Archive for the ‘Uncategorized’ Category

At Mozilla, blowing the lid off security practices

Friday, July 30th, 2010

Window Snyder, Mozilla’s chief security something-or-other (her official title), wants to bring open source practices to the security community.

“At a lot of companies,” she told me recently, “there’s fear around security: you don’t want to talk about what you’re doing around security because one might deem it not enough–or might want to criticize it.” She said most companies have a lot of reasons to keep what they’re doing in security quiet, but not Mozilla. “We benefit from being open; it’s the model for us and it’s been successful for us.”

Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says, “we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else.”

Snyder started her security work at @Stake (now a part of Symantec), then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she’s pretty much at ground zero.

Snyder said the idea of opening up security came about by asking, “What are we doing internally that we can make publicly available to help somebody else in some other project?”

They decided to start out small. “We’re starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It’s training materials, it’s syllabi, exercises, it’s a workshop-style class. Hopefully we’ll be able to do video as well.” The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.

Johnathan Nightingale of Mozilla echoed this. “It’s pretty brittle if there’s only one person who is the security guy or gal that always solves a problem. It’s better to get that knowledge out there–whether it’s working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you’ve made a huge step forward.”

In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington, and a Javascript fuzzer created by Jesse Ruderman. Further, Mozilla admitted that these tools had found vulnerabilities within Firefox. Accepting that openness, Opera reported that the tools had also discovered a flaw within its browser product. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven’t revealed whether they used the tools to detect any flaws in their products.

Snyder says often the security story isn’t that a company created a tool that found 14 vulnerabilities in its own product, it’s that there were 14 vulnerabilities in the product in the first place. “Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That’s something that we can do that other companies cannot.”

In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.

In this video, Window Snyder talks about security metrics.

“Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application,” Snyder said. “Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we’ve implemented to address those specific threats.

“But it also gets us feedback on whether our mitigations are sufficient. It gets the research community engaged in another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they’re able to get involved in the threat modeling process which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling.”

Threat modeling is more theoretical; it’s abstract. “So, instead of saying concretely if you do this, that and the other thing, that will result in an actual vulnerability, threat modeling says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you’re sending content, unvalidated, to this audio decoder. That would be scary. So the threat would be unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be there’s an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well.”

The goal, she said, is to remove whole categories of vulnerabilities. “Here’s a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities.”

She concludes that the training, the tools, and the threat modeling are “good for peer reviews, it’s good for testers, it’s good for developers.” She sees it as delivering on a promise to “make the Web more secure.”

Smooth the transition to OpenOffice.org

Friday, July 30th, 2010

It’s much easier to notice the similarities between the programs in the free OpenOffice.org suite and their Microsoft Office counterparts than to see their differences. Unfortunately, it’s the differences that can slow you down as you make the switch from Word to Writer, Excel to Calc, and PowerPoint to Impress.

For example, you may find that you don’t have the same selection of fonts available in Writer as you did in Word, nor will you have access to the templates you used in Office. This doesn’t mean you have to do without, though. There are plenty of free resources available that let you use OpenOffice without sacrificing functionality.

Convert your templates
To import Office templates to OpenOffice’s Writer, Calc, and Impress programs, open one of the programs, and click File > Wizards > Document Converter. Select Microsoft Office, choose all three Office applications, and click Next.

Convert your Microsoft Office templates to OpenOffice via the Document Converter wizard.
(Credit: OpenOffice.org)

Browse to the folder holding your Office templates in the “Import from” text box, choose a destination folder for the templates (you can also import your Office files), and click Next again. Do the same for Excel and PowerPoint on the next two screens, review the files that will be converted on the following screen, and click Convert.

When the conversion completes, you’ll see the files that were converted. Click Close to return to the OpenOffice program.

The templates will now be available when you click File > New > Templates and Documents, and select the appropriate application. Note that the templates may not look and act exactly as they did in Office, and PowerPoint templates will likely have to be renamed because the conversion changes all their file names to “PowerPoint Presentation.”

