out of service

I suffer from depression, and some related issues like anxiety. I was first treated for it in high school, though my condition predates that treatment by some unknown amount. Since that time, I’ve had varying success managing that aspect of myself, but most of the time I can keep it from interfering much with my personal and professional life.

The severity of my condition varies, and lately it has varied…against me. I’m not really functional, due to a combination of random-onset crying, incredible fatigue, (even for me) very high distractibility, and virtually no motivation or enjoyment of my usual pleasures and rewards. Because of this, I’m taking some time off work to recover, and during that period Damon Sicore will be assuming my duties. I have complete confidence in Damon, and knowing that he’ll be ably running things is a source of no small comfort.

I am 100% certain that I’m going to be OK. I’ve been through episodes like this before — though it’s been perhaps a decade since the last one of this severity — and I have always come out the other side with a better understanding of myself and improvements to my life. I am intellectually optimistic, even if my emotional state doesn’t often match these days. I could not wish for a more supportive family, circle of friends, and set of co-workers. I’m truly touched by the kind notes and words from so many people already, even though I know that my absence will make their lives harder for a while.

I’m writing about this in some detail because my absence will affect a fair number of people in the project and community; because I want to encourage everyone to help Damon sort out the things I’ve dumped on him; and especially because I think that people don’t talk about mental illness enough. If we could discuss mental illness with the same candor as we do our diets, food allergies, back pain, or diabetes, I think that it would be much easier for people to get the help they need. It is very hard to make good decisions about treatment (like to get some!) when your very mind is working against you; doing it alone is terrifying and for many people virtually impossible. I am incredibly fortunate to have the support, experience, and resources that I do, and it is still a very difficult thing for me to work through. Even as I write this, part of me worries how it will reflect on Mozilla. I just wouldn’t worry about that at all if I had a “physical” ailment.

I’ll likely post more on my blog about this, but not likely syndicate to planet; it’s not really Mozilla-related, other than the fact that Mozilla, like most communities, is probably more affected by mental illness than we realize.

free as in smokescreen

The web is full of headlines today like this one from MacRumors: “MPEG LA Declares H.264 Standard Permanently Royalty-Free”. It would be great if they were accurate, but unfortunately they very much are not.

What MPEG-LA announced is that their current moratorium on charging fees for the transmission of H.264 content, previously extended through 2015 for uses that don’t charge users, is now permanent. You still have to pay for a license for H.264 if you want to make things that create it, consume it, or your business model for distributing it is direct rather than indirect.

What they’ve made permanently free is distribution of content that people have already licensed to encode, and will need a license to decode. This is similar to Nikon announcing that they will not charge you if you put your pictures up on Flickr, or HP promising that they will never charge you additionally if you photocopy something that you printed on a LaserJet. (Nikon and HP are used in the preceding examples without their consent, and to my knowledge have never tried anything as ridiculous as trying to set license terms on what people create with their products.)

H.264 has not become materially more free in the past days. The promise made by the MPEG-LA was already in force until 2015, has no effect on those consuming or producing H.264 content, and is predicated on the notion that they should be controlling mere copying of bits at all! Unfortunately, H.264 is no more suitable as a foundational technology for the open web than it was last year. Perhaps it will become such in the future — Mozilla would very much welcome a real royalty-free promise for H.264 — but only the MPEG-LA can make that happen.

because no respectable MBA programme would admit me

I read (and talk) a lot about various “management topics”. I’ve been doing this since long before I managed anything more significant than my own clothing choices, because part of my brain was swollen in a childhood bicycle accident; it deprives other parts of my brain of blood and nutrients, explaining in part why I know a lot about how decision-making processes can fall apart, but usually can’t remember to have lunch. (Part of that is true.)

I have made some important findings over the last, uh, 17 years of reading and thinking about groups. Let me show you them.

Business and management books, which are latterly bleeding over into the self-help and pop-economics spaces, have terrible names. It is not a useful filter, just as it is not for science fiction. You are as likely to find a worthwhile read in a book titled “Monkey Fighting and Tomato Plants: How To Rebuild Your Team For The Digital Economy” as in any other.

