News

Analyzed 12 days ago, based on code collected about 1 month ago.
Posted 2 days ago by Will Kahn-Greene
Summary

I work on a lot of different things. Some are applications, some are libraries, some I started, some other people started, etc. I have way more stuff to do than I could possibly get done, so I try to spend my time on things "that matter". For Open Source software that doesn't have an established community, this is difficult. This post is a wandering stream of consciousness covering my journey figuring out who uses Bleach.
Posted 2 days ago by Air Mozilla
On February 23rd, we're hosting an Internet Trivia Night (HTTPS: Humans + Tech Trivia Party(s)) at WeWork Civic Center in San Francisco. We also want...
Posted 2 days ago by J.C. Jones
Our deprecation plan for the SHA-1 algorithm in the public Web, first announced in 2015, is drawing to a close. Today a team of researchers from CWI Amsterdam and Google revealed the first practical collision for SHA-1, affirming the insecurity of the algorithm and reinforcing our judgment that it must be retired from security use on the Web.

As announced last fall, we’ve been disabling SHA-1 for increasing numbers of Firefox users since the release of Firefox 51 using a gradual phase-in technique. Tomorrow, this deprecation policy will reach all Firefox users. It is enabled by default in Firefox 52.

Phasing out SHA-1 in Firefox will affect people accessing websites that have not yet migrated to SHA-2 certificates, well under 0.1% of Web traffic. In parallel to phasing out insecure cryptography from Firefox, we will continue our outreach efforts to help website operators use modern and secure HTTPS.

Users should always make sure to update to the latest version of Firefox for the most-recent security updates and features by going to https://www.mozilla.org/firefox.

Questions about Mozilla policies related to SHA-1 based certificates should be directed to the mozilla.dev.security.policy forum.
Posted 3 days ago by JR Conlin
This article is a continuing series about using and working with WebPush and Mozilla’s WebPush service. This article is not meant to be a general guide, but instead offer suggestions and insight into best using the service. Some knowledge of Javascript, Python, or other technologies is presumed.

Sending out push notifications to Customers is a great way to ensure that they’re up-to-date with information that is of importance to them. What’s also important is that your growing business use this service efficiently so you don’t wind up wasting money creating and sending out messages that no one will ever read. In addition, not honoring response codes could lead to your server being blocked or severely limited in how many Subscription Updates it may be able to send.

Mozilla’s WebPush server will let you know if a Customer has unsubscribed, but it’s important that you notice and act on these. I have created a simple demonstration program that can help you understand what you will need to consider when creating a Push Subscription service.

Definitions

First off, let’s refresh a few terms we’ll use in this article:

App – The javascript web application that receives the decoded Push Message.
Customer – The end recipient of the Push Message.
Push Message – The content of the Subscription Update to be provided to the App by the User Agent and potentially viewed by the Customer.
Push Server – The service located at the endpoint URL which handles delivery of the Subscription Update to the User Agent.
Subscription – A Customer request to be updated. A Subscription contains an endpoint URL, and a set of keys that are to be used to encode the Push Message.
Subscription Provider – The subscription provider sends out Push Messages to User Agents to be read by Customers.
Subscription Update – The message sent by the Subscription Provider to the Push Server.
User Agent – The Customer’s browser, specifically, code internal to the browser which processes and routes Push Messages to your App.

Sending Subscription Updates

Sending a Push Message is a fairly simple operation, and thanks to modern libraries, easily done. It’s important to pay attention to the returned result. When a Subscription Provider sends a Subscription Update, the Push Service returns a response code. In most cases, the response code will be either 201 (Message Created) or 202 (Message Accepted). There are subtle differences between those, but those differences are not important right now.

What is important is to know that the Push Server will return an HTTP error code along with a body that has extra information about what may have happened.

A possible 404 return message body might look like:

    { 'errno': 102, 'message': 'Request did not validate invalid token', 'code': 404, 'more_info': 'http://autopush.readthedocs.io/en/latest/http.html#error-codes', 'error': 'Not Found' }

In this case, there was a problem with the URL. More than likely it was corrupted at some point. In any case, the URL is now invalid and should not be tried again. The Customer’s record can be safely removed from storage.

This is also true for 410 return codes. These are subscribers who no longer wish to receive your updates. A Customer may unsubscribe for any number of reasons, and you should respect that choice. You can always ask the Customer to resubscribe later.

The Demo App

As an example, I’ve created a very simple demonstration project that uses Python3. This project does require Python3 to take advantage of native async programming to speed up delivery and message handling. Follow the steps in the README file to get it started. You can then navigate to http://localhost:8200 to see the page.

The test page (located in the /page directory) is very simple and only starts the process of subscribing once the Customer has requested it. Clicking the one button on the page will automatically create a Subscription Request and offer some script snippets you can use to send messages to the App.

To see what happens when a user unsubscribes, disable the permissions using the page information pip:

If you try to send a Subscription Update to that customer again, you will receive an error and should drop the subscription. An example error from pusher may look like:

    Failed to send to HMV192av: No such subscription
    For more info, see: http://autopush.readthedocs.io/en/latest/http.html#error-codes
    Dropping no longer valid user: HMV192av

In this case, the subscription for user HMV192av has been removed, and the record was dropped from the user database.

It’s important to only ask your Customers to subscribe once they understand what they’re subscribing to. A Customer who is asked to subscribe to WebPush notifications without being given a clear indication of what they’re being offered may click the “Always Block Notifications” option.

When a user blocks notifications from your site, you may never get a chance to ask them again. Following these simple guidelines will ensure that both you and your Customers are happy using the WebPush service.
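The response-code handling described in the WebPush post above, as an added Python example; it is not the code of the post's demo project. The `send` coroutine, the endpoint URLs, the user ids other than HMV192av and the canned responses are constructed for illustration, and keeping a record on any code other than 201, 202, 404 or 410 is an assumption.

```python
import asyncio
import json

DELIVERED = {201, 202}   # Message Created / Message Accepted
GONE = {404, 410}        # endpoint no longer valid / Customer unsubscribed

def classify(status):
    """Map a Push Server status code to what the Subscription Provider does next."""
    if status in DELIVERED:
        return "delivered"
    if status in GONE:
        return "drop"
    return "keep"  # assumption: any other code leaves the record for review

def error_message(body):
    """Return the 'message' field of an error body, or None if it is not JSON."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    return doc.get("message") if isinstance(doc, dict) else None

async def send_updates(subscriptions, message, send):
    """Send `message` to every subscription concurrently and prune dead ones.

    `subscriptions` maps user id -> subscription record and is pruned in place.
    `send` is a hypothetical coroutine: (subscription, message) -> (status, body).
    """
    user_ids = list(subscriptions)
    results = await asyncio.gather(
        *(send(subscriptions[u], message) for u in user_ids))
    report = {"delivered": [], "dropped": [], "kept": []}
    for user_id, (status, body) in zip(user_ids, results):
        action = classify(status)
        if action == "delivered":
            report["delivered"].append(user_id)
        elif action == "drop":
            # 404 and 410 are final: never retry, remove the Customer's record.
            del subscriptions[user_id]
            report["dropped"].append((user_id, status, error_message(body)))
        else:
            report["kept"].append((user_id, status))
    return report

# Constructed sample data: placeholder endpoints and canned Push Server replies.
SAMPLE_SUBSCRIPTIONS = {
    "user-ok": {"endpoint": "https://push.example.invalid/ok"},
    "user-badurl": {"endpoint": "https://push.example.invalid/corrupt"},
    "HMV192av": {"endpoint": "https://push.example.invalid/unsubscribed"},
    "user-busy": {"endpoint": "https://push.example.invalid/busy"},
}
CANNED = {
    "https://push.example.invalid/ok": (201, ""),
    "https://push.example.invalid/corrupt": (404, json.dumps({
        "errno": 102, "message": "Request did not validate invalid token",
        "code": 404, "error": "Not Found"})),
    "https://push.example.invalid/unsubscribed": (410, json.dumps({
        "code": 410, "message": "No such subscription"})),
    "https://push.example.invalid/busy": (503, "<html>busy</html>"),
}

async def fake_send(subscription, message):
    """Stand-in transport so the example runs offline."""
    return CANNED[subscription["endpoint"]]

def run_demo():
    subs = dict(SAMPLE_SUBSCRIPTIONS)
    report = asyncio.run(send_updates(subs, "hello", fake_send))
    return subs, report
```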
Posted 3 days ago by Air Mozilla
We are holding a Meet up with speakers in two locations and audience in two locations: London and Berlin Mozilla offices.
Posted 3 days ago by Dave Townsend
A few things are happening which means there are a bunch of new Firefox/Toolkit peers to announce.

First since I’m now owner of both Firefox and Toolkit I’ve decided it doesn’t make much sense to have separate lists of peers. Either I trust people to review or I don’t so I’m merging the lists of peers for these modules. Practically since Toolkit already included all of the Firefox peers this just means that the following folks are now Firefox peers in addition to already being Toolkit peers: Nathan Froyd, Axel Hecht, Mark Mentovai, Ted Mielczarek, Brian Nicholson, Neil Rashbrook, Gregory Szorc, David Teller.

Second we’re updating the list of suggested reviewers in bugzilla for Toolkit. In doing so I found that we have a number of reviewers who weren’t already listed as peers so these folks are now considered full Firefox/Toolkit peers: Kit Cambridge, Tantek Çelik, Mike Hommey, Matt Howell, Mike Kaply, François Marier, Nicholas Nethercote, Gian-Carlo Pascutto, Olli Pettay, J Ryan Stinnett, Andrew Sutherland, Gabriele Svelto, Jan Varga, Jonathan Watt.

All of these folks have been doing reviews for some time now so this is largely just book-keeping but welcome to the fold anyway!
Posted 3 days ago by Chris Lord
Keeping up my yearly blogging cadence, it’s about time I wrote to let people know what I’ve been up to for the last year or so at Mozilla. People keeping up would have heard of the sad news regarding the Connected Devices team here. While I’m sad for my colleagues and quite disappointed in how this transition period has been handled as a whole, thankfully this hasn’t adversely affected the Vaani project. We recently moved to the Emerging Technologies team and have refocused on the technical side of things, a side that I think most would agree is far more interesting, and also far more suited to Mozilla and our core competence.

Project DeepSpeech

So, out with Project Vaani, and in with Project DeepSpeech (name will likely change…) – Project DeepSpeech is a machine learning speech-to-text engine based on the Baidu Deep Speech research paper. We use a particular layer configuration and initial parameters to train a neural network to translate from processed audio data to English text. You can see roughly how we’re progressing with that here. We’re aiming for a 10% Word Error Rate (WER) on English speech at the moment.

You may ask, why bother? Google and others provide state-of-the-art speech-to-text in multiple languages, and in many cases you can use it for free. There are multiple problems with existing solutions, however. First and foremost, most are not open-source/free software (at least none that could rival the error rate of Google). Secondly, you cannot use these solutions offline. Third, you cannot use these solutions for free in a commercial product. The reason a viable free software alternative hasn’t arisen is mostly down to the cost and restrictions around training data. This makes the project a great fit for Mozilla as not only can we use some of our resources to overcome those costs, but we can also use the power of our community and our expertise in open source to provide access to training data that can be used openly. We’re tackling this issue from multiple sides, some of which you should start hearing about Real Soon Now™.

The whole team has made contributions to the main code. In particular, I’ve been concentrating on exporting our models and writing clients so that the trained model can be used in a generic fashion. This lets us test and demo the project more easily, and also provides a lower barrier for entry for people that want to try out the project and perhaps make contributions. One of the great advantages of using TensorFlow is how relatively easy it makes it to both understand and change the make-up of the network. On the other hand, one of the great disadvantages of TensorFlow is that it’s an absolute beast to build and integrates very poorly with other open-source software projects. I’ve been trying to overcome this by writing straight-forward documentation, and hopefully in the future we’ll be able to distribute binaries and trained models for multiple platforms.

Getting Involved

We’re still at a fairly early stage at the moment, which means there are many ways to get involved if you feel so inclined.

The first thing to do, in any case, is to just check out the project and get it working. There are instructions provided in READMEs to get it going, and fairly extensive instructions on the TensorFlow site on installing TensorFlow. It can take a while to install all the dependencies correctly, but at least you only have to do it once! Once you have it installed, there are a number of scripts for training different models. You’ll need a powerful GPU(s) with CUDA support (think GTX 1080 or Titan X), a lot of disk space and a lot of time to train with the larger datasets. You can, however, limit the number of samples, or use the single-sample dataset (LDC93S1) to test simple code changes or behaviour.

One of the fairly intractable problems about machine learning speech recognition (and machine learning in general) is that you need lots of CPU/GPU time to do training. This becomes a problem when there are so many initial variables to tweak that can have dramatic effects on the outcome. If you have the resources, this is an area that you can very easily help with. What kind of results do you get when you tweak dropout slightly? Or layer sizes? Or distributions? What about when you add or remove layers? We have fairly powerful hardware at our disposal, and we still don’t have conclusive results about the effects of many of the initial variables. Any testing is appreciated! The Deep Speech 2 paper is a great place to start for ideas if you’re already experienced in this field. Note that we already have a work-in-progress branch implementing some of these ideas.

Let’s say you don’t have those resources (and very few do), what else can you do? Well, you can still test changes on the LDC93S1 dataset, which consists of a single sample. You won’t be able to effectively tweak initial parameters (as unsurprisingly, a dataset of a single sample does not represent the behaviour of a dataset with many thousands of samples), but you will be able to test optimisations. For example, we’re experimenting with model quantisation, which will likely be one of multiple optimisations necessary to make trained models usable on mobile platforms. It doesn’t particularly matter how effective the model is, as long as it produces consistent results before and after quantisation. Any optimisation that can be made to reduce the size or the processor requirement of training and using the model is very valuable. Even small optimisations can save lots of time when you start talking about days’ worth of training.

Our clients are also in a fairly early state, and this is another place where contribution doesn’t require expensive hardware. We have two clients at the moment. One written in Python that takes advantage of TensorFlow serving, and a second that uses TensorFlow’s native C++ API. This second client is the beginnings of what we hope to be able to run on embedded hardware, but it’s very early days right now.

And Finally

Imagine a future where state-of-the-art speech-to-text is available, for free (in cost and liberty), on even low-powered devices. It’s already looking like speech is going to be the next frontier of human-computer interaction, and currently it’s a space completely tied up by entities like Google, Amazon, Microsoft and IBM. Putting this power into everyone’s hands could be hugely transformative, and it’s great to be working towards this goal, even in a relatively modest capacity. This is the vision, and I look forward to helping make it a reality.
Posted 3 days ago by Air Mozilla
This is a weekly call with some of the Reps to discuss all matters about/affecting Reps and invite Reps to share their work with everyone.
Posted 3 days ago by chuttenc
:mconley’s been looking at tab spinners to try and mitigate their impact on user experience. That’s when he noticed something weird that happened last October on Firefox Developer Edition:

It’s a spike a full five orders of magnitude larger than submission volumes for a single build have ever been.

At first I thought it was users getting stuck on an old version. But then :frank noticed that the “by submission date” of that same graph didn’t tally with that hypothesis:

Submissions from Aurora (what the Firefox Developer Edition branch is called internally) 51 tailed off when Aurora 52 was released in exactly the way we’ve come to expect. Aurora 52 had a jump mid-December when we switched to using “main” pings instead of “saved-session” pings to run our aggregates, but otherwise everything’s fine heading into the end of the year.

But then there’s Aurora 51 rising from the dead in late December. Some sort of weird re-adoption update problem? But where are all those users coming from? Or are they actually users? These graphs only plot ping volumes.

(Quick refresher: we get anonymous usage data from Firefox users via “pings”: packets of data that are sent at irregular intervals. A single user can send many pings per day, though more than 25 in a day is pretty darn chatty.)

At this point I filed a bug. It appeared as though, somehow, we were getting new users running Aurora 51 build 20161014.

:mhowell popped the build onto a Windows machine and confirmed that it was updating fine for him. Anyone running that build ought not to be running it for long as they’d update within a couple of hours.

At this point we’d squeezed as much information as the aggregated data could give us, so I wandered off closer to the source to get deeper answers.

First I double-checked that what we were seeing in aggregate was what the data actually showed. Our main_summary dataset confirmed what we were seeing was not some weird artefact… but it also showed that there was no increase in client numbers:

A quick flip of the query and I learned that a single “client” was sending tens of thousands of pings each and every day from a long-dead non-release build of Firefox Developer Edition.

A “client” in this case is identified by “client_id”, a unique identifier that lives in a Firefox profile. Generally we take a single “client” to roughly equal a single “user”, but this isn’t always the case. Sometimes a single user may have multiple profiles (one at work, one at home, for instance). Sometimes multiple users may have the same profile (an enterprise may provision a specific Firefox profile to every terminal).

It seemed likely we were in the second case: one profile, many Firefox installs.

But could we be sure? What could we learn about the “client” sending us this unexpectedly-large amount of data?

So I took a look.

First, a sense of scale

This single client began sending a few pings around November 15, 2016. This makes sense, as Aurora 51 was still the latest version at that time. Things didn’t ramp up until December when we started seeing over ten thousand pings per day. After a lull during Christmas it settled into what appeared to be some light growth with a large peak on Feb 17 reaching one hundred thousand pings on just that day.

This is kinda weird. If we assume some rule-of-thumb of say, two pings per user per day, then we’re talking fifty thousand users running this ancient version of Aurora. What are they doing with it?

Well, we deliberately don’t record too much information about what our users do with their browsers. We don’t know what URLs are being visited, what credentials they’re using, or whether they prefer one hundred duck-sized horses or one horse-sized duck.

But we do know for how long the browser session lasted (from Firefox start to Firefox shutdown), so let’s take a look at that:

Woah.

Over half of the sessions reported by the pings were exactly 215 seconds long. Two minutes and 35 seconds.

It gets weirder. It turns out that these Aurora 51 builds are all running on the same Operating System (Windows XP, about which I’ve blogged before), all have the same addon installed (Random Agent Spoofer, though about 10% also have Alexa Traffic Rank), none have Aurora 51 set to be their default browser, none have application updates enabled, and they come from 418 different geographical locations according to the IP address of the submitters (top 10 locations include 5 in the US, 2 in France, 2 in Britain, and one in Germany).

This is where I would like to report the flash of insight that had me jumping out of the bath shouting Eureka.

But I don’t have one.

Everyone mentioned here and some others besides have thrown their heads at this mystery and can’t come up with anything suitably satisfying. Is it a Windows XP VM that is distributed to help developers test their websites? Is it an embedded browser in some popular piece of software with broad geographic appeal? Is someone just spoofing us by setting their client ids the same? If so, how did they spoof their session lengths?

To me the two-minute-and-thirty-five-second length of sessions just screams that this is some sort of automated process. I’m worried that Firefox might have been packaged into some sort of botnet-type-thingy that has gone out and infected thousands of hosts and is using our robust network stack to… to do what?

And then there’s the problem of what to do about it.

On one hand, this is data from Firefox. It arrived properly-formed, and no one’s trying to attack us with it, so we have no need to stop it entering our data pipeline for processing.

On the other hand, this data is making the Aurora tab spinner graph look wonky for :mconley, and might cause other mischief down the line.

It leads us to question whether we care about data that’s been sent to us by automated processes… and whether we could identify such data if we didn’t.

For now we’re going to block this particular client_id’s data from entering the aggregate dataset. The aggregate dataset is used by telemetry.mozilla.org to display interesting stuff about Firefox users. Human users. So we’re okay with blocking it.

But all Firefox users submit data that might be useful to us, so what we’re not going to do is block this problematic client’s data from entering the pipeline. We’ll continue to collect and collate it in the hopes that it can reveal to us some way to improve Firefox or data collection in the future.

And that’s sadly where we’re at with this: an unsolved mystery, some unanswered questions about the value of automated data, and an unsatisfied sense of curiosity.

:chutten
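The two signals the telemetry post above leans on (ping volume per client_id per day, and one session length dominating a client's pings) can be turned into a screening pass, shown here as an added Python example; it is not Mozilla's pipeline code. The record fields other than client_id, the sample pings and both thresholds as cut-offs are assumptions; the values 25 and "over half" are taken from the post.

```python
from collections import Counter, defaultdict

CHATTY_PINGS_PER_DAY = 25   # the post calls more than 25 pings in a day chatty
DOMINANT_SHARE = 0.5        # the post saw over half the sessions share one length

def profile_clients(pings):
    """Summarise each client_id: peak daily volume, most common session length."""
    per_day = defaultdict(Counter)   # client_id -> {date: ping count}
    lengths = defaultdict(Counter)   # client_id -> {session_length: ping count}
    places = defaultdict(set)        # client_id -> distinct submitter locations
    for p in pings:
        cid = p["client_id"]
        per_day[cid][p["date"]] += 1
        lengths[cid][p["session_length"]] += 1
        places[cid].add(p["geo"])
    profiles = {}
    for cid in per_day:
        top_len, top_n = lengths[cid].most_common(1)[0]
        profiles[cid] = {
            "max_pings_per_day": max(per_day[cid].values()),
            "top_session_length": top_len,
            "top_length_share": top_n / sum(lengths[cid].values()),
            "locations": len(places[cid]),
        }
    return profiles

def suspected_automation(profiles):
    """Require both signals: a quiet client whose few sessions happen to match
    in length is normal, and a chatty client with varied sessions may be human."""
    return sorted(
        cid for cid, p in profiles.items()
        if p["max_pings_per_day"] > CHATTY_PINGS_PER_DAY
        and p["top_length_share"] > DOMINANT_SHARE)

def split_for_aggregates(pings, blocked):
    """Keep every ping in the raw set; exclude blocked ids only from aggregates."""
    aggregate_input = [p for p in pings if p["client_id"] not in blocked]
    return aggregate_input, list(pings)

def constructed_pings():
    """Constructed sample: one shared client_id on many hosts, two ordinary ones."""
    pings = []
    for i in range(40):
        pings.append({"client_id": "c-shared", "date": "2017-02-17",
                      "session_length": 215 if i < 30 else 100 + i,
                      "geo": "loc-%d" % (i % 8)})
    for cid, sessions in (("c-alice", [1800, 5400]), ("c-bob", [600, 600])):
        for seconds in sessions:
            pings.append({"client_id": cid, "date": "2017-02-17",
                          "session_length": seconds, "geo": "loc-0"})
    return pings

if __name__ == "__main__":
    sample = constructed_pings()
    blocked = suspected_automation(profile_clients(sample))
    aggregate_input, raw = split_for_aggregates(sample, blocked)
    print(blocked, len(aggregate_input), len(raw))
```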
Posted 3 days ago by kpapadea
Please join us in congratulating Petras, Rep of the Month for January 2017!

Petras is an IT specialist and entrepreneur, who started at an extremely young age to build up a company and to develop his Project Manager skills. Nowadays he has a track record of working with or even heading a number of world class IT projects and companies.

During the last few months he organized and participated in many events giving talks to thousands of people in various topics, including Privacy and Advocacy and the EU Copyright Reform. He adds his PM knowledge to the program by building up proposals for different projects. He managed to mobilize our community of volunteers, showing great leadership and communication skills.

Congrats Petras! Join us in congratulating him in discourse.