m.jpg" alt="Victory Poster" width="180" height="240" /></a><a title="Firefox 3 Release Announcement" href="http://developer.mozilla.org/devnews/index.php/2008/06/11/coming-tuesday-june-17th-firefox-3/">Firefox 3 will be released Tuesday, June 17th</a>.  This is indescribably exciting for us here at Mozilla, we are all quite giddy in our excitement places.  If you would like to share in this joy, I recommend the following 5 step regimen:</p>
<ol>
<li>Go read Deb Richardson&#8217;s unbelievable <a title="Field Guide to Firefox 3" href="http://www.dria.org/wordpress/archives/2008/06/12/655/">Field Guide to Firefox 3</a>, so you can see what all the hubbub is about.</li>
<li>Go watch Mike Beltzner&#8217;s magnificent-yet-brief <a title="Introduction to Firefox 3 features" href="http://www.beltzner.ca/mike/archives/2008/06/whats-new-in-fi.html">Intro to Firefox 3 features screencast</a>, to set your pots a boilin&#8217;.</li>
<li>Go view John Slater&#8217;s profoundly triumphant post of the new Firefox 3 <a title="Victory!" href="http://www.intothefuzz.com/2008/06/11/victory/">Victory Poster</a>, to adorn your walls and windshields.</li>
<li>Go sign yourself up to participate in the life-alteringly spectacular Download Day, your one best chance to <a title="Set a world record with Firefox" href="http://www.spreadfirefox.com/worldrecord/">be part of a Guinness World Record</a> that doesn&#8217;t involve putting bees up your nose.</li>
<li>Go <a title="Mozilla Party Central" href="http://mozillaparty.com/">find yourself a party</a> full of people every bit as frothy as we are.</li>
</ol>
<p>Can I get an &#8220;Amen!&#8221; people?</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/12/its-ready/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Party Planning Tips</title>
		<link>http://blog.johnath.com/index.php/2008/06/05/party-planning-tips/</link>
		<comments>http://blog.johnath.com/index.php/2008/06/05/party-planning-tips/#comments</comments>
		<pubDate>Thu, 05 Jun 2008 15:52:01 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Life]]></category>

		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=120</guid>
		<description><![CDATA[Y&#8217;all.
It is time for us to be planning up some parties.  Firefox 3 is just around the corner and we have thusly undertaken to begin populating Mozilla Party Central.  I invite you to do likewise - join an existing one, or start your own!
If it helps you in your planning, the Firefox search bar knows [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;">Y&#8217;all.</p>
<p style="text-align: left;">It is time for us to be planning up some parties.  Firefox 3 is just around the corner and we have thusly undertaken to begin populating <a title="Mozilla Party Central, y'all" href="http://mozillaparty.com/">Mozilla Party Central</a>.  I invite you to do likewise - join an existing one, or start your own!</p>
<p style="text-align: left;">If it helps you in your planning, the Firefox search bar knows things.  Important things.</p>
<p style="text-align: center;"><a title="1 keg in pints, y'all" href="http://www.google.com/search?q=1+keg+in+pints"><img src="/images/keg-in-pints.png" alt="1 keg in pints" width="373" height="281" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/06/05/party-planning-tips/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Mal-what?  Firefox 3 vs. Bad People</title>
		<link>http://blog.johnath.com/index.php/2008/05/21/mal-what-firefox-3-vs-bad-people/</link>
		<comments>http://blog.johnath.com/index.php/2008/05/21/mal-what-firefox-3-vs-bad-people/#comments</comments>
		<pubDate>Wed, 21 May 2008 16:23:24 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Phishing &amp; Malware]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Usability]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=119</guid>
		<description><![CDATA[A lot of the things I write here are for geeks.  That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times.  Sorry about that, and thanks for sticking with me.
