The Mozilla Blog

News, notes and ramblings from the Mozilla project

Author Archive

International Mozilla Store Back Online

Posted by Mozilla

Last week, we took the International Mozilla Store offline as a precautionary measure after being notified of the GatewayCDI security breach that impacted the North American Mozilla Store. After verifying the security of the International Store, we brought it back online earlier today and it is now completely operational again.

During the downtime, the IT teams from both Mozilla and Merchandise Mania, the operating vendor for the International Mozilla Store, performed diagnostic tests and confirmed that the appropriate security procedures were in place. The International Store was not affected by the GatewayCDI breach and no personal information was exposed at any point.

We’d like to thank Merchandise Mania for their cooperation and prompt response to this matter, and want to assure customers that the International Store has our continued confidence.


Mozilla Store Vendor Security Breach

Posted by Mozilla

Today, Mozilla discovered that GatewayCDI, the third party vendor entrusted to run the backend of the Mozilla Store, suffered a security breach. Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised.

Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised.  GatewayCDI is currently investigating their systems and determining the cause and extent of the breach.  Mozilla Store customers who are affected will be contacted directly by GatewayCDI.

Mozilla is committed to user privacy and the store will only be reinstated once we have a satisfactory assurance of ongoing login security and data privacy.

The International Mozilla Store, although run by a separate partner company, has also temporarily been shut down as a precautionary measure. The Mozilla Community Store is operated on a wholly separate system and was not impacted by the breach.


Open Video Conference Roundup

Posted by Mozilla

Editor’s note: The inaugural Open Video Conference took place last week in New York City (Mozilla was one of the sponsors). Mark Surman, executive director of the Mozilla Foundation, has posted some observations about the conference, which are excerpted here. We’re excited about the future of video on the web as we prepare to release Firefox 3.5, with built-in support for the open video format.

Wow! was the only word that can really sum up the Open Video Conference last weekend in New York City. It was an amazing confluence of people from the worlds of online video, art, free culture, open content and web technology. This is not a group that comes together often, but it turns out sparks fly when they do (in a good way).

Zittrain interviewed

Photo: Kid Kameleon, CC BY SA NC

Of course, the big take away is that open video is both important and fun. Dean, Elizabeth, Ben and all the volunteers did an AMAZING job organizing an event that showed this. They invited the right mix of people, programmed the right content and threw the right parties. The organizations that backed the event also showed tremendous leadership and prescience — Participatory Culture Foundation, Kaltura, the Yale Information and Society Project and iCommons. All of these people and orgs deserve a huge thank you (I hear clapping!).

Next steps: start doing the small and easy things (open video awareness and documentation), and figure out a way to pick up some of the hard stuff along the way (better codecs, easy tools, deeper connections to the people who make video). The good news is there are a lot of people and orgs that want to make it happen, and they are gathering around this idea of an Open Video Alliance (the umbrella for the conference). Good things ahead.

PS. A full video archive of the conference sessions is coming soon. In the meantime, you can see one of the demos that Blizzard and Paul Rouget gave here and Blizzard and my slides here.

Read Mark’s full wrap-up of the Open Video Conference.


Extend Firefox 3.5. Make the Next Great Web Experience!

Posted by Mozilla

Editor’s note: This is a repost of the Mozilla Labs announcement of the Extend Firefox 3.5 contest now underway at ExtendFirefox.com.

The Extend Firefox contest is back challenging developers to make the next great web experience!

This global developer contest awards prizes for developing new Firefox Add-ons for the upcoming production release of Firefox 3.5. Last year’s contest received over 100 add-on submissions of some of the coolest and most innovative add-ons to date, and with Firefox 3.5 really raising the bar in terms of features, you can expect this year’s competition to be intense!

We’ve worked hard to line up great documentation and resources for contestants along with awesome prizes for the winners. Along with MacBook Pro laptops, the contest’s sponsors are providing professional development tools, software and books which are sure to complement any developer’s toolkit & library!

All entries will be judged by a panel of experts, with Grand Prize and Runner’s Up prize packages awarded for add-ons that take advantage of the new capabilities being introduced in Firefox 3.5 and that demonstrate excellence in user experience, innovativeness, and use of open standards. In addition, we’ve added two new categories this year for the best shopping add-on and the best gaming and entertainment add-on. Hot!

Special thanks to our sponsors, Manning Publications, InformIT, MacroMates, Sofa and ExpanDrive, for offering up some cool prizes and for helping to promote and get the word out to the wider development community!

Extend Firefox 3.5 is open now and runs through October 2nd, 2009.

Official contest rules and information are available at http://www.extendfirefox.com/.


