WordCamp Baroda 2014

Earlier this year, I had the privilege of attending the 2nd annual WordCamp Baroda, in Baroda (Vadodara), India, with Siobhan. The trip was my second to India, having traveled throughout Rajasthan and a few other places with a friend back in 2010.

WordCamp

WordCamp Baroda was my first time speaking at a conference. I was asked by Rahul, the organizer, to speak for thirty minutes on Contributing to WordPress. In reality, I probably spoke for forty minutes or longer, but went through a full range of ways to contribute.

The video hasn’t made it up on WordPress.tv yet, but here’s a quick overview of ways to contribute (all of them are listed on make.wordpress.org), along with a link to my slides:

Overall, it was great meeting all of the local community, especially Rahul Banker (the WordCamp Baroda organizer) and Alexander Gounder, the lead organizer of WordCamp Mumbai this year. Seeing the work the Indian community is doing to grow is inspiring. I only wish I could have made it to WordCamp Mumbai this past weekend! (Next year; promise!)

The volunteers of WordCamp Baroda 2014

Edit: There’s also this great highlight video of WordCamp Baroda 2014. If only it included less of me… 😉

Food

I love Indian food. It’s one of my favorite cuisines. Naturally, I ate as much Indian food as I could. Everything from the airplane food to the street food to the fancy hotel restaurant was delicious – seriously, some of the best airplane food I’ve had. Some of my favorites included the speakers’ dinner at Hotel Express Baroda – especially the “coffeee chicken” and the laughs it provided – the ice cream we had after the speakers’ dinner, and both lunches at the WordCamp.

Butter bhurji. One of the most delicious Indian dishes you will ever taste.

The highlight, however, happened at the very end of our trip, as we were headed to the airport. We made a quick stop for some street food at a place that is quite famous in Baroda: Raju’s Omelet Centre. Prior to this, I had never actually had an Indian egg dish. I’ve been missing out. The flavors were completely overwhelming (in a good way!) and it was some of the best Indian food I’ve ever tasted. By far, these egg dishes were the best food of the trip. We had three different ones, all served with bread: butter bhurji, crushed bhurji, and the butter masala half fry. Unfortunately, it was dark and my photos didn’t come out very well (the butter bhurji is pictured), but the flavors were unbelievable.

Pictures

Here’s a ton of pictures from before and after the event.

Is Forecast the best mobile web app?

I’ve been using Forecast since they launched, but I hadn’t “installed” it on my phone until very recently. To say I’m impressed with their mobile web app is an understatement.

There are a few places where you can tell it’s a web app and not a mobile app, but not many. In fact, it’s my favorite weather app, bar none. In a recent blog post, the team talks about how it was their goal to design not a mobile app and not a web app and not even a mobile web app, but just an App (with a capital A).

We’ve had conversations like this dozens of times since launching Forecast. They usually come from people who have an iPhone but aren’t particularly tech savvy, and I’m fairly certain none of them will ever know that Forecast is actually a web app. To them, it’s just an app you install from the web.

Putting the app maker in control of the entire user experience – in-app purchases, advertising, updates to the app, etc – is of course the ideal. But up until recently there hasn’t been a mobile web app that looks and feels like a real app.

If Firefox OS is to survive and flourish – and really this applies to other alternative mobile operating systems – there needs to be more of these slick mobile web apps that feel exactly like a real app. The portability of apps that is a major selling point of Firefox OS is within reach if more companies choose the path that Forecast has and create thought-out, well-done mobile web apps: apps you install from the web.

I highly recommend reading Forecast’s blog post, which includes some of the lessons they learned creating their app.

Three Months to Scale NewsBlur

Great report from Samuel Clay about his challenges in the post-Google Reader world. Since the news hit about Reader shutting down in July, NewsBlur has been hit hard with requests. (Previously.)

I was able to handle the 1,500 users who were using the service everyday, but when 50,000 users hit an uncachable and resource intensive backend, unless you’ve done your homework and load tested the living crap out of your entire stack, there’s going to be trouble brewing.

[…]

It has also been a dream come true to receive accolades from the many who are trying NewsBlur for the first time and loving it. Since the announcement, NewsBlur has welcomed 5,000 new premium subscribers and 60,000 new users (from 50,000 users originally).

Because it’s open source and because I can actually pay for it (unlike Feedly), Newsblur is my top choice for replacing Google Reader at the moment. And the new design he’s working on is a nice improvement.

Graze


Graze is an interesting concept from Nature Delivered Inc. Each week, they send you a box of four different, healthy snacks. You can customize the kinds of snacks you want before they’re shipped to you or after you’ve received them. The more you customize, the more Graze gets to know you.

But how much does it cost? Just $5 a week. That’s it. It includes shipping and handling, all the way from England.

What’s more, Graze offers the first and fifth box free if you sign up with an invitation code. Mine is SAMUEL5XP.

If you’re paleo, I recommend starting with the non-celiac options and working from there. I’m a huge fan of the service and recommend it for anyone who’s paleo. I even signed up for the occasional chocolate snacks, as they make a good cheat.

Goodbye Google Reader… now what?

The big news in the feeds I follow is that Google Reader is shutting down July 1. Why?

There are two simple reasons for this: usage of Google Reader has declined, and as a company we’re pouring all of our energy into fewer products. We think that kind of focus will make for a better user experience.

Of course, usage has declined because they’ve poured their energy elsewhere, but facts don’t matter here.

So now what? What other web apps exist that can replace Google Reader, especially the backend sync feature? For just a web app, there’s Fever. For a desktop app, Newsfire can still be purchased, but hasn’t been updated in years. Nothing is ideal.

Update: Looks like a bunch of people are getting behind Newsblur. It’s open source too.

2nd Update: The Old Reader looks much nicer to me, but feeds aren’t updated all that often from what I can tell.

3rd Update: Tiny Tiny RSS looks like a pretty good alternative. As does 1k, which open sourced a few hours ago.

4th Update: Okay okay, I know I left out a few before. Feedly, of course. And NetVibes and Bloglines. But I’m not all that impressed with those, and the idea of an open source feed reader is particularly enticing. Meanwhile, Digg has thrown its hat into the race. And as Robert Kaiser says below, there’s ownCloud News if you don’t mind running your own.

5th Update: Feedbin is another option.

MP6 – the New WordPress Admin UI

I’m typing this post in what may become the new WordPress admin UI. It’s actually quite nice, though a bit bolder than what most are used to. The boldness and general flatness reminds me of the move toward a “flatter” design across multiple platforms including the Metro UI that Windows has taken on.


The new MP6 plugin will likely be updated with changes as the WordPress team works to tighten up the admin UI. Try it at your own risk.

All of this reminded me of Craft, a new CMS that Pixel & Tonic made. I haven’t tried it yet, but it’s been on my mind. Of course, not all of its features are free, but that’s a price many are willing to pay, myself included.

Firefox OS and Browser Choice

Back when I was working at Mozilla, there was quite a bit of discussion about user choice, specifically how important it is for users to be able to choose their browser. Often, this discussion was tied to the Mozilla Manifesto, point 5:

Individuals must have the ability to shape their own experiences on the Internet.

Back in February 2010 (a couple months after I left Mozilla), Mozilla launched the “Open to Choice” campaign (since shuttered), which was a great place to send individuals to show them why the ability to choose your own browser is important. The campaign was mostly tied to Microsoft’s settlement with the European Union and its requirement to offer a selection of browsers to choose from during setup. Here’s Mozilla’s then-CEO John Lilly on why browser choice matters:

(Side note: the Open to Choice campaign has been shut down and wasn’t archived, unlike most other Mozilla sites. Going to opentochoice.org leads to a bad https site, and then a 403. I would love to read the letter from John Lilly and Mitchell Baker again.)

As an iPhone user, I’m more-or-less stuck with Safari. Sure, I can find numerous browsers in the App Store, Chrome included. But the browsers in the App Store are mostly just embedded versions of WebKit – a limited version of WebKit at that. Why can’t I run Firefox on my iPhone? Why can’t I run a real version of Chrome? Apple has locked out browser makers by making specific requirements of the applications in the App Store and making the App Store the only way to distribute apps. Short of jailbreaking my iPhone and hoping Mozilla or Google port their respective browsers to jailbroken iPhones, there’s nothing I can do.

Prior to my iPhone, however, I had a Google Nexus One phone. One of the features of Android is the “open” Android Market and the ability to install applications from any source. Back then, I wasn’t locked in to any specific browser. In fact, I ran Firefox on my Nexus One and was quite happy with it, even back in the days of Firefox being incredibly slow on Android. The situation has gotten even better with Google shipping a version of Chrome for Android. It isn’t hard to imagine another browser running on the platform some time in the future.

Last year, in May 2012, Harvey Anderson, Mozilla’s General Counsel, wrote about the lack of browser choice on Microsoft’s Windows RT, an ARM-specific operating system tailored for tablets. His conclusion is quite clear:

The prospect that the next generation of Windows on ARM devices would limit users to one browser is untenable and represents a first step toward a new platform lock-in.

But the upcoming Firefox OS, built on Mozilla technology (namely Gecko), doesn’t appear to have any browser choice (as John Gruber pointed out a couple days ago). Is this an oversight or are developers working on the ability to allow browsers to run successfully on Firefox OS? And what about Chrome OS – why hasn’t Mozilla publicly asked for browser choice from Google?

Even webOS – Palm’s HP’s LG’s ill-fated operating system built on Linux and WebKit – had a method for porting browsers. In fact, a Mozilla developer started an experimental Firefox port a while ago. That experiment ended, likely because it isn’t important to port Firefox to a dying platform, but the point remains that it was possible.

I’ll ask again: where is the ability to select a third party browser on Firefox OS? Is this ability being planned in the future? And why has there been no advocacy against Chrome OS for its lack of browser choice? It all feels rather hypocritical to me.

Timeline of Comodo Certificate Compromise

There’s been a lot written about the most recent Comodo certificate compromise including two Mozilla Security Blog posts on the topic, but I have yet to see a concise timeline of the events. As a former Mozilla security release coordinator, I’ve been following this topic closely and wanted to write up my thoughts, as well as a full timeline.

A good write up of the issue is available on the Mozilla Security Blog, as well as on the Tor blog, where Jacob Appelbaum did excellent detective work to find this issue long before it was publicly disclosed. I also want to mention bug 642395 in which details are emerging about a hacker claiming to be responsible for the compromise.

Timeline

  • 15 March, 18:00-20:00 – Certificates issued.
  • T+0d, 0h, 15m – Comodo revokes certificates.
  • T+1d, 1h, 32m – Mozilla informed of issue with initial list of certificates.
  • T+1d, 4h, 33m – Google lands initial fix in Chrome’s tree.
  • T+1d, 13h, 29m – Mozilla bug filed.
  • T+1d, 21h, 59m – Comodo confirms most major browser vendors aware of the issue.
  • T+1d, 23h, 44m – Chrome update with initial fix available.
  • T+2d, 1h, 38m – Mozilla lands initial fix on main development trunk and Firefox 4 branch.
  • T+2d, 13h, 29m – Comodo informs Mozilla of two additional certificates to block.
  • T+2d, 15h, 33m – Mozilla lands additional fix on main trunk and Firefox 4 branch.
  • T+2d, 19h, 59m – Google lands additional fix in Chrome’s tree.
  • T+3d, 16h, 45m – Confirmation that Apple is aware of the issue.
  • T+3d, 23h, 20m – Mozilla lands initial fix and additional fix on Firefox 3.5 and 3.6 branches.
  • T+6d, 17h, 44m – Firefox 4 with fixes available.
  • T+7d, 6h, 30m – Firefox 3.5.18 and 3.6.16 with fixes available.
  • T+7d, 7h, 12m – Mozilla announces certificate issue, without details.
  • T+7d, 20h, 44m – Microsoft issues fixes.
  • T+9d, 1h, 16m – Chrome update with additional fix available.
  • T+9d, 19h, 23m – Mozilla announces details of certificate issue.

Some notes about the above timeline:

  1. All times in UTC.
  2. T+0 is 15 March, 20:00 since that’s seemingly when the last certificate was issued.
  3. The “initial fix” listed is a patch blacklisting the initial 7 certificates that Comodo informed vendors about.
  4. The “additional fix” listed is a patch blacklisting the additional 2 certificates that Comodo informed vendors about.
  5. Details about when vendors other than Mozilla were alerted to the issue are hard to find.

There’s a lot to say about this event, much of which has already been said. Before talking about timeline, I think it’s important to call out Comodo for both their good and bad work in this instance.

To save face, Comodo could have simply revoked the certificates and dealt, in private, with the RA that issued the certificates. Those outside of the open source world know how hard it is to come clean, publicly, for something that can be kept private. Kudos to them for contacting browser vendors and ensuring a fix made it out fast.

That said, this isn’t the first problem Comodo has had. Previously Comodo allowed issuance of a www.mozilla.com certificate, allowing domain verification to be done by their RA.

(I could also mention bug 526560 but that wouldn’t be entirely fair to Comodo since other CAs are doing the same thing. While this is blatantly against Mozilla’s CA Policy, Mozilla has decided not to enforce such issues. The open bug on enforcing section 7 is 567193.)

Of course everyone is focusing on Comodo right now. I’d like to focus on the browser vendors and their reactions to this threat.

From the timeline, it’s fairly clear that one browser vendor has taken the longest getting this issue fixed. No surprise here, that vendor is Apple. I yearn for the day when Apple takes security seriously. Unfortunately, I think I’ll be yearning for a long, long time.

It’s also clear that Google responded fastest, issuing a fix to its users less than 48 hours after the attack. While we don’t know for sure when they were contacted, we can assume it was around the time Mozilla was contacted. It’s clear they went into overdrive and released a stable version of Chrome blacklisting the bad certificates less than 24 hours after being informed of the issue. Sadly, Google didn’t know that Comodo would later realize they had failed to disclose two additional fraudulent certificates to browser vendors. They issued a fix for those two certificates seven days later.

Mozilla has often worked that fast to fix critical security issues, but in this case didn’t. While they quickly decided to rebuild the Firefox 4 release candidate to include the blacklisted certificates, it still took a full six days before a fix was in the hands of users, in the form of Firefox 4 and later Firefox 3.5.18 and 3.6.16. During this time, all users were theoretically at risk.

Comodo has said that there is no evidence of any of the bad certificates being used in the wild, based on their OCSP responder logs. Of course, OCSP pings can be stopped with a MitM attack, something any state-driven attack — as Comodo claims this is likely to be — could easily do. (Read more on revocation and its shortfalls.)
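To make the two layers discussed above concrete, here is an added example (not code from the original post, nor from Mozilla, Google or Comodo) of how a client can combine a static (issuer, serial number) blocklist of the kind the “initial fix” and “additional fix” patches shipped with an OCSP check that either soft-fails or hard-fails when the responder cannot be reached. Certificates are represented in the dict shape returned by Python’s `ssl.SSLSocket.getpeercert()`; the issuer name, the serial numbers and the `make_cert` helper are constructed placeholders and are not the real values from the Comodo-issued certificates.

```python
"""Static certificate blocklist plus revocation policy (added example).

Models two layers from the post: the hard-coded (issuer, serial) blocklist
that the browsers' "initial fix" and "additional fix" patches shipped, and
an OCSP check that either soft-fails or hard-fails when the responder is
unreachable. Certificates use the dict shape of ssl.SSLSocket.getpeercert().
All issuer names and serials here are constructed placeholders, not the
real Comodo-issued values.
"""
from enum import Enum


def issuer_dn(peercert):
    """Flatten getpeercert()'s nested issuer tuple into one comparable string."""
    return ", ".join(
        f"{attr}={value}" for rdn in peercert["issuer"] for attr, value in rdn
    )


def normalize_serial(serial_hex):
    """Serials are integers: compare without case or leading zero octets."""
    return serial_hex.upper().lstrip("0") or "0"


# Constructed placeholder issuer, standing in for the issuing CA.
ISSUER_RDNS = (
    (("countryName", "GB"),),
    (("organizationName", "Example CA Ltd"),),
    (("commonName", "Example Intermediate CA"),),
)
_ISSUER = issuer_dn({"issuer": ISSUER_RDNS})

# "initial fix": seven (issuer, serial) pairs; "additional fix": two more.
# Placeholder serials; a real patch carries the exact serials the CA reported.
INITIAL_FIX = {(_ISSUER, normalize_serial(f"00{n:04X}")) for n in range(0x1001, 0x1008)}
ADDITIONAL_FIX = {(_ISSUER, normalize_serial(f"00{n:04X}")) for n in (0x2001, 0x2002)}
BLOCKLIST = frozenset(INITIAL_FIX | ADDITIONAL_FIX)


def is_blocklisted(peercert, blocklist=BLOCKLIST):
    key = (issuer_dn(peercert), normalize_serial(peercert["serialNumber"]))
    return key in blocklist


class Ocsp(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # timeout, dropped by an on-path attacker, garbage reply


def accept(peercert, ocsp, hard_fail, blocklist=BLOCKLIST):
    """Trust decision for one leaf certificate.

    The static blocklist is consulted first: it needs no network round trip,
    so a MitM who drops OCSP traffic cannot suppress it.
    """
    if is_blocklisted(peercert, blocklist):
        return False
    if ocsp is Ocsp.REVOKED:
        return False
    if ocsp is Ocsp.UNAVAILABLE:
        return not hard_fail  # soft-fail treats "no answer" as "not revoked"
    return True


def make_cert(serial_hex, cn="www.example.test"):
    """Constructed sample certificate in getpeercert() shape (placeholder data)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ISSUER_RDNS,
        "serialNumber": serial_hex,
        "version": 3,
    }


def mitm_outcomes(blocklist=BLOCKLIST):
    """Attacker presents a fraudulent cert and blocks OCSP (status UNAVAILABLE).

    Returns accept() results for a cert the patch knows about, a cert the CA
    revoked but never reported to vendors, and an honest cert, under both
    revocation policies. True means the connection would be accepted.
    """
    listed = make_cert("00001001")      # one of the seven "initial fix" serials
    unreported = make_cert("0000BEEF")  # revoked at the CA, present in no patch
    honest = make_cert("0000CAFE")
    return {
        "listed/soft": accept(listed, Ocsp.UNAVAILABLE, False, blocklist),
        "listed/hard": accept(listed, Ocsp.UNAVAILABLE, True, blocklist),
        "unreported/soft": accept(unreported, Ocsp.UNAVAILABLE, False, blocklist),
        "unreported/hard": accept(unreported, Ocsp.UNAVAILABLE, True, blocklist),
        "honest/good": accept(honest, Ocsp.GOOD, True, blocklist),
    }


if __name__ == "__main__":
    for case, ok in mitm_outcomes().items():
        print(f"{case:16} -> {'ACCEPT' if ok else 'REJECT'}")
```

The `unreported/soft` case is the gap the post describes: with soft-fail revocation, a certificate the CA revoked but did not report to browser vendors is accepted as soon as the attacker drops the OCSP request, which is exactly why the blocklist patches, rather than revocation, were what protected users.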

Mozilla also decided not to disclose this issue publicly until a fix was released. They have since apologized for waiting so long, but I think the bigger story is how long it took to get a fix out in the first place. While Google jumped to protect Chrome users, Mozilla waited almost six days before issuing a fix to users.

Attacks like this are often targeted at a specific group of users and this one was likely the same. We will likely never know all the details but there are a few questions and takeaways from this event that we should look at closely and take very seriously.

  1. Revocation clearly doesn’t work right now. At what point will browsers fail on revocation errors?
  2. Mozilla has always held openness and security as two of its main mantras. In this instance, they failed at both, not informing users of a targeted attack immediately and not issuing a security fix for almost six days. Sometimes waiting for everyone else isn’t “responsible disclosure.”
  3. Comodo has never had full control over its RAs – something likely true of many CAs – and is increasingly causing critical security issues for users worldwide. The larger your network of RAs, the larger your attack surface.

I’m actually a bit disappointed at Mozilla’s performance during this event and I hope they take such compromises more seriously in the future. Regardless, there are lessons to be learned at each step of the way by all parties involved.