Mozilla Software

Pavlovian Vulnerability

It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of whitelisting the domain so that you can install, then wait for the delay, and install. Restart your browser, and you’re done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?

I hope at some point we get to the point where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but some could be: extensions that can be installed easily, where the user can know that they are safe.

My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.

How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about them? I’m guessing most people just view these as annoyances, and still open and install stuff indiscriminately.

The problem with security is that eventually people get used to it, and life goes back to normal. It’s something faced by national security experts as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yeah, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?

The big question is how do you clearly distinguish between safe and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.


Pavlovian Vulnerability – the susceptibility to a security risk due to a learned, almost automatic response to a monotonous situation or predictable chain of events.

Note: this is different from carelessness or negligence because Pavlovian requires that it be learned, either by training, repetition or some other means.

Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.

Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.


MSN “Kahuna” Beta doesn’t work with Firefox

According to CNet:

Downside: Getting used to the new layout may be hard for die-hard fans of Hotmail. Kahuna works with Internet Explorer 5.5 and up, but not with Firefox….

I’m a bit concerned about that, and wonder what Microsoft’s plans are regarding Firefox and other non-IE browsers. Will they be stuck with the old interface and begged to upgrade? Will future betas of the new layout be fixed so they work with other browsers? It’s clearly possible, as Google has done it.

If anyone at Microsoft wants to clarify the plans for other browsers, I’d of course welcome that dialog.

In The News Mozilla Tech (General) Web Development

Top 20 IT mistakes to avoid

From InfoWorld’s Top 20 IT mistakes list:

11. Developing Web apps for IE only

Despite the fact that mission-critical applications continue their march onto the Web browser and that Windows continues to dominate the corporate desktop, Web developers should avoid the temptation to develop applications only for bug-ridden IE. IT shops that insist on using IE for Web applications should be prepared to deal with malicious code attacks such as JS.Scob.

First discovered in June 2004, JS.Scob was distributed via compromised IIS Web servers. The code itself quietly redirects customers of compromised sites to sites controlled by a Russian hacking group. There, unwitting IE users download a Trojan horse program that captures keystrokes and personal data. Although this might not sound like a threat to corporate IT, keep in mind that employees often use the same passwords across corporate and personal assets.

Many enterprises may not be able to avoid using IE. But if you make sure your key Web applications don’t depend on IE-only functionality, you’ll have an easier time switching to an alternative, such as Mozilla Firefox, if ongoing IE security holes become too burdensome and risky for your IT environment.

I’m upset they didn’t mention that failure to be compatible on your website will get you on my naughty list. Oh well.

The whole list is very good, I’d strongly recommend anyone interested in IT read the complete article.

Hardware Mozilla

The Laptop Saga Continued

Zach was taken care of by Apple (I guess it’s now clear Apple wins for service as well as hardware design). I got a few days tacked onto my ordeal as my laptop is expected to ship out a few days later now. Unfortunately for me, there is no “store” to go to. My laptop still needs to be assembled, and from what I’m told there is a “parts constraint”. So if anyone out there is working for a company who owes Lenovo/IBM parts: get working!

Edit: Added link for those who didn’t see last week’s episode.

Mozilla Web Development

CSS Hero

Stuff like this, and potentially this, make me very eager to get a copy of CaScadeS II. Those are some very welcome features that would save a ton of time. Especially if they can be done within Firefox.

One of the biggest caveats of CSS is that it’s such a pain to develop with. A good development tool doesn’t fix the problems of CSS, nor the implementations (or the differences in implementations), but does make it a little easier. Now if it had some magical way of helping you with layout (something like layout-o-matic but better), it would be a WMD in the CSS arena. Something to help create various popular CSS layouts, [#] column [fluid/fixed] layouts, with options for header and footer. Likely wouldn’t be too hard. What would make it tough is making it flexible, while keeping a user interface that someone without a PhD could understand.

For those wondering, I have tried TopStyle, and yes, it’s not a bad CSS editor, but I don’t think it really saves me any time; your mileage may vary. Though I haven’t tried the pro version.

Google Mozilla

Ian Hickson goes to Google

Ian Hickson has gone to Google. It’s great to see Google picking up great minds like him. WHATWG is clearly something Google should have an interest in, considering how Google seems to be pushing the Web into this “Web 2.0” (yes, it is a bullshtick term from the geeky technical perspective, but it’s relevant from the business side of things). WHATWG clearly moves in that direction.

Internet Mozilla Web Development

Eolas 2.0

It’s back. As if it wasn’t ridiculous the first time, we get to go through this again.

  1. Create something.
  2. Don’t enforce for years, silently awaiting wide deployment, then magically appear and start collecting $$$ (can you say GIF?).
  3. Profit.

Oh boy, stuff like this is just insane at this point. It’s going to be interesting to see what happens from here. Hint: root for Microsoft (yes, I said it).

In The News Politics

MTA copyrighting subway maps

This is kind of disturbing. The MTA isn’t really a private company. As taken from their website (with my emphasis):

Since 1982 the MTA has been carrying out the largest public works rebuilding project in the country. Funded by federal, state, and local government and by the issuance of debt, the MTA’s most recent capital program has generated an average 31,760 private-sector jobs, $1.3 billion in wages, $100 million in state and local tax revenues, and $3.52 billion in economic activity annually.

That’s right, New Yorkers… by law you paid for those maps, but by law you can’t have them.

There’s something seriously wrong when you have to pay for access to something paid for by your taxes. They should be given the choice of either giving up the federal/state/local funding, or release copyright into the public domain. The current situation is ridiculous.