echo reply

By now, everyone and their brother has reblogged Darin’s post about experimental support for <a ping>. And, as I think most people predicted, there was an outcry about privacy concerns and support for non-standard HTML extensions. Others have written lots about what the actual effect on the privacy landscape is (IMO, a slight improvement), so I won’t rehash that, and my feelings on the “divine right” of any one standards-for-a-living body to define the future of the web are pretty well-known among those who care, so you also won’t have to endure that.

What I’m concerned about is that developers involved in this process were, in the words of at least one of them, “surprised” that there was controversy over implementation of this feature. I agree that, at least so far, the controversy seems to be based mostly on an incomplete understanding of how things are actually tracked on the web today. But there’s a difference between not thinking that the objections are valid and being surprised that people have a reaction to the proposal. The latter worries me a bit, because the emotional and social context in which we operate is pretty important to our success. We ignore that at our own peril, I think, though there would certainly also be peril in swaying with every wind. I guess this is why philosopher kings make the big bucks.

Also, somewhere between the initial bug filing, the trunk landing, the request that it go into the Firefox 2 branch, and Darin’s blog post, the original intent of this work seems to have become obscured, at least in our messaging: this is an experimental implementation to be used to gather feedback from implementors, web authors, users, and the rest of our huge world.

(Aside to the Slashdot submitter: when you link to a blog post that explicitly describes the feature and mentions that people might be nervous due to privacy fears, you might not want to say that it was “quietly” done. This was one of the louder landings for a change of its scale, IMO — which is as it should have been, also IMO.)

checking it twice

At the urging of, and on the basis of recommendations from, people whose expertise in these matters I respect more than slightly, I have turned on a blacklist check for mail on the server I run, through which all of my mail eventually transits.

If you find that your mail to me is bouncing due to this blacklist, please do inform me via mail to Thanks!

the things go in the boxes and the boxes go in the place

We’re moving today, by which I mean that three nice men are coming to put a bunch of rectangular cardboard prisms in a truck and take them to a new, entirely unsuspecting place. We have carefully hidden our most precious belongings inside these cardboard prisms, in hopes that they will not be noticed, and thereby end up in said new house.

We packed yesterday, by which I mean that seven very nice friends — to wit: Madhava, Kate, Chelsea, Mr. Chelsea, Emily, Stuart, and Vlad — came and helped us hide our possessions as described above. Emily arrived quite directly after her return from Ottawa, for which we were proud to award her a special Sleeman trophy. (But not a glass, because we had to pack all the glasses.) The best available information also indicates that Matej was able to breathe again after leaving our dusty and cat-hairy premises. So that’s nice for him.

Vlad and Stuart have been here for almost two weeks now, watching time-to-movers decrease at a significantly faster rate than things-in-boxes increased. Hell, for a while we weren’t sure about the movers-booked milestone at all. They’re going to get to enjoy the fruits of their labours as they become our first guests in the new house, some scant hours from now. To commemorate the occasion we have acquired a new guest bed, to be put in the room-that-is-not-a-nursery-stop-it-already.

There may also be cake.

high fidelity

(I can only barely forgive myself for that title. I hope you can manage as well.)

After my previous post about Fidelity and Firefox, Rafael pointed me at another article about Fidelity’s adoption of Firefox. A gem from that one, emphasis mine:

Recently the center began testing the open-source Firefox browser, an alternative to Microsoft’s dominant Internet Explorer. Charlie Brenner, a Fidelity senior vice president in charge of the center, says the idea came from engineers in his department who were using it at home and liked Firefox’s advanced features, such as the ability to open new browser windows in tabs rather than in a whole separate browser, and its promise of being more secure from hacker attacks than Explorer.

Someone else agrees with, or is perhaps experiencing, my current theory on enterprises and our software: we’re better off trying to get to enterprises via users, and not the other way around. Dunno if the same logic holds for other disruptive software, especially our open source cousins, but I think that the following three-step plan is probably as useful as many wordier ones that are getting funding and publicity today:

  1. Make it easy for users to try and love your software where they can most comfortably do so (e.g., at home).
  2. Make them wish they could have it elsewhere (e.g., at work).
  3. Help them sell it to the people who can make that wish come true.

I could easily write paragraphs upon paragraphs about each of those bullet points, talking about things like minimizing change cost and playing to the unique scaling strengths of open source communities, but you can all probably imagine what it’d look like. And I don’t have to type or edit your imaginings, so we all win.

Of course, I am not a millionaire entrepreneur success story, teenage software genius, proven technology futurist, or even venture-funded experimenter, so it’s quite likely that you can get better advice elsewhere.

halos and security holism

A nice article about Fidelity and open source has two things that I find especially nice, in this one paragraph alone:

The Mozilla Firefox browser was an eye-opener, added Mike Askew, who also works in the technology center. A head-to-head comparison of Firefox and Internet Explorer showed that both had about the same level of security vulnerability, but “the time needed to fix vulnerabilities in Firefox was much less,” Askew said. That experience led Fidelity to look at open source more intently.

First, I do quite like to hear that our success is making people look at other open source offerings more seriously. It’s not a primary goal for the project, but it’s one of the nice unintended consequences that we get as a bonus.

Second, I like to see people evaluating security characteristics of software in a more nuanced way than simple advisory or vulnerability count. Not all bugs are equal (as is perhaps obvious now, in the throes of the WMF vulnerability, though that’s not an IE bug), and even with severity weighting you are still faced with what are likely even more important questions. Chief among them might well be “how long am I likely to be exposed once a bug is found, or publicized?” If you believe that history is a useful, if imperfect, guide, then something like this vulnerability-window study might be of interest. If not, then you’ll have to do more research, which I very much hope you’ll publish.

hit list

Just so I don’t forget.

I was gonna set up something to help me track such hit lists, so that I don’t have to keep asking “what was that cool thing graydon showed me?” all the time, but, you know.