22
Nov 10

First Impressions from China

China is different.

When I got back from my recent trip to visit Mozilla Online in Beijing, I heard myself saying that often, but it’s very nearly a content-free statement. Of course China is different. A better, albeit clumsier, way to express things is:

The Chinese web is not the web we are used to.

“We” Mozilla, “We” the Western tech world, “We” the builders of the web. China is going about things differently, and they’re bringing more than a billion people online with them. The folks at Mozilla Online understand this and were exceedingly patient and generous with their time helping me begin to do so as well.

Here’s one way of thinking about that difference:


13
Aug 10

6 Months

It’s been 6 months since I wrote you this. 6 months. And in that tiny little amount of time, you have turned into a person. It’s hard for me to guess which things you’ll find interesting later in life if you’re reading this letter, and you’re moving so quickly right now that, by next week, it will all be different.

You’re adorable. Daddies are known to lack objectivity on this point, but I have it on good, impartial authority that you are an absolute delight. You smile when I come home at night, you smile when someone picks you up, you smile almost any time mommy speaks. You have learned how to splash in the bath, you shove basically everything into your mouth, and you’ve become ticklish. You are mere seconds away from learning to crawl – already getting into position but then not quite knowing what to do and faceplanting out of desperation. Sometimes you use the faceplants to drag yourself forward. You’re an odd duck. I love that.

You’re also terrifying. You don’t sit still, you roll directly for the edge of whatever surface we put you on, you bonk into stereo cabinets head first. The other day, in the bath, you managed to dump a cup full of water down your throat before I could stop you, sputtered, and for a second that lasted 3 years, you looked like you weren’t breathing. Don’t do that any more, okay?

You’ve rewritten us. Every time I see a parent with a kid, especially a dad with a daughter, I sort of nod, like we’re part of the same club now. I’ve always liked kids, but now I spot every one of them, everywhere I go, and make sure there’s a parent nearby watching them. I’ve noticed that I’ll often be swaying gently back and forth when I’m standing around, regardless of whether I’m holding you, or some groceries, or nothing at all. I’ve noticed other parents doing it, too.

I’ve taken 1,387 pictures of you since you were born, posted 76 of them publicly, and forced taxi drivers, coffee shop baristas, and every single one of my coworkers to admire them. I think that’ll probably slow down a little, if only because you’ll start to lose patience with me, but it’s hard to resist capturing every moment, especially with the speed you keep growing.

Your mom and I are very fortunate to have a lot of love in our lives. Family, friends, coworkers – there’s a lot of love to go around. But I was not ready, I was not ready for the way you would multiply that. You are a tiny, ticklish, ever-blonder force to be reckoned with, Lily, and I don’t even know how to imagine what the next 6 months will hold.

Love,

Daddy


05
Aug 10

The SSL Observatory

Oh ho, lookit what the EFF went and did!

The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.

This is exciting. I knocked together a less ambitious version of this last year, but the EFF guys are doing it like grown-ups, and are getting some interesting data.

Numbers-wise, they’re in the right ballpark, as far as I can tell. Their numbers (1-2m CA-signed certs) coarsely match ones I’ve seen from private sources. I’ve heard from a few CAs that public-crawl estimates tend to err 50-80% low since they miss intranet dark matter, but at least the EFF is tracking other public-crawls. Given that their collection tools and data are going to be made public, that’s a really big deal. Previously, I haven’t been able to get this kind of data without paying for it or collecting it myself. If the database is actively maintained and updated, this will be a great resource for research.

Their analysis of CA certificate usage is also interesting. I’d like to see more work done, here, and in particular I’d like to see how CA usage breaks down between the Mozilla root store and others. We spend considerable effort managing our root store, and recently removed a whole pile of CA certificates that were idle. In some places, the paper seems to make the claim that fully half of trusted CAs are never used, but in other places, the number of active roots they count outnumbers our entire root program. I understand why they blurred the line for the initial analysis, but it would be swell to see it broken out.

