May 2008 Archives

First, I want to apologize to you all and to Jesse for taking so long with this. I was slow to gather up all of your questions and slow to get it published. I think, however, that it was well worth the wait. Here is your interview with Mozilla's Jesse Ruderman.

How did you get involved with Mozilla?

When I was in high school, I read Slashdot and was a fan of the open-source movement. Slashdot ran an article pointing out that having a good web browser was a crucial part of the effort to make Linux succeed on the desktop. I realized that I could contribute to the Mozilla project even though I used Windows, so I downloaded M13 and started reporting bugs. Soon I was helping to triage bugs and make reduced testcases for broken sites. People like Eli Goldberg and Asa Dotzler really made me feel appreciated early on, which fueled my enthusiasm for contributing.

Since then, Linux hasn't really succeeded on the desktop. Mozilla's effort to keep the Web open may have kept Linux from being completely marginalized, but the Mac may have benefited more.

Was security research something you were interested in before getting involved with Mozilla?

When I was in high school, I spent a lot of time on IRC and found a few holes in both clients and servers. I even exploited a few of the bugs I found. But around the time I started college, I realized that reporting bugs felt a lot better than disrupting IRC conversations.

During my freshman year of college, Mitch Stoltz asked me to do a summer internship at Netscape working on security. I was surprised; he pointed out that of the hundreds of bug reports I had made, the security bug reports were especially valuable to the project.

How do you feel about full disclosure?

I don't like to put pressure on people to fix bugs quickly. I know that demanding a fix within a week or a month is likely to take time away from other worthwhile activities. Some of these other activities are related to security: for example, addressing other security holes, or making sure the patch doesn't cause other problems (so that users will trust future security updates).

In my experience, if a software maker agrees that what I reported is a security bug, it usually gets fixed within three months even if I don't threaten to disclose or prod for updates. I only used the threat of full disclosure once, against the Mozilla project, when I had already waited for a fix for over a year. Luckily, I haven't felt the need to do so again since I became a Mozilla employee ;)

Some people who disclose early are hungry for publicity, angry at a specific software company, or just impatient. Others have better reasons. Some do it when they think it's likely that black hats will also discover the bug, so they want the vendor to rush a fix to protect users who may already be under attack. Others do it because they see vendors putting less effort into security than they should. The costs of spam and fraud due to operating system flaws are borne by users, so profit-driven companies may have the wrong incentives when it comes to security. A security researcher might force a vendor to fix a specific bug quickly because he thinks the bug is more important than the vendor does, or because he wants to punish vendors that don't put enough effort into security when writing new software.

Are you working [at Mozilla] full time? What programming languages do you know?

I've been working at Mozilla full time since 2005. I use C++, JavaScript, and Python regularly. My favorite programming language is SML, but sadly I have not had a chance to use it since I graduated from college.

Which one would you say "helped more/has more share" in finding security bugs: 1) people/researchers, or 2) automatic tools?

People and tools find different kinds of bugs, so it's hard to make the comparison. Most memory safety bugs in Firefox are found by fuzz-testing tools, while other types of bugs are mostly found by people.

Gecko is far too large and complex for me to review at the code level, and the attack surface for memory safety bugs is every line of code involved in the use of pointers. A fuzz-testing tool can test large parts of code fairly well with little human input, and it's easy to tell when a fuzz-testing tool has found a bug -- Firefox crashes in a way that looks exploitable.

Most other security bugs, such as those that involve user interface issues or JavaScript privileges, are found by people. Finding these bugs requires guessing what a developer might not have thought of, or how components might interact, or how a browser's user interface might be subverted. It would be very difficult to design a tool that understood these things, or even knew when it had found a security hole. But the attack surface is limited to parts of the software that deal with permissions or privileged data in some way, so it's possible for a human to reason about the issues.

When I fuzz, I find more bugs and they tend to be more severe. But when I look for other security bugs, I'm more likely to find the same bug that someone else finds, which might impact users' day-to-day security more (especially if that other person is a black hat).

[Do you have] any interesting story about security and automated tools? e.g. a problem that is found both by someone and a tool at the same time, etc.?