Add productivity-enhancing extensions
You’ll find dozens of useful add-ons for OpenOffice applications on Sun Microsystems’ Extensions page (the link leads to the most popular extensions).

One of my favorites is Andre Schanbel’s Template Changer, which adds an “Assign new” option to the File > Templates menu. This lets you assign a template to the currently open file. Also, Sun offers the Professional Template Pack that includes cover pages, presentation backgrounds, certificates, business letter templates, and personal-finance templates.

Now choose Tools > Options, click Paths in the left pane under OpenOffice, select Templates in the right window, click Edit > Add, navigate to the folder you placed the templates in, and click OK three times.

Find free fonts
If you stick with such tried-and-true fonts as Times New Roman, Arial, Garamond, Courier New, and Calibri, you probably won’t need to add any types to Writer’s roster. People who rely on a wider range of typefaces may find their favorites missing, however. To supplement the fonts built into OpenOffice, visit 1001 Free Fonts, HighFonts.com, or Mike’s Sketchpad. Place the new fonts in the C:\Windows\Fonts folder to make them accessible in OpenOffice applications.

For more on making the switch to OpenOffice, see Solveig Haugland’s great article, which includes links to OpenOffice training sites and other resources (scroll a little past the middle of this long page to find them).

Tomorrow: Perform any operation on your PC without using your mouse.

Firefox 3 ‘awesome bar’ not awesome for all

Friday, July 30th, 2010

There’s no better way to incur user wrath than to change one of the fundamental features of a product. Apple’s been doing it for years with each revision, usually prompting a positive cheer from most while alienating a certain margin of its fervent user base that vows to never buy or use the product again. Browser maker Mozilla is not without its own minority that appears to be up in arms about the updated address bar.

The Smart Location Bar, dubbed the “awesome bar” by the company, drops in a mix of your bookmarks and browser history as you type. For example, if you’ve got CNN.com bookmarked, or have visited it in the past, simply typing in a “C” would drop down a stream of links with some of the most relevant or highly visited sites rising to the top. It’s been designed as a time-saver, but a group of users have come down on the new feature because it can’t be turned off easily and has a quirky habit of putting some links in front of others.

Reader Jim points us toward this post on Mozilla Links about the feature back in the second beta that has accumulated nearly 300 user comments. Notice the date though (November 2007), and the latest comment was just a few minutes ago. Most of the comments praise the new feature, while some power users are complaining about the structuring of the links and want the option to disable bookmarks as part of the equation.

Similar threads exist in Mozilla’s own community forums, although most quibbles are linked up to Mozilla’s knowledge base articles which show how to tweak and edit certain features step-by-step.

There are, in fact, several ways to disable this feature entirely. One way is to follow the instructions on this page, which involves a small tweak to your about:config file. Doing so will disable the drop-down of links completely, but not your auto fill. There’s also an add-on extension that mimics the behavior of the address bar found in Firefox 2 with slightly smaller favicons, link text, and sorting.

Office Live, you’re no Google Docs

Friday, July 30th, 2010

Microsoft has announced a milestone with its Office Live Workspace product: It’s scored its millionth user. And the company has announced the product will be out of beta this year.

Yay, Microsoft. Now go back and build the service we want, please.

There are people who say that Office Live is a Google Docs competitor. It certainly could be, someday, and I’d like to see that. But it’s not right now. What it is right now is a way for people who have paid for the Microsoft Office suite to share files with other people who have the suite. It’s useful, but it’s no Google Docs, nor Zoho for that matter.

Those other productivity suites are a) free, and b) browser-based. They don’t require that you pay for and then install software on your PC.

Office Live does have its own text editor, but it’s rather weak and doesn’t have Google Docs’ killer feature: simultaneous editing. If someone edits a document you’ve got open and you then try to save it, you get a conflict error and have to decide whose edits you want to kill.

As ZDNet’s Mary Jo Foley writes, Microsoft believes that users don’t want to create big files and documents “on the Web.” Maybe that’s because they can’t.

