Reasonable Discussion

When I went to Bible college, I learned two things about engaging in debate which struck me as very wise, and have stuck with me since. While I learned them in the context of theology, I’d argue that they apply universally.

The first is that you become properly qualified to critique someone’s position only when you can summarize it in a way which would have that person, were they looking over your shoulder as you write, saying “yes, that’s exactly what I was trying to say”. Ideally, you need to understand their position and rationale for holding it as well as, or even better than, they do themselves. Being able to summarize it well before interacting with it is proof that you have done the work to do this. It will not only make your arguments better, but it will make it much more likely that those who disagree with you might consider and even accept them. Anyone can attack a straw man; however, doing so may lead to cheers from your own side, but is unlikely to win any converts. Attacking straw men is always much easier than interacting with people’s actual nuanced positions and therefore might be said to be a form of virtue signalling.

The second is that you should always engage with a person’s strongest arguments and points, not their weakest ones. If someone writes a piece where 50% of the arguments are, in your view, so weak that they barely require refutation, then you can either refute them anyway, or you can engage with their better arguments and points. We were strongly encouraged to do the latter, for much the same reasons. Refuting bad arguments is much easier than refuting better arguments, but is far less likely to convince anyone who holds the opposing view.

In the context of recent Internet debates, this Medium post was recommended to me as “excellent”. However, it is hard to agree with this assessment given that the first paragraph spectacularly fails the first of the two above tests. (I’d argue much of the rest of the post does as well, but the first paragraph is the clearest example.) And I’d say most of the Internet has joined in that failure, including, shamefully, many reporters who should be able to do better. A rather insightful Twitter commenter (yes, I know, wow) noted that the debate around this document had mostly been a complete waste of time as it involved a version of it which existed only in the imagination of the debaters. I’ve certainly seen many instances where people have claimed the document says things it either does not say, or even explicitly denies.

As for the second test, the difficulty is that the Internet hate machine’s lack of nuance means that if you pull out one or two points and say “these are worthy of further discussion”, it is assumed that you are therefore a wholehearted supporter of everything written, and are treated accordingly. This is not how debate works in a sane society. Still, in ever-present hope that this won’t happen, I think the following two parts of the memo deserve careful consideration:

Viewpoint diversity is arguably the most important type of diversity and political orientation is one of the most fundamental and significant ways in which people view things differently. In highly progressive environments, conservatives are a minority that feel like they need to stay in the closet to avoid open hostility. We should empower those with different ideologies to be able to express themselves. Alienating conservatives is … non-inclusive.

Just as some on the Right deny science that runs counter to the “God > humans > environment” hierarchy (e.g., evolution and climate change) the Left tends to deny science concerning biological differences between people.

Note for the hard of thinking: this post in no way endorses any bits of the memo I did not quote, and the bits I did quote I endorse only so far as to say that they deserve careful consideration.

Introducing Deliberate Protocol Errors: Langley’s Law

Google have just published the draft spec for a protocol called Roughtime, which allows clients to determine the time to within the nearest 10 seconds or so without the need for an authoritative trusted timeserver. One part of their ecosystem document caught my eye – it’s like a small “chaos monkey” for protocols, where their server intentionally sends out a small subset of responses with various forms of protocol error:

A healthy software ecosystem doesn’t arise by specifying how software should behave and then assuming that implementations will do the right thing. Rather we plan on having Roughtime servers return invalid, bogus answers to a small fraction of requests. These bogus answers would contain the wrong time, but would also be invalid in another way. For example, one of the signatures might be incorrect, or the tags in the message might be in the wrong order. Client implementations that don’t implement all the necessary checks would find that they get nonsense answers and, hopefully, that will be sufficient to expose bugs before they turn into a Blackhat talk.

The fascinating thing about this is that it’s a complete reversal of the ancient Postel’s Law regarding internet protocols:

Be conservative in what you send, be liberal in what you accept.

This behaviour instead requires implementations to be conservative in what they accept, otherwise they will get garbage data. And it also involves being, if not liberal, then certainly occasionally non-conforming in what they send.

Postel’s law has long been criticised for leading to interoperability issues – see HTML for an example of how accepting anything can be a nightmare, with the WHATWG having to come along and spec things much more tightly later. However, simply reversing the second half to be conservative in what you accept doesn’t work well either – see XHTML/XML and the yellow screen of death for an example of a failure to solve the HTML problem that way. This type of change wouldn’t work in many protocols, but the particular design of this one, where you have to ask a number of different servers for their opinion, makes it possible. It will be interesting to see whether reversing Postel will lead to more interoperable software. Let’s call it “Langley’s Law”:

Be occasionally evil in what you send, and conservative in what you accept.
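To make the mechanism concrete, here is an added example (mine, not code from the Roughtime draft or from Google) of a server that deliberately corrupts a fraction of its answers, alongside a “liberal” client that swallows them and a “conservative” one that does not. The message format, tag names (MIDP, RADI, SIG), shared key and HMAC “signature” are all constructed for this toy and are not Roughtime’s real wire format, which uses public-key signatures; the two bogus kinds are the two the ecosystem document names, a wrong signature and tags in the wrong order. The last function shows why this only works in a design where you ask several servers: a single bogus answer cannot sway a client that takes the median of the answers it actually accepts.

```python
import hashlib
import hmac
import struct

# Constructed toy protocol for this example, NOT Roughtime's real wire format.
# A message is a sequence of (tag, value) records; the canonical encoding requires
# tags in ascending byte order. The "signature" is an HMAC under a key the client
# already trusts, standing in for the server's real public-key signature.
SERVER_KEY = b"constructed-demo-key"
TIME_TAG = b"MIDP"    # midpoint of the server's time estimate, seconds since epoch
RADI_TAG = b"RADI"    # radius of uncertainty around the midpoint, seconds
SIG_TAG = b"SIG\x00"  # signature over every other record, as encoded


def encode(records):
    """Serialise records as tag(4) || length(4, LE) || value, in the order given."""
    return b"".join(tag + struct.pack("<I", len(val)) + val for tag, val in records)


def decode(blob):
    """Parse records back out, refusing anything truncated."""
    records, i = [], 0
    while i < len(blob):
        if i + 8 > len(blob):
            raise ValueError("truncated record header")
        tag = blob[i:i + 4]
        (n,) = struct.unpack_from("<I", blob, i + 4)
        if i + 8 + n > len(blob):
            raise ValueError("truncated record value")
        records.append((tag, blob[i + 8:i + 8 + n]))
        i += 8 + n
    return records


def sign(body):
    return hmac.new(SERVER_KEY, encode(body), hashlib.sha256).digest()


def make_response(now, radius=10, bogus=None):
    """Honest response, or one of the deliberately invalid kinds the spec describes."""
    good_body = [(TIME_TAG, struct.pack("<Q", now)), (RADI_TAG, struct.pack("<I", radius))]
    if bogus is None:
        return encode(good_body + [(SIG_TAG, sign(good_body))])
    wrong_time = struct.pack("<Q", now + 3600)  # the bogus answer is an hour off
    if bogus == "bad_sig":
        # Signature computed over the true time, then the time record swapped:
        # only a client that verifies the signature notices.
        body = [(TIME_TAG, wrong_time), (RADI_TAG, struct.pack("<I", radius))]
        return encode(body + [(SIG_TAG, sign(good_body))])
    if bogus == "tag_order":
        # Correctly signed, but tags out of canonical order: only a client that
        # enforces ordering notices.
        body = [(RADI_TAG, struct.pack("<I", radius)), (TIME_TAG, wrong_time)]
        return encode(body + [(SIG_TAG, sign(body))])
    raise ValueError(f"unknown bogus kind {bogus!r}")


def lenient_client_time(blob):
    """Liberal in what it accepts: takes the time from whatever parses."""
    fields = dict(decode(blob))
    return struct.unpack("<Q", fields[TIME_TAG])[0], struct.unpack("<I", fields[RADI_TAG])[0]


def strict_client_time(blob):
    """Conservative in what it accepts: ordering, completeness, then signature."""
    records = decode(blob)
    tags = [tag for tag, _ in records]
    if tags != sorted(tags) or len(set(tags)) != len(tags):
        raise ValueError("tags not in canonical order or duplicated")
    fields = dict(records)
    for required in (TIME_TAG, RADI_TAG, SIG_TAG):
        if required not in fields:
            raise ValueError(f"missing {required!r}")
    body = [(tag, val) for tag, val in records if tag != SIG_TAG]
    if not hmac.compare_digest(fields[SIG_TAG], sign(body)):
        raise ValueError("signature does not verify")
    return struct.unpack("<Q", fields[TIME_TAG])[0], struct.unpack("<I", fields[RADI_TAG])[0]


def rejects(client, blob):
    """True when the client refuses the response."""
    try:
        client(blob)
    except (ValueError, KeyError, struct.error):
        return True
    return False


class ChaosServer:
    """Answers honestly except every `bogus_every`-th request, alternating bogus kinds."""

    def __init__(self, bogus_every=10):
        self.bogus_every, self.count = bogus_every, 0

    def respond(self, now):
        self.count += 1
        if self.count % self.bogus_every:
            return make_response(now)
        kind = "bad_sig" if (self.count // self.bogus_every) % 2 else "tag_order"
        return make_response(now, bogus=kind)


def agreed_time(responses, client):
    """Median midpoint of the responses a client accepts; None if fewer than two survive."""
    times = sorted(client(blob)[0] for blob in responses if not rejects(client, blob))
    return times[len(times) // 2] if len(times) >= 2 else None
```

Run against a `ChaosServer`, the lenient client happily reports a time an hour out whenever it draws a bogus answer, while the strict client raises on it and, given answers from several servers, still converges on the honest time. The check a practitioner would want to copy is the one in `strict_client_time`: parse, enforce ordering and completeness, verify the signature, and only then read the time.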

Wall Street Journal Supports Google’s Dominance of the Content Industry

Compare and contrast: a Wall Street Journal article linked directly, and one reached via Google (click the top link in the search results). The former leads to a preview and a paywall (or, at least, a signupwall), the latter does not.

The press are so concerned about the dominance of Google, at least in Europe, that they are making various (also foot-shooting) moves to try and bring in ancillary copyright. So why, I wonder, is the WSJ enhancing that dominance by privileging Google users over other users in terms of access to their content?

Google Concedes Google Code Not Good Enough?

Google recently released an update to End-to-End, their communications security tool. As part of the announcement, they said:

We’re migrating End-To-End to GitHub. We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community.

They didn’t specifically say how it was hosted before, but a look at the original announcement tells us it was here – on Google Code. And indeed, when you visit that link now, it says “Project “end-to-end” has moved to another location on the Internet”, and offers a link to the Github repo.

Is Google admitting that Google Code just doesn’t cut it any more? It certainly doesn’t have anything like the feature set of Github. Will we see it in the next round of Google spring-cleaning in 2015?

Google Safe Browsing Now Blocks “Deceptive Software”

From the Google Online Security blog:

Starting next week, we’ll be expanding Safe Browsing protection against additional kinds of deceptive software: programs disguised as a helpful download that actually make unexpected changes to your computer—for instance, switching your homepage or other browser settings to ones you don’t want.

I posted a comment asking:

How is it determined, and who determines, what software falls into this category and is therefore blocked?

However, this question has not been approved for publication, let alone answered :-( At Mozilla, we recognise exactly the behaviour this initiative is trying to stop, but without written criteria, transparency and accountability, this could easily devolve into “Chrome now blocks software Google doesn’t like.” Which would be concerning.

Firefox uses the Google Safe Browsing service but enhancements to it are not necessarily automatically reflected in the APIs we use, so I’m not certain whether or not Firefox would also be blocking software Google doesn’t like, and if it did, whether we would get some input into the list.

Someone else asked:

So this will block flash player downloads from https://get.adobe.com/de/flashplayer/ because it unexpectedly changed my default browser to Google Chrome?!

Kudos to Google for at least publishing that comment, but it also hasn’t been answered. Perhaps this change might signal a move by Google away from deals which sideload Chrome? That would be most welcome.

IE11, Certificates and Privacy

Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.

They may or may not be successful in doing that, but this implementation raises significant questions of privacy.

SmartScreen is a service to submit the full URLs you visited in IE (including query strings) to Microsoft for reputation testing and possible blocking. While Microsoft tries to reassure users by saying that this information passes to them over SSL, that doesn’t help much. It means an attacker with control of the network can’t see where you are browsing from this information – but if they have control of your network, they can see a lot about where you are browsing anyway. And Microsoft has full access to the data. The link to “our privacy statement” in the original SmartScreen announcement is, rather worryingly, broken. This is the current one, and it also tells us: “Each SmartScreen request comes with a unique identifier.” That doesn’t contain any personal information, but it does allow Microsoft, or someone else with a subpoena, to reconstruct an IE user’s browsing history. The privacy policy also says nothing about whether Microsoft might use this information to e.g. find out what’s currently trending on the web. It seems they don’t need to provide a popular analytics service to get that sort of insight.

You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more information to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen does have a local whitelist for high traffic sites and so they don’t find out when you visit those sites. However (I assume), every certificate you encounter is sent to Microsoft, including high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every site your browser visits, not just the less common ones.

By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, SafeBrowsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to provide information to a third-party site. (Mozilla is currently evaluating CT.)

If I were someone who wanted to keep my privacy, I know which solution I’d prefer.
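For readers who want to see what “a downloaded list” buys you in privacy terms, here is an added example (mine, not Mozilla’s, Google’s or Microsoft’s code) of a client-side blocklist check in the hash-prefix style: the browser canonicalises the URL, hashes it, and compares a short prefix against a list it fetched earlier, so for a URL that matches nothing, nothing leaves the machine, and even on a match a real client would transmit only the matching 4-byte prefix rather than the URL. The canonicalisation rules, the prefix length and the list contents are simplified and constructed for this example.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed example of a downloaded-list check. The client canonicalises the
# URL into host/path expressions, hashes each, and compares a short prefix
# against a list fetched earlier. For a non-matching URL nothing leaves the
# machine; on a prefix match a real client would ask the server for the full
# hashes under that prefix only. The canonicalisation is a simplified stand-in
# for the real rules, and the blocklist contents are made up.
PREFIX_LEN = 4


def canonical_expressions(url):
    """host/, then host/ plus each successive path segment (query string dropped)."""
    parts = urlsplit(url.strip().lower())
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    exprs = [host + "/"]
    for i in range(1, len(segments) + 1):
        exprs.append(host + "/" + "/".join(segments[:i]))
    return exprs


def full_hash(expr):
    return hashlib.sha256(expr.encode("utf-8")).digest()


def build_list(bad_expressions):
    """What the server publishes and the client downloads ahead of time:
    full hashes grouped under their prefix."""
    table = {}
    for expr in bad_expressions:
        h = full_hash(expr)
        table.setdefault(h[:PREFIX_LEN], set()).add(h)
    return table


def check_url_locally(url, downloaded):
    """Return (verdict, prefixes_needing_lookup).

    The second element is everything a real client would transmit: a few
    4-byte prefixes when one matches, and nothing at all otherwise. The URL
    itself, query string included, never leaves the browser."""
    lookups = []
    for expr in canonical_expressions(url):
        h = full_hash(expr)
        prefix = h[:PREFIX_LEN]
        if prefix in downloaded:
            lookups.append(prefix)
            if h in downloaded[prefix]:
                return "blocked", lookups
    return "allowed", lookups
```

Contrast this with the SmartScreen design described above, where every navigation sends the full URL plus a persistent identifier: here the only thing a server could ever learn is that some client hit one of a handful of short hash prefixes, and for the overwhelming majority of URLs it learns nothing at all.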

GSoC 2013 Successes

We’ve wrapped up another GSoC, with 20 of 21 projects passing – our highest pass percentage ever. Not all students emailed me the URL to their wrap-up status report (you might find some more by following the links in the original announcement) but I know that we have:

Which is a pretty awesome set of achievements. Well done to all the students, and many thanks to all their mentors.

I’m also pleased to announce that Florian Quèze, who has been administering the program alongside me this year, will be in the driving seat for next year’s GSoC – which will be the 10th anniversary edition. Wish him luck! :-)

GSoC 2013 Project List

The Google Summer of Code students got chosen 2 weeks ago, and I am pleased to list the 21 projects being done under the Mozilla banner – a new high for the Mozilla project. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!

Project | Student | Mentor
Improving Text Selection and Rotation in PDF.js | Srishti Srivastava | Bill Walker
Designing Hacktivities (Meemoo) | Matthias Brown | Forrest Oliphant
Dynamically Configurable Actions add-on (ZAP) | Alessandro Secco | Simon Bennetts
Autosuggest Search Engines (Firefox) | Sankha Narayan Guria | Matthew Noorenberghe
Clearer Add-on Installation (Firefox) | Sachin Hosmani | Jorge Villalobos
Enhanced Customization APIs (Firefox) | Riadh Chtara | Kris Maglione
Additional JavaScript Protocol Plug-ins – Yahoo! (Instantbird) | Quentin Headen | Patrick Cloke
Awesometab (Instantbird) | Nihanth Subramanya | Benedikt Pfeifer
Profile in the Cloud (PiCl) Client (Firefox OS) | Akshay Katyal | Jed Parsons
Prototype HTTP/2 Server | Gábor Molnár | Nick Hurley
Debug Symbol Generation (Rust) | Michael Woerister | Josh Matthews
Implement Branch Prediction (IonMonkey) | Wei Wu | Nicolas B. Pierron
Make Firefox Developer Tools Compatible With Thunderbird | Philipp Kewisch | Mike Conley
Security Report (Firefox) | Kailas Ravsaheb Patil | Mark Goodwin
CSS Generation Tools (MDN) | Gabriel Ivanica | Jean-Yves Perrier
Unit Tests for Mozbase | Anhad Jai Singh | Clint Talbert
Backend Connectors for Ensemble (Thunderbird) | Jonathan Demelo | Mike Conley
Localization Dashboard | Berker Peksag | John Karahalis
FileLinks in Instant Messages (Instantbird) | Atul Jangra | Florian Quèze
Sample Apps for Firefox Marketplace Developer Hub (Firefox OS) | Andre Alves Garzia | Marcos Caceres
about:memory for Real People (Firefox) | Abhishek Choudhary | Felipe Gomes

No One Considered…

Micire’s talk was an excellent example of what can happen when a device maker doesn’t lock down its device. It seems likely that no one at Google or Samsung considered the possibility of the Nexus S being used to control space robots when they built that phone. But because they didn’t lock it down, someone else did consider it—and then went out and actually made it happen.

LWN (an awesome publication; do subscribe)

Summer of Code 2013

Summer of Code[0] 2013 is on! The Mozilla Project is hoping to be involved again, so in the next five weeks we need to produce a list of suitable projects to support our application.

Can you think of an 8-week task you might be able to guide a student through? It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Firefox OS, Thunderbird, SeaMonkey, Bugzilla, L10n, NSS, IT, Documentation and many more.

If you have an idea, put it on the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.

[0] For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.

Summer of Code 2012 Outcomes

Every year since it began, Mozilla has been invited to take part in the Google Summer of Code. For the first few years, I wrote a summary of outcomes a few months after the close of the program. Recently, I’ve not had time to do so, but this year I’m back on the wagon.

I’m pleased to say that this year’s Summer of Code was extremely successful. Of the 18 projects (50% more than last year – many thanks, Google!), 17 were successful, and in the case of the other one, an unsuccessful applicant stepped in to complete the work for the love of the code. Now that’s dedication.

I’ve produced a table which lists the 17 successful projects, their original goals, what actually happened, and where you can find the code they wrote. So if there was a project you were following, you can find out what happened to it. The projects ranged widely across Mozilla-related activities, from Firefox to MDN, Instantbird to OpenBadges. Without wanting to upset anyone I don’t mention, particular highlights for me include native support for webapps on Linux in desktop Firefox, an addon to allow users to specify a Content Security Policy for particular sites, and some other improvements to Firefox and Thunderbird which (thanks to our rapid release process) are already shipping and making people’s lives better.

Thanks must go to all the students who took part, to the mentors who took time out to look after them, and to Google for funding and administering the program.

Google Calendar, and Meetings in UTC: The ‘Reykjavik Trick’

Google Calendar is great; I’m a big fan. A little while back, it acquired timezone support for events. More recently, it acquired split timezone support (start and end in different timezones), which is awesome for flights. And there’s a drop-down list of all the countries in the world with all of their applicable timezones. Surely that must be comprehensive, right?

Well, yes and no. I attend one meeting which is scheduled in UTC. There seems to be no entry in the massive timezone list for this. If you say you are in London (GMT+00:00), then your event will obey the UK DST rules, which means it won’t actually be in UTC during the summer.

However, there is a workaround. There is one country in the world which uses UTC and no DST – Iceland. So, if you want to have a meeting whose time is set year-round in UTC, then tell Google Calendar you are holding it in Reykjavik.

(It would be nice if Google would add an explicit “UTC” option to their massive timezones list, but this will do for now.)
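Here is an added example (mine, not Google Calendar’s logic) that shows exactly why “London (GMT+00:00)” is not the same as UTC and the Reykjavik entry is. The `UKClock` zone implements the UK clock-change rule (forward at 01:00 UTC on the last Sunday of March, back at 01:00 UTC on the last Sunday of October) by hand so that the example does not depend on a system tz database; `REYKJAVIK` is a fixed zero offset with no DST, which is what Iceland observes. The meeting times and dates are constructed.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed example. UKClock implements the UK clock-change rule (forward at
# 01:00 UTC on the last Sunday of March, back at 01:00 UTC on the last Sunday of
# October); REYKJAVIK is a fixed zero offset with no DST, which is what Iceland
# observes. Neither consults the system tz database.


def last_sunday(year, month):
    """Date of the last Sunday in the given month."""
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    last_day = first_of_next - timedelta(days=1)
    # weekday(): Monday=0 .. Sunday=6, so step back (weekday+1) % 7 days
    return last_day - timedelta(days=(last_day.weekday() + 1) % 7)


class UKClock(tzinfo):
    """Europe/London-style zone: GMT in winter, BST (+1h) in summer.

    Wall-clock times inside the transition hour itself are ambiguous or
    non-existent and are not specially handled here."""

    def _summer(self, naive_utc):
        start = last_sunday(naive_utc.year, 3).replace(hour=1)
        end = last_sunday(naive_utc.year, 10).replace(hour=1)
        return start <= naive_utc < end

    def utcoffset(self, dt):
        # dt is a wall-clock time; when BST applies, the UTC instant is one hour earlier
        wall = dt.replace(tzinfo=None)
        return timedelta(hours=1) if self._summer(wall - timedelta(hours=1)) else timedelta(0)

    def dst(self, dt):
        # London's standard offset is zero, so the whole offset is DST
        return self.utcoffset(dt)

    def tzname(self, dt):
        return "BST" if self.utcoffset(dt) else "GMT"


LONDON = UKClock()
REYKJAVIK = timezone(timedelta(0), "Reykjavik (UTC, no DST)")


def meeting_instant(year, month, day, hour, tz):
    """UTC instant of a meeting entered as hour:00 wall time in zone tz."""
    return datetime(year, month, day, hour, tzinfo=tz).astimezone(timezone.utc)


def summer_drift_hours(tz, hour=16, year=2013):
    """How many hours an hour:00 meeting in tz moves, in UTC, between mid-January and mid-July."""
    jan = meeting_instant(year, 1, 15, hour, tz)
    jul = meeting_instant(year, 7, 15, hour, tz)
    return jan.hour - jul.hour
```

A 16:00 meeting entered in the London zone lands at 16:00 UTC in January but 15:00 UTC in July; the same meeting entered in the Reykjavik zone stays at 16:00 UTC all year, which is the behaviour you want for a meeting actually scheduled in UTC.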

Google Groups Fail

Unfortunately, for the last few months, we have not been able to hook up newly-created discussion forums to Google Groups. This means that they don’t have a method of posting over the web and they don’t have a web-based archive. (Existing groups continue to function as normal). This is bug 716007 (although note that that bug started off covering a different syncing issue). mburns writes in another bug:

Essentially, Google Groups’ codebase is at a state that new newsgroups need to manually be added by the (one?) engineer working on it. This is a low-to-not-gonna-happen level priority for them.

The underlying issue was supposed to be resolved in March, with a new rollout of the GG codebase, but wasn’t. I’ve emailed them about the ~17 other newsgroups created since then that have issues, without response.

I am working with Corey Shields, who manages Mozilla’s Systems team, to try and figure out what long-term solutions and short-term mitigations we can put in place to make this less painful. In the mean time, people may want to use or repurpose existing groups for discussions rather than starting another one. (Please don’t go off and create random free mailing lists, at Google, Yahoo or anywhere else – it just makes Mozilla project communication more fragmented and makes it harder for new people to find the group they need.)

(This post may well start a thread about the best way to technically achieve Mozilla’s goals for public discussion. If so, this document will be very relevant; I’m getting my linkage in early :-)

Help Requested: Zimbra and Google Calendar

[Update: This turned up on Planet Mozilla, even though it was only published for a few minutes before being withdrawn, so to prevent 404s, I’m putting it back. But the answer appears to be: other people can see my free/busy information, so the person who reported a problem was probably looking in the wrong place. Zimbra actually works well and how you might expect it to.]

[On the principle of “if there’s no reason for it to be private, it should be public”…]

I use Google Calendar, and I’m very happy with it. The UI is excellent, it supports events starting and ending in different timezones for flights, I can open it in a tab in Thunderbird, and I can share it with my wife and see our calendars overlaid. It’s super. The only thing it lacks is offline support.

However, that means I don’t use Zimbra, the MoCo calendar. And so when people want to schedule meetings with me, they assume I am free all the time :-|.

Can anyone, probably a MoCo employee, tell me how to get Zimbra to give other people my correct free/busy information?

I have managed to import my Google Calendar into Zimbra as an external calendar. When I go to its properties, the checkbox “Exclude this calendar when reporting free/busy times” is unchecked. When I try and arrange a meeting, the Scheduler correctly shows when I am free and when I am busy. And yet, other people who try and arrange meetings involving me tell me that I still look to them like I’m free all the time.

Importantly, I want to solve this without having to share the details of what I am doing when with everyone. I only want to share free/busy information. The “Share Calendar” option looks like it’ll share too much.

Help? :-)

GSoC 2012 Project List

The Google Summer of Code kicked off two weeks ago, and I am pleased to list the 18 projects being done under the Mozilla banner. This is a 50% increase on last year; we are very grateful to Google for being so generous with slots. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. (Apart from those students who have not yet sent me this information; consider this a public reminder.) I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!

Project | Student | Mentor
Thunderbird: ‘No Reply’ Reminder | Han Lin | Jonathan Protzenko
Thunderbird: App Tabs | Nguyen Ngoc Trung | Mike Conley
Calendar: Improve Invitation Support | Christian Kulpa | Ludovic Marcotte
Dynamic MathML – Support <maction> | Andrii Zui | Fred Wang
HTML5 and CSS3 Examples on MDN | Vikash Agrawal | Jean-Yves Perrier
Get ISPDB Into Production | Sergio Charpinel | Blake Winton
Graphical Timeline of Browser Events | Girish Sharma | Panos Astithas
Improve Gmail Interoperability | Atul Jangra | David Bienvenu
Instantbird: Account Import Wizard | Will Nayes | Florian Quèze
L10n Tool for Standardization of Terms | Gautam Akiwate | Philippe Dessante
Meemoo Improvements | Vilson Vieira | Forrest Oliphant
Native Webapps Support on Linux | Marco Castelluccio | Felipe Gomes
Networking Dashboard | Jiten Thakkar | Patrick McManus
OpenBadges Back End Improvements | Matthew Ramir | Chris McAvoy
Port SuperTux to the Web | Xingxing Pan | Alon Zakai
Slide Drive Improvements | Jeremy Banks | Greg Wilson
User-Specified Content Security Policy | Kailas Ravsaheb Patil | Tanvi Vyas
WebSocket Testing Tool | Robert Koch | Yvan Boily