Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.
They may or may not be successful in doing that, but this implementation raises significant questions of privacy.
You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more information to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen does have a local whitelist for high traffic sites and so they don’t find out when you visit those sites. However (I assume), every certificate you encounter is sent to Microsoft, including high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every site your browser visits, not just the less common ones.
By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, SafeBrowsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to provide information to a third-party site. (Mozilla is currently evaluating CT.)
If I were someone who wanted to keep my privacy, I know which solution I’d prefer.
We’ve wrapped up another GSoC, with 20 of 21 projects passing – our highest pass percentage ever. Not all students emailed me the URL to their wrap-up status report (you might find some more by following the links in the original announcement) but I know that we have:
Which is a pretty awesome set of achievements. Well done to all the students, and many thanks to all their mentors.
I’m also pleased to announce that Florian Quèze, who has been administering the program alongside me this year, will be in the driving seat for next year’s GSoC – which will be the 10th anniversary edition. Wish him luck! :-)
The Google Summer of Code students got chosen 2 weeks ago, and I am pleased to list the 21 projects being done under the Mozilla banner – a new high for the Mozilla project. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!
Micire’s talk was an excellent example of what can happen when a device maker doesn’t lock down its device. It seems likely that no one at Google or Samsung considered the possibility of the Nexus S being used to control space robots when they built that phone. But because they didn’t lock it down, someone else did consider it—and then went out and actually made it happen.
– LWN (an awesome publication; do subscribe)
Summer of Code 2013 is on! The Mozilla Project is hoping to be involved again, so in the next five weeks we need to produce a list of suitable projects to support our application.
Can you think of an 8-week task you might be able to guide a student through? It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Firefox OS, Thunderbird, SeaMonkey, Bugzilla, L10n, NSS, IT, Documentation and many more.
If you have an idea, put it on the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.
 For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.
Every year since it began, Mozilla has been invited to take part in the Google Summer of Code. For the first few years, I wrote a summary of outcomes a few months after the close of the program. Recently, I’ve not had time to do so, but this year I’m back on the wagon.
I’m pleased to say that this year’s Summer of Code was extremely successful. Of the 18 projects (50% more than last year – many thanks, Google!), 17 were successful, and in the case of the other one, an unsuccessful applicant stepped in to complete the work for the love of the code. Now that’s dedication.
I’ve produced a table which lists the 17 successful projects, their original goals, what actually happened, and where you can find the code they wrote. So if there was a project you were following, you can find out what happened to it. The projects ranged widely across Mozilla-related activities, from Firefox to MDN, Instantbird to OpenBadges. Without wanting to upset anyone I don’t mention, particular highlights for me include native support for webapps on Linux in desktop Firefox, an addon to allow users to specify a Content Security Policy for particular sites, and some other improvements to Firefox and Thunderbird which (thanks to our rapid release process) are already shipping and making people’s lives better.
Thanks must go to all the students who took part, to the mentors who took time out to look after them, and to Google for funding and administering the program.
Google Calendar is great; I’m a big fan. A little while back, it acquired timezone support for events. More recently, it acquired split timezone support (start and end in different timezones), which is awesome for flights. And there’s a drop-down list of all the countries in the world with all of their applicable timezones. Surely that must be comprehensive, right?
Well, yes and no. I attend one meeting which is scheduled in UTC. There seems to be no entry in the massive timezone list for this. If you say you are in London (GMT+00:00), then your event will obey the UK DST rules, which means it won’t actually be in UTC during the summer.
However, there is a workaround. There is one country in the world which uses UTC and no DST – Iceland. So, if you want to have a meeting whose time is set year-round in UTC, then tell Google Calendar you are holding it in Rekjavik.
(It would be nice if Google would add an explicity “UTC” option to their massive timezones list, but this will do for now.)
Unfortunately, for the last few months, we have not been able to hook up newly-created discussion forums to Google Groups. This means that they don’t have a method of posting over the web and they don’t have a web-based archive. (Existing groups continue to function as normal). This is bug 716007 (although note that that bug started off covering a different syncing issue). mburns writes in another bug:
Essentially, Google Groups’ codebase is at a state that new newsgroups need to manually be added by the (one?) engineer working on it. This is a low-to-not-gonna-happen level priority for them.
The underlying issue was supposed to be resolved in March, with a new rollout of the GG codebase, but wasn’t. I’ve emailed them about the ~17 other newsgroups created since than that have issues, without response.
I am working with Corey Shields, who manages Mozilla’s Systems team, to try and figure out what long-term solutions and short-term mitigations we can put in place to make this less painful. In the mean time, people may want to use or repurpose existing groups for discussions rather than starting another one. (Please don’t go off and create random free mailing lists, at Google, Yahoo or anywhere else – it just makes Mozilla project communication more fragmented and makes it harder for new people to find the group they need.)
(This post may well start a thread about the best way to technically achieve Mozilla’s goals for public discussion. If so, this document will be very relevant; I’m getting my linkage in early :-)
[Update: This turned up on Planet Mozilla, even though it was only published for a few minutes before being withdrawn, so to prevent 404s, I'm putting it back. But the answer appears to be: other people can see my free/busy information, so the person who reported a problem was probably looking in the wrong place. Zimbra actually works well and how you might expect it to.]
