HSBC Weakens Their Internet Banking Security

From a recent email about “changes to your terms and conditions”. (“Secure Key” is their dedicated keyfob 2-factor solution; it’s currently required both to log in and to pay a new payee. It’s rather well done.)

These changes will also enable us to introduce some enhancements to our service over the coming months. You’ll still have access to the full Internet Banking service by logging on with your Secure Key, but in addition, you’ll also be able to log in to a limited service when you don’t use your Secure Key – you’ll simply need to verify your identity by providing other security information we request. We’ll contact you again to let you know when this new feature becomes available to you.

Full details of all the changes can be found below which you should read carefully. If you choose not to accept the changes, you have the right to ask us to stop providing you with the [Personal Internet Banking] service, before they come into effect. If we don’t hear from you, we’ll assume that you accept the changes.

Translation: we are lowering the security we use to protect your account information from unauthorised viewing and, as long as you still want to be able to access your account online at all, there’s absolutely nothing you can do about it.

Absence

I will be away and without email from Thu 14th August to Friday 22nd August, and then mostly away from email for the following week as well (until Friday 29th August).

Accessing Vidyo Meetings Using Free Software: Help Needed

For a long time now, Mozilla has been a heavy user of the Vidyo video-conferencing system. Like Skype, it’s a “pretty much just works” solution where, sadly, the free software and open standards solutions don’t yet cut it in terms of usability. We hope WebRTC might change this. Anyway, in the meantime, we use it, which means that Mozilla staff have had to use a proprietary client, and those without a Vidyo login of their own have had to use a Flash applet. Ick. (I use a dedicated Android tablet for Vidyo, so I don’t have to install either.)

However, this sad situation may now have changed. In this bug, it seems that SIP and H.263/H.264 gateways have been enabled on our Vidyo setup, which should enable people to call in using standards-compliant free software clients. However, I can’t get video to work properly, using Linphone. Is there anyone out there in the Mozilla world who can read the bug and figure out how to do it?

It’s Not All About Efficiency

Delegation is not merely a way to spread the workload around; it is also a political and social tool. Consider all the effects when you ask someone to do something. The most obvious effect is that, if he accepts, he does the task and you don’t. But another effect is that he is made aware that you trusted him to handle the task. Furthermore, if you made the request in a public forum, then he knows that others in the group have been made aware of that trust too. He may also feel some pressure to accept, which means you must ask in a way that allows him to decline gracefully if he doesn’t really want the job. If the task requires coordination with others in the project, you are effectively proposing that he become more involved, form bonds that might not otherwise have been formed, and perhaps become a source of authority in some subdomain of the project. The added involvement may be daunting, or it may lead him to become engaged in other ways as well, from an increased feeling of overall commitment.

Because of all these effects, it often makes sense to ask someone else to do something even when you know you could do it faster or better yourself.

— Karl Fogel, Producing Open Source Software

Laziness

Dear world,

This week, I ordered Haribo Jelly Rings on eBay and had them posted to me. My son brought them from the front door to my office and I am now eating them.

That is all.

Fraudulent Passport Price List

This is a list (URL acquired from spam) of prices for fraudulent (but perhaps “genuine” in terms of the materials used, I don’t know) passports, driving licenses and ID cards. It is a fascinating insight into the relative security of the identification systems of a number of countries. Of course, the prices may also factor in the economic value of the passport, but it’s interesting that a Canadian passport is more expensive than a US one. That probably reflects difficulty of obtaining the passport rather than the greater desirability of Canada over the US. (Sorry, Canadians, I know you’d disagree! Still, you can be happy at the competence and lack of corruption in your passport service.)

One interesting thing to note is that one of the joint lowest-price countries, Latvia (€900), is a member of the EU. A Latvian passport allows you to live and work in any EU country, even Germany, which has the most expensive passports (€5200). The right to live anywhere in the EU – yours for only €900…

It is also interesting to sort by passport price and see whether the other prices follow the same curve. A discrepancy may indicate particularly weak or strong security. So Russian ID cards are cheaper than one might expect, whereas Belgian ones are more expensive. Austrian and Belgian driver’s licenses also seem to be particularly hard to forge, but the prize there goes to the UK, which has the top-priced spot (€2000). I wonder if that’s related to the fact that the UK doesn’t have ID cards, so the driver’s license often functions as one?

Here is the data in spreadsheet form (ODS), so you can sort and analyse, and just in case the original page disappears…

Why Do Volunteers Work On Free Software Projects?