I found an inconsistent layout bug while looking at some output from one of my tools. Uri Bernstein commented in the bug, saying that it was likely to affect real web sites. A few days later, someone filed a bug about jiggling text on Wikipedia, and we considered delaying Firefox 3 Beta 5 to make sure we'd get enough testing on RTL sites. The two bugs turned out to be the same issue -- and both were a regression from a third bug, which I had found with another tool. We ended up not fixing the bug for Beta 5, causing it to collect five duplicates, but we did fix it for RC1.

Another example is the bug that forced Firefox 3 RC2, a crash on motortrend.com. Martijn Wargers had found the bug months earlier through fuzzing, but at the time, it was assumed to not affect web sites.

What is the hardest part about securing a software product?

Complexity, combined with bad programming languages.

The Web's layout model and scripting language are complex and demanding of high performance. Its security model is complex and under-specified, partly because the security model evolved over time against the constraints of compatibility and the discovery of new attacks.

C++ makes performance tricks possible, but it increases complexity by being unexpressive, forcing programmers to wrap fundamental complexity in additional unnecessary complexity. And it makes bugs (which arise more often due to complexity) worse by encouraging the unsafe use of pointers, turning many logic bugs into memory safety bugs. Having better "safe" programming languages would help to the extent that they could be used -- for example, it might be possible to use them for layout code but not for a JavaScript engine.

My ideal solution is allowing programmers to prove things about their code. The first step is to declare your invariants, which act as suggestions for lemmas. If a portion of your code implements garbage collection using raw pointers, you should be able to work with the compiler and an automated theorem prover to show that your use of pointers is safe. If a portion of your code deals with privileges, you might want to prove that it is correct in some way. And if a portion of your code needs to run faster, you might be able to help the compiler optimize it by merely adding assertions and invariants!

Some people think static analysis is hopeless, citing the undecidability of the halting problem. Maybe it is hopeless for existing C++ programs. But I agree with maxwell demon: Undecidability doesn't make verification of software obsolete any more than Gödel's incompleteness theorem makes proofs in mathematics obsolete.

In terms of building software, how much is security a matter of a set of best practices (e.g. validating input) versus the need to consider it at an architectural/design level?

I think Mozilla tends to get the easy stuff, like avoiding buffer overflows and validating/escaping input, right. But we don't do very well at "Don't make your data structure invariants so complex that you cannot keep track of them."

If you used a Mac, would you run anti-virus software?

I use a Mac and I don't run anti-virus software. But I didn't use anti-virus software even when I used Windows, because I'm careful with what I download and I don't trust anti-virus software to be effective. It's not worth the price or the system-wide slowdown to protect against a small percentage of attacks.

Have you been doing anything interesting with in-browser page modification (bookmarklets/greasemonkey) recently? Know anybody who is?

I've been writing scripts for Mozilla developers, such as TidyBox. But I haven't done much general-purpose page modification lately.

Do you believe in the 'Many Eyes' theory of security for open source, or is it overstated? Are people outside the Mozilla organization actively looking and helping find security vulnerabilities in the source?

I think the theory is a bit overstated. Having the source code available doesn't cause all the code to be looked at. The most complicated and poorly-understood code, which is the most likely to have serious memory safety bugs, probably gets looked at the least. I've found ancient bugs in the JavaScript engine, for example. (The second one was a security hole.)

What source code availability does do is allow people who want to look at the code to do so. Academic security researchers love it because it's a real-world software project they can play with without getting special permission beforehand. Companies making static analysis tools love it for the same reason, and because it can help them promote their products. If someone notices glitchy behavior while looking for bugs, she can examine the code and determine whether it's a security hole before reporting it.

Having the source code not only viewable but also reusable also gets more people looking at the code -- not because they're looking for security holes, but because they're building software with it.

Being open-source helps, but not enough to make "all bugs shallow".

I rarely hear about people getting spyware while running Firefox, but I still hear about it with IE. If the market share of Firefox and IE were reversed and Firefox was the [dominant] browser, do you still believe spyware installation on/through Firefox would still be scarce? Why or why not?

