Google Safe Browsing Now Blocks “Deceptive Software”

From the Google Online Security blog:

Starting next week, we’ll be expanding Safe Browsing protection against additional kinds of deceptive software: programs disguised as a helpful download that actually make unexpected changes to your computer—for instance, switching your homepage or other browser settings to ones you don’t want.

I posted a comment asking:

How is it determined, and who determines, what software falls into this category and is therefore blocked?

However, this question has not been approved for publication, let alone answered :-( At Mozilla, we recognise exactly the behaviour this initiative is trying to stop, but without written criteria, transparency and accountability, this could easily devolve into “Chrome now blocks software Google doesn’t like.” Which would be concerning.

Firefox uses the Google Safe Browsing service, but enhancements to it are not necessarily automatically reflected in the APIs we use, so I’m not certain whether or not Firefox would also be blocking software Google doesn’t like – and, if it did, whether we would get some input into the list.

Someone else asked:

So this will block flash player downloads from https://get.adobe.com/de/flashplayer/ because it unexpectedly changed my default browser to Google Chrome?!

Kudos to Google for at least publishing that comment, but it also hasn’t been answered. Perhaps this change might signal a move by Google away from deals which sideload Chrome? That would be most welcome.

IE11, Certificates and Privacy

Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.

They may or may not be successful in doing that, but this implementation raises significant questions of privacy.

SmartScreen is a service which submits the full URLs you visit in IE (including query strings) to Microsoft for reputation checking and possible blocking. Microsoft tries to reassure users by pointing out that this information travels to them over SSL, but that doesn’t help much. It means an attacker who controls the network can’t read your browsing from this particular traffic – but if they control your network, they can already see a great deal about where you are browsing anyway. And Microsoft has full access to the data. The link to “our privacy statement” in the original SmartScreen announcement is, rather worryingly, broken. This is the current one, and it also tells us that “Each SmartScreen request comes with a unique identifier.” That identifier doesn’t contain any personal information, but it does allow Microsoft, or someone else with a subpoena, to reconstruct an IE user’s browsing history simply by joining up all the requests that carry the same identifier. The privacy policy also says nothing about whether Microsoft might use this information to, e.g., find out what’s currently trending on the web. It seems they don’t need to provide a popular analytics service to get that sort of insight.

You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen has a local whitelist of high-traffic sites, so Microsoft doesn’t find out when you visit those. However (I assume), every certificate you encounter is sent to Microsoft, including those of high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every HTTPS site your browser visits, not just the less common ones.

By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, Safe Browsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. (The downloaded list contains only 32-bit prefixes of hashed URL fragments. On the rare occasions when a visited URL hashes to one of those prefixes, the browser asks Google for the full hashes behind that single prefix and does the final comparison locally; the URL itself still never leaves the machine.) And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to report what it sees to a third-party site. (Mozilla is currently evaluating CT.)

If I were someone who wanted to keep my privacy, I know which solution I’d prefer.
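To make the privacy difference concrete, here is an added example (not Mozilla’s or Google’s code) of a Safe Browsing-style local lookup. It follows the shape of the client protocol – hashed host-suffix/path-prefix expressions, a downloaded list holding only 4-byte hash prefixes, and a full-hash request only on a prefix hit – but the canonicalisation is deliberately simplified (no IP-address hosts, percent-decoding or fragment handling), and the single list entry and the URLs are constructed test data. The point it demonstrates is what `check_url` reports as having left the client: nothing for almost every URL, and at most a 4-byte prefix otherwise.

```python
"""Simplified Safe Browsing-style local lookup (added example, not Mozilla's or
Google's code). Protocol shape only; real canonicalisation rules are omitted.
All list entries and URLs below are constructed test data."""
from __future__ import annotations

import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # the downloaded list carries 4-byte (32-bit) hash prefixes


def lookup_expressions(url: str) -> list[str]:
    """Host/path combinations the client hashes for one URL.

    Hosts: the exact host plus up to four trailing-label suffixes (never the
    bare TLD). Paths: path with query, path without query, and the directory
    prefixes "/", "/a/", "/a/b/", ... (up to four).
    """
    parts = urlsplit(url.strip().lower())
    host = (parts.hostname or "").strip(".")
    path = parts.path or "/"

    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)][:4]

    paths: list[str] = []
    if parts.query:
        paths.append(f"{path}?{parts.query}")
    paths.append(path)
    dirs = [seg for seg in path.split("/") if seg][:-1]  # drop the leaf component
    prefixes = ["/"]
    acc = "/"
    for seg in dirs[:3]:
        acc += seg + "/"
        prefixes.append(acc)
    for p in prefixes:
        if p not in paths:
            paths.append(p)
    return [h + p for h in hosts for p in paths]


def full_hash(expression: str) -> bytes:
    """List entries and lookups both hash the canonical expression with SHA-256."""
    return hashlib.sha256(expression.encode("utf-8")).digest()


def build_local_list(entries: list[str]) -> set[bytes]:
    """What the client downloads: prefixes only, so even the list itself does
    not tell the client which URLs are on it."""
    return {full_hash(e)[:PREFIX_LEN] for e in entries}


def build_server_index(entries: list[str]) -> dict[bytes, set[bytes]]:
    """Server side: prefix -> every full hash sharing it (returned on request)."""
    index: dict[bytes, set[bytes]] = {}
    for e in entries:
        h = full_hash(e)
        index.setdefault(h[:PREFIX_LEN], set()).add(h)
    return index


def check_url(url: str, local_prefixes: set[bytes],
              server_index: dict[bytes, set[bytes]]) -> tuple[bool, list[bytes]]:
    """Return (blocked, prefixes_sent_to_server).

    The second element is everything that would leave the client: an empty
    list for the vast majority of URLs, and a 4-byte prefix (not the URL, not
    even the full hash) when the local list gives a hit.
    """
    sent: list[bytes] = []
    for expr in lookup_expressions(url):
        h = full_hash(expr)
        prefix = h[:PREFIX_LEN]
        if prefix not in local_prefixes:
            continue
        sent.append(prefix)                      # full-hash request for this prefix
        if h in server_index.get(prefix, set()):  # final comparison happens locally
            return True, sent
    return False, sent


# Constructed sample list: one "malware" entry; nothing here is a real site.
BAD_ENTRIES = ["malware.example.test/payload/"]
LOCAL_PREFIXES = build_local_list(BAD_ENTRIES)
SERVER_INDEX = build_server_index(BAD_ENTRIES)

if __name__ == "__main__":
    for u in ("https://www.example.com/",
              "http://www.malware.example.test/payload/dropper.exe?x=1"):
        blocked, sent = check_url(u, LOCAL_PREFIXES, SERVER_INDEX)
        print(f"{u}\n  blocked={blocked} sent={[p.hex() for p in sent]}")
```

Running it shows the clean URL producing no outbound request at all, and the listed one producing a single 4-byte prefix before being blocked; a prefix collision on an innocent URL would produce the same 4-byte request and then a local miss, which is exactly the bound on what Google learns.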

GSoC 2013 Successes

We’ve wrapped up another GSoC, with 20 of 21 projects passing – our highest pass percentage ever. Not all students emailed me the URL to their wrap-up status report (you might find some more by following the links in the original announcement) but I know that we have:

Which is a pretty awesome set of achievements. Well done to all the students, and many thanks to all their mentors.

I’m also pleased to announce that Florian Quèze, who has been administering the program alongside me this year, will be in the driving seat for next year’s GSoC – which will be the 10th anniversary edition. Wish him luck! :-)

GSoC 2013 Project List

The Google Summer of Code students got chosen 2 weeks ago, and I am pleased to list the 21 projects being done under the Mozilla banner – a new high for the Mozilla project. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!

Project | Student | Mentor
Improving Text Selection and Rotation in PDF.js | Srishti Srivastava | Bill Walker
Designing Hacktivities (Meemoo) | Matthias Brown | Forrest Oliphant
Dynamically Configurable Actions add-on (ZAP) | Alessandro Secco | Simon Bennetts
Autosuggest Search Engines (Firefox) | Sankha Narayan Guria | Matthew Noorenberghe
Clearer Add-on Installation (Firefox) | Sachin Hosmani | Jorge Villalobos
Enhanced Customization APIs (Firefox) | Riadh Chtara | Kris Maglione
Additional JavaScript Protocol Plug-ins – Yahoo! (Instantbird) | Quentin Headen | Patrick Cloke
Awesometab (Instantbird) | Nihanth Subramanya | Benedikt Pfeifer
Profile in the Cloud (PiCl) Client (Firefox OS) | Akshay Katyal | Jed Parsons
Prototype HTTP/2 Server | Gábor Molnár | Nick Hurley
Debug Symbol Generation (Rust) | Michael Woerister | Josh Matthews
Implement Branch Prediction (IonMonkey) | Wei Wu | Nicolas B. Pierron
Make Firefox Developer Tools Compatible With Thunderbird | Philipp Kewisch | Mike Conley
Security Report (Firefox) | Kailas Ravsaheb Patil | Mark Goodwin
CSS Generation Tools (MDN) | Gabriel Ivanica | Jean-Yves Perrier
Unit Tests for Mozbase | Anhad Jai Singh | Clint Talbert
Backend Connectors for Ensemble (Thunderbird) | Jonathan Demelo | Mike Conley
Localization Dashboard | Berker Peksag | John Karahalis
FileLinks in Instant Messages (Instantbird) | Atul Jangra | Florian Quèze
Sample Apps for Firefox Marketplace Developer Hub (Firefox OS) | Andre Alves Garzia | Marcos Caceres
about:memory for Real People (Firefox) | Abhishek Choudhary | Felipe Gomes

No One Considered…

Micire’s talk was an excellent example of what can happen when a device maker doesn’t lock down its device. It seems likely that no one at Google or Samsung considered the possibility of the Nexus S being used to control space robots when they built that phone. But because they didn’t lock it down, someone else did consider it—and then went out and actually made it happen.

LWN (an awesome publication; do subscribe)

Summer of Code 2013

Summer of Code[0] 2013 is on! The Mozilla Project is hoping to be involved again, so in the next five weeks we need to produce a list of suitable projects to support our application.

Can you think of an 8-week task you might be able to guide a student through? It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Firefox OS, Thunderbird, SeaMonkey, Bugzilla, L10n, NSS, IT, Documentation and many more.

If you have an idea, put it on the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.

[0] For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.

Summer of Code 2012 Outcomes

Every year since it began, Mozilla has been invited to take part in the Google Summer of Code. For the first few years, I wrote a summary of outcomes a few months after the close of the program. Recently, I’ve not had time to do so, but this year I’m back on the wagon.

I’m pleased to say that this year’s Summer of Code was extremely successful. Of the 18 projects (50% more than last year – many thanks, Google!), 17 were successful, and in the case of the other one, an unsuccessful applicant stepped in to complete the work for the love of the code. Now that’s dedication.

I’ve produced a table which lists the 17 successful projects, their original goals, what actually happened, and where you can find the code they wrote. So if there was a project you were following, you can find out what happened to it. The projects ranged widely across Mozilla-related activities, from Firefox to MDN, Instantbird to OpenBadges. Without wanting to upset anyone I don’t mention, particular highlights for me include native support for webapps on Linux in desktop Firefox, an addon to allow users to specify a Content Security Policy for particular sites, and some other improvements to Firefox and Thunderbird which (thanks to our rapid release process) are already shipping and making people’s lives better.

Thanks must go to all the students who took part, to the mentors who took time out to look after them, and to Google for funding and administering the program.

Google Calendar, and Meetings in UTC: The ‘Reykjavik Trick’

Google Calendar is great; I’m a big fan. A little while back, it acquired timezone support for events. More recently, it acquired split timezone support (start and end in different timezones), which is awesome for flights. And there’s a drop-down list of all the countries in the world with all of their applicable timezones. Surely that must be comprehensive, right?

Well, yes and no. I attend one meeting which is scheduled in UTC. There seems to be no entry in the massive timezone list for this. If you say you are in London (GMT+00:00), then your event will obey the UK DST rules, which means it won’t actually be in UTC during the summer.

However, there is a workaround. Iceland keeps UTC all year round and has no DST (a handful of West African countries, Ghana among them, do the same, but Reykjavik is the well-known choice). So, if you want to have a meeting whose time is set year-round in UTC, then tell Google Calendar you are holding it in Reykjavik.

(It would be nice if Google would add an explicit “UTC” option to their massive timezones list, but this will do for now.)
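An added illustration of why the workaround is needed (example code, not anything from Google Calendar): it converts a 16:00 wall-clock meeting placed in “London” and in “Reykjavik” to the UTC instant it actually lands on, month by month. The UK rule (clocks go forward at 01:00 UTC on the last Sunday of March and back at 01:00 UTC on the last Sunday of October) is coded explicitly so the script runs without a timezone database; the Iceland rule is simply “always UTC”. The year 2013 and the 15th-of-the-month sample dates are arbitrary choices.

```python
"""Wall-clock meeting time in 'London' vs 'Reykjavik' -> UTC instant.
Added example, not Google Calendar code. UK DST rule coded by hand so no tz
database is needed; 2013 and the 15th of each month are arbitrary samples."""
from __future__ import annotations

import calendar
from datetime import date, datetime, time, timedelta, timezone

ONE_HOUR = timedelta(hours=1)


def last_sunday(year: int, month: int) -> date:
    """Date of the last Sunday in the given month (weekday(): Monday=0 .. Sunday=6)."""
    last_day = date(year, month, calendar.monthrange(year, month)[1])
    return last_day - timedelta(days=(last_day.weekday() - 6) % 7)


def london_offset(instant: datetime) -> timedelta:
    """UTC offset of Europe/London at a UTC instant: +1h during British Summer Time."""
    y = instant.year
    bst_start = datetime.combine(last_sunday(y, 3), time(1), tzinfo=timezone.utc)
    bst_end = datetime.combine(last_sunday(y, 10), time(1), tzinfo=timezone.utc)
    return ONE_HOUR if bst_start <= instant < bst_end else timedelta(0)


def reykjavik_offset(instant: datetime) -> timedelta:
    """Iceland keeps UTC all year round, no DST."""
    return timedelta(0)


ZONE_OFFSETS = {"London": london_offset, "Reykjavik": reykjavik_offset}


def wall_clock_to_utc(day: date, wall: time, zone: str) -> datetime:
    """The UTC instant a calendar entry at `wall` on `day` in `zone` lands on.

    The offset depends on the instant itself, so read the wall time as UTC,
    apply the offset, and re-evaluate once. Two passes are enough here
    because none of the sample times fall inside a transition hour.
    """
    offset_of = ZONE_OFFSETS[zone]
    as_utc = datetime.combine(day, wall, tzinfo=timezone.utc)
    first_guess = as_utc - offset_of(as_utc)
    return as_utc - offset_of(first_guess)


def utc_hour_of_meeting(year: int, month: int, day: int, wall_hour: int, zone: str) -> int:
    """UTC hour of a meeting entered as `wall_hour`:00 in `zone` on that date."""
    return wall_clock_to_utc(date(year, month, day), time(wall_hour), zone).hour


def monthly_utc_hours(year: int, wall_hour: int, zone: str) -> dict[int, int]:
    """Month -> UTC hour of a recurring entry at `wall_hour`:00 in `zone` (15th of each month)."""
    return {m: utc_hour_of_meeting(year, m, 15, wall_hour, zone) for m in range(1, 13)}


if __name__ == "__main__":
    for zone in ZONE_OFFSETS:
        print(zone, monthly_utc_hours(2013, 16, zone))
```

The “London” row lands at 16:00 UTC from November to March and at 15:00 UTC from April to October, which is the drift the post describes; the “Reykjavik” row is 16:00 UTC in every month.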

Google Groups Fail

Unfortunately, for the last few months, we have not been able to hook up newly-created discussion forums to Google Groups. This means that they don’t have a method of posting over the web and they don’t have a web-based archive. (Existing groups continue to function as normal). This is bug 716007 (although note that that bug started off covering a different syncing issue). mburns writes in another bug:

Essentially, Google Groups’ codebase is at a state that new newsgroups need to manually be added by the (one?) engineer working on it. This is a low-to-not-gonna-happen level priority for them.

The underlying issue was supposed to be resolved in March, with a new rollout of the GG codebase, but wasn’t. I’ve emailed them about the ~17 other newsgroups created since then that have issues, without response.

I am working with Corey Shields, who manages Mozilla’s Systems team, to try and figure out what long-term solutions and short-term mitigations we can put in place to make this less painful. In the meantime, people may want to use or repurpose existing groups for discussions rather than starting another one. (Please don’t go off and create random free mailing lists, at Google, Yahoo or anywhere else – it just makes Mozilla project communication more fragmented and makes it harder for new people to find the group they need.)

(This post may well start a thread about the best way to technically achieve Mozilla’s goals for public discussion. If so, this document will be very relevant; I’m getting my linkage in early :-)

Help Requested: Zimbra and Google Calendar

[Update: This turned up on Planet Mozilla, even though it was only published for a few minutes before being withdrawn, so to prevent 404s, I'm putting it back. But the answer appears to be: other people can see my free/busy information, so the person who reported a problem was probably looking in the wrong place. Zimbra actually works well and how you might expect it to.]

[On the principle of "if there's no reason for it to be private, it should be public"...]

I use Google Calendar, and I’m very happy with it. The UI is excellent, it supports events starting and ending in different timezones for flights, I can open it in a tab in Thunderbird, and I can share it with my wife and see our calendars overlaid. It’s super. The only thing it lacks is offline support.

However, that means I don’t use Zimbra, the MoCo calendar. And so when people want to schedule meetings with me, they assume I am free all the time :-|.

Can anyone, probably a MoCo employee, tell me how to get Zimbra to give other people my correct free/busy information?

I have managed to import my Google Calendar into Zimbra as an external calendar. When I go to its properties, the checkbox “Exclude this calendar when reporting free/busy times” is unchecked. When I try and arrange a meeting, the Scheduler correctly shows when I am free and when I am busy. And yet, other people who try and arrange meetings involving me tell me that I still look to them like I’m free all the time.

Importantly, I want to solve this without having to share the details of what I am doing when with everyone. I only want to share free/busy information. The “Share Calendar” option looks like it’ll share too much.

Help? :-)

GSoC 2012 Project List

The Google Summer of Code kicked off two weeks ago, and I am pleased to list the 18 projects being done under the Mozilla banner. This is a 50% increase on last year; we are very grateful to Google for being so generous with slots. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. (Apart from those students who have not yet sent me this information; consider this a public reminder.) I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!

Project | Student | Mentor
Thunderbird: ‘No Reply’ Reminder | Han Lin | Jonathan Protzenko
Thunderbird: App Tabs | Nguyen Ngoc Trung | Mike Conley
Calendar: Improve Invitation Support | Christian Kulpa | Ludovic Marcotte
Dynamic MathML – Support <maction> | Andrii Zui | Fred Wang
HTML5 and CSS3 Examples on MDN | Vikash Agrawal | Jean-Yves Perrier
Get ISPDB Into Production | Sergio Charpinel | Blake Winton
Graphical Timeline of Browser Events | Girish Sharma | Panos Astithas
Improve Gmail Interoperability | Atul Jangra | David Bienvenu
Instantbird: Account Import Wizard | Will Nayes | Florian Quèze
L10n Tool for Standardization of Terms | Gautam Akiwate | Philippe Dessante
Meemoo Improvements | Vilson Vieira | Forrest Oliphant
Native Webapps Support on Linux | Marco Castelluccio | Felipe Gomes
Networking Dashboard | Jiten Thakkar | Patrick McManus
OpenBadges Back End Improvements | Matthew Ramir | Chris McAvoy
Port SuperTux to the Web | Xingxing Pan | Alon Zakai
Slide Drive Improvements | Jeremy Banks | Greg Wilson
User-Specified Content Security Policy | Kailas Ravsaheb Patil | Tanvi Vyas
WebSocket Testing Tool | Robert Koch | Yvan Boily

Summer of Code Applications Open

Student Applications for the Google Summer of Code 2012 are now open. If you are a student and want to spend your summer hacking on cool software and potentially making a difference to the lives of millions of people, read the Mozilla list of ideas (or come up with your own), and apply. Need a summer job? Flip bits, not burgers!

Established Mozilla people: if you know someone who’s a student, please get them to consider applying!

Summer of Code 2012

Google has announced that they will be running the Summer of Code again this year, 2012. The Mozilla Project has had the honour of participating in every SoC so far, and intends to submit a request to take part again. This means we need to produce a list of suitable student projects in the next four weeks.

For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.

It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Thunderbird, Camino, SeaMonkey, Bugzilla, L10n, NSS, B2G, IT and many more. Can you think of an 8-week-sized task you might be able to guide a student through?

If you have a proposal, head over to the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.

Note that, in order to have much chance of going ahead, ideas need to have a suitable mentor. So if you submit an idea and you aren’t available to or suitable to mentor it, you may want to go about trying to find one by politely emailing experienced hackers in the appropriate areas of the code.

The Impossibility Of SOPA

It has been suggested that if SOPA or PIPA pass, then sites with user-generated content would need to review it all manually for copyright violations.

What would it look like for YouTube, if a reviewer had to watch every minute of video?

  • About 48 hours of video a minute is uploaded to YouTube (that figure is from May 2011, so it’s probably more now, but let’s go with that as a conservative estimate)
  • 48 hours a minute is 483,840 hours a week
  • If the reviewers worked 40-hour weeks, you would need 12,096 of them (plus a thousand or so more for holiday cover) – call it 13,000
  • If you paid them all at the US Federal minimum wage of about $15,000, it would cost $195 million per year.

But, of course, you couldn’t start the reviewers straight out of high school. First, they’d need to watch the 100 years of video which has been submitted to YouTube by content owners, so they knew a copyright violation when they saw one. (They wouldn’t be able to detect copyright violations of the content of independent filmmakers or individuals, but hey, this system isn’t about them, is it?)

The problem is that after watching 100 years of video, those who aren’t dead would have pretty poor eyesight. It would also introduce an unacceptable delay in getting the system up and running. So the job needs to be parallelized. Specialization is the key. One set of reviewers could watch all the musicals, and another could focus on vampire movies. (They might need paying extra.) If we got each trainee reviewer to spend 3 years exclusively watching Hollywood movies, TV network serials and listening to major-label music (drawing parallels with the average college degree is left as an exercise for the reader) then we could get the system up and running faster. However, we’d need 33 times more reviewers – 429,000 in all, making the cost $6.4 billion.

For comparison, 429,000 people is about 1 in 30 of the entire jobless population of the USA, and $6.4 billion is approximately 60% of Google’s annual profits. These resources would be spent entirely on content checking for YouTube, without considering Google’s other sites which take user-generated content, or Facebook, or any other social site.

There is just too much user-generated content to check it all manually, and automatic methods will never be 100% effective. So how do SOPA proponents expect that sites like YouTube can possibly remain open and legal? It’s impossible.