Actually, I went from Microsoft to a start-up that a few friends were doing [New York-based security consultancy Matasano Security LLC] and from there went to Mozilla. I went to Mozilla because it seemed like there was a real opportunity to impact how users really experience the Internet and to try and make that as secure as possible.

Obviously, your allegiance is to Mozilla now. But do you think Microsoft has gotten better at producing patches that are quick and accurate?
I was never skeptical of what Microsoft was doing. I was always very proud of the changes they made over the time when I was there. They do have a difficult task in that they are testing their changes against a huge suite of applications that rely on Internet Explorer, for example, and they have to test against a lot of controls used in internal applications that the home user doesn't see as much. On our side, we have this tremendous community that's able to test all these different configurations in a very short period of time. In that regard, it's almost surprising to think that maybe Mozilla has more resources on the testing side than Microsoft with all its financial resources. That's one of the reasons we're able to ship patches so quickly, because we're able to get really broad testing done in a short amount of time.

While Microsoft has its internal team of researchers to work on these problems,
Exactly. Mozilla has the benefit of an enormous community that helps us test our nightly builds. There's something like 10,000 people downloading and testing it every night. That's a huge number of people working on security patches and new versions of the browser, testing them in different combinations on different platforms. That's the real difference between our process and Microsoft's.
Mozilla tries to ship a security patch every six to eight weeks. That includes patches for vulnerabilities found externally and internally. So to say a patch came out right after we shipped 2.0 -- I could have told you that months before we shipped it. Of course we're going to ship a security patch because we're going to continue to look for vulnerabilities and we'll make a security update available to the user as soon as we can. Microsoft has a slightly different process where they do look for vulnerabilities in their products and update them in service packs that come out -- in Windows' case -- once a year or so. And when vulnerabilities are found externally, they're addressed in the monthly security updates. The difference is we're continuously looking for vulnerabilities and continuously fixing them. Users don't have to wait for the next version of the product to get a lot of the benefits of the security work we're doing. They get it on a regular basis.

Talk about the ease of deploying these patches. There are some who say the process has gotten easier for Microsoft customers because of programs like Windows Server Update Services (WSUS). Then there are the Mozilla fans who say that with Firefox, you just get an update box and there it is.
The model we work with is designed to meet the needs of the consumer whereas Microsoft has a lot of infrastructure built in for enterprises. On our side we think we have an easier model for the user where they see the update box, click and then they're good to go. We spend a lot of time creating features to protect consumers and end users. That's where the bulk of our time has been because that's our target market.
It has been an issue for us, actually. We've been ready to ship a fix for something and then decided there was a more robust way to fix the problem that would prevent other problems in the future. Or maybe a particular fix didn't get enough testing, and so on. This was an issue when I was at Microsoft and really on every team I've worked with. Occasionally you go to fix something and find it's not the only problem, that there are many, and you want to fix the whole category of problems instead of the one issue. Sometimes you find that late in the process. There are lots of reasons this can happen. These are all smart people working on really hard problems and we're all trying to do right by the user. I'm sure [Microsoft] is not holding back on a whim. I'm sure they've just concluded that the user will be better protected later on [by spending more time working on a patch].

Microsoft has taken a lot of researchers to task in the past for disclosing flaws without giving them a chance to provide a patch or workaround. What do you consider to be responsible disclosure vs. irresponsible disclosure, and has Mozilla ever fallen victim to the latter?
Microsoft and Mozilla both agree that the user is most protected when the security researcher reports the vulnerability to the vendor and the vendor has the chance to patch it before the information is made public. So we both agree on that point. But Mozilla appreciates any report of security vulnerabilities even if it happens to go public because that means we have an opportunity to fix it and that makes the product more secure over time. I personally prefer that users have the opportunity to get the patch before the rest of the world gets the vulnerability details, but even getting that information out there is still valuable because overall the product becomes more secure and the users are protected.

Talk about the value of source code and binary analysis and Mozilla's approach to it compared to Microsoft.
Microsoft has done a lot of work internally to train their developers on security best practices and engages vendors to come in and work on their code. At Mozilla, we really try to reach out to the research community and encourage them to contribute to the Mozilla Project by turning their research in this direction as well. A lot of browser issues impact every browser. It's easier to understand [common browser issues] if you have the source code and it makes for an interesting project for some of these people. We really value their contributions and really encourage them to help us find security vulnerabilities and think of better ways to secure the browser.