Why do volunteers work on free software projects?

When asked, many claim they do it because they want to produce good software, or want to be personally involved in fixing the bugs that matter to them. But these reasons are usually not the whole story. After all, could you imagine a volunteer staying with a project even if no one ever said a word in appreciation of his work, or listened to him in discussions? Of course not. Clearly, people spend time on free software for reasons beyond just an abstract desire to produce good code. Understanding volunteers’ true motivations will help you arrange things so as to attract and keep them. The desire to produce good software may be among those motivations, along with the challenge and educational value of working on hard problems. But humans also have a built-in desire to work with other humans, and to give and earn respect through cooperative activities. Groups engaged in cooperative activities must evolve norms of behavior such that status is acquired and kept through actions that help the group’s goals.

— Karl Fogel, Producing Open Source Software

The Latest Airport Security Theatre

All passengers flying into or out of the UK are being advised to ensure electronic and electrical devices in hand luggage are sufficiently charged to be switched on.

All electronic devices? Including phones, right? So you must be concerned that something dangerous could be concealed inside a package the size of a phone. And including laptops, right? Which are more than big enough to contain said dangerous phone-sized electronics package in the CD drive bay, or the PCMCIA slot, and still work perfectly. Or, the evilness could even be occupying 90% of the body of the laptop, while the other 10% is taken up by an actual phone wired to the display and the power button which shows a pretty picture when the laptop is “switched on”.

Or are the security people going to make us all run 3 applications of their choice and take a selfie using the onboard camera to demonstrate that the device is actually fully working, and not just showing a static image?

I can’t see this as being difficult to engineer around. And meanwhile, it will cause even more problems trying to find charging points in airports. Particularly for people who are transferring from one long flight to another.

Spending Our Money Twice

Mozilla Corporation is considering moving its email and calendaring infrastructure from an in-house solution to an outsourced one, seemingly primarily for cost but also for other reasons such as some long-standing bugs and issues. The in-house solution is corporate-backed open source, the outsourced solution under consideration is closed source. (The identities of the two vendors concerned are well-known, but are not relevant to appreciate the point I am about to make.) MoCo IT estimates the outsourced solution as one third of the price of doing it in-house, for equivalent capabilities and reliability.

I was pondering this, and the concept of value for money. Clearly, it makes sense that we avoid spending multiple hundreds of thousands of dollars that we don’t need to. That prospect makes the switch very attractive. Money we don’t spend on this can be used to further our mission. However, we also need to consider how the money we do spend on this furthers our mission.

Here’s what I mean: I understand that we don’t want to self-host. IT has enough to do. I also understand that it may be that no-one is offering to host an open source solution that meets our feature requirements. And the “Mozilla using proprietary software or web services” ship hasn’t just sailed, it’s made it to New York and is half way back and holding an evening cocktail party on the poop deck. However, when we do buy in proprietary software or services, I assert we should nevertheless aim to give our business to companies which are otherwise aligned with our values. That means whole-hearted support for open protocols and data formats, and for the open web. For example, it would be odd to be buying in services from a company who had refused to, or dragged their feet about, making their web sites work on Firefox for Android or Firefox OS.

If we deploy our money in this way, then we get to “spend it twice” – it gets us the service we are paying for, and it supports companies who will spend it again to bring about (part of) the vision of the world we want to see. So I think that a values alignment between our vendors and us (even if their product is not open source) is something we should consider strongly when outsourcing any service. It may give us better value for money even if it’s a little more expensive.

Success Is Not Inevitable

Last week, the Policy, Legal and Business Development teams had a 2-day get-together, and one thing I came to understand much more clearly is something I think that many Mozillians need to take to heart: success is not inevitable.

For the first few years of Mozilla’s life, we didn’t have much success. Then, a combination of good code, good grassroots marketing, sleeping or absent competitors and favourable market conditions saw Firefox take off and reach a desktop market share north of 25%. That was five years ago, and we’ve been trying to hold on to it since. We haven’t entirely succeeded, but it might be easy to imagine that Firefox on the desktop will be around and relevant forever.

But working really hard, and knowing that what you are doing is the right thing for the world, are not enough by themselves to guarantee that you succeed. There’s no law of the universe which says that Google have to keep giving us a search deal on better (or even the same) terms, particularly if our market share falls. That may happen, or it may not. And there’s no law which says that Firefox OS has to be a success. If what we build isn’t the right thing, carriers will stop stocking and promoting Firefox OS phones, and the world will be left with a choice of Apple, Google or Microsoft.