Again as in science fiction, you can apparently get published if you just have a kernel of a good idea, even if it doesn’t benefit from more than a 5-page treatment, or you can’t communicate concepts clearly to save your life. Out of every, say, 10 books I start reading in this space, fully 9.7 of them have me asking “why is this a whole book?”, or even “why is this a whole chapter?” I guess this is why there are so many of those “summarize the hot business books in 1000 words each” services around.

If you’re not reading the citations, you’re not really reading the book. (If the book doesn’t have citations…yeah.) You don’t have to read all of every paper, but you should skim the ones that pertain to the parts that are most interesting to you. That probably means the parts that trigger the strongest “wow! yeah!” as well as the strongest “no way!”. (I am sometimes not really reading the book, especially where I can’t get my hands on the papers in question.)

Sequelae (“More Monkeys Fighting More Tomato Plants: How The Social User Economy Makes Left-Handed People Obsolete”) are either a) not really sequels, just named that way, not that names matter per above; or b) terrible. There are exceptions, but you should not count on finding them.

If there aren’t people on Amazon pissed off enough to 1-star in 10-paragraph denunciations, you’re probably not going to learn anything you don’t already know, though you might find a useful reframing of something. That can be pretty valuable, in my experience, and is also the most common silver lining from trudging through the first few chapters of an otherwise lame book.

So far I’ve found at least 3 books that I would recommend strongly to people, whether they have plans to manage or not. Links are to Amazon, which I’m sure shows some sort of cultural insensitivity. They are also not affiliate-tagged, because I’m not really very smart.

“Mistakes Were Made (But Not by Me)”: a lot of management, in my perhaps-too-telling experience, is overcoming cognitive dissonance and otherwise getting from questions to assumptions to data to decision to understanding to execution. This book is a really accessible treatment of cognitive dissonance and some other common biases; it has made me painfully aware of my own such dissonance episodes, and made me much more sympathetic in a lot of my interactions. When I find myself clenching my jaw and wondering “why does he do that? so illogical! wtf!”, most of the time I can tie it back to this sort of thing. Also, the book has a pretty decent title, as long as you stop before the colon.

“Influencer: The Power To Change Anything”: making change possible/successful/kinda-pleasant is the other “a lot of management”, for me, so I have read…more than one book in this area in the last year. While this one does occasionally fall back on the “magic in step 2” formulation of “create rewards”, I found it to be a pretty great treatment of different change contexts, and different ways of approaching various change efforts.

“The Checklist Manifesto”: this book in one sentence: “make a checklist and use it”. Why is this a whole book? IMO because of the amount of cognitive dissonance involved in the idea that a simple tool can make a difference in sophisticated processes, and because making a good checklist and getting people to use it are really the valuable and hard parts. Also because Atul Gawande is a great, great storyteller. (Thanks to John O’Duinn for turning me on to his previous books, which are also great.)

Bonus, not quite as good as the previous three IMO: “Switch: How To Change When Change Is Hard”: a pretty interesting dissection of why some kinds of change are hard, and what successful change efforts tend to have in common. The presented framework sounds a little hokey (“Elephant, Rider and Path”), and the example case studies sometimes feel like they’re being stretched a bit, but still pretty good. I might like it more on a re-read, even.

Comments are open, unusually.

[Updated: I didn't mean to imply that these were the only books that I felt were worth recommending!]

HTML5 video and codecs

Recently, Vimeo and YouTube announced that they were moving to support the HTML5 video tag, as DailyMotion did last summer. This is an important step in making video a first-class citizen of the modern web, and that is great news. Unlike DailyMotion, however, Vimeo and YouTube chose to rely on the patented H.264 video encoding, rather than an unencumbered encoding like Ogg Theora. This means that the <video> pages on those sites will not work with Firefox.