Firefox has some features that will continue to protect users. Firefox 3 can block known malware distribution sites and block versions of Flash and Java that are known to be vulnerable. Firefox's automatic update system uses clever compression techniques to ensure that even dial-up users get the new version quickly.

So far, Firefox's window of exposure has been much smaller than IE's. We do better on both components of window of exposure: the number of bugs that are made public before they are fixed, and the length of time each one lasts until it is fixed.

I think we're able to do better on patch speed in part because we have a lot of nightly testers. Our open bug-tracking system also helps, by encouraging nightly testers to report bugs they find, which lets us find out quickly if a security fix causes problems.

It's harder to know why we have fewer security holes disclosed before they are fixed. It could be because (1) Firefox actually has fewer holes, (2) fewer people are trying to find holes in Firefox, (3) it's harder to find the holes in Firefox despite the code being visible, or (4) people who find the holes are more friendly to us. I only have insight into the fourth item.

First, Mozilla's fast patch time may also test researchers' patience less. Bug reporters who are initially friendly to both Mozilla and Microsoft may become unfriendly toward Microsoft simply because Microsoft takes too long to fix the bug.

I've heard from several researchers that they are angry at Microsoft for delaying a fix indefinitely, blowing off a bug as not being a security hole, or releasing a patch that fixes one exploit but not others. As a result, they no longer give Microsoft the benefit of the doubt. There is pretty strong evidence that Microsoft did things like this in 2002 and 2004, but I don't know if it still happens. Mozilla isn't perfect, of course, but these problems seem to occur less frequently for us.

There are also reasons beyond reputation that researchers are friendlier toward Mozilla. Again, Mozilla's open bug-tracking system helps. (Bugs marked as security holes can't be viewed by the general public, but they can be viewed by the reporter.) Bug reporters can see very quickly that we agree that the bug is a security hole, then that we are discussing a fix, then that we have a patch and we're waiting for a release vehicle. This is much more comforting than only finding out when the bug is fixed. People who report security bugs in Firefox can even contribute beyond the initial bug report, such as by explaining why a proposed fix wouldn't really work, or by posting a patch.

Note that it's possible to have open-source code without an open bug-tracking system, or vice versa. For example, until recently, security holes in WebKit had to be reported through Apple's Radar, which would result in little feedback until the patched version of Safari was released.

How's the collaboration with other browser manufacturers on fuzzing (and other security related) tools going?

Other browser vendors appreciate jsfunfuzz, but I haven't been able to share my other fuzzers yet. I'm hoping that other browser makers will follow my example and share the fuzzers they write, ignoring competitive advantage in favor of improving the overall health of the Web.

What sort of things are you working on these days now that most of the fuzzers you wrote have been used enough to discover most of the easy bugs to find? More fuzzers? :)

I still spend a lot of time reporting bugs found by my fuzzers and other automated testing tools. At this point, most of the bugs I find are regressions.

A few months ago, Mozilla Messaging intern Gary Kwong asked me to show him how to use my fuzzers. Teaching him has helped me find many opportunities to make the fuzzers easier to use. He has also pointed out some areas that I had been neglecting, so my fuzzers are also more effective at finding bugs than they were before he joined the project.

I'm still doing things that give me ideas for what to fuzz and what to poke at, such as triaging bug reports and writing Burning Edge updates.

What's your favorite Firefox feature or add-on?

Greasemonkey. I love being able to fix broken web pages, and Greasemonkey makes it easy.

I want to thank all of you for your great questions and especially thank Jesse for taking the time to give such informative answers.

Stay tuned for the next installment of Ask A Developer!

setting another record


Tens of thousands of Firefox fans have already set the world on fire with amazing accomplishments like the New York Times campaign, Firefox Flicks, and the Firefox Crop Circle.

Today, the Firefox community is taking it even further, and you will definitely want to be a part of this, so head over to the Firefox Download Day 2008 site and sign up to help set the Guinness World Record for the most software downloads in 24 hours.

update: This will be a new record and we'll want to set it at an unimpeachable level. We've done at least a million and a half on previous release days, so we can definitely top that.

The aim of Knowmore.org is to raise awareness of corporate abuse, and to serve as a catalyst for direct action against corporate power.