[On the principle of "if there's no reason for it to be private, it should be public"...]
I use Google Calendar, and I’m very happy with it. The UI is excellent, it supports events starting and ending in different timezones for flights, I can open it in a tab in Thunderbird, and I can share it with my wife and see our calendars overlaid. It’s super. The only thing it lacks is offline support.
However, that means I don’t use Zimbra, the MoCo calendar. And so when people want to schedule meetings with me, they assume I am free all the time :-|.
Can anyone, probably a MoCo employee, tell me how to get Zimbra to give other people my correct free/busy information?
I have managed to import my Google Calendar into Zimbra as an external calendar. When I go to its properties, the checkbox “Exclude this calendar when reporting free/busy times” is unchecked. When I try and arrange a meeting, the Scheduler correctly shows when I am free and when I am busy. And yet, other people who try and arrange meetings involving me tell me that I still look to them like I’m free all the time.
Importantly, I want to solve this without having to share the details of what I am doing when with everyone. I only want to share free/busy information. The “Share Calendar” option looks like it’ll share too much.
The Google Summer of Code kicked off two weeks ago, and I am pleased to list the 18 projects being done under the Mozilla banner. This is a 50% increase on last year; we are very grateful to Google for being so generous with slots. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. (Apart from those students who have not yet sent me this information; consider this a public reminder.) I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!
Student Applications for the Google Summer of Code 2012 are now open. If you are a student and want to spend your summer hacking on cool software and potentially making a difference to the lives of millions of people, read the Mozilla list of ideas (or come up with your own), and apply. Need a summer job? Flip bits, not burgers!
Established Mozilla people: if you know someone who’s a student, please get them to consider applying!
Total Google searches since March 2010: 10679. That’s an average of 14.6 a day. And they keep track not only of what I’ve searched for, but where I went afterwards. Across web search, images, maps, the lot.
Delete your web history today if it scares you, too.
Google has announced that they will be running the Summer of Code again this year, 2012. The Mozilla Project has had the honour of participating in every SoC so far, and intends to submit a request to take part again. This means we need to produce a list of suitable student projects in the next four weeks.
For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.
It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Thunderbird, Camino, SeaMonkey, Bugzilla, L10n, NSS, B2G, IT and many more. Can you think of an 8-week-sized task you might be able to guide a student through?
If you have a proposal, head over to the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.
Note that, in order to have much chance of going ahead, ideas need to have a suitable mentor. So if you submit an idea and you aren’t available to or suitable to mentor it, you may want to go about trying to find one by politely emailing experienced hackers in the appropriate areas of the code.
It has been suggested that if SOPA or PIPA pass, then sites with user-generated content would need to review it all manually for copyright violations.
What would it look like for YouTube, if a reviewer had to watch every minute of video?
- About 48 hours of video a minute is uploaded to YouTube (that figure is from May 2011, so it’s probably more now, but let’s go with that as a conservative estimate)
- 48 hours a minute is 483,840 hours a week
- If the reviewers worked 40-hour weeks, you would need 12,096 of them (plus a thousand or so more for holiday cover) – call it 13,000
- If you paid them all at the US Federal minimum wage of about $15,000, it would cost $195 million per year.
But, of course, you couldn’t start the reviewers straight out of high school. First, they’d need to watch the 100 years of video which has been submitted to YouTube by content owners, so they knew a copyright violation when they saw one. (They wouldn’t be able to detect copyright violations of the content of independent filmmakers or individuals, but hey, this system isn’t about them, is it?)
The problem is that after watching 100 years of video, those who aren’t dead would have pretty poor eyesight. It would also introduce an unacceptable delay in getting the system up and running. So the job needs to be parallelized. Specialization is the key. One set of reviewers could watch all the musicals, and another could focus on vampire movies. (They might need paying extra.) If we got each trainee reviewer to spend 3 years exclusively watching Hollywood movies, TV network serials and listening to major-label music (drawing parallels with the average college degree is left as an exercise for the reader) then we could get the system up and running faster. However, we’d need 33 times more reviewers – 429,000 in all, making the cost $6.4 billion.
For comparison, 429,000 people is about 1 in 30 of the entire jobless population of the USA, and $6.4 billion is approximately 60% of Google’s annual profits. These resources would be spent entirely on content checking for YouTube, without considering Google’s other sites which take user-generated content, or Facebook, or any other social site.
There is just too much user-generated content to check it all manually, and automatic methods will never be 100% effective. So how do SOPA proponents expect that sites like YouTube can possibly remain open and legal? It’s impossible.
It seems that Google has not yet managed to implement “Don’t Be Evil” worldwide in their organization.
Here is the story of representatives of Google systematically lying about their relationship with another company (whose public directory they were using to get contacts) in order to get business. Stefan Magdalinski (who I have met a couple of times) has amassed a conclusive portfolio of evidence, including taped phone conversations, of a persistent campaign of such lies.
These people were clearly working to a script. Therefore, someone somewhere within Google authorized these call centre employees in Kenya and India to lie about Google’s relationship with Mocality. That person should be fired.
We recently saw Google do the right thing in relation to another part of their company which had broken their advertising guidelines. Let’s hope we will see the same again.
[Update 2012-01-17: The plot thickens.]