Google have just published the draft spec for a protocol called Roughtime, which allows clients to determine the time to within the nearest 10 seconds or so without the need for an authoritative trusted timeserver. One part of their ecosystem document caught my eye – it’s like a small “chaos monkey” for protocols, where their server intentionally sends out a small subset of responses with various forms of protocol error:
A healthy software ecosystem doesn’t arise by specifying how software should behave and then assuming that implementations will do the right thing. Rather we plan on having Roughtime servers return invalid, bogus answers to a small fraction of requests. These bogus answers would contain the wrong time, but would also be invalid in another way. For example, one of the signatures might be incorrect, or the tags in the message might be in the wrong order. Client implementations that don’t implement all the necessary checks would find that they get nonsense answers and, hopefully, that will be sufficient to expose bugs before they turn into a Blackhat talk.
The fascinating thing about this is that it’s a complete reversal of the ancient Postel’s Law regarding internet protocols:
Be conservative in what you send, be liberal in what you accept.
This behaviour instead requires implementations to be conservative in what they accept, otherwise they will get garbage data. And it also involves being, if not liberal, then certainly occasionally non-conforming in what they send.
Postel’s law has long been criticised for leading to interoperability issues – see HTML for an example of how accepting anything can be a nightmare, with the WHAT-WG having to come along and spec things much more tightly later. However, simply reversing the second half to be conservative in what you accept doesn’t work well either – see XHTML/XML and the yellow screen of death for an example of a failure to solve the HTML problem that way. This type of change wouldn’t work in many protocols, but the particular design of this one, where you have to ask a number of different servers for their opinion, makes it possible. It will be interesting to see whether reversing Postel will lead to more interoperable software. Let’s call it “Langley’s Law”:
Be occasionally evil in what you send, and conservative in what you accept.
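As an added illustration (not code from the Roughtime project or from the original post), here is a strict parser for a tagged-message framing modelled on Roughtime's: a tag count, value offsets, 4-byte tags, then the values. The exact layout and the strictly-increasing tag rule are assumptions made for this example, and signature verification is not shown. A reply whose tags are in the wrong order is rejected outright rather than tolerated.

```python
import struct

class BogusMessage(ValueError):
    """Any framing violation: the whole reply must be discarded."""

def encode(pairs):
    """Serialise (4-byte tag, value) pairs in the order given, without sorting,
    so that a deliberately mis-ordered message can be built for testing."""
    ends, pos = [], 0
    for _, value in pairs[:-1]:
        pos += len(value)
        ends.append(pos)                       # offset where the next value starts
    header = struct.pack("<I", len(pairs))
    header += b"".join(struct.pack("<I", e) for e in ends)
    header += b"".join(tag for tag, _ in pairs)
    return header + b"".join(value for _, value in pairs)

def parse_strict(buf):
    """Return {tag: value}, or raise BogusMessage on the first violation."""
    if len(buf) < 4 or len(buf) % 4:
        raise BogusMessage("length is not a positive multiple of 4")
    (n,) = struct.unpack_from("<I", buf, 0)
    if n == 0 or 8 * n > len(buf):             # header is 4 + 4(n-1) + 4n = 8n bytes
        raise BogusMessage("empty or oversized tag count")
    offsets = struct.unpack_from("<%dI" % (n - 1), buf, 4)
    tags = struct.unpack_from("<%dI" % n, buf, 4 * n)
    if any(a >= b for a, b in zip(tags, tags[1:])):
        raise BogusMessage("tags not in strictly increasing order")
    body = buf[8 * n:]
    bounds = (0,) + offsets + (len(body),)
    out = {}
    for tag, lo, hi in zip(tags, bounds, bounds[1:]):
        if lo % 4 or lo > hi:                  # unaligned or overlapping values
            raise BogusMessage("bad value offset")
        out[struct.pack("<I", tag)] = body[lo:hi]
    return out

def accepts(buf):
    """True only if the message passes every framing check."""
    try:
        parse_strict(buf)
        return True
    except BogusMessage:
        return False

# Constructed sample values, not captured from a real server.
FIELDS = [(b"SIG\x00", b"\x11" * 64), (b"PATH", b""), (b"INDX", b"\x00" * 4)]
GOOD = encode(FIELDS)
SWAPPED = encode([FIELDS[1], FIELDS[0], FIELDS[2]])   # same fields, wrong tag order
```

A lenient parser that simply looked fields up by tag would accept SWAPPED and GOOD alike, which is exactly the class of client the deliberately bogus replies are meant to flush out.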
Compare and contrast: a Wall Street Journal article linked directly, and one reached via Google (click the top link in the search results). The former leads to a preview and a paywall (or, at least, a signupwall), the latter does not.
The press are so concerned about the dominance of Google, at least in Europe, that they are making various (also foot-shooting) moves to try and bring in ancillary copyright. So why, I wonder, is the WSJ enhancing that dominance by privileging Google users over other users in terms of access to their content?
Google recently released an update to End-to-End, their communications security tool. As part of the announcement, they said:
We’re migrating End-To-End to GitHub. We’ve always believed strongly that End-To-End must be an open source project, and we think that using GitHub will allow us to work together even better with the community.
They didn’t specifically say how it was hosted before, but a look at the original announcement tells us it was here – on Google Code. And indeed, when you visit that link now, it says “Project “end-to-end” has moved to another location on the Internet”, and offers a link to the GitHub repo.
Is Google admitting that Google Code just doesn’t cut it any more? It certainly doesn’t have anything like the feature set of GitHub. Will we see it in the next round of Google spring-cleaning in 2015?
From the Google Online Security blog:
Starting next week, we’ll be expanding Safe Browsing protection against additional kinds of deceptive software: programs disguised as a helpful download that actually make unexpected changes to your computer—for instance, switching your homepage or other browser settings to ones you don’t want.
I posted a comment asking:
How is it determined, and who determines, what software falls into this category and is therefore blocked?
However, this question has not been approved for publication, let alone answered :-( At Mozilla, we recognise exactly the behaviour this initiative is trying to stop, but without written criteria, transparency and accountability, this could easily devolve into “Chrome now blocks software Google doesn’t like.” Which would be concerning.
Firefox uses the Google Safe Browsing service but enhancements to it are not necessarily automatically reflected in the APIs we use, so I’m not certain whether or not Firefox would also be blocking software Google doesn’t like, and if it did, whether we would get some input into the list.
Someone else asked:
So this will block flash player downloads from https://get.adobe.com/de/flashplayer/ because it unexpectedly changed my default browser to Google Chrome?!
Kudos to Google for at least publishing that comment, but it also hasn’t been answered. Perhaps this change might signal a move by Google away from deals which sideload Chrome? That would be most welcome.
Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.
They may or may not be successful in doing that, but this implementation raises significant questions of privacy.
You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more information to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen does have a local whitelist for high traffic sites and so they don’t find out when you visit those sites. However (I assume), every certificate you encounter is sent to Microsoft, including high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every site your browser visits, not just the less common ones.
By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, SafeBrowsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to provide information to a third-party site. (Mozilla is currently evaluating CT.)
If I were someone who wanted to keep my privacy, I know which solution I’d prefer.
We’ve wrapped up another GSoC, with 20 of 21 projects passing – our highest pass percentage ever. Not all students emailed me the URL to their wrap-up status report (you might find some more by following the links in the original announcement) but I know that we have:
Which is a pretty awesome set of achievements. Well done to all the students, and many thanks to all their mentors.
I’m also pleased to announce that Florian Quèze, who has been administering the program alongside me this year, will be in the driving seat for next year’s GSoC – which will be the 10th anniversary edition. Wish him luck! :-)
The Google Summer of Code students got chosen 2 weeks ago, and I am pleased to list the 21 projects being done under the Mozilla banner – a new high for the Mozilla project. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!
Micire’s talk was an excellent example of what can happen when a device maker doesn’t lock down its device. It seems likely that no one at Google or Samsung considered the possibility of the Nexus S being used to control space robots when they built that phone. But because they didn’t lock it down, someone else did consider it—and then went out and actually made it happen.
— LWN (an awesome publication; do subscribe)
Summer of Code 2013 is on! The Mozilla Project is hoping to be involved again, so in the next five weeks we need to produce a list of suitable projects to support our application.
Can you think of an 8-week task you might be able to guide a student through? It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Firefox OS, Thunderbird, SeaMonkey, Bugzilla, L10n, NSS, IT, Documentation and many more.
If you have an idea, put it on the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.
For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.
Every year since it began, Mozilla has been invited to take part in the Google Summer of Code. For the first few years, I wrote a summary of outcomes a few months after the close of the program. Recently, I’ve not had time to do so, but this year I’m back on the wagon.
I’m pleased to say that this year’s Summer of Code was extremely successful. Of the 18 projects (50% more than last year – many thanks, Google!), 17 were successful, and in the case of the other one, an unsuccessful applicant stepped in to complete the work for the love of the code. Now that’s dedication.
I’ve produced a table which lists the 17 successful projects, their original goals, what actually happened, and where you can find the code they wrote. So if there was a project you were following, you can find out what happened to it. The projects ranged widely across Mozilla-related activities, from Firefox to MDN, Instantbird to OpenBadges. Without wanting to upset anyone I don’t mention, particular highlights for me include native support for webapps on Linux in desktop Firefox, an addon to allow users to specify a Content Security Policy for particular sites, and some other improvements to Firefox and Thunderbird which (thanks to our rapid release process) are already shipping and making people’s lives better.
Thanks must go to all the students who took part, to the mentors who took time out to look after them, and to Google for funding and administering the program.
Google Calendar is great; I’m a big fan. A little while back, it acquired timezone support for events. More recently, it acquired split timezone support (start and end in different timezones), which is awesome for flights. And there’s a drop-down list of all the countries in the world with all of their applicable timezones. Surely that must be comprehensive, right?
Well, yes and no. I attend one meeting which is scheduled in UTC. There seems to be no entry in the massive timezone list for this. If you say you are in London (GMT+00:00), then your event will obey the UK DST rules, which means it won’t actually be in UTC during the summer.
However, there is a workaround. There is one country in the world which uses UTC and no DST – Iceland. So, if you want to have a meeting whose time is set year-round in UTC, then tell Google Calendar you are holding it in Reykjavik.
(It would be nice if Google would add an explicit “UTC” option to their massive timezones list, but this will do for now.)
Unfortunately, for the last few months, we have not been able to hook up newly-created discussion forums to Google Groups. This means that they don’t have a method of posting over the web and they don’t have a web-based archive. (Existing groups continue to function as normal). This is bug 716007 (although note that that bug started off covering a different syncing issue). mburns writes in another bug:
Essentially, Google Groups’ codebase is at a state that new newsgroups need to manually be added by the (one?) engineer working on it. This is a low-to-not-gonna-happen level priority for them.
The underlying issue was supposed to be resolved in March, with a new rollout of the GG codebase, but wasn’t. I’ve emailed them about the ~17 other newsgroups created since then that have issues, without response.
I am working with Corey Shields, who manages Mozilla’s Systems team, to try and figure out what long-term solutions and short-term mitigations we can put in place to make this less painful. In the meantime, people may want to use or repurpose existing groups for discussions rather than starting another one. (Please don’t go off and create random free mailing lists, at Google, Yahoo or anywhere else – it just makes Mozilla project communication more fragmented and makes it harder for new people to find the group they need.)
(This post may well start a thread about the best way to technically achieve Mozilla’s goals for public discussion. If so, this document will be very relevant; I’m getting my linkage in early :-)
[Update: This turned up on Planet Mozilla, even though it was only published for a few minutes before being withdrawn, so to prevent 404s, I’m putting it back. But the answer appears to be: other people can see my free/busy information, so the person who reported a problem was probably looking in the wrong place. Zimbra actually works well and how you might expect it to.]
[On the principle of “if there’s no reason for it to be private, it should be public”…]
I use Google Calendar, and I’m very happy with it. The UI is excellent, it supports events starting and ending in different timezones for flights, I can open it in a tab in Thunderbird, and I can share it with my wife and see our calendars overlaid. It’s super. The only thing it lacks is offline support.
However, that means I don’t use Zimbra, the MoCo calendar. And so when people want to schedule meetings with me, they assume I am free all the time :-|.
Can anyone, probably a MoCo employee, tell me how to get Zimbra to give other people my correct free/busy information?
I have managed to import my Google Calendar into Zimbra as an external calendar. When I go to its properties, the checkbox “Exclude this calendar when reporting free/busy times” is unchecked. When I try and arrange a meeting, the Scheduler correctly shows when I am free and when I am busy. And yet, other people who try and arrange meetings involving me tell me that I still look to them like I’m free all the time.
Importantly, I want to solve this without having to share the details of what I am doing when with everyone. I only want to share free/busy information. The “Share Calendar” option looks like it’ll share too much.
The Google Summer of Code kicked off two weeks ago, and I am pleased to list the 18 projects being done under the Mozilla banner. This is a 50% increase on last year; we are very grateful to Google for being so generous with slots. The name of each student is linked to the location where they will be posting weekly updates on their progress, if you want to follow along with a project you are interested in. (Apart from those students who have not yet sent me this information; consider this a public reminder.) I’m sure they would appreciate any help or advice you have :-) Please make them feel welcome!
Student Applications for the Google Summer of Code 2012 are now open. If you are a student and want to spend your summer hacking on cool software and potentially making a difference to the lives of millions of people, read the Mozilla list of ideas (or come up with your own), and apply. Need a summer job? Flip bits, not burgers!
Established Mozilla people: if you know someone who’s a student, please get them to consider applying!