Beware the Security Metric

Posted by Mozilla

Editor’s note: Lucas Adamski, director of security engineering for Mozilla, has posted a response to Secunia’s recently released 2008 security report (PDF link). We’ve reposted the full post from the Mozilla Security Blog here.

Beware the Security Metric

Security metrics are very difficult to do well, and easy to do poorly. For example, take a look at the recent Secunia “2008 Report” (http://secunia.com/gfx/Secunia2008Report.pdf). It tries to break down vulnerabilities reported by browser, and specifically states:

31 vulnerabilities were reported for Internet Explorer (IE 5.x, 6.x, and 7), including those publicly disclosed prior to vendor patch as well as those included in Microsoft Security Bulletins.

Safari and Opera each had 32 and 30 vulnerabilities, whereas 115 vulnerabilities were registered for Firefox in 2008.

From a quick read it appears as though Firefox had almost 4 times as many security issues as IE or Safari! Like, OMG! However, that conclusion would be painfully incorrect. Mozilla discloses and releases bulletins for all security issues fixed in Firefox, regardless of how they were discovered, unlike other vendors that only disclose issues reported by external independent parties, but not by internal developers, QA or security contractors.

So presenting those numbers as comparable is worse than useless; it is in fact very misleading. It’s like comparing traffic accident rates for two cities of equal size, but one only reports accidents that make the news while the other reports all traffic accidents. Directly comparing such numbers is meaningless.

Some vendors make the point that the number of internally found issues is small and not meaningful. That would unfortunately imply their internal testing and security processes are incapable of finding security issues, and rely entirely on the generosity of random strangers (security researchers). I would find that pretty scary.

Fortunately, having worked in-house and consulted to a number of large software vendors, I can assure you that is not true. In fact they generally have very capable security teams and QA processes, which are so good at finding security issues that they usually find far more internally than they ever disclose to the public.

The Secunia report is deeply disappointing on a number of levels. Frankly, it’s disappointing that security researchers aren’t taking the “research” part of their jobs as seriously as they once did. It’s also disappointing that Secunia would publish something like this, as one really expects better from them. This sort of reporting only encourages companies to hide as many security issues and fixes as possible, which moves the state of security backwards. And this is perhaps the most disappointing thing of all.

Lucas Adamski
Director of Security Engineering

Comment on this post at the Mozilla Security Blog


Q&A on Mozilla and the European Commission

Posted by Mozilla

In response to questions that have been asked about Mozilla’s involvement with the recent European Commission (EC) conclusion regarding Microsoft’s tying of Internet Explorer to the Windows operating system, we’ve prepared this brief set of questions and answers.

What is Mozilla’s involvement in the EC’s complaint against Microsoft?
We are following it closely and are obviously interested in the outcome. Mozilla has received “interested third party” status in the EC’s investigation. As a result, we may see the Statement of Objections confidentially. We may participate in a hearing if the EC concurs. Mozilla’s role as an interested third party best enables us to contribute our knowledge of the browser industry to the EC. Mozilla is not a complainant; we have not “joined the suit”, despite some reports to the contrary.

Why is Mozilla getting involved?
The EC has taken a position that Microsoft’s actions harm competition among web browsers. The EC is currently developing a response based on this conclusion. A good remedy could be helpful; a bad remedy could create more damage. Mozilla has relevant and unique expertise in the web browser industry, both as to the nature of the damage and the complexities of possible remedies. We believe it’s worth offering that expertise to the EC. Ultimately, this case has huge potential impact on our mission of supporting an open and participatory web.

What does Mozilla want to have happen?
We want any remedy imposed to support an open and participatory web. By the same token, we seek to avoid any remedy that causes unintended damage.

There have been a number of opinions shared by individuals affiliated with Mozilla. What is Mozilla’s official stance on the EC complaint?
As with any dedicated and enthusiastic community, ours is one of diverse opinions. Our official stance: (1) we want to offer our knowledge to the EC as it considers its next steps; and (2) we intend to continue public discussions of this topic.

What remedies does Mozilla propose?
Mozilla has not proposed any remedies at this point. We have started a discussion to help figure out what the options are and how helpful they might be.

When will you have an opinion on remedies?
We’re synthesizing feedback from our community, our own previous experiences and from the EC. We don’t have a preset timetable.

What will the EC’s decision mean for Microsoft in other parts of the world?
Mozilla has no way of knowing this – we’ll learn what this means along with everyone else.

For additional information, please refer to the following blog posts by Mitchell Baker, Mozilla Foundation chair:



About This Blog

The Mozilla Blog is a 360 degree look at the goings-on within the Mozilla community, including news, opinions, events, tips & tricks and more.