Mozilla’s way of working has always been to get market share by making great products, and use that to make our voice heard. We aren’t an advocacy-only organization.

Back when we did Firefox, our future, and our ability to get that market share, was in our own hands. If we wrote great software, users could download and install it themselves, and that was it. No-one was stopping consumers from installing any software they wanted. No-one was stopping OEMs from shipping copies of Firefox with their machines. We didn’t have to worry about proprietary hardware. There were no web features which couldn’t be implemented in open source code.

In the new world, our future and our ability to gain market share are not entirely in our own hands. We need partnerships to reach consumers. Business partnerships involve giving someone something they want in return for something you want, and they mean that usually you don’t get everything you want, but have to compromise. The need to partner and the need to compromise are relatively new and difficult things for Mozilla. Such agreements often come with obligations, which, in their most general form, amount to the loss of the ability to choose exactly what we are going to do, because we are constrained by our promises. As an organization, particularly as an engineering organization, we don’t like that.

But operators are only going to carry and promote Firefox OS phones if they think it’s in their best interests to do so. And consumers are only going to buy them if they think they are better for what they want to do than the alternatives. “Why this rather than Android?” is a question to which we need a good answer.

If we want Firefox OS to be a success, we need partners, and we need to provide what those partners want, while holding on to our principles. What they want may well not be “software for us”, or even “software for people we know”. And that means we need to listen to the people within Mozilla who talk to them and report back to us. That’s the Business Development team – who currently have a pretty low community profile. Perhaps that needs to change.

Success is not inevitable – but it is still possible, if we carry on producing software that succeeds in the market. But how we find out what that means has changed, and we as Mozilla need to make sure we adapt to that, and listen in the right places.

Slavery…

I got the following (presumably misdirected) email at licensing@mozilla.org:

If I go on several sites that show adult videos for free on streaming it’s because I need to see that kind of thing! Just don’t ask me why! I don’t intend to hurt anybody. I just want to get fed up with it! As you know, I never download and I’ve been told it was free to see as long as you don’t share!
Please, let me see what I want? I’m completely out of money

How sad :-(

Jesus replied, ‘Very truly I tell you, everyone who sins is a slave to sin. Now a slave has no permanent place in the family, but a son belongs to it for ever. So if the Son sets you free, you will be free indeed.’

John 8:34-36

To Serve Users

My honourable friend Bradley Kuhn thinks Mozilla should serve its users by refusing to give them what they want.

[Clarificatory update: I wrote this post before I’d seen the official FSF position; the below was a musing on the actions of the area of our community to which Bradley ideologically belongs, not an attempt to imply he speaks for the FSF or wrote their opinion. Apologies if that was not clear. And I’m a big fan of (and member of) the FSF; the below criticisms were voiced by private mail at the time.]

One weakness I have seen in the FSF, in things like the PlayOgg and PDFReaders campaigns, is that they think that lecturing someone about what they should want rather than (or before) giving them what they do want is a winning strategy. Both of the websites for those campaigns started with large blocks of text so that the user couldn’t possibly avoid finding out exactly what the FSF position was in detail before actually getting their PDF reader or playback software. (Notably missing from the campaigns, incidentally, were any sense that the usability of the recommended software was at all a relevant factor.)

Bradley’s suggestion is that, instead of letting users watch the movies they want to watch, we should lecture them about how they shouldn’t want it – or should refuse to watch them until Hollywood changes its tune on DRM. I think this would have about as much success as PlayOgg and PDFReaders (link:pdfreaders.org: 821 results).

It’s certainly true that Mozilla has a different stance here. We have influence because we have market share, and so preserving and increasing that market share is an important goal – and one that’s difficult to attain. And we think our stance has worked rather well; over the years, the Mozilla project has been a force for good on the web that other organizations, for whatever reason, have not managed to be. But we aren’t invincible – we don’t win every time. We didn’t win on H.264, although the deal with Cisco to drive the cost of support to $0 everywhere at least allowed us to live to fight another day. And we haven’t, yet, managed to find a way to win on DRM. The question is: is software DRM on the desktop the issue we should die on a hill over? We don’t think so.