Vimeo and YouTube seem to believe that reliance on proprietary plugins for video is a problem on the web. Mozilla believes that reliance on patent-encumbered formats is a problem on the web. Who’s right? Both groups are, in this case; that we can attack, from different perspectives, the multifaceted problem of freeing video on the web is an example of the distributed innovation that has made the web such a powerful and popular platform.

For Mozilla, H.264 is not currently a suitable technology choice. In many countries, it is a patented technology, meaning that it is illegal to use without paying license fees to the MPEG-LA. Without such a license, it is not legal to use or distribute software that produces or consumes H.264-encoded content. Indeed, even distributing H.264 content over the internet or broadcasting it over the airwaves requires the consent of the MPEG-LA, and the current fee exemption for free-to-the-viewer internet delivery is only in effect until the end of 2010.

These license fees affect not only browser developers and distributors, but also represent a toll booth on anyone who wishes to produce video content. And if H.264 becomes an accepted part of the standardized web, those fees are a barrier to entry for developers of new browsers, those bringing the web to new devices or platforms, and those who would build tools to help content and application development.

Some companies pay annually for H.264 licenses, which they can pass on to users of their software. Google has such a license, but as they have described, it does not extend to people building from their source or otherwise extending their browser. (Apple and Microsoft are licensors to the MPEG-LA’s AVC/H.264 patent pool, so their terms may differ substantially.) Personally, I believe that it is completely their right to make such a decision, even if I would prefer that they made a different decision.

Mozilla has decided differently, in part because there is no apparent means for us to license H.264 under terms that would cover other users of our technology, such as Linux distributors, or people in affiliated projects like Wikimedia or the Participatory Culture Foundation. Even if we were to pay the $5,000,000 annual licensing cost for H.264, and we were to not care about the spectre of license fees for internet distribution of encoded content, or about content and tool creators, downstream projects would be no better off.

We want to make sure that the Web experience is good for all users, present and future. I want to make sure that when a child in India or Brazil or Kenya discovers the internet, there isn’t a big piece of it (video) that they can’t afford to participate in. I want to make sure that there are no toll-booth barriers to entry for someone building a whole new browser, or bringing a browser to a whole new device or OS, or making and using tools for creating standard web content. And I want that not only altruistically, but also because I want the crazy awesome video (animation, peer-to-peer, security, etc.) ideas that will come from having more people, with more perspectives, fully participating in the internet. The web is undeniably better for Mozilla having entered the browser market, and it would have been impossible for us to do so if there had been a multi-million-dollar licensing fee required for handling HTML, CSS, JavaScript or the like.

I very much believe that Google (both the Chrome and YouTube teams), Vimeo and many others share our desire to have a web with full-featured, high-performance, unencumbered, natively-integrated video, and I look very much forward to us all working — together and separately — towards that end.

People have raised questions about using existing support for H.264 (or other formats) that may already be installed on the user’s computer. There are issues there related to principle (fragmentation of format under the guise of standardized HTML), to effectiveness (about 60% of our users are on Windows XP, which provides no H.264 codec), to security (exposure of arbitrary codecs to hostile content), and to user experience (mapping the full and growing capabilities of <video> to the system APIs provided); I’ll post next week about those in more detail, if others don’t beat me to it.

[A translation of this post to Belorussian has been provided by PC.]

five by five, in the pipe

A little more than eighteen-hundred days ago, I and many others held our breath as the much-anticipated Firefox 1.0 was released to the world. A million downloads in the first week pushed our server infrastructure to the brink, and left me reeling: we had come so far from the days of Netscape 6 and the drive to Mozilla 1.0. Our message of a better browser experience, exemplified by the security and performance and personalization and open source and standards-friendliness of Firefox, had found a welcoming audience.

We faced, then, a daunting series of challenges: shifting focus to our most promising product (Firefox) while maintaining the energy and contribution of the Mozilla community; making the project sustainable over the long term, within the inviolable parameters of our mission; navigating new waters of commercial-non-profit-hybrid-community-mainstream-competitive software. We’ve had success at all of those so far, by my lights, though surely not without our bumps and scrapes.