As they mention, there are legit reasons for root certs to be idle, particularly for future-proofing. We have several elliptic curve roots, and some large-modulus RSA roots, which are waiting for technology to catch up before they become active issuers while giving CAs a panic switch in the case of an Interesting Mathematical Result — that feels okay to me. On the other hand, if there are certs which are just redundant, it would be great to know, so that we can have that conversation with the relevant CAs, and understand the need to keep the cert active.

This is exactly what I hoped would come of my crawler last year, but they’ve done a much more thorough job. We’ve seen an uptick in research interest in SSL over the last few years. Having a high quality data source to poke when testing a hunch is going to make it easier to spot trends, positive or otherwise. Interesting work, folks; keep it going!


13
Jul 10

Kathleen, a FAQ

Q: Kathleen who?

Kathleen Wilson works for the Mozilla Corporation, and manages our queue of incoming certificate authority requests. She coordinates the information we need from the CAs, shepherds them through our public review process and, if approved, files the bugs to get them into the product.

Q: Holy crap! One person does all of that? Is she superhuman?

It has been proven by science. She is 14% unobtainium by volume.

Q: That’s really awesome, but I am a terrible, cynical person and require ever-greater feats of amazing to maintain any kind of excitement.

She came in to a root program with a long backlog and sparse contact information, and has reduced the backlog, completely updated our contact information, and is now collecting updated audit information for every CA, to be renewed yearly.

Q: Hot damn! She’s like some kind of awesome meta-factory that just produces new factories which each, in turn, produce awesome!

I know, right? She has also now removed several CAs that have grown inactive, or for which up-to-date audits cannot be found. They’ll be gone as of Firefox 3.6.7. They’re already gone on trunk.

Q: Wait, what?

Yeah – you can check out the bug if you like. I’m not positive, but I think this might represent one of the first times that multiple trust anchors have ever been removed from a shipping browser. It’s almost certainly the largest such removal.

Q: I don’t know what to say. Kathleen completes Mozilla. It is inconceivable to me that there could be anything more!

Inconceivable, yes. And yet:

  1. She’s also made what I believe to be the first comprehensive listing of our root, with signature algorithms, moduli, expiry dates, &c.
  2. In her spare time, she’s coordinating with the CAs in our root program around the retirement of the MD5 hash algorithm, which should be a good practice run for the retirement of 1024-bit RSA (and eventually, in the moderately distant but foreseeable future, SHA-1).
  3. She has invented a device that turns teenage angst into arable land suitable for agriculture.

Fully 2 of the above statements are true!

Q: All I can do is whimper.

Not true! You can also help! Kathleen ensures that every CA in our program undergoes a public review period where others can pick apart their policy statements or issuing practices and ensure that we are making the best decisions in terms of who to trust, and she’d love you to be a part of that.

Q: I’ll do it! Thanks!

No, thank you. That wasn’t a question.


20
Apr 10

105 – Why I Bird

Yesterday my life list passed 100 birds. This makes me happy; I’ll try to explain why.

Beltzner asked me once why I liked birds so much. I told him I didn’t, not particularly. I like nature. But if you go out for a walk in nature, you’re apt to come across a rodent or two, maybe an interesting mammal like a fox or deer, and you’re going to see at least 20 to 30 different kinds of birds. Bird knowledge is high return on investment, and gives lots of opportunity for practice. Knowing… I don’t know… voles, seems less immediately rewarding.

As for keeping track of them, I only started that last fall after a trip to Florida that was particularly packed with “life birds” (birds I’d never seen in the wild.) It may delight you to know that keeping track, “listing” as it’s called, is not without controversy. There are rules, if you enjoy such things, and there are a variety of local, regional, continental and world lists to work from. There are also, because of course there would be, reactionary elements within the bird watching world who are anti-list. There are lines drawn along the axis of listing that separate “birders” from “bird watchers” in ways that any Trekkie (or Trekker) will find immediately familiar.