Bradley accuses us of selling out on our principles regarding preserving the open web. But making a DRM-free web is not within our power at the moment. Our choice is not between “DRM on the web” and “no DRM on the web”, it’s between “allow users to watch DRMed videos” and “prevent users from watching DRMed videos”. And we think the latter is a long-term losing strategy, not just for the fight on DRM (if Firefox didn’t exist, would our chances of a DRM-free web be greater?), but for all the other things Mozilla is working for. (BTW, Mitchell’s post does not call open source “merely an approach”, it calls it “Mozilla’s fundamental approach”. That’s a pretty big misrepresentation.)

Accusing someone of having no principles because they don’t always get their way when competing in markets where they are massively outweighed is unfair. Bradley would have us slide into irrelevance rather than allow users to continue to watch DRMed movies in Firefox. He’s welcome to recommend that course of action, but we aren’t going to take it.

How We Should Be

Four weeks ago, I posted about Who We Are and How We Should Be. I wrote:

As I see it, the principle behind the [Community Participation Guidelines] was, in regard to non-mission things: leave it outside. We agreed to agree on the mission, and agreed to disagree on everything else. And, the hope was, that created a safe space for everyone to collaborate on what we agreed on, and put our combined efforts into keeping the Internet open and free.

Is that CPG principle still the right one? Are the CPGs the best expression of it?

Following on from Who We Are, here is my answer to How We Should Be.

I think the principle is still the right one, but the CPGs could express it better.

The CPGs have many good things about them, and I think that they did a good job of defusing the difficulties in our community at the time they were written in 2012. But they still very much bear the marks of the worldview of the person who wrote them. (This is not surprising or in itself worthy of criticism; it’s very difficult to write in a way which does not show one’s own worldview.)

The world the CPGs conjure up is one where there are two groups of people. There are those who are wholeheartedly for “inclusion and diversity” in every way – let’s call them group A. And those who “identify with activities or organizations that do not support the same inclusion and diversity standards as Mozilla” – let’s call them group B.

The CPGs seem to have the following assumptions:

  1. Attacks on Mozilla’s inclusivity and diversity will only come from group B;
  2. Anyone who supports exclusionary practices in some other sphere (i.e. those in group B) is likely to want to see them in Mozilla;
  3. The key thing is to keep support for exclusion out of “Mozilla spaces”, so they remain safe for people who would otherwise feel or be excluded.

Therefore people in group B need constraining, such that “support for exclusionary practices in non-Mozilla activities [is] not … expressed in Mozilla spaces”. And so that is what the CPGs say.

However, in the recent series of unfortunate events, the attacks on Mozilla’s inclusivity and diversity came from people who would self-identify with group A (not matching assumption 1) and were directed at someone who, by long example, clearly did not match assumption 2. Support for exclusion (or, at least, for restriction) was expressed by some Mozillians in a very public way, but it was not in a specifically Mozilla space – yet it clearly resulted in exclusion, and in damage to the project and its mission. So assumption 3 didn’t really hold either.

It is true that the CPGs also restrict people in group A, in that they are conditionally asked to “treat [support for exclusionary practices outside Mozilla] as a private matter, not a Mozilla issue”, and that was not done in this case. That is a matter of deep regret. But I don’t think the consequential and conditional statement here gives full and clear force to the strong need for both sides to understand that disagreements of this kind within Mozilla are deeply damaging to our unity and capability as a project.

So, I think we would do well to redefine our alliance as a community. This would involve rewriting the CPGs in a way which expresses the principle of “agree to disagree on non-mission things” more evenhandedly and broadly, and making it clear that it applies to everyone, in all the Mozilla-related communications they make, wherever they are made. I think we must abandon the distinction between Mozilla and non-Mozilla spaces. It clearly wasn’t useful in staving off the damage in this case, and as a definition it always had boundary problems anyway. On today’s internet, it doesn’t matter where you express something – it can be around the world in an instant. And if we move to that model, in order to avoid unfairly restricting people’s speech wherever they may be talking, we would also need to change our attitude to the content of what people say. Instead of “don’t talk about that here”, we should instead affirm the principle of “I disapprove of what you say, but I will defend to the death your right to say it”.

That is not to argue for carte blanche for people to fill up Mozilla communications channels with political advocacy of one sort or another. Most of our channels have a concept of “off-topic”, and that would not change. But only a project dominated by a small group of people from a single consistent political ideology could ever hope to have and maintain a policy of “do not ever even expose me to ideas with which I disagree”. And, as an international project with big growth ambitions, Mozilla is not, and should not be, such a project.

Respectfully expressing opinions – in any space – should be fine; calling for exclusion from or demotion in Mozilla due to those opinions – in any space – should not be.