Archive for Rants

What Am I Ticked Off About re: Mozilla/Firefox?

// November 17th, 2011 // 2 Comments » // Rants, tech

What Am I Pissed Off About re: Mozilla/Firefox?

EDIT 12/2/11: heh… Looks like I’m not alone in my thoughts. Comments at Slashdot on Firefox losing market share.

Mozilla is fighting an invisible battle against Google Chrome. They’ve implemented a ‘me too’ rapid release cycle for Firefox (and therefore also Thunderbird since they have [again artificially] tied their cycles together) in answer to Google’s rapid release cycle.

And the poop started hitting the fan. Not only was the public confused (“OMG! My browser’s really old! I only have 3.6 and they’re already up to 6! Was I asleep for a year?”) but enterprise IT folks were not amused. We can’t afford to have a browser we just deployed be declared un-supported mere weeks later. Similar remarks here: http://mike.kaply.com/2011/06/23/understanding-the-corporate-impact/

Yes, there is a working group that was put together after Mozilla finally admitted that enterprise IT had a valid point ( http://www.readwriteweb.com/hack/2011/08/mozilla-chair-acknowledges-ent.php )… in August 2011 after the release of version 6… two more major releases have come out since then. But right now there’s just an ESR proposal and… that’s where we stand. In the meantime, time continues to go forward at the same pace and we’re still dealing with actually using the browser. We essentially had ESR, then Mozilla took it away to go tilt at a windmill called Chrome. Now we wait while people talk about ESR… or we don’t wait and we move on.

We want to love you, Firefox! Why won’t you let us love you!??

The browser we’d fought for, the browser that finally took away share from IE, the browser that worked across platforms and became popular enough for sites to start to say “OK, we support Firefox too.” That browser’s maker has seemingly turned into a parody of Microsoft trying to keep up with [Apple/Google/etc. and yes, even Mozilla], clumsily announcing after the fact “Oh, yeah, we’re gonna do that too!” Now I have users who used to complain, maybe, about a website, and who are now complaining about the browser.

So now, no more stable release followed by a cycle of improvements and bug fixes (all the while being supported because the ordinal number up front hasn’t changed and won’t change until the next release goes stable and comes out of beta). Now it’s release, release, release and pray to bob the bug fixed in 5 doesn’t show up again in the ‘all new super hot off the press’ 8.

And, most importantly, this all loses sight of how the browser wars ended. They ended with Firefox the moral and spiritual victor on one solid principle: Build a better browser and people will use it. Goliath IE was slain (or at least severely maimed and forced to also get better) by one simple principle: Build a better browser and people will use it. Did I mention “Build a better browser and people will use it”? Not “OMGZ googlez has bilt a browzer and they’s gonna take all our search eyeballs moneys! Run around in circles!!!”

Now Firefox is so effing scared that they’ll lose that sweet Google search eyeballs cash that they’re all but making it a self-fulfilling prophecy in their panic. ( http://www.conceivablytech.com/9419/business/browser-market-share-forecast-update-firefox-losses-accelerate ) Why? Because Google planted that idea in their head when they released Chrome and now Mozilla’s management can’t see past it. It’s like a bug in their brain that’s making them crazy. (“This is Ceti Alpha V!”) They are so fixated on the forest they don’t see the trees catching fire. But the truth is that Google will keep paying out that cash as long as Firefox brings in eyeballs. That is, unless Mozilla gets so panicked they start acting like headless chickens and _manage to drive all its customers away_!

Which is exactly what I think might be happening. Hell, I’M using Chrome now because I just can’t take it any more (and Safari is in the crapper too as far as I’m concerned – so I don’t have much choice… in a world that used to be all about choice).

Now, my team is forced to sit down and talk about “What browser do we support officially if/when Firefox doesn’t get back on track. Also, we’re screwed email client-wise if Thunderbird ends up under the bus for no good reason.” My server guy… my poor staunch advocate for open source and non-big brothery software is forced to admit that we might have to consider Chrome! He wants to love you, Firefox! Hell, he does love you. But his love is wavering. So what exactly is wrong? Sheesh, where to begin. And, honestly, I’ll forget something. It’s all become a blurry laundry list of complaints from minor annoyances to show-stopping bugs (Stack space errors?? Really?? In 2011?). But, quickly and anecdotally, go google this:
http://www.google.com/search?q=firefox+switch+to+chrome

Those people? They’re not switching to Chrome because Chrome is sexy or amazing… largely you’ll see them saying that they are leaving Firefox because of Firefox’s problems or shortcomings, not Chrome’s features. OK, on to my gripes as an enterprise (education, actually, but we work the same and expect the same) IT shop.

* Instability. We’ve gone from a stable Firefox (sure, it had its quirks, but stable enough for us to say “we support Firefox” and be able to stand by it) to having to say “well, if you’re having problems in Firefox, you may have to use Safari/IE for that”. And then bracing for the next release 6 weeks later. (In all honesty, we’re just leaving most people on 3.6.x)

* Page rendering and slowness. This has forced us to downgrade some users who just can’t deal with it to 3.6.x. And we’re clearly not alone: http://www.zdnet.com/blog/hardware/firefox-36-is-mozillas-windows-xp/16098?tag=rbxccnbzd1
And, tellingly, you’ll still find a link to 3.6.24 on Mozilla’s download site. Even they tacitly admit there’s still a reason for it to be there:
http://www.mozilla.org/en-US/firefox/all.html

* Let’s talk about slowness. How can it be that Chrome got faster and Firefox got slower? ZDnet sure thinks so. Compare these two Kraken scores:

http://www.zdnet.com/blog/hardware/ie9-vs-chrome-10-vs-firefox-4-vs-opera-1101-vs-safari-5-the-big-browser-benchmark/12023?pg=5

http://www.zdnet.com/blog/hardware/the-big-browser-benchmark-chrome-15-vs-opera-11-vs-ie9-vs-firefox-8-vs-safari-5/16041?pg=5

You’re killing yourself, Mozilla. No excuses, no waffling. You. Are. Killing. Yourself.

* New weirdness depending on if you’re on 6 or 7 or 8. Profiles being trashed, bookmarks reverting or disappearing… What works in 7 might not work in 8. What was fixed in 7 from 6 seems to once again affect 8. And boy is it RAM hungry. But it was I/O hungry before, so that’s probably a step forward for users with networked home directories… Submit crash report, submit crash report, submit crash report.

* The artificial rapid release cycle creating browser instability is also unnecessarily affecting Thunderbird. For us, Thunderbird 8 is unusable. It _simply does not work for some users_. Add an IMAP account with lots of folders and mail and it crashes at startup. Get someone with less mail and it’s fine (but Lightning may or may not work). Submit crash report, submit crash report, submit crash report.

* The rapid release cycle also tends to break plugins/add-ons, often for no other reason than the fact that this version, which isn’t much different, starts with a different number. We even saw Thunderbird run into this on the day of release when we rushed to test it. In my case, instead of bringing Lightning with it, it disabled the already-installed Lightning add-on and then refused to upgrade (Lightning will be upgraded on next restart -> restart -> Lightning will be upgraded on next restart -> removed Lightning manually -> install Lightning -> Lightning is not compatible with this version (WTF?) -> clear everything out -> install, go to add-ons, aha! Lightning link in featured add-ons -> install Lightning -> Lightning will be installed on next restart -> restart -> Lightning will be upgraded on next restart… give up.) That’s… crazy. This is Mozilla we’re talking about…

Dammit… we were pinning our hopes on integrating Lightning into our environment to stem the tide of requests for Outlook from those who just wanted calendaring of some sort. Now we have a 1.0 release of Lightning for a version of Thunderbird we can’t even deploy. ARGH! Because of Firefox chasing Chrome around like a big dumb puppy chasing a car. (“It must want to eat my food! GRR! Chase!”)

I think Mozilla has lost their minds. Please. Please. Go find your minds and put them back in before you lose all that you’ve worked and fought so hard for (and we’ve supported so strongly) because you got a little scared by some actual competition. This coming from someone who wants you to succeed. Who’s begging you to succeed. I’m your fan. Your cheerleader. And now I’m about to break up with you because… you won’t let me love you!


Additional reading from way back at version 5 (oh, wait, that wasn’t that long ago…)
http://www.conceivablytech.com/8102/business/should-mozilla-ditch-the-rapid-release-cycle-again

The Principle of Least Privilege – A Failure in MA

// May 18th, 2011 // Comments Off // Rants

[cross-posted to my blog at Berkman/Harvard Law Weblogs]

Disclaimer: I am not a lawyer, nor do my opinions represent those of Harvard Physics, Harvard Law or Harvard University. What I am is a computing professional and technologist. A sometimes outraged one. As a result, some of what follows may be a bit snide. I can’t apologize just yet for that. Past the outrage, I’m hoping that something good will come from this incident… although I rather doubt it.

The Incident:
On April 20th, 2011 around 1,500 computers in the Massachusetts labor department’s Departments of Unemployment Assistance (DUA) and Career Services (DCS) were found to be infected with a [allegedly] new variant of a well-known Windows worm (not a virus as has been reported) called W32.Qakbot. From some prior date — they say April 19th, but I don’t find the idea that they know when the initial infection occurred convincing given other facts — until around May 13th (or May 16th, according to another report), information entered or accessed on these machines may have been intercepted by the worm for transmission to an unknown recipient.

The Response:
The Executive Office of Labor and Workforce Development reported this incident on May 17th. That’s 28 days until they notified the public or state officials. Call it four weeks, call it nearly a month, but either way it’s too long and clearly at odds with state law which requires that any such break-in be reported to the Attorney General’s office “as soon as practicable and without unreasonable delay”. There is absolutely no reason this could not have been reported sooner… except, perhaps, incompetence and/or fear. In their official statement it’s claimed that “all possible actions have been taken to minimize the impact to the Commonwealth’s constituents”, but this is clearly in error as “all possible actions” would have included notifying the AG immediately.

And I’m afraid I have to take the Boston Globe to task too. In its report on the incident it said:

“The potential impact of the breach is dwarfed by other recent data thefts. In April, Sony Corp. suffered an attack on several of its networks used by consumers for video gaming, music, and movie downloads. In the same month, Texas e-mail marketing firm Epsilon Data Management LLC reported that hackers had raided its network and stolen the e-mail addresses of millions of US consumers.”

If anything, it’s the other way around. Those other episodes presented a low risk that actual sensitive data was released. The Sony breach, while involving more people, may have included names, email addresses and probably mailing addresses, but these sorts of scraps are something that criminals can often already buy or collect on their own from search engines. The Epsilon breach netted mostly email addresses. In all likelihood, that just means more phishing attempts; something people are already inundated with unless their email provider is one of the better spam preventers.

But the labor department incident most likely included the transfer of critically sensitive information such as Social Security numbers, financial information, EINs, and work or personal history information. So let me be very clear in exactly what I’m stating. This incursion is more serious than the Sony or Epsilon breaches. It may affect tens or hundreds of thousands of MA residents and potentially thousands of MA businesses and, unlike the Sony breach, which may help identity thieves zero in on a target, the information gleaned from DUA/DCS might make it a trivial matter for thieves to hijack a person’s identity.

The initial response to the media from the labor department was a shrugging ‘Well you know… viruses, right?’ and a clearly implied wish that everyone will just move on and not make a big deal of it. As though virus/worm outbreaks are just part and parcel of having a computer. And some, it seems, including some of the media reporting the issue, are buying this wrong-headed idea. Why? Because… well, because lots of people have PCs and they get viruses all the time, right? Right. And Wrong. And part of the problem. The home computer user’s experience cannot and should not be projected onto the ‘enterprise’ computing environment. That the average PC user and the average business user are both sailing a boat with Windows written on the side does not mean that the water they sail on is the same.

That sort of thinking is what’s got us where we are. The proliferation of malware (viruses, worms, trojans, etc.) in the world is not a foregone conclusion. It’s not an endemic side-effect of owning a computer. It’s something that has grown and been fostered by a poor understanding of ‘security’, a leaning towards this sort of passive concession that it’s Computer Magic and beyond our ken and… frankly… laziness. That’s been followed up by an industry that’s happy to do the least they can get away with to band-aid the situation and entities who put their head in the sand and think slapping on an anti-virus client is good enough. And the cycle repeats. The only winners are the thieves. They win because a large portion of the United States computing population can’t be bothered to do better.

Let’s talk about particulars. One concept most PC users do not follow but every business PC environment that calls itself security-conscious should is the ‘Principle of Least Privilege’ aka least-privileged user account (LUA). Given the notoriously malware-prone existence that Windows has lived, a corporate or government support entity that does not subscribe to this principle is just asking for it. The idea is very simple: The end-user should ordinarily be logged in with an account which has the least amount of administrative privilege possible which still allows them to do their work. In other words, require passwords and don’t log in with an administrator account. But… walk into any coffee shop in America and you can wager a safe bet that 80%-90% of the people there are doing just that.

Why is this so important? Why am I bringing it up here? And why do I assume the computers in question didn’t rely on this principle already? Simple: This one action, implementing this one policy, would have stopped the spread of this worm in the DUA/DCS computers. W32.Qakbot cannot extend its infection without the user having certain administrative privileges. And, in my opinion, this principle should not only be encouraged… it should be mandated, especially for computers that come into contact with sensitive information. I know mine are. And how many ‘inevitable’ virus/worm infestations have we dealt with in my tenure as head of this group? Zero.

I’m not saying this to imply that my network is beyond the reach of malicious computer thieves and black hat hackers. No network can ever be 100% secure. But there are certain principles and methodologies well-known and well-documented in annals of computer security that, if followed, reduce your susceptibility by leaps and bounds. But, sadly, many would rather cross their fingers, stick their heads in the sand and hope they get lucky. Well… the law of averages (another name for ‘luck’) is not on their side. Yes, your users will complain that they can’t install software without your help, but they won’t be complaining about a proliferation of viruses and malware. Because, and this is the crux of the whole principle of least privilege, if they can’t install software, malware can’t install itself. The malware only has as much privilege to modify the system as the user does (barring flaws in the operating system – that’s a wholly separate issue that we’ll not get into here). And you, the administrator, control that level of privilege.
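The check a shop enforcing LUA actually needs is a way to find the exceptions: which accounts on a machine hold local admin rights that policy does not grant them. The Python script below is an added example, not code from the original post. It parses the output of the Windows command `net localgroup Administrators` (the sample output embedded in it is constructed, as is the hypothetical allowlist), reports members outside the allowlist, and includes a small cross-platform check for whether the process running it is itself elevated.

```python
"""Audit local Administrators membership against a least-privilege allowlist.

Added example, not part of the original post. On a Windows host it runs
`net localgroup Administrators`; elsewhere it falls back to the constructed
sample output so the parser can be exercised offline.
"""
import ctypes
import os
import subprocess
from typing import Iterable, List, Set

# Constructed sample of `net localgroup Administrators` output (real output
# has the same shape: header, "Members", a dashed separator, one member per
# line, then a status line).
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\helpdesk-svc
CORP\\jdoe
WORKSTATION7\\jdoe
The command completed successfully.

"""

# Hypothetical allowlist: principals that policy says may be local admins.
ALLOWED_ADMINS = {
    "Administrator",
    "CORP\\Domain Admins",
    "CORP\\helpdesk-svc",
}


def parse_net_localgroup(text: str) -> List[str]:
    """Return the member lines from `net localgroup <group>` output.

    Members follow the dashed separator line and stop at the first blank
    line or at the trailing 'The command completed successfully.' line.
    """
    members: List[str] = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_members:
            if line.startswith("----"):
                in_members = True
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(members: Iterable[str], allowed: Set[str]) -> List[str]:
    """Members of Administrators that the allowlist does not cover.

    Comparison is case-insensitive, since Windows account names are.
    """
    allowed_ci = {a.casefold() for a in allowed}
    return sorted(m for m in members if m.casefold() not in allowed_ci)


def run_net_localgroup(group: str = "Administrators") -> str:
    """Run `net localgroup <group>` on a Windows host and return its output."""
    out = subprocess.run(
        ["net", "localgroup", group], capture_output=True, text=True, check=True
    )
    return out.stdout


def running_elevated() -> bool:
    """True if this process has admin rights (Windows) or is root (POSIX)."""
    if os.name == "nt":
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


if __name__ == "__main__":
    text = run_net_localgroup() if os.name == "nt" else SAMPLE_NET_LOCALGROUP
    extra = unexpected_admins(parse_net_localgroup(text), ALLOWED_ADMINS)
    print("process elevated:", running_elevated())
    for account in extra:
        print("LUA violation: local admin not in allowlist:", account)
```

Run it from a login or startup script and collect the violations centrally; an end-user account such as the constructed CORP\jdoe showing up as a local admin is exactly the condition that lets a worm running as that user modify the whole machine. Two caveats: `net localgroup` output is localized, so the status-line check may need adjusting on non-English installs, and domain groups listed as members are not expanded, so nested membership has to be checked against the domain separately.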

Simple. Effective. And… ignored by the average IT outfit as being too ‘burdensome’ on the end-user. Sure, a firewall is the first line of defense when designing your network. But an anti-virus client is not the second defense, it’s the last line of defense. We’re not even concerned yet with what operating system is in the line of fire, much less what software it’s running. The second line of defense in this case is your policies and whether it’s more burdensome to inconvenience the user a little bit… or risk having the whole thing come down on your head like DUA and DCS are now experiencing.

  • If you approach your security policies as merely ‘keeping people out’, you have already failed.
  • If you approach them from the standpoint of ‘let’s assume they’re already in’, you have a chance at success.

So when CNET reports that “The agency is notifying people who may have been affected and is working with the Massachusetts attorney general’s office to investigate the breach”, I sincerely hope that part of the investigation will include looking into what made this possible from inside, not just from outside. Because there’s zero chance they’ll stop the thievery of this information. It’s already in the wild and catching the perpetrators is, now, a secondary concern given that there’s no taking back the damage. But as a MA state resident, right now I care very much about what my state government’s computing security policies are and why they’re not using every proven method available to them to safeguard our information. We have new and very specific laws in MA about how sensitive information can be transmitted, but how it’s stored and maintained by the state is equally important.

And, as such, I feel that the Executive Office of Labor and Workforce Development has some explaining to do.

State House News Service report: Massachusetts officials disclose data breach in unemployment system
Official response: Executive Office of Labor and Workforce Development Reports…

Disk Test Results Round 2

// July 16th, 2008 // Comments Off // Rants, Represent, tech

I’ve finished the tests I’d planned and the results are posted in the PDF linked here.
(I’ve updated this since yesterday into one document with added notes, so grab the latest copy.)

In the end, Seagate trounces the competition on performance. However, the second place Samsung disk is still a strong contender, especially where price is an issue. Quite frankly, these are the only two 1TB disks I’ll be recommending to anyone for any sort of capture or editing. Well… actually, I’ll be recommending 4 disks: the two winning models here and their cheaper non-enterprise versions. You’ll have to decide for yourself which best fits your needs and pocketbook.

For us, the 4 Seagates will go into a rack unit and be put into daily use offloading backups.
The 4 Samsungs will go in a new Mac Pro for edit/capture.

Disk Test Results (final)

I’m glad I could share this info and I hope someone finds it useful.
Maggie