I mostly don’t go in for all that. I record every bird I see in the wild; that’s it. For now I keep the list to North America, though I might start a world list at some point. I don’t record a bird until I’m confident of the ID, and I add a little ‘P’ in the margin for those where I managed to snag a good photo. Among (ahem) serious North American birders, my 105 is child’s play. 250 is the price of admission, 400 is typical of serious hobbyists, and 700 is a target once thought impossible but now reached regularly by people with the ability to fly to the Aleutian Islands to sneak in some Eurasian migrants while still technically in North America. I’m not likely to go in for all that, either.

Still, it’s rewarding for me to keep track. It motivates me to seek out habitats I haven’t visited before, and it lets me flag certain birds with extra import. It helps me notice detail on the birds that, I think, makes me a better photographer. Mostly, it gets me out of the house and into nature with a camera – that’s reason enough.

For posterity, then, my list to date (in Peterson’s order). Big thanks to Barry, my mentor in all things bird, for getting me this far.


10
Mar 10

Developer Tools in Firefox

jk5854/flickr cc

Web developers make the open web go.

For Mozilla, that means that if we want to see the open web succeed, we need to help web developers build it. When we talk to them about building for the web, most of what they want to talk about is web features: CSS improvements, new HTML5 goodness, content magic like geolocation and orientation events. We invest a lot in making those things awesome, but they are only part of the answer.

The other thing that web developers talk about is tools. Specifically, when we talk to them about tools they ask for two things:

  1. Mozilla should invest in Firebug. The Firebug and Firefox communities should be working together to fix bugs, not working around them. Firefox releases should ship with a compatible Firebug out of the gate, not weeks or months later.
  2. Mozilla should be leading in developer tools. Before Firebug, View Source and DOM Inspector were the state of the art. Now other browsers are copying Firebug and shipping their tools by default, and the question is where the tools are going to go next. We should be a strong voice there, and back it up with code.

For #1: got it. Loud and clear. Firefox 3.6 shipped with a compatible Firebug from day 1, due in no small part to the contributions of Mozilla employees paid to work on Firebug. Jan “Honza” Odvarko has been fixing bugs and building out features left and right, and Rob Campbell has helped drive the project, and made sure that Firefox dependencies get attention. We don’t want to try to take Firebug over; it has its own, healthy community. We are much more active participants than we used to be, though.

#2 is harder. What tools do web developers need that don’t yet exist? Which tools would be broadly useful, and which ones niche? What can Mozilla bring to the table, as the developer of a browser, to make the design & development experience better/easier/faster/funner? We’re trying to figure that out, we’re working on some early ideas that I’ll write about in subsequent posts, but I’d also like to hear what you think is missing.

Building developer tools into Firefox will mean a lot of exploration, and a lot of new code – that’s scary, but the benefits are huge. In the short term, this work will rekindle the conversation about developer tools, and get us all thinking outside of the existing boxes for a few minutes. In the long term, it should make life better for web devs and tool authors; everybody wins.

Web devs are smart; it’s no coincidence that #1 and #2 above pull in the same direction: make Firefox the best platform for web development and tool building. We all want web authors to have an awesome, empowered experience and I think working together in this way is the best play we have for continuing to build that.


16
Feb 10

A Letter For My Daughter

Lily,

There’s a lot you don’t know about how you came into this world, little girl, and I plan to tell you all about it. I’m not holding on to details too well right now, though, so I thought I’d write some of it down, just in case.

First – the practical stuff. You were born at 5:44pm, February 13th. You weighed 8lbs, 6oz, which is on the heavy side of normal, and measured 22″ long which is on the long side of normal. Your head was 37cm in circumference, which is on the big side of normal, and it took Mommy 24 hours of labour to deliver you (your love for consistency held fast: this, too, is normal, but longish). You were positioned face up (“sunny side up,” said your doctor) which is normal, though more difficult. You needed some vacuum help (normal, though more difficult) and then some forceps (normal, though more difficult). You had a bit of jaundice which kept us at the hospital for another day (normal, though more difficult). In every way that you could, you tried to tell us that you were bigger than life, and you were right.