I wrote a few weeks back about a great idea that needed extension developer help. Today that idea is a fully-formed Firefox extension called KnowMore -- but it's not quite there yet because to become available to the general public, (to move out of the Add-ons sandbox,) it needs your help.

So, if you wanna help out, head over to KnowMore at AMO, log in, install KnowMore, and post your reviews.

because it's better

Bob Sutton, a friend and a very smart guy, has a nice blog post up talking about Firefox. As usual, I think he's right on. Go give him a read.

Lots of folks have seen this, but in case you aren't watching live, NASA JPL is sharing the first images from the Mars Phoenix Lander at the Martian North Pole using Firefox 2 on Mac.

Photo by Flickr user Gen Kanai and used under a Creative Commons license.

It's so much fun to watch these events and so great to see the joy on the faces of all of the people who have worked so hard to make this effort a success.

Champagne corks popping.

Sounds like Phoenix is sitting almost perfectly level on the ground. 1/4 degree tilt, oriented almost perfectly East x West.

It couldn't have gone any better. "Never even in reversal did it go this well."

Final critical data will be in a few minutes when we get confirmation of the solar arrays deployment.

update: post touchdown systems poll coming up at 5:30. We should get information on all the primary systems with that.

Com reports nominal
Thermal reports nominal
ACE reports nominal - Flight phase (obviously) over and "damn near perfection"
Attitude reports nominal
Flight Software reports nominal
EDL Trajectory reports parachute deploy 7 seconds later than nominal, supporting the "long". From there on down event times agree with nominal trajectory
Navigation reports nominal. Entry flightpath was well within bounds. Sigma insignificant. Plotted lat/long and it is "long" but within the suspected bounds.
EDL Com reports nominal. Signals via Odyssey and direct to earth. No plasma blackout. Neither DTE nor Odyssey has seen any signal since touchdown plus one minute.
Mission Manager: everything looks nominal.

update2: We're waiting to see the solar arrays deployed and the first photos from Phoenix. Those photos will be mostly covering craft health and positioning.

update3: UHF link via Odyssey now up. Images and data should be coming in shortly.

6:52 Solar arrays probably out given early power data. No images yet.
6:54 First images in showing both solar arrays fully deployed, footpads on solid ground, and more.

Sweet! That's Firefox they're using to look over the first photographs.

photos!!

first mosaics!!

4:56 Phoenix has landed. Phoenix has landed.

4:55 ALIVE!
4:55 touchdown!
4:54 lander separation detected!
4:53: 1800m
4:52 60m/second
4:52 Radar for altitude detection on confirmed.
4:51 Heat shield trigger detected, Parachute detected, velocity as expected 90m/sec.
4:50 Switch to 32Kbit/second detected.
4:48 Peak heating and the signal via Odyssey is still coming.

As Phoenix enters the atmosphere, it's getting quite hot and generating plasma on the heat shield. During this time, we may have UHF blackouts.

4:46 Atmospheric entry now.
4:45 Phoenix 8Kb/s data transmitted and Turn to Entry completed.
4:43 Phoenix 4 minutes into turn to entry and both Odyssey and MRO are relaying EDL data to Earth.

Turn to entry is the maneuver where MPL changes attitude to enter the Martian atmosphere. Everything nominal so far!!

4:40 Turn to entry in process.
4:40 Confirmed cruise stage separation and acquisition of UHF signal.
4:40 Odyssey data recording has started.
4:36 Odyssey data flow (transmitting EDL data to Earth) expected in 2 minutes.
4:35 MRO software sequence for recording EDL data loading confirmed.
4:35 Com checks happening now.

As "cruise stage" wraps up, there's a change in com systems for the beginning of the "entry, descent and landing" phase.

4:30 All personnel at stations. Cruise stage finishes in 8 minutes.
4:29 Confirmation that the spacecraft has performed final inertial measurement unit calibration and the star tracker is powered down (expected.)
4:28 Waiting for confirmation that the star tracker calibration has taken place.
4:19 Pressurization confirmed (this is really good.)
4:18 The propulsion system is being pressurized.
4:12 Madrid (MDSCC,) part of the Deep Space Network, tracking the MPL.
4:10 Reminder of good final window for wireless radio battery change for the EDL team.
4:09 Mars Reconnaissance Orbiter is go for com support.
4:08 Additional positive tests of MPL's radio.
4:07 Mars Odyssey Orbiter is go for communications support.
4:02 confirmation of heater activation.
4:00 turn to entry thruster pre-ignition heaters being activated.

