“Outstanding Requests” Whining

We want to take some action about outstanding requests (review, approval, feedback, etc.) in Bugzilla. Leaving requests outstanding for a long time is particularly demotivating to new contributors. There is a plan.

One action we are taking: we are enhancing Bugzilla to send a weekly email to anyone who has an outstanding request older than 7 days, listing the bugs on which their requests can be found. A sample of such an email is below. So expect it, and we hope this gentle reminder will encourage people to keep their turnaround times short.

We have written a draft guide to what is and isn’t acceptable community practice in responding to requests. Review of this document, and whether the community norms it attempts to establish are realistic, would be appreciated.

The metrics team plan to roll out some Bugzilla metrics very soon, which will enable us to track how successful this drive is.

Sample request whine mail:

Here are your outstanding requests older than 7 days:

review
------

  Bug 1: Hollywood Bowl has majority market share (76 days old)
    http://bmo-4.0.localhost/show_bug.cgi?id=1

  Bug 11: Lane 12 keeps racking up only nine pins (75 days old)
    http://bmo-4.0.localhost/show_bug.cgi?id=11

  Bug 12: Bowling ball holes are too small (71 days old)
    http://bmo-4.0.localhost/show_bug.cgi?id=12

  Bug 13: Pins keep getting racked upside down (65 days old)
    http://bmo-4.0.localhost/show_bug.cgi?id=13

wanted
------

  Bug 3: Vending machine does not accept 10p pieces (8 days old)
    http://bmo-4.0.localhost/show_bug.cgi?id=3

To see all your outstanding requests, visit:
http://bmo-4.0.localhost/request.cgi?action=queue&requestee=email@example.com&group=type

For guidance on handling requests, see:
https://wiki.mozilla.org/BMO/Handling_Requests

How To Say Goodbye To Twelve Million Dollars

“We want to emphasize that the bankruptcy filing by DigiNotar, which was primarily a certificate authority, does not involve VASCO’s core two-factor authentication business,” said Jan Valcke, VASCO’s President and COO. “While we do not plan to re-enter the certificate authority business in the near future, we expect that we will be able to integrate the PKI/identity verification technology acquired from DigiNotar into our core authentication platform. As a result, we expect to be able to offer a stronger authentication product line in the coming year to our traditional customers.”

The entire press release sends a very clear message. And that is: “Investors, please stop selling VASCO stock!”

It’s interesting that just after the 19th of July, the day the DigiNotar breach was discovered internally, there is a significant fall of VASCO stock on a larger-than-normal volume. 1/4 of the share value was lost – that’s a significant decrease. It would be interesting to know who exactly decided to sell at that point…

Watch It And Weep

This YouTube video, from the newly-released Fox-IT report into the DigiNotar compromise, demonstrates the extent of the failure. Every red dot is an OCSP hit for the *.google.com certificate, indicating that someone in Iran was successfully MITMed, giving the attacker access to their private Google data. There were over 300,000 unique IPs over the course of a month (August 4th to 29th). See page 8 of the report.
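The reason the responder log can be turned into a victim map is that a browser only asks an OCSP responder about a certificate it has actually been served: every request naming the rogue certificate's serial number comes from a client that was, at that moment, being intercepted. The following Python is an added example (not code from Fox-IT or from the original post) of that detection logic: it pulls the CertID serial number out of OCSP GET requests in an Apache-style responder access log and counts unique client IPs per day for one serial. The serial numbers, IPs and log lines are constructed placeholders, not values from the report; the DER helpers are minimal and written for this example only, and POST-style OCSP requests (whose body a plain access log does not contain) are not handled.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import quote, unquote

# ---- minimal DER helpers, written for this example (not a general ASN.1 library) ----
def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def der_int(value: int) -> bytes:
    """Positive INTEGER; the extra 0x00 keeps a set high bit from reading as a sign."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, i: int = 0):
    """Return (tag, value, next_offset) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def children(body: bytes):
    """Iterate the (tag, value) pairs packed inside a constructed type."""
    i = 0
    while i < len(body):
        tag, value, i = read_tlv(body, i)
        yield tag, value

SHA1_ALG = der(0x30, bytes.fromhex("06052b0e03021a") + b"\x05\x00")  # AlgorithmIdentifier { id-sha1, NULL }

def build_ocsp_request(serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { reqCert CertID } } } }.
    Issuer name/key hashes are dummy constants; only the serial matters for this example."""
    cert_id = der(0x30, SHA1_ALG + der(0x04, b"\x11" * 20) + der(0x04, b"\x22" * 20) + der_int(serial))
    request, request_list = der(0x30, cert_id), None
    request_list = der(0x30, request)
    return der(0x30, der(0x30, request_list))

def serials_in_ocsp_request(raw: bytes) -> list:
    """Every CertID.serialNumber in a DER OCSPRequest. Optional fields carry context
    tags (0xA0..0xA2), so at each level the SEQUENCE we want is the only 0x30 child."""
    _, ocsp_body, _ = read_tlv(raw)
    serials = []
    for tag, tbs in children(ocsp_body):            # tbsRequest, optionalSignature [0]
        if tag != 0x30:
            continue
        for tag2, req_list in children(tbs):        # version [0], requestorName [1], requestList, ext [2]
            if tag2 != 0x30:
                continue
            for _, request in children(req_list):   # Request { reqCert, singleRequestExtensions [0] }
                cert_id = next(v for t, v in children(request) if t == 0x30)
                serials += [int.from_bytes(v, "big") for t, v in children(cert_id) if t == 0x02]
    return serials

# Apache-style access log; an OCSP GET path is the URL-encoded base64 DER request (RFC 2560 A.1.1).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+)[^\]]*\] "GET /(?P<b64>[^ "]+) HTTP/[\d.]+"')

def make_log_line(ip: str, stamp: str, serial: int) -> str:
    """Constructed sample log line for the example (no real traffic)."""
    b64 = base64.b64encode(build_ocsp_request(serial)).decode()
    return f'{ip} - - [{stamp}] "GET /{quote(b64, safe="")} HTTP/1.1" 200 1587'

def victims_by_day(log_lines, rogue_serial: int) -> dict:
    """'DD/Mon/YYYY' -> set of client IPs that asked about rogue_serial that day."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            serials = serials_in_ocsp_request(base64.b64decode(unquote(m["b64"])))
        except Exception:                           # not an OCSP request, or malformed DER
            continue
        if rogue_serial in serials:
            seen[m["day"]].add(m["ip"])
    return dict(seen)

def unique_victims(by_day: dict) -> set:
    return set().union(*by_day.values()) if by_day else set()

ROGUE_SERIAL = 0x0102030405060708   # placeholder, not the real serial of the rogue *.google.com cert
OTHER_SERIAL = 0x0BADC0DE           # placeholder for a legitimately issued certificate
SAMPLE_LOG = [                      # constructed lines; documentation IP ranges only
    make_log_line("198.51.100.7", "04/Aug/2011:10:15:01 +0000", ROGUE_SERIAL),
    make_log_line("198.51.100.7", "04/Aug/2011:10:16:44 +0000", ROGUE_SERIAL),   # same client again
    make_log_line("198.51.100.23", "04/Aug/2011:11:02:09 +0000", ROGUE_SERIAL),
    make_log_line("203.0.113.5", "04/Aug/2011:11:30:00 +0000", OTHER_SERIAL),    # legitimate cert: ignored
    make_log_line("198.51.100.23", "05/Aug/2011:08:00:12 +0000", ROGUE_SERIAL),  # same client, next day
    make_log_line("198.51.100.99", "05/Aug/2011:09:41:37 +0000", ROGUE_SERIAL),
    '192.0.2.1 - - [05/Aug/2011:09:42:00 +0000] "GET /index.html HTTP/1.1" 404 209',  # not OCSP
]

if __name__ == "__main__":
    by_day = victims_by_day(SAMPLE_LOG, ROGUE_SERIAL)
    for day, ips in sorted(by_day.items()):
        print(day, len(ips), "unique IPs")
    print("total unique IPs:", len(unique_victims(by_day)))
```

Counting IPs rather than requests is what makes the per-day figure meaningful: a single intercepted client checks the certificate repeatedly, and the same IP recurring on later days is one victim, not several. An IP is still not a person; NAT and proxies mean the 300,000 figure is a lower bound on clients and says nothing exact about users.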

Build Tool Name Shortage

This is a public service announcement. If you plan to write a build tool, please note that there is a rapidly developing shortage of prefix letters. As of this writing, the following names are already taken:

That leaves only ‘a’, ‘l’ and ‘s’ in the Basic Latin alphabet.

Our advance knowledge of upcoming projects suggests that letter exhaustion could occur as soon as February 2012. We are attempting to move to a Unicode-based naming system to provide room for expansion, permitting names like €make, ☮make, and ♥make. In the meantime, we advise attempting greater naming creativity.

Message To Iranians

I have just read part of the unreleased Fox-IT report on DigiNotar, which should be published in full soon. This should already have been obvious from what is publicly known, but if you are in Iran, you should:

  • Update your browser and/or Windows (in Firefox: go to Firefox menu | Help | About Firefox)
  • Log out of and back into every email and social media service you have (to invalidate any captured cookies) – particularly ones on this list
  • Change your password for each of those sites

Anyone: feel free to publicize this.

Updated DigiNotar CN List

I don’t work on Sundays, but the list of confirmed misissued DigiNotar certs is now up to 531, with a mix of the following CNs:

*.*.com
*.*.org
*.10million.org
*.android.com
*.aol.com
*.azadegi.com
*.balatarin.com
*.comodo.com
*.digicert.com
*.globalsign.com
*.google.com
*.JanamFadayeRahbar.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.mozilla.org
*.RamzShekaneBozorg.com
*.SahebeDonyayeDigital.com
*.skype.com
*.startssl.com
*.thawte.com
*.torproject.org
*.walla.co.il
*.windowsupdate.com
*.wordpress.com
addons.mozilla.org
azadegi.com
Comodo Root CA
CyberTrust Root CA
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
GlobalSign Root CA
login.live.com
login.yahoo.com
my.screenname.aol.com
secure.logmein.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
www.10million.org
www.balatarin.com
www.cia.gov
www.cybertrust.com
www.Equifax.com
www.facebook.com
www.globalsign.com
www.google.com
www.hamdami.com
www.mossad.gov.il
www.sis.gov.uk
www.update.microsoft.com

I’d be interested to know if there are any clients in which those first two certs would actually work.
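For reference, here is the wildcard rule a client following RFC 6125 (and the stricter practice of browsers, which also refuse a wildcard with fewer than two labels after it) applies when deciding whether a certificate name covers a hostname, as an added Python example that is not the author's code. Run against a subset of the CNs above, it shows that `*.*.com` and `*.*.org` match nothing under those rules, while `*.google.com` covers `www.google.com` and `mail.google.com` but not `google.com` or `a.b.google.com`. The two-labels-after-the-wildcard restriction and the rejection of partial-label wildcards (`f*.example.com`) are the browser conventions assumed here; real clients additionally consult the public suffix list and prefer subjectAltName entries over the CN, neither of which is modelled.

```python
def matches_hostname(presented: str, reference: str) -> bool:
    """Does a certificate name (CN or dNSName) cover the hostname the client connected to?

    Rules applied (RFC 6125 plus the usual browser restrictions, assumed here):
    labels compare case-insensitively; a wildcard must be the entire left-most label,
    there may be only one, it matches exactly one label, and at least two labels must
    follow it. Hence "*.com" and "*.*.com" can never match anything."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if "" in p or "" in r or "*" in reference:      # empty label, or a wildcard in the hostname itself
        return False
    if "*" not in presented:
        return p == r                               # plain name: exact match only
    if presented.count("*") != 1 or p[0] != "*" or len(p) < 3:
        return False                                # repeated, partial, misplaced or too-high wildcard
    return len(p) == len(r) and p[1:] == r[1:]      # wildcard consumes exactly one label

MISISSUED_CNS = [  # a subset of the CNs listed above
    "*.*.com", "*.*.org", "*.google.com", "www.google.com", "*.walla.co.il",
    "friends.walla.co.il", "twitter.com", "*.torproject.org", "login.live.com",
]

def covering_identifiers(cns, hostname: str) -> list:
    """Which names from the list a conforming client would accept for hostname."""
    return [cn for cn in cns if matches_hostname(cn, hostname)]

if __name__ == "__main__":
    for host in ["www.google.com", "mail.google.com", "google.com", "a.b.google.com", "www.example.com"]:
        print(f"{host:18} <- {covering_identifiers(MISISSUED_CNS, host) or 'nothing on the list'}")
```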

Batches were signed on the 10th, 18th and 20th of July. I have no expiry date information for the expanded list.

There are two new intermediates I haven’t seen before: “Koninklijke Notariele Beroepsorganisatie CA” and “Stichting TTP Infos CA”. Any info about those would be appreciated.

DigiNotar Compromise: PostScript

[Update 2011-09-05: To be clear, I posted this because it was funny, not because I have anything against Wikipedians, or the Dutch Wikipedia community. Also, I was asking for Dutch-speaking people to help with the program we had for warning webmasters; I was not asking for them to put anything on or make changes to the Dutch Wikipedia.]

Once we decided to remove DigiNotar’s root certificate from our trusted store, I started a crowdsourced effort to warn webmasters who were using certificates which chained to this root. This required Dutch-speaking people to read Dutch websites and work out how to contact the webmaster. This is a partial and slightly tweaked transcript of some of my attempt to persuade the occupants of the wikipedia-nl channel on FreeNode to help:

(21:31:51) gerv: This organization has issued an unknown number of bad certificates to evil people,
(21:31:56) gerv: perhaps like the government of Iran.
(21:32:07) gerv: That government is now using those certificates to spy on Iranians.
(21:32:47) Brimz: gerv: do write the article first and then we act
(21:32:54) gerv: Er, what?
(21:32:56) Brimz: this is wikipedia you know
(21:33:02) Brimz: it's all about articles here
(21:33:05) gerv: Let me put it another way.
(21:33:11) gerv: If you guys don’t help me,
(21:33:14) Brimz: let me put it in another way
(21:33:17) gerv: tomorrow morning the Dutch people will wake up
(21:33:21) gerv: and 700 of their websites,
(21:33:25) gerv: including a lot of Government websites,
(21:33:25) Brimz: this channel is only about wikipedia
(21:33:27) gerv: won’t work any more,
(21:33:35) Brimz: we don't care
(21:33:39) gerv: and I’m hoping you care enough about your countrymen
(21:33:40) gerv: to help.
(21:33:48) Brimz: we only care about the encyclopedia
(21:33:59) Brimz: sorry
(21:34:00) gerv: Really?
(21:34:05) Brimz: yes
(21:34:06) gerv: No friends, family, tulips, canals, love, sunsets?
(21:34:12) Brimz: we are very narrow minded people

DigiNotar Compromise: Webmaster Notification Crowdsourcing

A Dutch CA called DigiNotar has suffered a security breach. Mozilla is removing trust from their root certificate – we hope to release updates today. We have used the EFF SSL Observatory data to make a list of affected websites (those whose certificates chain up to the DigiNotar root[0]). We want to warn the webmasters of these sites that they need to get new certificates ASAP. And that’s where we use the power of the community :-)

If you can read Dutch, we would appreciate your help. There is a Google Docs spreadsheet with the list of affected sites and instructions on how to find the webmaster email or contact form and warn them, using a letter we have written. The more warning they get, the less disrupted the Dutch SSL internet will be. Please head over there and help out :-) Thanks!


[0] This is not the same as being issued by DigiNotar. Please do not contact sites not on our list.
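The distinction in that footnote is the one the affected-site list was built on: a site is affected if its certificate chains up to the DigiNotar root through any number of intermediates, which is a larger set than the sites whose certificate was signed by that root directly. The following Python is an added example (not the script used for the real list, and not real Observatory data) of deriving both sets from a collection of (subject, issuer) records by following issuer links until a chosen root is reached. It chains on names only; a real tool verifies each signature and matches authority/subject key identifiers, and Observatory records carry one certificate per host rather than the bare names used here.

```python
from collections import defaultdict

# Constructed (subject, issuer) pairs standing in for Observatory records; not real data.
OBSERVED_CERTS = [
    ("DigiNotar Root CA", "DigiNotar Root CA"),            # self-signed root being distrusted
    ("Example Intermediate CA", "DigiNotar Root CA"),      # hypothetical sub-CA under that root
    ("www.example.nl", "Example Intermediate CA"),          # chains to the root via the sub-CA
    ("secure.example.nl", "DigiNotar Root CA"),             # issued directly by the root
    ("Other Root CA", "Other Root CA"),                     # an unrelated, still-trusted root
    ("www.example.com", "Other Root CA"),                   # not affected
    ("orphan.example.net", "Nowhere CA"),                   # issuer unknown: no chain at all
]

def build_issuer_index(certs) -> dict:
    """subject name -> list of issuer names (one subject may have several certificates)."""
    index = defaultdict(list)
    for subject, issuer in certs:
        index[subject].append(issuer)
    return index

def chains_to_root(cert, index: dict, root_subject: str, max_depth: int = 8) -> bool:
    """True if following issuer links upward from cert reaches root_subject."""
    subject, issuer = cert

    def reaches(name, depth, seen):
        if name == root_subject:
            return True
        if depth == 0 or name in seen:      # too deep, or a loop (e.g. some other self-signed cert)
            return False
        return any(reaches(up, depth - 1, seen | {name}) for up in index.get(name, []))

    return reaches(issuer, max_depth, {subject})

def affected_subjects(certs, root_subject: str) -> list:
    """Every non-root certificate whose chain ends at root_subject: the notification list."""
    index = build_issuer_index(certs)
    return sorted({s for s, i in certs if s != root_subject and chains_to_root((s, i), index, root_subject)})

def directly_issued_subjects(certs, root_subject: str) -> list:
    """Only certificates signed by the root itself; a strict subset of affected_subjects."""
    return sorted({s for s, i in certs if i == root_subject and s != root_subject})

if __name__ == "__main__":
    root = "DigiNotar Root CA"
    print("chains to root:     ", affected_subjects(OBSERVED_CERTS, root))
    print("issued directly by: ", directly_issued_subjects(OBSERVED_CERTS, root))
```

`www.example.nl` appears only in the first list: its certificate was never issued by the root, yet it stops validating the moment the root is removed, which is exactly why the footnote warns against contacting sites on the basis of the issuer name alone.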