With Firefox 3 on the cusp of the precipice of the knife’s [...]]]></description>
			<content:encoded><![CDATA[<p>A lot of the things I write here are for geeks.  That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times.  Sorry about that, and thanks for sticking with me.</p>
<p>With Firefox 3 on the cusp of the precipice of the knife’s edge of <a title="Release Candidate 1 available for download" href="http://developer.mozilla.org/devnews/index.php/2008/05/16/firefox-3-release-candidate-now-available-for-download/">release</a>, though, I wanted to stop pretending that everyone reads the same articles I do and talk about one of the many, really concrete things we’re doing to keep our users, like you, safe.  There will be graphs.</p>
<p><span id="more-119"></span></p>
<p><strong>The Age of Dorks</strong></p>
<p>In <a href="http://www.amazon.ca/gp/product/1594201501?ie=UTF8&amp;tag=httpblogjohna-20&amp;linkCode=as2&amp;camp=15121&amp;creative=330641&amp;creativeASIN=1594201501">Gang Leader For A Day</a>, Sudhir Venkatesh writes about the embarrassment inner city drug dealers feel when they see what passes for a “gang” out in the suburbs; little more than young kids with nothing better to do than smash windows for the fun of it.  That’s what internet crime was in the early days.  The typical criminal might have looked a little different, and the typical crime a little more confusing, but the net effect was about the same: some people, particularly people who visited the wrong parts of town, were victimized in relatively unexciting ways.  Maybe a sensitive email got forwarded around to your coworkers by a <em>mysterious hacker</em>.  Maybe your computer started acting funny.  Ho hum.</p>
<p><strong>There Goes the Neighbourhood</strong></p>
<p>After a while, your less geeky friends started getting online.  Words like “online banking” stopped sounding like something out of a bad movie.  Everything started getting the letter ‘e-’ attached to it.  Most importantly, there started to be money.  Money begets lots of fun things, like Diet Black Cherry Vanilla Dr. Pepper and Turtle Wax.  But it also begets crooks.</p>
<p>In terms of crime (okay, e-crime), the e-crooks were still mostly e-clueless, because they were still mostly e-newbies.  They weren’t very efficient, they weren’t very organized, they were actually pretty dumb.  But the internet was also wide open and didn’t have a lot of rules.  Ask an <a title="Wikipedia on Bison Hunts" href="http://en.wikipedia.org/wiki/American_Bison#19th_century_bison_hunts">American Bison</a> how that heady mix tends to play out.</p>
<p>So this legion of idiots started ruining it for everyone: they started spamming, because the internet made it cheap; they started defacing web sites of Fortune 500 companies and world governments, because the internet made it easy; and they started mass-mailing bank fraud, “phishing,” because the internet made it hard to stop.</p>
<p>Phishing is those emails you see every day telling you that your bank account will be closed for some reason unless you log in <em>right away</em>.  Of course, the link in the email doesn’t take you to your bank, but to a clever forgery that steals your login details, and then uses them to steal your money.  It’s not a trick you would fall for in real life, because a criminal would have trouble setting up shop in your actual bank branch, but online, it can be hard to tell your bank’s real web site from one of these fakes.  Firefox 3 includes <a title="Deb on the Site Identity Button" href="http://www.dria.org/wordpress/archives/2008/05/06/635/">some features to help you do that</a>, but really, it would be far better to just not go there in the first place.  That’s why we keep a list of known phishing sites in the browser, and warn you when you’re about to visit one.  We’ve done that since Firefox 2; maybe you’ve even seen one of our warning messages.  If not, well&#8230; that&#8217;s good!</p>
<p><strong>The Heavies</strong></p>
<p>The internet isn’t new any more.  We don’t bother pasting “e-” to the front of everything, because the fact that a service is available online isn’t exceptional any more.  That’s really fantastically awesome, as far as I’m concerned, but there’s a catch.  The really bad people out there, the ones who were already making money doing really bad things in the real world, don’t dismiss the internet as a passing fad any more.  There are ways for them to make real money online now: protection rackets extorting online casinos or major web sites for hundreds of thousands of dollars; selling 10,000 hacked computers to a major spam operation so that they can evade filters; enslaving millions of computers to click ads all day in order to scam ad companies.  The legion of idiots is making way for genuine organized crime, and it sucks.  The way they’re running a lot of these operations is with a thing called malware.</p>