The Mars Phoenix Lander is just about one hour away from entry, descent, and landing. If you're not following and would like to, tune in at NASA's Mars Phoenix Lander pages. Live streaming coverage is available at NASA TV.

If neither of those is available to you, stay tuned here for updates. I'll try to keep things "live" here through confirmation of a live MPL on the Martian surface.

support firefox day reminder

This is just a reminder that I'll be participating in tomorrow's Support Firefox Day. I'll be on starting at 4:30, but you should definitely check out the full schedule and join David and the rest of the team for as much of the day as you can make available.

firefox 3 keeping users safe


Johnathan Nightingale, the man with the clever Mozilla title of "Human Shield," has a great post over at his blog, meandering wildly, that really makes concrete what kinds of dangers have come to the web and what we're doing to help keep Firefox users safe with the malware protection in Firefox 3. Go read it.

firefox 3's top features


via PKim's blog

Lifehacker has "completely geeked out" (along with literally millions of others) about the upcoming Firefox 3 release. They've put together a great collection of their top 10 new features in Firefox 3 and I really couldn't agree more -- even their ordering.

Check out "Top 10 Firefox 3 Features"

ev certificates and xss


I didn't, so I'm glad that someone else found the time to respond to some rather broken security "journalism" that made the rounds yesterday.

last call for jesse questions

If you've got questions for Jesse Ruderman, head over to this post and get them recorded.

I'm going to wrap up what we have and add a few of my own tomorrow so don't miss your chance to be a part of this Mozilla developer interview.

support firefox day

I'll be participating this Friday in Support Firefox Day. You should come. It'll be great, even the parts that don't include me ;-)

like a rocket

The most important product launch of the year is just a few weeks away. It's a web browser called Firefox -- ever heard of it?

Head over to the Miro blog and read the rest.

I couldn't have said it better myself. The feeling is mutual. I'm a proud user of Miro and a big fan of what they're doing. If you're not using and supporting Miro and the PCF, I strongly encourage you to take a look at what they're up to and find a way to be a part of it.

As you can see from Adrian Kingsley-Hughes' SunSpider performance graph over at ZDNet's Hardware 2.0 blog, Firefox 3 RC1 is the fastest browser in the world. Firefox 3 RC1 is pretty much identical to what's going to ship as Firefox 3 next month so these are reasonably final numbers.

Firefox 3 will not only be faster than the niche browsers Safari and Opera, but it's going to completely decimate its competitor in the mainstream, IE 7 -- beating Microsoft's offering in JavaScript performance by nearly 10x!!

Users migrating to Firefox from IE 7 are going to find that performance boost to be very noticeable at popular Web applications like Gmail where messages load about 7 times faster in Firefox 3 compared to IE7. Not only that, Firefox 3 will do it with about 1/5th the RAM usage of IE7.

Tired of poky performance at Gmail, or Google Reader or other Web applications? Get Firefox 3 for the fastest experience available.

Percy Cabello, over at the estimable Mozilla Links, has a great review of Firefox 3's improvements.

I'll try to round up the rest of the great coverage, but the early reviews and responses are overwhelmingly positive. I have no doubt that this is not only the best browser we've ever shipped, but it's the best shipping browser, period.

We're almost there, folks.

Today's penultimate release will make it clear to millions of people all across the globe that Firefox is in a league all its own.

This is the culmination of 3 years of intense development by the world's most experienced browser team to bring us the fastest, safest, most powerful, and easiest to use Web browser ever.

With more than 14,000 improvements over the previous release, ranging from dramatic performance and memory gains to truly innovative features like the "Awesome Bar," Firefox 3 is the no-compromise browser that puts you back in control of your Web experience.