The world is very different today than it was when Firefox was born. Microsoft has rebuilt its browser team, and released two major updates to its browser — at the time, I counted IE7 as one of Mozilla’s greatest achievements. Two other software Goliaths, Apple and Google, have joined the browser fray with gusto. Where once only Opera dared to tread, the browsing experience is now seen as a defining characteristic of a mobile phone, and we are ourselves getting ready to rock it.

Even in this savagely competitive environment, Firefox and Mozilla continue to thrive. Of our 330 million users world-wide, more than 100M of them are in the last year, and 30M in the last two months alone. We’ve continued to grow incredibly even since the latest competitor entered the scene, because we’ve continued to relentlessly improve Firefox and the web in ways that matter to people around the world. Every day we, along with our incredible and essential mirror partners, ship almost twice as many Firefox downloads as we did in that incredible release explosion from five years ago.

In January, I’ll have been involved in Mozilla for a dozen years. It has been a lot of work and a lot of fun, a professional and personal opportunity that I think makes me one of the luckiest software professionals ever to whine about their debugger. Thank you to everyone who has helped make Firefox what it is today, and what it will be tomorrow. There’s lots more to do, but please take at least a few minutes today to sit back and relish the impact you’ve had on the web, and on the people who use it.

updating the update, as it were

I made an update to my WPF timeline post, but I wanted to make sure that the correction was seen by people who may not revisit that post.

The SRD blog post which revealed that Firefox users were also exposed to the IE vulnerability was published on Tuesday, not Monday. The post is labelled as having been published Monday, and the timeline including that survived review by Microsoft, but nonetheless it was an error that I published, so I’ll own it. To the best of my knowledge, the SRD post which informed us and the world of the Firefox exposure was published on Tuesday after the patch and bulletins were first made available to Windows users.

You guys all about ready to have this thing entirely behind us? Yeah, me too. Me too.

update on the .NET Framework Assistant and Windows Presentation Foundation plugin blocking from this weekend

There’s a fair bit of confusion circulating about what happened, and what’s going to happen next, which is understandable — it’s been confusing! I’ll summarize here what happened, and what’s next.


The add-on and plugin in question have a long and storied history, but for the events of this weekend the timeline basically starts this summer:

July 2009: Mark Dowd, Ryan Smith, and David Dewey present a paper at Black Hat detailing vulnerabilities in Internet Explorer and other software (including some Firefox plugins, such as Google’s Native Client, but not including Firefox itself or the Windows Presentation Foundation plugin).

Tuesday, October 13: Microsoft’s Security Research & Development team posts on their blog revealing that one of the Internet Explorer vulnerabilities in the Dowd and co. paper can be used to attack Firefox users through the use of this IE component in the Windows Presentation Foundation plugin. This plugin was and is distributed as part of Windows .NET Framework 3.5. As part of Patch Tuesday, Microsoft releases MS09-054 and its associated cumulative update, labeled as an Internet Explorer patch. (The bulletin has subsequently been updated to mention Firefox, see below.)

Friday, October 16: Mozilla contacted Microsoft to learn more about the exposure of our shared users. We discussed the nature of the vulnerability as well as the difficulty of uninstalling the plugin and add-on, and agreed that Mozilla should blocklist the add-on and plugin while we sorted out how best to ensure that Firefox users on Windows were protected. The SRD blog post was updated to indicate that Firefox users who applied the patch were protected from the vulnerability.

Saturday, October 17: Based on feedback from users (chiefly enterprise users), our web team began work on mechanisms for an overridable block (“soft block”) capability for Firefox 3.5 users. Discussions with Microsoft indicated that the add-on was a possible vector for the exploit, so it remained blocked.

Sunday, October 18: Microsoft informed us that the add-on (.NET Framework Assistant) was NOT a means for exploiting the vulnerability, and we removed it from the blocklist. The Windows Presentation Foundation plugin was confirmed to be exploitable unless the patch was applied, and remained on the blocklist. The MS09-054 bulletin was updated by Microsoft to include text about Firefox users.