<p>Malware (<a title="stopbadware.org on malware/badware" href="http://www.stopbadware.org/home/help">think “software”, but bad</a>) is the name we give to web sites and software that try to take over your computer, in order to do bad things, in the service of bad people.  Sometimes they use the old trick of getting you to run the program yourself - promising screensavers or greeting cards or otherwise nice-sounding things.  More and more though, they’re trying to attack you through the web sites you visit.  Here’s one way it can work:</p>
<ol>
<li>You visit a web site that you trust - maybe a <a href="http://www.theonion.com">news site</a>, or an <a href="http://www.englishcut.com/">interesting blog</a>.</li>
<li>Unbeknownst to you (Aside: do we ever talk about things being knownst?  “Knownst to me, this bagel contained bagel.” Anyhow&#8230;) Unbeknownst to you, the malware guys have injected some new code into the website.  They can do this by hacking the site, or by buying “ad space” as a way to get their content in there.</li>
<li>As soon as you load the page, this code starts trying to attack your computer by exploiting some unpatched security hole.  In fact, it will try hundreds of attacks, looking for any weakness.  This can happen in seconds, and invisibly, while you read about the rising price of Turtle Wax.</li>
</ol>
<p>Obviously, we work very hard to make sure that Firefox is never the “unpatched security hole” and I think <a title="Mozilla Security Blog" href="http://blog.mozilla.com/security/2008/01/17/read-past-the-headlines-firefox-is-fixed-faster/">we do a pretty good job</a>, as long as you make sure to apply those security updates when we send them to you.  But there are lots of programs on your computer, so Firefox’s own security isn’t a guarantee.  The best thing we can do is stop the page from ever getting the chance.</p>
<p style="text-align: center;"><a href="/images/malware-warning.png"><img class="aligncenter" style="vertical-align: middle;" src="/images/malware-warning.png" alt="Firefox 3 Malware Warning" width="400" /></a></p>
<p>In Firefox 3, we have juiced up your protection in a couple of pretty hard core ways.  First of all, we’ve added a second list, of reported malware sites, alongside the list of phishing forgeries we already blocked in Firefox 2.  Second, we now block the page right up front, before any of it loads, so that the attack code never gets a chance to run.  And third, for people who are curious, we provide a report for malware sites that explains exactly what badness is going down.  This report is pretty technical, but it&#8217;s there if you&#8217;re interested.  It’s your browser.  You can even choose to ignore the warning, if you want, and go through to the site.  Obviously, I sort of hope you don’t.</p>
<p>We’ve got the real bad dudes and dudettes online now, and they’re not going to like having their income shut down, so we’re going to have to stay on our toes.  But when Firefox 3 comes out (and we’re getting it out as quickly as we can, believe me), I’m going to feel a lot better about you getting online.</p>
<p style="text-align: center;"><img class="aligncenter" src="/images/turtlewax.png" alt="Historical Pricing Data - Turtle Wax vs. Industry Average (no, not really)" width="435" height="373" /></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/05/21/mal-what-firefox-3-vs-bad-people/feed/</wfw:commentRss>
		</item>
		<item>
		<title>About Larry</title>
		<link>http://blog.johnath.com/index.php/2008/05/06/about-larry/</link>
		<comments>http://blog.johnath.com/index.php/2008/05/06/about-larry/#comments</comments>
		<pubDate>Tue, 06 May 2008 16:15:49 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Linkage]]></category>

		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Usability]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=118</guid>
		<description><![CDATA[I&#8217;ve been meaning to write a post like this for a while, and maybe I still will, but in the meantime Deb has done a great job of introducing the world to Larry.  Her writing is enviably clearer than my own, so you should go check it out right now.