Those Ajax apps that were "almost" fast enough? In Firefox 3 they scream. That Web page you can't find but were just at? It's only a few keystrokes away with the Awesome Bar. That mess of un-filed bookmarks? Neatly tagged and sorted. That suspicious "paypall" or "amason" website? Identified and blocked. That one add-on you just can't live without? Now available right from the Add-ons Manager.

I could go on and on and on. There are literally too many improvements to list. Why not download Firefox 3 RC1 now and see which new feature makes Firefox your browser of choice.

As some of the long-time readers here will remember, this blog hosted a number of Mozilla developer interviews "back in the day". The format was simple but fun, and I think informative.

For those of you who don't remember or weren't around back then, here's one of the interviews with Gecko hacker, Boris Zbarsky.

It's time to bring that feature back. I've got a few amazing Mozilla people lined up, starting with Jesse Ruderman, a member of Mozilla's security team and author of several amazing fuzzing tools.

Jesse's been finding and helping fix security bugs in Mozilla longer than just about anyone else and I couldn't be more pleased that he's agreed to do this interview with all of us.

So, ask away. At the end of the week, I'll gather up the best questions and deliver them to Jesse. (I may add a couple of my own, too.) Jesse will answer them and I'll post the questions and his answers soon after.

firefox taking over the galaxy

Jesse's pointed out another "Firefox in Space" -- this time from the amazing Chandra X-Ray Observatory.

gettin' real close now

With Firefox 3 RC1 just around the corner, Basil Hashem has just announced the availability of the "3.0" and "3.0.*" Firefox compatible versions at AMO.

This means that add-on developers who have tested with Firefox 3 RC1 can offer those add-ons as being compatible with the final version of Firefox 3.

If you're an add-on developer and you're already compatible, you can flip that switch now. If you're not yet compatible because you've been waiting for the final release, now's the time to dive in.

alternate title: "How To Make Firefox 3 Crash A Lot"

Over the last six or seven months, I've come across literally hundreds of blog posts and a decent number of full-length articles explaining how Firefox users can make all of their extensions "compatible" or "work" with Firefox 3 betas by making a very simple change to one of Firefox's hidden preferences.

This is not true. You cannot make your extensions compatible by changing a Firefox preference.

Setting the hidden preference extensions.checkCompatibility to false does not make extensions compatible with Firefox 3. What it does is tell Firefox to not care about extension compatibility.

This is a problem because most extensions that are "fixed" by this change are genuinely not compatible with Firefox 3 and will cause problems ranging from pages not rendering correctly to frequent program crashes to Firefox not starting at all.

The only people that should be disabling this check are the extension developers and testing community that are contributing to making those extensions actually work with Firefox 3.

If you're experiencing regular Firefox crashes or other strange behavior after changing this preference, it is very likely that those problems are the result of an incompatible extension.

Firefox 3 is just around the corner and the community is making great progress in updating all of the most popular add-ons. Unless you're one of the people working on that, please don't open yourself up to crashes, broken web pages, or even security vulnerabilities by turning off the compatibility check.

You can undo the change by typing about:config into the address bar, filtering on checkc, and double-clicking the item to switch the value back to true.

mozilla analytics?

For those of you who read Arrington's post, "Mozilla Stealth Data Project Could Be Just What The Internet Needs" I encourage you to head over to John Lilly's post, Mozilla, Firefox & Data to get some more information and better context.

update: Ken Kovash has a related post Fluctuations in International Internet Usage.

there's still time


If you've been putting it off because other things always seemed to get in the way, you're in luck. It's not too late! You still have time to follow me on Twitter and perhaps be witness to my first 'tweet'.

Join the millions.... OK, that's a bit much.

Join the tens! of people who are already following me on Twitter in anticipation of my first post and you might just get to see me type something somewhere else some time!

Then again, if past performance is any kind of indicator of future results, probably not.

For those of you who read the somewhat widespread coverage of the Vietnamese language pack add-on issue and came away wondering if Firefox was indeed infected with worms, demolishing city blocks underfoot, and stealing babies, I've posted a few responses to the common misunderstandings and misreportings around the issue over at the For the Record blog.

odd month out update


Ken Kovash has an update on the Net Applications Market Share data for the month of April that reported an across the board drop in not-IE market share and a pretty substantial spike for IE 6.