Monday, October 19: We updated our blocklist management system to permit “soft blocks”, and adjusted the blocklist entry for the Windows Presentation Foundation plugin so that users who know they have the appropriate IE patch installed can re-enable the plugin.

Next Steps

Microsoft is monitoring patch adoption rates for the relevant patch, and when it reaches a high level of deployment we will remove the remaining blocklist item. I expect that will be in the next 48 hours at the outside.

Users of Windows 7 RTM are not affected, as the add-on and plugin are not distributed as part of Windows 7. Microsoft is working with Mozilla to make the functionality available to Firefox users in a user-controlled way for all operating systems in the future.

Stephanie Boesch, Director of Program Management at Microsoft, coordinated with Mozilla on this issue, and I want to thank her for her responsiveness and help throughout. She says: “Security is a top priority for all Microsoft customers, and we jointly decided the best course of action was to temporarily block the plugin and add-on while Firefox customers applied the Internet Explorer Security Update. We appreciate Mozilla’s shared commitment to protecting our mutual customers and look forward to working more closely with them in the future on such issues.”

Updated (Wed, Oct 21): fixed a timeline error caused by the SRD blog post having an incorrect publishing date on it, which even survived MSFT review of the timeline. The SRD post was published on Tuesday, not Monday.

[Comments are closed on my blog, but you can leave comments at the Mozilla Security Blog post on the topic if you'd like.]

.NET Framework Assistant blocked to disarm security vulnerability

I’ve previously posted about the .NET Framework Assistant add-on that was delivered via Windows Update earlier this year. It’s recently surfaced that it has a serious security vulnerability, and Microsoft is recommending that users disable the add-on if they have not installed IE patch MS09-054.

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately. (Some users are already seeing it disabled, less than an hour after we added it!)

Updated to reflect updates to Microsoft blog post. Also, the add-on was confirmed to not be a vector for the vulnerabilities, so it was removed from the blocklist. The plugin is still blocked pending more information about patch deployment rates; work is underway to make the blocking overridable to accommodate enterprises and sophisticated users who know they have installed the IE patch.

thoughts on chrome frame

Last week, Google announced Chrome Frame — a plugin for running their Chrome browser inside Internet Explorer. Early response from web developers has been predictably positive: they’ve been suffering under the reign of Internet Explorer for years, and even in 2009 they have to deal with Internet Explorer 6. I certainly share that longing for a web in which the vast majority of web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox and Opera. Unfortunately, I don’t think that Chrome Frame gets us closer to that web.

Users who wish to render sites with Chrome can already use Chrome, of course, and should. If they want to keep using IE for sites that the site’s developers agree work better with Chrome — and we agree that the majority of sites are much better with a more modern browser than Internet Explorer — it is likely because of application behaviour. Running Chrome Frame within IE makes many of the browser application’s features non-functional, or less effective. These include private browsing mode or their other security controls, features like accelerators or add-ons that operate on the content area, or even accessibility support.

(Many users who are using IE rather than a more modern browser, especially those who are using the long-suffered IE 6, are likely to be unable to use Chrome Frame due to lack of system permissions or because they are running too old an operating system.)

As a side-effect, the user’s understanding of the web’s security model and the behaviour of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack-plugins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5. It would be better for the web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome, and instructed them on how to install it. The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome’s performance would accrue to Google rather than to Microsoft.


(Is it really true that I only blog what’s too long to tweet now? Need to think about what that means, but I’m already not sure I like it.)

From John, emphasis mine:

The reason we have a vibrant, open web today is because of millions of little decisions and contributions made by thousands of people in that timeframe — people who work on browsers, people who build web sites & applications, people who evangelize for standards, people who use the web and ask/demand that it be better.

From CNET:

Other questions from the audience ranged from what computer science professors should be teaching to whether Internet Explorer would support HTML 5. Ozzie said he had nothing to announce on the latter front, but added, “It is our commitment to be a world class Web browser, what our competitors like to call a modern web browser. I think you can expect us to do the right thing.”

Very much looking forward to it.