There’s more you don’t know, though. You don’t know that daddy cried when you were born or that he’s thinking about crying now as he writes this. You don’t know that we’ve been working on you since 2007. You don’t know about your mommy and daddy beating a regular path to the fertility clinic before work most mornings; mommy getting bloodwork and ultrasounds on day 3, 10, 12, 14, 15 and 16 of every month – for nearly 2 years; or that the month you did show up was the one month we had no treatments at all, because mommy’s body needed a break. You don’t know that you weren’t our first positive pregnancy test.

But you’re here now, and we are happier than we’ve ever been. We can barely stay awake, we jump every time you make a noise, but we are awfully smitten with you. We haven’t had many visitors because it’s all still a bit overwhelming, but when visitors do show up, we are the proudest parents, showing you off. We barely recognize your daddy any more – he impulse buys onesies with dinosaurs on the front, and today he boiled nipples.

I can’t wait to tell you all about the world, and about your arrival, and about what an amazing woman your mommy is. I can’t wait to introduce you to the incredible village that has risen up around you and supported us three since the beginning. I can’t wait, but I’m going to try because I don’t want this to go any faster than it has to.

I love you, Lily Margaret.

Daddy


11
Feb 10

Interview with a 419 Scammer

For those who haven’t seen it, scam-detectives.co.uk has a really interesting 3-part interview with a former Nigerian scammer.

Scam-Detective: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email?

John: I never met a victim, but I was involved in a couple of Wash-Wash scams.

Scam-Detective: Wash Wash scams? What does that involve?

John: We would tell the victim that we had a trunk full of money, millions of dollars. One victim met some of my associates in a hotel in Amsterdam, where he was shown a box full of black paper. He was told that the money had been dyed black to get through customs, and that it could be cleaned with a special chemical that was very expensive. My associates showed him how this worked with a couple of $100 bills from the top of the box, which they rinsed with some liquid to remove the black dye. Of course the rest of the bills were only black paper, but the victim saw real money. He handed over $27,000 (about £17,000) to buy the chemicals and was told to return to the hotel later that day to pick up the cash. Of course when he came back, there was nobody there. He couldn’t report it to anybody because if it had been real it would have been illegal, so he would have gotten himself into trouble.

Part 1, Part 2, Part 3.

We build tools in Firefox like stale-plugin warnings and malware blocking to help protect our users, to neuter the technological attacks they may encounter on the web. But we also try, and need to keep trying, to build tools that inform our users so that they can make better decisions. Our phishing warnings and certificate errors try to do this, but mostly by scaring users away from specific attack situations. I hope we’ll continue to build tools like Larry which try to give people some affirmative context as well, to lend some nuance to their sense of place online. I want us to help our users know when they’re on Main Street, and when they’re in an alley.

I know: People get conned in the real world, too, and certainly no browser UI is going to save you from an email-based scam. Stories like this, though, are just specific instances of what I believe to be a more universal principle:

the biggest security risk most people face is misplaced trust

John: Some of the blame has to go to the victims. They wanted the money too because they were greedy. Lots of times I would get emails telling me that they wanted more money than I was offering because of the money they were having to send. They could afford to lose the money.

Scam-Detective: John, I think you have been basically honest with me so far. Please don’t stop that now. You know as well as I do that not all of your victims were motivated by greed. I have seen plenty of scam emails that talk about dying widows who want to give their money to charity, or young people who are in refugee camps and need help to get out. You targeted vulnerable, charitable people as well as greedy businessmen, didn’t you? You didn’t care whether they could afford it or not, did you?

John: Ok, you are right. I am not proud of it but I had to feed my family.

If you have ideas for how we can help users place their trust online more deliberately and carefully: please comment here, or build an addon, or file a bug.