I believe Microsoft could make an honest Google Docs competitor without killing its Microsoft Office business. Eventually, Microsoft will have to. So it might be smart for Microsoft to encourage people to start thinking about the company as an expansive supplier of productivity solutions–desktop and Web-based–rather than just a company that makes desktop office products that, by the way, also have some add-on Web support.

Tidbit: Office Live Workspace works nicely in Internet Explorer and also in Firefox. But you get a blocking error page if you try to use it in Google Chrome.

Mozilla Labs vetting user talent for new products

Friday, July 30th, 2010

On Monday, Chris Beard, vice president and general manager of Mozilla Labs, posted a rather vague, yet optimistic, blog entry about opening up Mozilla Labs projects to the Web community at large. The move comes just a week after the company lost Mike Schroepfer, Mozilla VP of engineering, to Facebook.

Beard has coined it a “concept series” and included three videos of products and services currently at the conceptual level and not yet ready for public consumption. Of the three embedded in Beard’s post, the most buzz-worthy was the mobile version of Firefox, which surfaced two months ago. The other two are a little more out there, with a bookmarks visualizer and what is seemingly the most complicated-looking interface demo ever done by the folks at Adaptive Path for a project called “Aurora” which was unveiled last night.

To get involved, Beard is asking users to keep their ideas structured into one of three buckets:

Ideas
It all begins with an idea. A sentence, paragraph, or even bullet-points kick-start the process. Ideas can be simple and non-technical. It should be easy for anyone and everyone to help shape the future of the Web. So throw your notions, inspirations, dreams and visions out to the community.
Mockups
Turn your idea (or someone else’s) into an image, sketch or video. Words are great, but you know what they say about pictures. Mockups offer up a visual and communicate ideas in terms that are just a bit more polished and real. They draw the next person in, tempting them to pick up the concept and run with it.
Prototypes
A prototype is interactive. Feel, touch and play with developing concepts. Prototypes get ideas across by showing off the moving parts. They aren’t always fully functional or pretty, but they’re more than a static image or two. They’re a dress rehearsal of sorts, with minimal programming. Make a prototype in HTML, Flash, or whatever puts things into action.

Mozilla is also using tags on popular Web services to let people post up their mockups, the first of which have already shown up on Flickr.

I’ve embedded all three concept videos below. The Aurora one is in HD only if you watch it on Vimeo, so click here to see it in its full-resolution glory.

Bookmarking and History Concept Video from Aza Raskin on Vimeo.

Firefox Mobile Concept Video from Aza Raskin on Vimeo.

Aurora (Part 1) from Adaptive Path on Vimeo.

Settlement will stand in Netflix ‘throttling’ case

Friday, July 30th, 2010

The terms of a 2006 settlement in a lawsuit against Netflix will be allowed to stand over the objections of four Netflix subscribers, according to a report by Reuters.

In the initial lawsuit, the customers accused the company of “throttling.” They alleged that Netflix held up delivery of DVDs to customers who were heavier users of the service–and therefore less profitable–in order to fill orders for new customers and less frequent users.

As part of the settlement, Netflix agreed to give 5.5 million users a free month of service and to pay attorneys’ fees.

In 2006, Netflix reached a settlement agreement, but the four Netflix subscribers challenged it, saying the attorneys’ fees awarded by the trial court were “excessive” and they were improperly notified of the terms of the agreement.

On Tuesday, however, a California appeals court upheld the settlement, marking a victory for the online video rental company.

CBS closes CNET Networks acquisition

Thursday, July 29th, 2010

CBS announced Monday it completed its $1.8 billion acquisition of CNET Networks, publisher of many Web sites including CNET News.com, setting the stage for expanding its CBS Interactive division into five categories.

Under the acquisition, CBS Interactive will include such categories as technology, entertainment, sports, news, and business. The division will be headed up by Quincy Smith, former CBS Interactive president, who will now serve as its CEO. Neil Ashe, former CNET Networks CEO, will become president of the business unit.

CBS Interactive’s technology category will include CNET.com, CNET Reviews, Download.com, and others. The entertainment category will include TV.com, GameSpot.com, Chow.com, CBS.com, TheInsider.com, Last.fm, and the CBS Audience Network, while the sports category will include CBSSports.com, CBSCollegeSports.com, and NCAA.com.

