meandering wildly » Linkage
A quick note, to any Vancouverites that may be interested, that I will be in town on Wednesday to speak at the FIRST 2008 conference. The title of the talk is “The Most Important Thing - How Mozilla Does Security, and What You Can Steal.” If you’re attending the conference, I hope I’ll see you there. Once the conference is over, I’ll post my slides and a video of a presentation dry-run, in case anyone is interested.
I had a lot of help from several people, most notably Shaver, in putting this presentation together; my goal is to keep adapting it and ideally get other people giving it as well. Security is something that the Mozilla project has a lot of experience with, and a lot to be proud of. It is important to our mission that we share that expertise. Even when what we’re saying isn’t new (“have unit tests”), the fact that we have achieved the success we have lets us be a proof point for people trying to make change in their own projects (“Mozilla didn’t think code review was too time-intensive.”)
I may not be an official member of the evangelism team, but I will do whatever I can to encourage more people in our community to take their knowledge outbound. We are doing crazy awesome stuff here (how many IT people, on the planet, have dealt with what Justin’s team has?) and we should consider it an obligation to spread that knowledge around. Heck, that’s actually sort of what my talk is about.
Window and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we’ve made in Firefox 3. It covers both front-end and back-end information, and mentions several changes that I haven’t had a chance to mention here in the past.
If you’re interested, check it out.
[PS - Full props to r80o on flickr - this is a pretty excellent photo for "caution", and CC too!]
I’ve been meaning to write a post like this for a while, and maybe I still will, but in the meantime Deb has done a great job of introducing the world to Larry. Her writing is enviably clearer than my own, so you should go check it out right now.
I bet she’d love it if you gave her some digg love, too.
[Killing comments on this one to reduce forking/repetition - take 'em to digg or debb]
This is a pretty cool idea.
- Randomly generate a bunch of colours.
- Use Mechanical Turk to get names for them all.
- Play
I really like the things that Mechanical Turk makes possible, now that people are getting more next-level experimental with it.
I also really like that the folks who did this one have an interactive explorer page for the data, and make the raw data set available as well.
In other “Graphics on the Web” news: heehee.
It’s a couple weeks old, I know, but for anyone who hasn’t seen it, Google’s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they’ve observed in malware hosting and distribution. Aside from a troubling pre-occupation with CDF graphs, it’s a really interesting look at the way malware networks are spread through the internet.
I found this snippet interesting:
We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* — 61.* and 209.* — 221.* network ranges.
…
Our results show that all the malware distribution sites’ IP addresses fall into only 500 ASes. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS). The graph further shows the highly nonuniform concentration of the malware distribution sites — 95% of these sites map to only 210 ASes.
But I think this is the big takeaway:

Because malware is being distributed via ad networks more and more, it’s no longer safe to assume that you’ll be okay if you just avoid the seedy parts of the net. And because it’s no longer requiring user interaction in a lot of cases, the old-school “don’t run executables from random websites” best practice might not be enough either. To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.
And lookit, the Firefox 3 beta is right over here.
Melissa, our PR gal, recently wrote a pretty awesome post about a pretty awesome kid. You should go read it. Go.
It really gave us a lift and, immediately, several of us here in the office (today is code freeze for FF3 Beta 3 so yes, we are still in the office) agreed that we needed an about:icecream URL in the browser.
Ryan beat me to it. It’s now a Firefox 3 add-on.

I took a vacation day yesterday, since I had a bunch of appointments piling up, and figured it would be best to just blitz. In the evening, I was sort of fiddling around, and built this:
It’s probably only interesting to people who find performance monitoring interesting, but I like having it around, even in its very rough condition. I would love to include the Talos graphs in there, since Talos data is a lot more relevant than the oldschool tests, particularly around pageload. Nevertheless, it beats clicking a hundred different links off the tinderbox waterfall, and it was a fun excuse to play with a tiny bit of jQuery too.
Johnath’s Performance Dashboard - Trunk
[PS - NSID Day 12 - pretty damned shaggy. Itch might be subsiding though!]
As announced Very Early In The Morning (EST) today, Firefox 3 Beta 1 is now live.
There is some appropriately scary text there about not downloading it unless you are a developer or a tester, and that’s good text to have, because we wouldn’t want people treating this like a final release BUT it’s pretty awesome, and if you don’t mind living a little bit on the edge, you should check it out.
There are a ton of changes, and as I’ve said here before, a lot of them are subtle. I want very much to point out a bunch of them, but I also don’t, because I want to know what unprimed minds think of it. I’ll leave it up to you - if you want to see a (non-exhaustive) list of the kinds of changes we’ve made, you can check the release notes. If you don’t, skip straight to the announcement and grab a copy.
Once you’re on the beta, you’ll get updates as new betas come out, just like you do with Firefox 2 when we release security and stability updates. Running the betas and letting us know what you think is a great way to help the project, even if you’ve never tried programming. You’re a human and a web user; that’s as much expertise as we need.