I bet she&#8217;d love it if [...]]]></description>
			<content:encoded><![CDATA[<p><a title="Flickr Page for photo" href="http://www.flickr.com/photos/deb-richardson/2469763762/in/set-72157604907824853/"><img class="alignright" style="float: right;" src="http://farm3.static.flickr.com/2299/2469763762_f336c8cfc1_o.png" alt="Blue Larry" width="69" height="69" /></a>I&#8217;ve been meaning to write a post like this for a while, and maybe I still will, but in the meantime Deb has done a great job of <a title="Deb on the Site Identity Button" href="http://www.dria.org/wordpress/archives/2008/05/06/635/">introducing the world to Larry</a>.  Her writing is enviably clearer than my own, so you should go check it out right now.</p>
<p>I bet she&#8217;d love it if you <a title="Digg page for Deb's post" href="http://digg.com/software/The_Identity_Button_Firefox_3_s_New_Security_UI">gave her some digg love</a>, too.</p>
<p>[Killing comments on this one to reduce forking/repetition - take 'em to Digg or Deb's]</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/05/06/about-larry/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Security UI in Firefox 3plus1</title>
		<link>http://blog.johnath.com/index.php/2008/04/16/security-ui-in-firefox-3plus1/</link>
		<comments>http://blog.johnath.com/index.php/2008/04/16/security-ui-in-firefox-3plus1/#comments</comments>
		<pubDate>Wed, 16 Apr 2008 12:36:31 +0000</pubDate>
		<dc:creator>Johnath</dc:creator>
		
		<category><![CDATA[Mozilla]]></category>

		<category><![CDATA[Phishing &amp; Malware]]></category>

		<category><![CDATA[Security]]></category>

		<category><![CDATA[Usability]]></category>

		<category><![CDATA[Work]]></category>

		<guid isPermaLink="false">http://blog.johnath.com/?p=117</guid>
		<description><![CDATA[We&#8217;ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3.
We have built-in malware protection now, and better phishing protection.  We have a password manager that intelligently lets you see whether your login was successful before saving, instead of interrupting the page load.  We have gotten [...]]]></description>
			<content:encoded><![CDATA[<p>We&#8217;ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3.</p>
<p>We have built-in malware protection now, and better phishing protection.  We have a password manager that intelligently lets you see whether your login was successful before saving, instead of interrupting the page load.  We have gotten rid of several security dialogs that taught users to click OK automatically, unseeingly.  We have <a title="Wikipedia on OCSP" href="http://en.wikipedia.org/wiki/OCSP">OCSP</a> on by default.  We have a consistent place in the UI now where users can get information about the site they are visiting, including detailed secondary information about their history with the site; all of which are first steps in a long road towards equipping users with more sophisticated tools for browsing online, by taking advantage of habits they already have, and things we already know.  All the people who worked on this stuff know who they are, and I want to thank them, because it sure as hell wasn&#8217;t all me.</p>
<p>With Firefox 3 in full down-hunker for final release (and with conference <a title="Wikipedia on Silly Season" href="http://en.wikipedia.org/wiki/Silly_season">silly season</a> upon us) though, I&#8217;ve started to get serious about thinking through what comes next.</p>
<p>Here&#8217;s my initial list of the 3 things I care most about.  What have I missed?</p>
<p><strong>1. Key Continuity Management</strong></p>
<p>Key continuity management is the name for an approach to SSL certificates that asks &#8220;is this site presenting the same certificate (really, the same key) it presented last time?&#8221; rather than &#8220;is this site presenting a cert from a trusted third party?&#8221;  Those approaches don&#8217;t have to be mutually exclusive, and shouldn&#8217;t be in our case, but supporting some version of this would let us deal more intelligently with crypto environments that don&#8217;t use CA-issued certificates.</p>
<p>The exception mechanism in Firefox 3 is a very weak version of KCM, in that security exceptions, once manually added, do have &#8220;KCM-ish&#8221; properties (future visits are undisturbed, changes are detected).  But without the whole process being transparent to users, we miss the biggest advantage to this approach.</p>
<p>Why I care: KCM lets us eliminate the most-benign and most-frequently-occurring SSL error in Firefox 3.  Self-signed certs aren&#8217;t intrinsically dangerous, even if they do lack any <em>verified</em> identity information whatsoever.  The problem is that case-by-case, we don&#8217;t have a way to know if a given self-signed cert represents an attack in progress.  The probability of that event is low, but the cost of getting it wrong is high, so we get in the way.  That&#8217;s not optimal, though.  When the risk is negligible, we should get <em>out</em> of the way, and save our warnings for the times when they can be most effective: when a site shows up with a different key than the one we saw before.</p>
