Wrangler Doodles, green.

Building a Better World through Technology

co-founder Mozilla

( from the LizardWrangling Archive )

Tag: security

  • Online Safety: Helping People Help Themselves

    The online world is new enough that many of us aren’t really sure how we can keep ourselves as safe as possible. In the physical world we have generations of experience about how to minimize risk (beware of dark “shortcuts” through unknown neighborhoods alone at night), and well-developed social institutions to mitigate risk (police forces, insured accounts at banks, etc.). In the online world most of us are still learning what we can do as individuals to improve our own safety. Sometimes it’s daunting.

    It turns out that one important thing each of us can do is keep our software up-to-date.  By doing so we get a regular flow of security improvements. Firefox has a good update rate. But it’s easy for people to forget to update software that we don’t think about very often. One type of software that’s easy to forget about is a category known as “plugins.” Plugin software works with a browser to display additional types of content. Plugins are not created by the browser developers; they are separate teams and separate software. Because of the interaction with the browser, many people don’t know or forget about updating plugins. And a crash or security problem in a plugin often feels like a problem in the browser. So it’s easy for people to think that they’ve fixed the problem by updating the browser when in fact the plugin is still a problem.

    Last week Mozilla tried something new to help people help themselves. The results so far have been encouraging. We realized that a lot of people are using old version of the “Flash” plugin. We suspected that this is because people didn’t know they should update or that updating is an important safety habit. Flash is not a Mozilla product — it’s  from Adobe — so updating the browser doesn’t update Flash. And nearly everyone uses Flash to view video. So we put a notice on the Firefox update page, letting people with old, less-secure versions of Flash know that Adobe offers an updated version with security fixes.

    The response to this notice has been very high. The percentage of people viewing this (in the English language, US version) and then following the link to update flash is about 30%. This is a very high response rate. A typical response rate for this page is around 5%. A more detailed analysis can be found at our metrics blog.

    We’re very careful about putting anything on the Firefox update page, so asking people to deal with a different product is new. The response suggests that people are receptive to clear information about how to keep themselves safer. That’s encouraging. It benefits the individual doing the updating, and also provides a system wide “public health”- like benefit as well.

    Online security is a tough problem. It will be with us constantly, just like questions of physical security never go away. There are things each one of us can do to improve our setting. At Mozilla we’ll keep thinking about how we can help people figure out and do these things. And hopefully we’ll be part of a growing community of people doing this.

  • Symantec Security Report

    I’ve been following the news reports that Symantec has decided to change the way it counts security threats for browsers. Symantec is moving from a system which counted only vendor-acknolwedged problems to two categories. One is vendor-acknowledged and one is both acknowledged and not-acknowledged.

    I want to applaud Symantec for making this change and for noting that this is a better methodology. The new method is better because it reports serious problems whether or not the vendor has acknowledged them. The information citizens get should not be so dependent on what the software vendor chooses to tell them, so this is a good step.

    The new method is also better because it removes an insidious (and I’m sure absolutely unintended) side effect of rewarding software vendors for not acknowledging problems. Acknowledging problems is hard enough in any setting — for companies, for people, for most organizations. Symantec’s new system removes this unintentional public relations reward for not acknowledging problems.

    The Mozilla project creates its own internal incentives for acknowledging security issues in a timely way to protect consumers. We do this through our community and our open source development process. We open our code to people who are not employees. By doing so we make sure that we have independent experts involved in improving Mozilla products and acting as consumer advocatees. These experts monitor our performance constantly and provide an expert voice in getting security information from the Mozilla project to our user base.

    Security in the Internet era is a complex, constant process. No one is perfect today, and no one will be perfect tomorrow. Internet security will be a hard problem requiring vigilance for a long time. Protecting consumers over the long run requires a software vendor to have appropriate motivations, effective policies and develpment methods, and of course, good results. In this setting a strong, open process with built-in consumer protections is critical.

    We’ve pioneered such a process and we see its results in our products.

  • Monoculture and Flexibility

    Security issues are in the news recently with the Windows Metafile vulnerability. The point of this post is not to second-guess Microsoft’s handling of this vulnerability. For this discussion I’m happy to assume that Microsoft is taking exactly the correct actions on exactly the correct schedule. And beyond that, security is much more of a process than a one-time result. It’s not possible to be perfect. All of us, including Mozilla Firefox, must deal with security issues. Instead, I want to note that this vulnerability points out a key issue with the Internet that has little to do with Microsoft’s handling of this — or any other — specific vulnerability.

    The current monoculture of operating systems is dangerous. The degree to which people rely on Windows and have few viable options in times of need is dangerous for the Internet and dangerous for life on the Web. This dominance is also dangerous for the business models of Microsoft’s competitors of course, and unfortunately much of the analysis often stops at this business level. But far more important is the danger to a vital piece of our infrastructure — the health of the Internet itself.

    Take the current setting as an example. The WMF vulnerability exists in the Windows operating system, the experts report it’s being exploited by a range of websites, visiting one of these websites is about all that’s required to be affected, there’s no official fix and news reports differ on the likely effectiveness of antivirus software.

    So what is a person to do? Buy and install more antivirus and security software? Stop using the web until a patch is released? Try to determine which are “safe” sites to visit? The current answer seems to be angst, resignation and a sense of fear about the dangers of the Internet. This is bad for all of us.

    A better answer is to have greater flexibility in operating systems and applications. One way to get flexibility is through diversity and competition, which gives people an effective choice about what option best meets their needs. Today one can use an Apple computer with a non-Windows operating system (as I do) and avoid many of these problems. But Apple isn’t the perfect answer, being a closed-source, single-vendor, more expensive alternative. And just about everyone seems to agree that the Linux desktop is not yet ready for most people. So the alternatives are slim, and most people appear to be stuck.

    Another source of flexibility can be found in the competition of ideas that go into a shared resource, a process at the heart of great open source software projects. But one way or another, a healthy system needs the flexibility to adapt. And the people in the system need some way to demonstrate what matters to them.

    These goals of flexibility, adaptation and choice drive the Mozilla project. This is one reason Mozilla Firefox has always been a “cross-platform” application. By “cross-platform” we mean that the same codebase can be used on many operating systems. We make sure Firefox runs well on a variety of Windows, Mac, and Linux operating systems. Other contributors make Firefox work on yet more operating systems.

    We do this because it allows people a choice of operating systems. It allows that choice now, and it provides a key element in promoting effective choice in operating systems. It is much harder to change operating systems, or to move between operating systems, if the applications people use are different as well. Firefox removes this burden. Use Firefox on Windows today. Use a Linux machine tomorrow for some specific task — Firefox will be the same. Switch back to Windows for your main work, use a relative’s Macintosh when you visit them — Firefox will be the same.

    Building a great cross platform application is not easy. It is extra work. t requires massive expertise and testing, and it requires grappling with the differences between operating systems so that the user doesn’t have it. In some cases it may mean not taking full advantage of some opportunities to integrate with the operating system offers. (Of course sometimes integrating with the operating system can create problems of its own, as the security issues with ActiveX have demonstrated.)

    We do not do this because it is easy, but because it is important. The Web is still young — too young to be tied to a single path of development. Through our open-source, cross-platform applications the Mozilla project seeks to promote flexibility and consumer choice and to help build a healthier Web. It’s exciting and extremely challenging, and there’s no doubt it’s worth the effort.