Long story short, the report was wrong, Firefox did not lose share, IE didn't have a massive spike, and Net Applications will be posting a corrected report.

Here's what they had to say:

The April, 2008 market share data has some significant variations from established trends.  The following major anomalies occurred on April 18th:

  • A 25% increase in visitors
  • A 3% drop in Firefox share
  • A 4.9% increase in Internet Explorer 6.0 share
  • A 3.4% increase in Windows XP share (with a small drop in Mac share)
  • A .7% drop in Windows Vista share

    Since April 18th, all trends have returned to expected values, including an expected uptick in Vista share due to the release of SP1.

    Once we discovered the extent of the variations, we have worked diligently to discover the cause.  The variations were coincidental to the release of Vista SP1 to automatic updates, so we initially thought there might be a connection.  However, our investigation showed Vista SP1 had nothing to do with the problem.

    What happened was a distributed collection of sites inadvertently caused the problem. We can't identify the sites responsible, but the nature of the problem is that all the millions of new visitors we saw were part of a massive marketing campaign that only worked on Internet Explorer. This glitch caused respective drops in Firefox, Safari and Opera share.

    We are in the process of removing the skewing data.  It should be completed by May 7th.
  • So, one anomalous day that was enough to skew the monthly report. Now, had I subscribed to Net Application's super cool upgraded version, I'd have seen this as a one week anomaly in a specific geography (weekly reports and geo location data being the key parts of the paid upgrade,) and a return to normal trends before the month was over, saving me a few gray hairs. Live and learn :-)

A big thanks to Ken Kovash and Net Applications for getting to the bottom of this.

Deb's got another great Firefox 3 feature blog post up. This time she's delivering the goods on the Site Identification Button and "Larry" the Passport Officer.

Oh, and after you've read it, go digg it so others can learn.

odd month out?

Last month's Net Applications browser market share data looked a bit odd to me. Ken Kovash and the Net Applications folks are on the case.

One of my colleagues just pointed me to this blog post where Simeon Bateman calls Mozilla an ungrateful child.

I started to post a reply there but it got a bit longer than what I think fits in "comments" format, so I'm posting it here instead (though this is still more in the "reply" format than the "post" format).

Simeon's basic assertion is that Adobe is doing a lot to open up some parts of their next-generation platform and Mozilla is a crybaby for suggesting that Adobe might have less than pure motives.

A secondary point, if I'm reading him correctly, is that Adobe deserves to be making lots of money by extending its control of the Web, and Mozilla shouldn't be complaining about corporations undermining the free and open Web for profit because Mozilla gave up any say it had when it decided to operate as a public-benefit organization. Stupid Mozilla. You never should have put the interests of a free and open Internet ahead of the corporate bottom line.

So, here's my reply:

For Microsoft and Adobe, it's not about the money (yet). It's about owning the platform.

Right now, the Web platform doesn't belong to any mega-corporation and the protocols and specifications that underlie the Web are developed in a cooperative process between many of the implementers.

The real issue here is the Web platform (HTML/CSS+JavaScript, plus lots of other cool bits) that Adobe and Microsoft are challenging and determined to supplant and replace.

It's not that difficult for honest observers to admit that the open Web platform is much harder to monetize over the long run than replacements for the open Web like Adobe's Flex+Flash+ActionScript or Microsoft's XAML+WPF+.NET (and yes, don't kid yourself: Adobe and Microsoft are building replacements for the open Web with Air and Silverlight).

Both Microsoft and Adobe want to own as much of the post-desktop platform as possible. Adobe has a big short-term lead with the ubiquity of Flash, and Microsoft has the medium-term advantage of a desktop monopoly with Windows (and whatever they want to label and distribute as a part of Windows). The Air and Silverlight pushes coming from these companies are all about who will own the biggest piece of the next-generation Web platform pie.

And, don't be fooled by the big giveaways from Adobe and Microsoft. If owning the eventual Web.next platform, or even a large chunk of it, means giving away a lot in the short term, they're happy to give, give, give. It's taken a decade and a half for the Web to advance to where it is today and Microsoft and Adobe aren't focused on 2008 or even 2009. They're looking out at the Web of 2010 and beyond and doing everything in their power to be in control of as much of that space as possible.