<p><strong>2. Secure Remote Passwords</strong></p>
<p>Secure Remote Password protocol is a mechanism (<a title="Wikipedia on SRP" href="http://en.wikipedia.org/wiki/Secure_remote_password_protocol">have some math</a>!) for allowing a username/password-style exchange to happen without the actual password ever going out on the wire; the server stores only a verifier derived from the password, and each side proves to the other that it holds its secret. <a title="Rob's Blog" href="http://blog.mozilla.com/rob-sayre">Rob Sayre</a> already has a <a title="Bug 356855 - SRP" href="https://bugzilla.mozilla.org/show_bug.cgi?id=356855">patch</a>.  That patch makes the technology available, but putting together a UI for it that resists spoofing (and is attractive enough that sites want to participate) will be interesting.</p>
<p>Why I care: SRP is not the solution to phishing, but it does make stolen credentials harder to use (a compromised server database yields password verifiers, not passwords), and that&#8217;s already a big deal.  It also has the happy side effect of authenticating the site to you while it&#8217;s authenticating you to the site.  I wouldn&#8217;t want this useful technology to get stuck in the chicken-egg quagmire of &#8220;you implement it first.&#8221;</p>
<p><strong>3. Private Browsing Mode</strong></p>
<p>This is the idea of a mode for Firefox which would protect the user&#8217;s privacy more aggressively, and erase any local trace of having been in that mode after the fact.  Ehsan Akhgari has done a <a title="Bug 248970" href="https://bugzilla.mozilla.org/show_bug.cgi?id=248970">bunch of work</a> here, and in fact has a working patch.  While his version hooks into all the various places we might store personal data, I&#8217;ve also wondered about a mode where we just spawn a new profile on the spot (possibly with saved passwords intact) and then delete it once finished.</p>
<p>Why I care: Aside from awkward teenagers (and <a title="Bug 330884 - Firefox ruined my marriage" href="https://bugzilla.mozilla.org/show_bug.cgi?id=330884">wandering fiancés</a>), there are a lot of places in the world where the sites you choose to visit can be used as a weapon against you.  Private browsing mode is not some panacea for governmental oppression, but as the user&#8217;s agent, I think it is legitimately within our scope (and morally within our responsibility) to put users in control of their information.  We began this thinking with the &#8220;Clear Private Data&#8221; entry in the tools menu, but I think we can do better.</p>
<p><strong>(And also&#8230;</strong>)</p>
<p>Outside of these 3, there are a couple things that I know will get some of my attention, but involve more work to understand before I can talk intelligently about how to solve them.</p>
<p>The first is for me to get a better understanding of <strong>user certificates</strong>. In North America (outside of the military, at least) client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.  As I understand it, Belgium and Denmark already issue certs to their citizenry for government interaction, and I think Britain is considering its options as well.  We&#8217;ve fixed some bugs in that UI in Firefox 3, but I think it&#8217;s still a second-class UI in terms of the attention it has gotten, and making it awesome would probably help a lot of users in the countries that use them.  If you have experience and feedback here, I would welcome it.</p>
<p>The second is banging on the drum about our <strong>mixed content</strong> detection.  We have some very old bugs in the area, and mixed content (plain http resources, scripts especially, loaded into an https page) has the ability to break all of our assumptions about secure connections, because whoever controls the network can replace those resources.  I think it&#8217;s just a matter of getting the right people interested in the problem, so it may be that the best way for me to solve this is with bottles of single malt.  Whatever it takes.  If you can help here, name your price.</p>
<p>Obviously I&#8217;ve left out all the tactical fixup work on the UI we already have.  We all know that those things will need to happen, to be re-evaluated and evolved.  I wanted to get these bigger-topic thoughts out early, so that people like you can start thinking about whether they are interesting and relevant to the things you care about, and shouting angrily if they aren&#8217;t.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.johnath.com/index.php/2008/04/16/security-ui-in-firefox-3plus1/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>
