July 2008 Archives

A "security company" (yes, those are scare quotes) named Radware recently decided to hype a very low-risk Firefox bug to ridiculous proportions in a lame attempt to sell you their security package.

Computer and online security is already difficult enough for regular people without these kinds of sleazy tactics. Radware should be ashamed and if they're not, they should be shamed.

This kind of behavior, regardless of which program is being targeted, is simply unacceptable.

George Hulme, over at InformationWeek's Security Weblog, has more.

aloha schrep


You helped so much to make Mozilla better and Facebook will be the next organization to benefit from your good works. Aloha, Schrep!

I suspect that too few know fully what Schrep's done for Mozilla beyond what speaks quite well for itself in the last three Firefox releases. I'm on the road today, so I don't have time to list all of the ways that Mozilla's benefited from having Schrep's leadership these last few years, but it's worth a quick reminder that his work and influence go well beyond just product engineering. Without him we not only would not have the Firefox we do today, but we wouldn't have the infrastructure and other key pieces of product and organizational coherence that have us in such an amazing position to rock and roll the Web forward.

It's been a blast working with you Schrep! Good luck at Facebook and thanks for all that you've done to make Mozilla better.

stats from tall buildings


Following up on my Wakoopa Firefox metrics post, I should definitely mention the latest from Forrester Research, as excerpted by Larry Dignan:

Firefox is the browser of choice for 19.4 percent of enterprise users surveyed up from 16.8 percent in January. It’s also notable that IE 6.0 is top dog with 63.5 percent share. IE 7.0 is 36.5 percent. Overall, the message is clear. Browsers are diverse within the enterprise and you can’t develop for just one.

Now, I'm assuming those IE 6 and 7 numbers aren't relative to the whole, since combining them would put the Firefox and IE total at about 119.4%, so I'm guessing it's a simple breakdown of IE's share. If that's the case, and we assume that there aren't any other browsers making significant penetration into the enterprise, then the real comparative numbers look more like this: Firefox 19.4%, IE6 49.3%, and IE7 28.3% (with Safari following far, far in the distance with 2.4%).

That really does hit home Larry's point that the enterprise really is a diverse space and there's just no good excuse for most enterprises to develop for just one rendering engine.

Even more exciting than that, though, is how much progress Firefox is making and how quickly. Not long ago, analysts at companies like Forrester were saying that Firefox just couldn't make it in the enterprise. At nearly 20% and growing almost half a point per month, I don't think anyone can discount Firefox's potential to succeed in the enterprise as well as it is with consumers.

Go Firefox!

update: IE numbers updated based on better data from here.

update2: With Macs making up 4.5% of the machines surveyed and Safari accounting for only 2.4% of the browsers, is it reasonable to assume that nearly half the Mac users are opting for Firefox rather than Safari?

semi-random firefox metric

It's been a while since I looked in at Wakoopa and they've gained quite a few users since I was last there.

Every data source has its biases, but it's still pretty cool that Firefox has been used more hours than the rest of the 15 most popular programs combined.

Nothing even comes close. Go Firefox!

air mozilla live


We're about to go live with a very special Air Mozilla. Tune in at 11:00.

update: And thanks to everyone that showed up. That was a fun show!

by any means necessary


Apparently, Apple's pretty comfortable with the results it gets abusing its users on Windows.

I also saw this over the weekend when I was updating one of the home Windows laptops, and again my opinion of Apple (a company that makes a good chunk of the hardware and software I've come to depend upon) has dropped significantly.

Apple succeeded in calming the storm last time around with slight and completely insufficient changes to its malware-like update utility. With that minor change, nearly everyone said "OK, good enough" and today there can be little doubt that Apple took that as a signal that no one really cares how abusive its tactics get. They've decided that it's totally cool to continue those kinds of practices.

Let me say this as clearly as I can so there will be no misinterpretation. Installing a new and unrequested program on a person's computer is simply unacceptable. Apple should stop this practice now and Apple users should stand up and say "No more!" to that kind of abusive and malware-like behavior.

meet mark surman


Next Wednesday, from 11:00 a.m. - 12:00 p.m. PDT (UTC-07:00) I'll be hosting another exciting edition of Air Mozilla Live.

Our guests this week will be Mitchell Baker and Mark Surman. Rather than type it up myself, I'll just quote Mitchell's blog:

I’m thrilled to report that we’ve identified the person we believe should lead the Mozilla Foundation into a new stage of activity. That person is Mark Surman, the role is Mozilla Foundation Executive Director. "We" in this case is the Executive Director Search Committee, the Mozilla Foundation Board of Directors, Mozilla Foundation staff, plus a set of other Mozilla contributors who have spoken with Mark.

So, this is your chance to meet Mark and ask questions. Don't miss it. If you can't make it, you can send me your questions ahead of time in email and watch the videocast after the fact. If you can join us, you'll want to be at Air Mozilla Live and on IRC server irc.mozilla.org, channel #airmozilla.

I've read around the blogs and twitterverse that people are seeing some of their add-ons disabled by the just-released Firefox 3.0.1 security and stability update.

There's good news and bad news here.

First the bad news. Yes, several add-ons seem to be disabled with the update to Firefox 3.0.1. This should not have happened and is most likely the result of a mistake in the add-on's Firefox compatibility string. Where the author should have used "3.0.*" they instead used just "3.0" (note the missing "*").

The good news is that it's only a few add-ons and Mozilla folks are reaching out to those authors to help them fix their version compatibility. I think we'll see pretty quick updates from those vendors.
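The compatibility mistake described above, worked through as an added example (this is not Mozilla's code). It uses a simplified comparator for dotted versions in which a missing part counts as 0 and "*" sorts above any number, and applies it to constructed add-on records; the add-on ids and the helper names `isCompatible` and `disabledByUpdate` are hypothetical, and only numeric parts and "*" are handled.

```javascript
// Simplified dotted-version comparison: numeric parts and "*" only.
// Assumption: a missing part counts as 0 and "*" is larger than any number.
function parsePart(part) {
  if (part === undefined || part === "") return 0;
  if (part === "*") return Infinity;
  if (!/^\d+$/.test(part)) {
    throw new Error("unsupported version part: " + part);
  }
  return parseInt(part, 10);
}

// Returns -1, 0 or 1, comparing part by part from the left.
function compareVersions(a, b) {
  const pa = a.split(".");
  const pb = b.split(".");
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = parsePart(pa[i]);
    const y = parsePart(pb[i]);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An add-on is enabled when minVersion <= application version <= maxVersion.
function isCompatible(appVersion, addon) {
  return compareVersions(addon.minVersion, appVersion) <= 0 &&
         compareVersions(appVersion, addon.maxVersion) <= 0;
}

// Add-ons that work on `current` but would be switched off by `next`.
function disabledByUpdate(addons, current, next) {
  return addons
    .filter((a) => isCompatible(current, a) && !isCompatible(next, a))
    .map((a) => a.id);
}

// Constructed sample records (hypothetical ids, not real add-ons).
const sampleAddons = [
  { id: "toolbar@constructed.invalid", minVersion: "2.0", maxVersion: "3.0" },
  { id: "theme@constructed.invalid", minVersion: "3.0", maxVersion: "3.0.*" },
  { id: "legacy@constructed.invalid", minVersion: "1.5", maxVersion: "2.0.0.*" },
];

// "3.0" means exactly 3.0(.0), so the 3.0.1 update exceeds it;
// "3.0.*" covers every release on the 3.0 branch.
console.log(disabledByUpdate(sampleAddons, "3.0", "3.0.1"));
```

Running the same check against a list of installed add-ons before a point release goes out shows which ones will be disabled and need a corrected maximum version.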

Firefox security and stability updates should not break anything. The Web should continue working just fine and so should extensions, themes, and plug-ins. Mozilla works very hard to make sure that the security updates are as painless as possible, including keeping a close eye on all of the add-ons hosted at http://addons.mozilla.org. But there are all kinds of add-ons that live outside of AMO and that makes things a bit more difficult to track and help out when needed.

So, if you see or hear of add-ons that are disabled by a security update, please let me or Basil or someone else from add-ons land know about it. Thanks.

Oh, and you can read more about this from Basil and you can digg it to help get the word out to the wider world.

a birthday of sorts


It was on this day, 5 years ago, that we launched the Mozilla Foundation to provide a lifeboat for the Mozilla project as Netscape/AOL/Time Warner, Mozilla's former sponsor and primary contributor, was slipping into Microsoft's warm technology embrace and abandoning its 5 years of work on Mozilla.

With a new Mozilla Roadmap in hand, and just a handful of people, we had high hopes, but little mind share and even less market share.

A little more than a year later, we would be shipping Firefox 1.0 and changing the face of the Web.

For many people, it was only then, in late 2004, that Mozilla and Firefox began. But as we celebrate this year's 5th anniversary of the Mozilla Foundation, and 10th anniversary of the Mozilla project, it should be a good reminder that we've been slogging through it for quite a while and are only recently starting to see the rewards for those many years of work.

If you have been a part of this Mozilla history, today is a fine time to pat yourself on the back and to be reminded that you've made the Web a better place. If you have not, there's no better time to get involved and help Mozilla make the next 5 and 10 years even better.

the anatomy of a world record


Mary Colvig, who spearheaded the Firefox Download Day Guinness World Record campaign for Firefox 3, has a great blog post covering how it came about and how it all came together. Be sure to give it a read.

standards curriculum from opera


Someone asked, off-topic-ly in one of my other blog posts, what I thought about Opera's new Web standards curriculum. My answer is pretty short and I don't think that even those predisposed to finding insults where none were intended will be able to complain:

I think it's a wonderful project and I hope they're wildly successful.

I suspect there's little or no disagreement among the major browser teams (even the I.E. team) about the value of well-defined Web standards that can be easily implemented in a cross-browser way. Where the rubber meets the road, so to speak, is in what those browser teams actually do to go beyond agreeing about that value and actually do something to promote it. It appears that all browser teams are working on improving client technologies with respect to Web standards. At Mozilla, we're going beyond just implementing those standards and actively evangelizing them.

I'm pleased to see Opera also putting resources into raising awareness and educating Web developers. Opera's the only and largest "dedicated Web browser developer company in the world" (as their CEO likes to say in his presentations), and I think it's a great move for them. If they will actually put a good chunk of their substantial resources behind it, it could have some real impact.

Of course, not everyone agrees about what kind of impact Opera can have.

Rob Enderle, an analyst at Enderle Group in San Jose, said the project is timely, but he noted that Opera isn't one of the major players in the Web browser marketplace. "I think it's a good idea, but for a small player, and Opera's a small player, it's hard to drive a change like this"

I'd say that's completely up to Opera.

While their browser market share is indeed quite small, less than 1% globally, their resources aren't. Opera Software has well over 500 full-time employees and non-trivial revenue streams. They're quite large, and if they want to make a serious effort to educate people about Web standards, and they're willing to put a big enough chunk of their substantial resources into that effort in terms of money and people, I think they could definitely move the needle.

Go Opera!

adopt a red panda


This has to be one of the most adorable things I've ever seen. (Thanks, Robert, for the link.)

As most of you know, the Red Panda, a.k.a. the Firefox, is our browser mascot. This story of a baby rejected by its mother and now adopted by a sweet mother cat is just too sweet.

The AP article notes "The cub doesn't have a name yet, but the zoo says that, through its adoption program, anyone willing to sponsor her will be allowed to name her."

It sure would be neat if the Mozilla community could adopt her and call her "Firefox" or maybe "Mozilla" :-)

If, like me, you're interested in these amazing creatures, be sure to head over to the Red Panda Network, and learn about, or even better -- get involved in, some great programs our good friend Brian Williams is working on to help ensure that red pandas have a future beyond the zoos.

update: Oh. My. There's video.

firefox got the colbert bump


Our awesome metricist has digested the server logs and created a nice graph showing definitive proof that the Colbert Bump is a real phenomenon.

semi-random firefox metric


In the three weeks since Firefox 3 shipped, we've averaged ~1,000 Twitter messages per day that mention Mozilla or Firefox. The pace has slowed a bit with the last week averaging only ~800 tweets per day.

Still more reasons to avoid Internet Explorer.

Another great post by Michael Horowitz, over at his Defensive Computing blog on CNET, explains how Microsoft's failures around software update and Firefox's successes there really ought to get you onto Firefox if you're not already.

It's pretty basic reasoning. If you take it as given that all complex software has bugs (and browsers are some of the most complex consumer software available), and all complex, network-connected software has security flaws, then there are basically only two measures that really matter when you're trying to stay safe using a web browser. The first is how hard the software vendor works to find and fix those flaws. The second is how quickly and effectively the software vendor can get an update in place on your machine.

With Firefox, you can actually see how much work is done finding and fixing flaws. You really can't say that about any of the other vendors -- Microsoft, Apple, and Opera only disclose the flaws found by third-party security researchers so you really have no idea whether or not they're even trying to find flaws in their own software. I sure hope they are, but it's their policy not to say anything about this in public so there's really no way to know for sure.

With Firefox, you get updates as soon as they're developed and tested, thanks to our amazing and demonstrably superior update system. The system quickly and quietly downloads the update in the background, not interrupting your work by being smart about only downloading when the connection isn't under heavy use. Then it prompts you to restart, and after a quick restart that restores all your work (including your open tabs and even that blog post you were in the middle of typing), you're running on the new secure version.

With Microsoft, you have to wait on their "Patch Tuesday" which could be a month away, depending on when the software flaw surfaced. Even then, they may not include fixes for publicly known security vulnerabilities. Not only that, but the I.E. fix often comes with a load of other Windows fixes that usually requires a full OS reboot. Co-mingling I.E. with the rest of Windows was a big mistake and this is just one of the ways in which that mistake surfaces to harm users.

With Apple, who knows. It seems kind of random when they push out updates, and when they do, you have to be especially careful not to accidentally install unwanted new software that came with the malware-like update system. With Apple, the update mechanism is not just about keeping you safe and secure, it's about pushing their other products on you. Advertising and security are basically the same priority for them, even when they're in the middle of a critical security fire-drill. This mixing of security and advertising is pretty horrible behavior and shouldn't be tolerated by anyone. Making users less comfortable with security updates is irresponsible behavior and does harm to the entire industry and to all computer users.

And with Opera, if they're not misleading users about security updates, you only get a notification but no actual update. To get an "update" you visit their website, download an entirely new version of Opera, maybe(?) uninstall your old version, and then install the new version. With all that hassle, it's no wonder so few of their users stay up to date and secure. It's absolutely unconscionable for a software vendor to distribute a browser in this era of rampant malware without a real software update system in place. It's irresponsible, bordering on negligence.

Mozilla puts security first and our update system and our security process were designed to keep users safe with as much transparency and as little hassle as possible. With Microsoft, Apple, and Opera, it's mostly opaque, rarely timely, overly complex, very disruptive, sometimes flat out misleading, and you don't always get what you asked for or what you need to be safe online.

The results of this are pretty obvious and it didn't take a serious study on the topic for most thinking people to realize that Firefox users would be more up to date and so less at risk than users of alternative browsers.

Firefox Update: one more reason to switch to Firefox.

A few people have asked me questions or otherwise raised what they thought were serious issues or flaws in the Mozilla Firefox Download Day 2008 Guinness World Record attempt. I figured it was worth a quick blog post to clear up some of those questions and misunderstandings.

  • "There was no pre-existing record so Mozilla didn't break any records."
  • This is an accurate statement but not quite right. There was no pre-existing record. One cannot break a record without it being first established. Mozilla didn't set out to break any existing records, though. Mozilla set out to set the record. With the help of more than 8 million Firefox fans, Mozilla and its community succeeded.

  • "It's meaningless because any number of downloads, even just one, would have set the record."
  • Not quite. Guinness doesn't accept a new World Record unless it finds the event to be of interest. Had Mozilla achieved only a few downloads, Guinness would not have agreed to give Mozilla a spot in the Guinness World Record books.

  • "This was just a stunt."
  • First, are you familiar with the Guinness Book of World Records at all? Even casually aware of what it is? It's a collection of interesting, entertaining, and often completely wacky accomplishments. Mozilla, with great interest from its community and with obvious interest from many millions of its users, thought this would be an interesting, entertaining, and even somewhat wacky, but most of all fun challenge and so we did it.

  • "Windows Update on 'patch Tuesday' would easily beat this record."
  • Actually, probably not. The record attempt was clearly defined by Mozilla and Guinness beforehand and intentionally made to not cover automatic software updates. Mozilla could easily serve out many times more automatic updates in a 24 hour period, but that's not something that gets our community and our users engaged and excited so that's not what this was about. This was about millions of people, from all over the world, coming together and taking a very specific collective action.

  • "If Firefox is so great, it shouldn't need to do marketing."
  • I think that's kind of like saying "if the kid is so smart, why does he need to read books." Marketing is about education. It's about raising awareness of new opportunities. We're thrilled with what our community has built in Firefox 3 and as a community, we want as many people to hear about it, to try it, and ultimately to get a better Web experience by adopting it.

    Our approach to marketing is radically different and follows the traditions of Mozilla's open source code development with strong community leadership and participation. If our community decides that large-scale marketing efforts like World Download Day are no longer interesting, fun, or effective, then we'll probably change. But today, that's not the case, and there are millions in the community that think we're all on the right path with spreading Firefox.

Mozilla and Firefox are people-powered and while our financial resources are a tiny fraction of our primary competitors, our active and enthusiastic community is unrivaled. There's no greater proof than the success of World Download Day. I wasn't directly involved in the World Download Day program, but I was there in the very beginning of Mozilla's grass-roots, people-powered, community marketing program and I believe strongly in the abilities and the judgment of our community marketing team. I think Download Day was a phenomenal success and I'm proud to count myself as one of the 8M+ people who set the Guinness World Record for most software downloaded in a day.

Window Snyder blogged about this yesterday, and today Ryan Naraine has an article up, "Can Mozilla’s security metrics project end the patch-counting nonsense?", that I think hits the nail right on the head.

Security is serious. It's not the place for vendors to be opaque and the press to be sensationalist. Mozilla, beyond its great track-record on client application security and best in the world openness, is working to bring some sanity to the larger browser security landscape with a new program that will hopefully, as Ryan says, "put an end to the silly notion that patch-counting helps to determine a product’s security posture."

Go give Window's blog post a read -- and don't forget that you have a chance to participate, here, in a community interview with Window so if you've got questions for her, head over to the interview post and ask them.

It's official!!

The good folks at Guinness have certified the Firefox download record. 8,002,530 unique individuals downloaded Firefox 3 in the 24 hour period after launch on June 17th, 2008.

I have to give a big shout-out to Mary Colvig who organized this supercool community program. Mozilla community marketing really has taken Firefox to levels unimagined just a few years ago.

We said it when Firefox 1.0 launched but it bears repeating: We're setting the world on fire!

Congratulations also to the 8M+ people that all own a piece of this accomplishment. You all are amazing and you inspire me.

meet ellen siminoff

Tomorrow at 1PM, I'll be hosting another episode of Air Mozilla Live. Our guests this week are Ellen Siminoff, the newest member of the Mozilla Corporation Board of Directors, and Mitchell Baker. Ellen and Mitchell will be taking your questions, live, so please join on Wednesday.

You can read more about the program and Air Mozilla Live here.

Oh, and also read Mitchell's welcome post.

Brian Krebs, over at the Washington Post, has a great article up on the recently released study by IBM, Google and Communication Systems Group, which finds that Firefox users are far and away the most up to date users on the Web.

"83.3 percent of Firefox users were found to have the latest version installed at any given time. That's notably more than Web surfers using the latest versions of Safari (65.3 percent), and Opera (56.1 percent)."

Wow. That's a pretty stark difference. I'm not surprised to see Opera so low, considering their lack of a simple and efficient update mechanism (something I've written about in the past), but I am surprised that more than one third of Safari users weren't on the latest release given that Apple does have that simple update mechanism as part of its operating system. I suppose that some of Apple's problem could be that it unsupports older versions of OSX rather quickly and so there may be some decent number of people running OSX versions that simply cannot run the latest and safest software.

The report is pretty clear on the state of software updaters, saying, "We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied."

The I.E. data is a bit less concerning to me because Microsoft continues to provide security updates for I.E. 6, so it matters less whether users have updated to I.E. 7. Still, with I.E. 7, users do get added protections both in terms of security architecture and user-facing security features, so Microsoft shouldn't be let off the hook for not moving more of its users forward. I do wonder if, as I speculated for Apple, Microsoft still has any significant number of users on pre-SP2 systems that simply cannot run I.E. 7.

My take-away from this is that we're doing a pretty good job, certainly with room for improvement, of keeping Firefox users up to date. Safari is the big let-down given their built-in system for updating their users, and Opera remains the lone browser maker that puts dozens of nice-to-have features above the basic security needs of its users. As I said in January of 2007, "Opera Software should not ship another major release until they have a similar [automatic update] program in place." Unfortunately for their users, Opera has shipped two major feature updates since, and there's still no sign of an automatic update system for their desktop users.

Security is a process. That process includes the effort an organization puts into developing a software architecture that's secure from the ground up, extensive code reviews to prevent security bugs from creeping in, thorough security auditing, both blackbox and whitebox security testing, fix responsiveness to security issues as they become known, and fast and easy deployment to their users. At Mozilla, all of that is available for the world to see and the results are solid. At the other browser companies, it's only that final step that's available to see and if the other vendors are falling down on that one, who knows what else they're dropping on the floor behind closed doors.