CBS Interactive will also incorporate the news category, serving as home to CNET News.com, for technology news, and CBSNews.com, which features global news and current events. The business division will operate BNET.com, as the anchor to its business-related content, as well as ZDNet and TechRepublic, which serve readers who tend to use technology for large corporations.

Yahoo says Microsoft offer still ‘undervalues’ com

Thursday, July 29th, 2010

Updated from the top Monday 6:10 AM PDT by Dawn Kawamoto, who also added a short update note at the bottom at 2:30 PM PDT.

Yahoo on Monday responded to Microsoft’s merger deadline, reiterating its rejection of the software giant’s unsolicited buyout bid as “substantially” undervaluing the company.

Jerry Yang, Yahoo's CEO
(Credit: Yahoo)

“As a result of the decrease in your own stock price, the value of your proposal today is significantly lower than it was when you made your initial proposal,” Yahoo CEO Jerry Yang and Chairman Roy Bostock wrote in a letter to Microsoft CEO Steve Ballmer.

On Saturday, Microsoft issued an ultimatum to Yahoo, giving the Internet search pioneer three weeks to enter formal merger negotiations and conclude a deal. In Monday’s letter, Yang and Bostock rebutted Ballmer’s claim that Yahoo has refused to enter negotiations, citing meetings the two companies have had in recent weeks.

“Steve, you personally attended two of these meetings and could have advanced discussions in any way you saw fit,” they added in response to Microsoft’s claim that Yahoo has refused to enter negotiations.

Yahoo’s board of directors met on Sunday to review Microsoft’s ultimatum to close the deal within three weeks, according to a report in the Financial Times.

Microsoft launched an unsolicited bid for Yahoo on February 1 in a deal initially valued at $31 a share. But Yahoo rejected that offer as undervaluing the company.

Over the weekend, Microsoft threatened to launch a proxy fight and to take its offer directly to Yahoo investors in an exchange offer. A proxy fight would entail Microsoft seeking to get an opposition slate of directors elected at Yahoo’s next annual shareholders meeting, for which no date has yet been set. Should Microsoft’s slate prevail, the new board would likely vote on the issue to remove Yahoo’s antitakeover measure, otherwise known as a “poison pill.” Without a poison pill, Microsoft would be able to tender the shares Yahoo’s investors committed to the software giant as part of its exchange offer.

More importantly, Yahoo stated that investors representing a “significant portion” of its shares have indicated to the company that Microsoft’s offer substantially undervalues Yahoo.

Yahoo said its recent road show to outline its three-year financial plan to investors received “positive feedback from our stockholders.” The company went on to note that it had strengthened its view that it’s worth more as a standalone company than Microsoft’s current bid.

One major institutional investor said over the weekend that he had previously informed Yahoo’s independent directors that he may consider voting for a new board of directors, if the parties did not move forward in a deal.

But while Yahoo investors may want more money from Microsoft, it’s unclear whether that would translate into a re-election of Yahoo’s current directors, or if investors would support an opposition slate put forth by Microsoft in a proxy fight.

In its Monday letter, however, Yahoo said: “We are confident that our stockholders understand that our independent board is best positioned to objectively and knowledgeably evaluate our company’s alternatives and to maximize value.”

Yahoo: Reflect our true value
In its letter to Microsoft on Monday, Yahoo highlighted its global brand, recent sizable investments in its advertising platform, growth prospects, and its “strategic benefit to Microsoft,” in justifying a higher bid.

“Our position is simply that any transaction must be at a value that fully reflects the value of Yahoo, including any strategic benefits to Microsoft, and on terms that provide certainty to our stockholders,” the letter states.

Yahoo, in closing its Monday note, said it wants Microsoft to provide “certainty of value and certainty of closing.”

Antitrust concerns
Yahoo also highlighted its concern about a potentially rigorous antitrust review, both domestically and overseas, should it agree to a deal.