As for what they're actually giving away, documenting the protocols and specifications and allowing others to re-implement them is interesting, but it's not open. Open is developing the protocols and specifications in a co-operative and participatory environment and then competing on implementations. Neither Adobe nor Microsoft is being truly open on this front, because doing so would mean giving up their big shot at control of the next generation Web platform.

If I were in Adobe's shoes, I'd give everything away, all of it. Hell, I'd pay people to develop on the Adobe platform and I'd encourage dozens of competing implementations of my platform across every type of device imaginable because, in the end, it'd be my platform and I'd decide how and when it evolved and to what ends.

And I'd do the same if I were Microsoft.

But, I'm neither. So, all I can do in this battle for the future of the Web is to advocate for advances in real open Web standards from groups like ECMA, W3C, and WHATWG. It may be a bit slower to market (hopefully not too much slower) via the collaborative and open road, but the end result is a powerful Web platform that isn't, and cannot be, controlled by any one company.

And to those who think I'm some anti-capitalist, I don't think there's anything wrong with people and companies making money. I don't even care if they're making ridiculous amounts of money. But the Web has always been about more than making ridiculous amounts of money. The Web has substantial non-commercial aspects including critical educational, social, and civic value that should not be owned or controlled for the purpose of driving corporate profits.

If we cede control of the Web platform to one or two large corporations, we will cede a big piece of what makes the Web so amazing, and no short-term sparkle and flash are worth that concession.

Be careful. The first dose is always free.

Photo by Flickr user laughlin and used under a Creative Commons license.

add-ons site update

A while back, there was a major update to the Add-ons site. At that launch, it was decided to try to move the site forward with a series of smaller milestones rather than one big one at the end. The first of those milestones is complete and addresses some of the great feedback on the 3.2 release.

Head over to Basil's Bodacious Blog for the detailed rundown.

Photo by Flickr user Roger Smith and used under a Creative Commons license.

scribefire 2.1

I'm giving the venerable ScribeFire blogging add-on for Firefox another go.

In many ways it feels like a more solid tool than it did in the pre-2.x days, but there are still some bits that feel kinda clunky to me. Stacked sets of tabs and those ancient SeaMonkey splitter widgets for resizing the panels are a couple of UI bits that could use some cleanup.

Another area of some clunkiness is the category selection list and post options like timestamp, buried off in some tabbed panel to the side rather than in the toolbar/title/formatting area with the other post-related tools. I think the ScribeFire logo area to the right of the title form would be a much better location for a category select widget for blogs that support one category per post, or an auto-completing, comma-separated tag/category field for blogs that support multiple categories/tags.

Also, the share, configure, and info tabs are just wasting space. Share should just live in a browser context menu and be activated from the blog post itself (or any other page). Configure and app info should be accessed from the add-ons manager preferences.

Finally, the main compose panel needs some min-height and min-width or something to keep the save/publish/delete/etc. buttons from getting pushed out of view.

What I like about the new version, though, is a lot more interesting than what I don't. Tabbed editing of posts makes managing a few in-progress posts much easier. The YouTube and Flickr integration is quite nice and makes me want more (more sites, more search options, and a saved/recent list or something like that).

Overall, good progress and I hope to see more.

Update: Ugh. Why the <br /><br /> tags rather than, you know, actual paragraphs?

firefox wins again

Not just a victory, but a domination: Firefox wins the LinuxJournal's Readers' Choice Awards once again, and this time with 86% of respondents giving the thumbs up to Firefox.

    Firefox wins Favorite Web Browser with 86% of your votes. But where, oh where, have the very capable Opera and Konqueror gone? Fewer than 5% of you named them your favorite browser.

Linux is kind of an unknown when we talk about Firefox users. Because most Linux users get Firefox from their Linux distribution rather than from Mozilla, we don't have any decent visibility into how many of them there are. What we do know from this survey, and many others like it, is that Firefox is far and away the top browser on Linux.

This is a testament to the power of "shipping with the OS" and to the strength of Firefox, considering that most Linux users are very comfortable downloading and trying new programs.