Yahoo said that an antitrust review could drag out and disrupt its operations, only to end with regulators nixing the deal. According to sources, shortly after Microsoft issued its unsolicited bid two months ago, Yahoo had begun inquiring into the antitrust ramifications and the likelihood that such a deal could get passed.

“As a follow up to a recent meeting among our respective legal advisors we had on this topic, and at your request, we provided to you on March 28, a list of additional information we would need to further our understanding of the regulatory issues associated with any transaction. To date, you have still not provided any of the requested information,” Yahoo’s letter states.

Microsoft, meanwhile, could be hearing the clock ticking on the waning months of the Bush administration and feeling pressure to wrap up the regulatory process. The process can take anywhere from six to eight months to review, said one former high-level antitrust attorney with the Department of Justice who is now in private practice.

Under the Bush administration, Microsoft’s antitrust situation has been far less dicey than it has been with the European Commission. In February, the Commission slapped Microsoft with a $1.35 billion fine for failing to comply with its previous antitrust sanctions.

Throughout the takeover effort, Yahoo’s Yang has made a habit of sending reassuring e-mails to the troops at his company.

Microsoft CEO Steve Ballmer
(Credit: CNET Networks)

Update, 2:30 PM:
Microsoft is also working to keep its troops up-to-date as the heat intensifies between the two companies.

Kevin Johnson, president of Microsoft’s platforms and services division, sent an e-mail to his employees Saturday, to inform them of the ultimatum Ballmer was issuing that day to Yahoo:

“I wanted to make you aware that we sent the attached letter to the Yahoo! Board of Directors today.
We will not be commenting publicly or internally on the letter as we believe the letter speaks for itself.
I will continue to keep you updated as events warrant. Thank you for your continued focus on our innovation roadmap and business objectives.”

Arizona death notices taken offline on ID fraud co

Thursday, July 29th, 2010

Digital copies of death certificates have been removed from the Web site of Maricopa County in Arizona because they could be used for identity fraud, The Arizona Republic reported on Wednesday.

“There is so much personal information on them: a mother’s maiden name, what they died from,” said Helen Purcell, recorder for Maricopa County, which covers the state capital, Phoenix.

The county had received complaints from people about the posting of the information for years and removed them last month, she said. The state has one of the highest identity fraud rates in the country.

The County Recorder, which archives real estate records online, requires that death certificates be recorded when a property owner terminates a joint-tenancy deed after another owner has died.

Copies of recorded death certificates can still be viewed, but request forms require an applicant’s name, address, phone number, and notarized signature.

Ozzie Open source is greatest threat to Microsoft

Thursday, July 29th, 2010

Microsoft is clearly worried about Google as a competitive threat. But the bigger worry continues to be open source, according to Chief Software Architect Ray Ozzie.

Ozzie, speaking at the Sanford C. Bernstein Strategic Decisions Conference in New York on Wednesday, said that while Google is a “tremendously strong competitor…open source was much more potentially disruptive” to Microsoft’s business model.

Ray Ozzie, Microsoft's chief software architect
(Credit: Dan Farber/CNET News.com)

Ozzie said that since many open-source programmers aren’t beholden to shareholders they potentially represent a more formidable force in the market.

ZDNet’s Mary Jo Foley has posted a detailed report on Ozzie’s talk. Some of the highlights:

Open source has “made Microsoft a much stronger company” by driving changes to Microsoft’s products to make them interoperable with open-source products.

Microsoft’s pursuit of Yahoo “was not a strategy unto itself,” Ozzie said. “It was an accelerator to the ad platform.”

Ozzie said that a new operating system designed today wouldn’t be a single piece of software on a single computer. Instead, it might be something that gives users access to data running across multiple devices, like PCs, TVs, cars, etc. “Instead of the computer being at the center, you (the user) are at the center,” he said.

Ozzie might elaborate on that operating-system-of-the-future idea at Microsoft’s Professional Developers Conference, slated to take place in October in Los Angeles. Ozzie is giving the keynote speech at the event, and the company is expected to have a broader beta of Live Mesh–part of its Live platform strategy–and offer a clearer picture of its overall services push.