1. The study is not "still active and ongoing." It was pulled yesterday after the backlash, though that may take up to 24 hours to propagate: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...
2. Even when "enabled" in the add-on manager, the add-on was completely inert unless a user also manually dove into about:config and specifically enabled a flag related to the add-on. Without taking that deliberate action, it didn't do anything but watch that flag. No headers, no word inversions, etc.
If you'd like to verify my claims, the source lives at https://github.com/mozilla/addon-wr, and initialization is controlled by addon/bootstrap.js.
This doesn't excuse our actions, but I hope it adds some context.
yahoo and google pay hundreds of millions, is this not sufficient? have any of these gimmicks actually helped gain users? it's likely that only Quantum - a purely technical improvement (plus marketing dollars) - made any dent in your user share. it's almost like mozilla keeps expanding into all the shady corners to use up its budget so it can have a bigger budget next year.
many users use firefox for ideological reasons, even when Chrome is/was technically superior. and these reasons are disintegrating at a ludicrous speed. you are throwing away the very users that helped you grow. we are telling you this here, directly and in plain language. much of the same group uses firefox because they can make it work exactly how they want with exactly 0 surprises. some of this died with the web extension addon transition, but it's at least justifiable from a technical & security perspective.
every time you force-feed what should be a visible and removable extension, i have less and less control over my browser and less incentive to use or recommend it. it's heartbreaking, really. whoever is pushing forward on all this farcical marketing spin and bundling stunts needs to be shown the door, asap. call ads "ads", not "experience enhancements". it is not okay. you guys need to stop this before you lose your most dedicated users that have stuck with you through thick and thin. having been on firefox/nightly for over 10 years, deploying firefox on thousands of PCs, reporting many bugs, and making donations to mozilla, i am this close to saying "fuck it" and taking my friends, relatives and coworkers with me. i'm gonna be one user that costs you 2000 more.
please get this to whoever needs to hear it [and gives enough fucks to actually do something].
But pushing it out broadly, even in an inert state, was not good.
I can assure you that there's an active internal discussion to that effect. I'm hopeful that we'll learn from this.
I don't understand why you believe that, especially when it's not an "easter egg" but actually an ad.
When's the last time I upgraded my linux kernel and it came bundled with an "easter egg" kmod, loaded by default, which made lightsaber noises if I wrote 1 to /sys/class/ad/starwars/enabled? Would you think that's appropriate?
You're developing a web browser, a critical piece of software. Almost an OS within an OS these days. You got rid of "cookies are delicious delicacies" (an actual easter egg) because you deemed that the joke wasn't worth obfuscating an important piece of information. 15 years later you're adding stealthy extensions that look like backdoors. What changed?
I can assure you, people who want novelty extensions know where to find them.
The folks behind this presumably wanted this experience to be seamless, and were also trying to keep it under wraps to preserve the surprise factor. This meant that they bypassed the usual processes by which Firefox engineers would have had the opportunity to (a) raise concerns about the deployment approach, and (b) suggest other mechanisms that would have achieved the desired experience while keeping deployment appropriately scoped.
It's really heartbreaking that it ended up this way. The marketing team was trying to think outside the box to bring new users to Firefox, which is crucial if Quantum is to succeed. Surprises and stealth are the bread and butter of marketing, but they didn't think through the dangers of applying those things to engineering. Moreover, the very nature of surprise and stealth meant that they missed the chance for internal feedback before it went live.
A lot of us inside Mozilla are hurting right now. We poured our lives into Quantum for two years for the long-shot dream of giving Firefox a fresh start and saving the web from monopoly. It's frustrating to feel that all our hard-earned goodwill might be squandered by a few people and a botched marketing stunt. But the people behind that stunt were only trying to help, and I'm sure they feel especially terrible right now too.
Mozilla will learn from this. But the mistakes here are probably less sinister than they may appear, and it would be sad if they caused our most closely-aligned users to switch to Chrome.
i would have been happy to write this one off, but the ship has all but sailed. the ice is so thin that you guys are one PR disaster away from a mass exodus of people who trust you.
if mozilla learned anything from the Pocket disaster, it would have immediately made it a removable addon and genuinely apologized. instead, there it is in my toolbar on nightly. i know you guys bought them, but that's a solution that only addresses the privacy aspect - you went from nonremovable Pocket to nonremovable Mozilla/Pocket.
every misstep that has happened with "enhancing the user experience" is an affront to the brilliant engineering you guys are doing. you're literally shedding user-engineers - not unlike yourselves - over these user choice, bundling/marketing double-speak, viralgrab and privacy fiascos.
i'm reasonable. i understood the DRM situation. the content providers make the rules and the consumers make the choices based on where they can consume the content. many people went apeshit with ideology. but mozilla is in full control of everything that is going on right now.
> This meant that they bypassed the usual processes by which Firefox engineers would have had the opportunity to (a) raise concerns about the deployment approach, and (b) suggest other mechanisms that would have achieved the desired experience while keeping deployment appropriately scoped.
i don't know what's worse, that users don't know what's going on, or that the engineers don't. here's an apt description for this: rgba(0,0,0,1)
rather than being delighted to discover features i didn't know were in there, i'm now horrified to discover them. i'm becoming mozilla's unwitting social testing platform and this is unacceptable. it is not what i signed up for with firefox 1.5. there's a reason that Tor's browser is firefox; i think this reason is ripe for re-evaluation.
mozilla is long overdue for automated regression tests of their core values.
plz don't take this comment personally. i have huge respect for the work you do. it's a shame the engineers are not in control of their destiny; they rarely are.
This scares me and many others quite a lot.
Thanks for listening.
Are those responsible for this stunt still employed at mozilla? If so, you can say goodbye to trust of most of the technically aware world. I cannot recommend Firefox while idiotic stunts like this are institutionally viable - have you got the message?
I humbly suggest that your message might be a little harsh and unforgiving. Is there anything I can say which will change your mind? Kindness has a place in the world. Please help me preserve it.
That doesn't make any sense--if it's an ad for Firefox, why is it in Firefox, which is presumably already being used by the target audience? It should be in some other site or software set up by the Mr Robot production company which directed people to Firefox, no?
If I understand correctly, at some point when following the breadcrumbs the user is given the opportunity to opt in to the game. I think everyone now agrees that this opt-in step should have triggered the download and installation of the add-on, rather than the activation of a dormant add-on that was deployed to every single Firefox user.
I think you agree:
> But pushing it out broadly, even in an inert state, was not good.
But who actually wants it? Who wants a fundamental part of their daily work suddenly manipulated by somebody else at a whim?
What if Ford decided it would force-push add a cool "Star Wars" tie in to its cars (no pun intended on "force push")? That's a mission-critical part of my life, I drive my kids in it. Don't mess with my car over-the-air without telling me, I don't care if it's all fun and games to you, to me it's my life.
Same for my browser. It's not a toy I use for fun. It's how I see my medical records, pay bills, transport extremely sensitive and confidential information... I don't want anyone to suddenly push "cool fun easter eggs" to it, under any circumstance.
FWIW, Tesla includes easter eggs in its cars. You need to go out of your way to use them, and they're pretty much hidden unless you go looking for them, and they keep adding more via OTA updates.
If your question is "Who are easter eggs made for?" then the answer is "the people that care to go looking for them." The difference between a Tesla easter egg (which are almost entirely regarded as delightful) and this easter egg is that this easter egg was poorly executed.
A Tesla easter egg is silly and whimsical. This easter egg parodied something that's potentially threatening. And hell, Firefox has had easter eggs since its first release; go visit `about:mozilla` in your address bar. Saying easter eggs are bad outright is silly, but they should be done in a way that isn't concerning to users.
I don't own a Tesla but I assume a key difference is that the easter eggs exist solely to delight the user whereas this was more of a partnership designed to make Mozilla money.
Hah, good one.
Thanks for that warning. I was considering buying one, but now I'm certain that I won't.
See also: https://news.ycombinator.com/item?id=15942722
In the part you quoted they were just pointing out that an optional extension is the correct place to implement this sort of thing. I am sure that if they had just posted this as a separate extension from day one then the target audience of Mr Robot fans would have had fun with the ARG and everyone else would be totally unaffected.
Those aren't Callahad's words. Here I quote him exactly:
"Looking Glass is a really cool idea for users who want it. But pushing it out broadly, even in an inert state, was not good."
Note, not even "bad." Just "not good." And far from "terrible, terrible."
> The core idea (deploy an easter egg via an add-on) seems pretty reasonable.
no, no it doesn't. especially not when done silently, without confirmation and modifies headers and content on pages i visit.
in what alternate universe is this "reasonable"?
"reasonable" would be to push it to a tile on the new tab page.
EDIT 2: Mr Robot is the exact type of sensationalized shit i want to keep out of my tools.
As to your edit, I absolutely agree. That's what I meant when I said pushing the add-on was not good. I was only suggesting that an add-on is a reasonable place to implement an easter egg, since it's separate from the core browser code. Distributing that add-on is a different matter, and I personally disagree with what happened there.
It was not a common add-on but an ad disguised as a "study." The question is still: why?
Why did that marketing team need that treatment instead of giving to the interested users a link to the normal add on? What was the actually planned scenario? Was it planned that that "study" (the studies are apparently officially "a way of making more informed product decisions based on actual user needs") uses some functionality not available to the normal add-ons? Was it that the normal add-ons wouldn't have access to the API that the "study" would use but that is forbidden to the normal add-ons since v57?
"The addon is actually deployed as an embedded WebExtension, which is subtly different. It has a 40-line legacy XUL/XPCOM bootstrapper controlling whether the WebExtension part of it runs. The legacy code actually could upload your hard drive and isn't bound by any of the WebExtension restrictions. We know it doesn't do anything harmful, but it could have done so.
The WebExtension itself also has <all_urls> and webRequest permissions, granting it the ability to sniff the content and headers of every page."
(Source: https://www.reddit.com/r/talesfromtechsupport/comments/7k7wu... )
The question is still: what was the goal?
That's not okay.
Pretty much every site on the internet does that.
Why are we spending 500 replies and all this developer time on an issue that if done by, say google on their home page, would be considered at best a fun little doodle at worst business as usual?
There is some degree of deceit present here which bothers me. They pushed out this advertisement through user studies, a feature that ostensibly exists and is designed to improve Firefox. I take issue with it instead serving as a backdoor to silently install an advertisement.
If I personally saw this in my add-on page without any knowledge of what it was, I would be alarmed. My first thought would be that my computer had been somehow compromised.
I'm also slightly sympathetic to the idea that these user studies / telemetry can be used to improve FF. By abusing the feature, they encourage people to disable it, which harms Firefox if you take the position that the data gained by telemetry is useful. I certainly no longer have it turned on.
I've seen people link to anecdotes about the user study feature being reenabled after an update was downloaded. All I'll say here is that this is not cool if true.
And really, at the end of the day, why should I put up with any form of advertisements in my actual browser software? Good alternatives exist that don't have advertisements. Advertisements embedded in the product is a huge part of the reason why I switched away from Windows 10 to Linux.
To me, it's a worrying trend between this, Cliqz, the initial integration of pocket, and the advertisements on the default new tab page.
I'm not particularly sympathetic to the idea that Mozilla needs to pull these kind of anti-user stunts in order to function. We're talking about a foundation that saw revenue of 421 million US Dollars in 2015 and 520 million in 2016.
 - https://www.ghacks.net/2017/12/02/mozillas-revenue-increased...
... your computer was compromised.
I think we should all expect a full accounting from Mozilla on their actions and what data and information was acquired by them or a 3rd party as a result of the 'study' as well as what steps they will take to prevent this from happening again (now that they have a proof of concept (MVP?) surely another 3rd party can plant their own easter eggs in the future).
Count me in here... I was opposed to this feature and commented about making it Opt-in when it was introduced, however I did leave it enabled on a few of my systems believing it would only be used to improve the technology of the browser.
It is now (or will be soon) disabled on every system I manage...
Good Job Mozilla...
If this code had been in core-Firefox, we'd never have noticed it. Counter-intuitively, maybe it wouldn't have felt as invasive, because I know that Mozilla controls core-Firefox, not me. (And I choose to defer to their judgement, because my other options are to defer to Google or Apple.)
The code is available. I'm pretty sure the tor project would have noticed it.
I do not expect advertisements from my web browser - and I don't think that's an unreasonable line to draw.
To add insult to injury I don't see an apology or anything similar from Mozilla (or callahad here on hn) that would show me they understand the extent of this issue - how badly they f* up on how many occasions.
It's ironic, right when browser can finally stand next to Chrome in terms of performance...
No, it doesn't do that until you explicitly activate it.
The "pretty reasonable" core idea is just having that flag available in about:config or on the addons website or similar.
- - -
for other reasons I wanna comment on the "seems pretty reasonable" bit
"In this day and age" what with fear and stuff being a main chunk of news , perhaps using a webext (which can really only modify a page to do any tricky cool stuff) is a bad thing?
(especially when it plays off of the pre-existing FUD by referencing hacking n' stuff!, but not my point)
same for any unexpected icons appearing in the toolbars! People are being told to be wary when using their browsers: look out for signs the pages might be fake or messed with, look out for unexplained installation of programs and addons, being hammered in from every secure site!
It's worrying that, I know it would fuck with my parents pretty bad WHEN it would be enabled, because there isn't much point in developing something for it to not be enabled! Especially when money is probably on the table, when higher ups probably rammed this through normal steps designed to prevent this sort of stuff (again)
I need something to give my parents, something that is ethical, something that cares about them, and something that works: chrome still works better for them, and mozilla seems really really keen on blurring the lines for the other ones (I know I know, it requires users to opt into shield studies etc, but man, I had a talk with my ma, "do you wanna contribute back to mozilla in this way?", please don't punish us for asking other less-techy people that.)
If you guys need easter eggs, probably keep them off to the side, in the settings or about sections
Erm no. I don't use a browser to have fun. I certainly don't want any surprises, and coming from Firefox/Mozilla this is very, very disappointing. How can we trust you guys to do the right thing from now on?
(the upsidedownternet is over 10 years old at this point - http://www.ex-parrot.com/pete/upside-down-ternet.html is from at least 2006 - awkward out of touch big company advertising isn't fun)
He explains that including that addon for everyone by default is NOT OK.
What he means by the first sentence is that using an addon for easter eggs is OK (but users need to install it themselves).
> How can we trust you guys to do the right thing from now on?
The same way you can continue to trust the GNU/Linux system which contains easter eggs.
Easter-eggs, to me, means something like "press a key combination, get a list of developers" or "go through the levels in a fast time, unlock a secret level" or "on march 14th there's a message about Pi day". It doesn't mean "if you change xyz settings, we'll sell some control to your system to a third party for our profit".
This is not an easter Egg, I wish people would stop calling it that.
This is a Paid Advertisement, injected without my permission into my software. AKA Malware or Adware.
Companies pay thousands of dollars a year to prevent that type of software from being loaded on their system.
Firefox DOES NOT have a long history of being a distributor of malware or adware...
Easter Eggs are funny things that Dev put into code that make people chuckle but have no impact on the actual software
To call this a "Easter egg" is naive and ignorant. This is a Paid Promotional Advertisement of a Large Commercial project not an Easter egg
By which you mean, not at all, I assume.
Whenever a story like this happens, I'm left wondering who came up with those ideas and who okayed them. From my perspective, anyone who thinks those things (as they were implemented) were justified is not suited to make decisions in a project like Firefox, period.
Another comment in this thread asked what will be done to make sure something like this doesn't ever happen again. I am aware that probably, nobody here can answer that question. But in essence, this is the thing Mozilla should be considering and communicating clearly in the near future.
I don't see how "push" is even useful here. It's ARG content; teasing players into actively seeking out content is the bread and butter of ARGs. While it's certainly part of the premise that they exist as a sort of overlay on top of reality, well-run ones usually have a clear concept of which media are "in-game" to discourage people getting off into the weeds of fan-made content and unintended red herrings. The game is typically not meant to leak into unrelated media (such as the add-ons tab of Firefox on my company-issued laptop). Good examples of wider distribution for the initial round of hints to advertise the existence of an ARG include the "corruption" in a Halo 2 trailer (I Love Bees) and the heat-sensitive ink on the Nine Inch Nails Year Zero CD.
> I can assure you that there's an active internal discussion to that effect. I'm hopeful that we'll learn from this.
Here's one thing that somebody at Mozilla ought to learn (though I worry that the people who most need to learn this are going to be above the fray of the internal discussion): This was absolutely not a mere PR misstep, as the current non-apologies from official channels suggest. The primary problem now isn't that users misunderstood what Looking Glass is, it's that Mozilla management misunderstands what Looking Glass represents. If the Mozilla brand stands for anything at all, it stands for the mission of building the future of the web on behalf of the full spectrum of end users and developers instead of parochial and shortsighted corporate interests. The fact that Looking Glass was deployed in this way, with any internal alarm over it clearly either absent or overruled until after the fact, sends the opposite message. That message was further reinforced by the "clarifications" issued in response to the backlash.
Right now, I feel like any apology is likely to ring hollow. All indications so far are that upper management badly wants this sort of thing and that there will just be another flavor of it next year, as though it's just a matter of tweaking the recipe until they find a version of the pill that people will swallow.
I really love the work you guys do, but I feel like it's being undermined by exactly the sort of thing Mozilla is supposed to be the antidote to. I imagine many Mozillans feel the same way. So what the heck is going on?
It's fine if you believe this, but it means I'm not using your browser. I switched to Safari today.
Also, as others pointed out, this sentence you quote (probably) isn't as bad as your interpretation (I think I interpreted as you did, too, on first read). If you want an easter egg in your browser, and you install an add-on to get it, what's bad about that? The interpretation that "add-on" means "installed by default by Mozilla" seems off compared to what was said elsewhere here (though as it happens, this add-on was installed by default, hence the interpretation that this was okay... but read on, and clearly callahad is saying that it wasn't okay to install by default).
I think the statement is poorly worded, but with the larger context, I'll give Mozilla a chance here... or else I'll use a browser that I think is more privacy conscious and that is more likely to listen to its users, not a browser that I think is less privacy conscious and less likely to listen to its users.
There were very disappointing answers by mozilla employees on r/firefox.
Consider for a moment what you think the lesson is.
Now that you have it...
(have it? great)
... is it different from the lesson when Pocket was made part of the browser?
What % of your users did you think you would frighten -- I guess it was acceptably low?
Yes, deploying an easter egg via an add-on is pretty reasonable, hell if it's out of the way enough even in the core browser. But Mozilla didn't deploy an easter egg: they deployed an advertisement.
I am stunned. I need to think about it for a few days, but this, to me is enough of a reason to stop using FF. Force feeding users this way is not even Chrome-style; it is early Internet Explorer like behavior.
Dan is saying "Easter egg yay, auto-include in browser nay".
Let me clarify: I do not want Easter eggs in my browser. At all. If you have to insert it, doing it via an add on is better than via core capability (I guess), but either way it is a very bad idea. And I think (correct me if I am wrong) that it is not "auto include nay". It is rather "Easter egg yay, auto-include yay, auto-activate nay".
At best an Easter egg is some useless junk and at worst it is a possible backdoor which can be activated by mistake on the developer side (as happened) or by a user fat fingering some input.
Sadly, I do not trust Mozilla anymore. It is just another evil empire competing to capture any user information it can. Any time there is another non-removable "feature" added I could bet 10:1 that the goal is to try putting yet another hook into the user and "good news: we are enhancing user experience again" is a clumsy PR. My 2c.
So don't install the addon. Why is everyone missing Dan's point? He's saying the current method (Available on AMO, you can install it if you want it) is what it should have been from the start.
BTW, they didn't get paid for this.
As far as I can tell, to get Mr. Robot viewers to try Firefox Quantum.
The Mr. Robot episode from Wednesday, as aired in the U.S., had a Firefox ad on a commercial break.
(Note that I'm not endorsing or excusing the ad extension or the manner in which it was delivered, or claiming a positive effect on the number of users. Having contributed to Quantum technically, I'm very upset about this.)
I was here since Netscape, AOL, prodigy, and Mozilla save me from the hell of IE.
I didn't move to Chrome not cause Firefox was inferior. It's because firefox can handle 100s of tabs and Chrome crash when I have a fraction of that.
You're right on the ideology but it also can handle 100s tabs.
Your team has just ruined a huge amount of trust by not appropriately reviewing and documenting this feature. This goodwill is the most important capital Mozilla has.
Your team is continuing to make this situation worse by not posting any official response on Mozilla's communication channels, and by arbitrarily censoring incoming comments.
It would be appropriate for all members of your team to question the processes that led to this, and drive structural changes to ensure this never happens again. This includes the continued inaction of Mozilla's communications team.
But regardless, basically the entire company is on flights right now, and it's the weekend after an intensive all-company event, and everyone is tired, and it's the freaking weekend. Wait a bit.
(Also, the Gizmodo article is an official response, as is https://support.mozilla.org/en-US/kb/lookingglass. There will probably be more, idk.)
Also, your all-company event may be "intensive", but it doesn't matter one whit. Why? When your corporation's actions are raising a damn ugly stink ruining Mozilla's good will, you're better off paying immediate attention even if it's the "freaking weekend".
It's elementary common sense.
Is this satire?
So, from a certain perspective, yes it is.
>It has been clarified that an about:config flag must be set for this addon’s behavior to be visible. This improves the situation considerably, but I do not think it exonerates Mozilla and I stand firm behind most of my points. The study has also been rolled back by Mozilla, and Mozilla has issued statements to the media justifying the study (no apology has been issued).
This is my problem, right here. To err is human, but I would expect a level of contriteness, rather than doubling down on the "nothing to see here" attitude.
1. Aside from how it reaches the users machine, is the extension on or off when it gets installed invisibly?
2. If it's off, why push it at all? If the user is expected to give consent at some point down the line for it to be on, why not just have the user actually install the extension at the time of consent, rather than prefetching?
 work gives me a Chrome OS laptop, and I find the lock-in of sync-ing bookmarks and things pretty real.
You could argue technicalities for either, but semantically, it's off by default.
The add-on is implemented as an "embedded webextension" which is wholly contained by an outer "bootstrapped add-on." The bootstrapped add-on controls whether or not the embedded webextension gets initialized, and that's all it does.
The bootstrapped add-on is literally just this one file: https://github.com/mozilla/addon-wr/blob/59659431fd2a75c33ac...
The outer shell is on by default. The embedded webextension is only initialized by the bootstrapped add-on if the user manually flips the "extensions.pug.lookingglass" preference in about:config. That preference is off by default.
> why not just have the user actually install the extension at the time of consent, rather than prefetching?
That's what we're moving to by pulling the add-on from Firefox and posting it on AMO.
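(Added example, not part of the thread and not code from mozilla/addon-wr.) The two facts discussed above, the `extensions.pug.lookingglass` gate and the `<all_urls>` plus webRequest permissions quoted earlier, can be checked together by someone auditing a profile. The `prefs.js` contents and the manifest below are constructed samples; the `webRequestBlocking` entry and the content script are assumptions added for illustration.

```javascript
// Preference name as given in the thread; absent from prefs.js means "default", i.e. off.
const GATE_PREF = "extensions.pug.lookingglass";

// Host patterns that cover every site a user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Parse the user_pref("name", value); lines of a Firefox prefs.js file.
// prefs.js only records values the user (or an add-on) changed from the default.
function parseUserPrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments and blank lines
    let value;
    try {
      value = JSON.parse(m[2]); // booleans, integers and quoted strings
    } catch {
      value = m[2]; // keep anything unusual as raw text
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// Report whether the gate described in the thread has been flipped in this profile.
function gateState(prefsText) {
  const prefs = parseUserPrefs(prefsText);
  if (!prefs.has(GATE_PREF)) return "default-off";
  return prefs.get(GATE_PREF) === true ? "flipped-on" : "explicit-off";
}

// List what a WebExtension manifest would allow once the extension is initialized.
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const broad = perms.some((p) => BROAD_HOSTS.has(p));
  const apis = perms.filter((p) => !p.includes("://") && p !== "<all_urls>");
  const scriptMatches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const findings = [];
  if (broad && apis.includes("webRequest")) {
    findings.push("can observe request and response headers on every site");
  }
  if (broad && apis.includes("webRequest") && apis.includes("webRequestBlocking")) {
    findings.push("can modify or block requests on every site");
  }
  if (scriptMatches.some((m) => BROAD_HOSTS.has(m))) {
    findings.push("injects content scripts into every page");
  }
  return findings;
}

// Combine both views. This says nothing about the legacy bootstrap shell, which
// per the comment quoted earlier is not bound by WebExtension restrictions at all.
function assess(prefsText, manifest) {
  const gate = gateState(prefsText);
  const capabilities = auditManifest(manifest);
  const active = gate === "flipped-on";
  return { gate, active, capabilities, dormantRisk: !active && capabilities.length > 0 };
}

// Constructed sample inputs.
const SAMPLE_PREFS_DEFAULT = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "about:home");',
  'user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1513300000);',
].join("\n");

const SAMPLE_PREFS_FLIPPED = SAMPLE_PREFS_DEFAULT +
  '\nuser_pref("extensions.pug.lookingglass", true);';

const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "constructed-sample",
  permissions: ["<all_urls>", "webRequest", "webRequestBlocking"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};

console.log(assess(SAMPLE_PREFS_DEFAULT, SAMPLE_MANIFEST));
console.log(assess(SAMPLE_PREFS_FLIPPED, SAMPLE_MANIFEST));
```

`dormantRisk` is the case argued over in this thread: nothing runs, but broad permissions are already installed and one preference away from use.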
Mozilla fucking up like this still feels like a friend fucking up. It's frustrating and disappointing precisely because I expect Mozilla to be better than this.
Why was this not done in the first place?
If you do decide to come clean, it would help a lot if you gave assurances about what you have learned and how you will change the process so that this doesn't happen again. Trust is difficult to gain and easy to lose.
I must say I am sorry to see all this happening though. I have always hated Chrome (a bit less than IE, but for other reasons) and am (still) your loyal user. I even enabled telemetrics recently (which means _a lot_ - there is no other piece of software that gets this willingly from me) - needless to say, they are turned off again. We'll see how the postmortem turns out.
was it a candid easter egg ?
I feel a bit distanced about the whole situation. The issues I've seen are:
- getting money from secret extension
- potential security risk
- bad will from mozilla
the name shield studies feels a bit scary, a CIA paranoia tone but anyway.. I believe that's the era that is tense and what seems to be an easter egg as you say, ends up as a brutally negative thing.
And it's not like we have any massive problems to unite against (that we can actually feel like we can help with).
That’s a very dangerous type of justification there, not one I expected someone at Mozilla to get that wrong.
The fact that it took a backlash to pull something that Mozilla engineers built and deployed is the worrisome element that the post and many people discussed.
> This event tells us that “Firefox studies” into a backdoor for advertisements, and I will never trust it again. But it doesn’t matter - you’re going to re-enable it on the next update. You know what that means? I will never trust Firefox again.
That's the real problem. There's already a strong negative taste after incidents like https://twitter.com/dherman76/status/433320156496789504
> Excited to share the launch of @mozilla @firefox Tiles program, the first of our user-enhancing programs
The default assumption that Mozilla is "one of the good guys" may have been there years ago, but in 2017 after many stumbles people are calling Mozilla's actions into question. The impression Mozilla's actions left upon 'sir_cmpwn wasn't based on an overnight reaction -- it was years of questionable actions. Trust is incredibly hard to earn, but very easy to lose
So who is telling the truth?
The one thing I know is that I am writing from a Firefox right now and don't see headers, inversions etc. at all. The examples given in the article should have all been inverted, right?
the use, as far as I know, has always been to disable broken features in older versions of users that do not update. pretty ok and necessary.
but this makes me think they are using it to a/b test or capacity plan for marketing campaigns now :(
I completely disagree this needs to be hidden from the end user, it should be FULLY and COMPLETELY transparent what is being disabled, added, or changed. There should be an "about/system-extension" page where a person could go and see everything that is doing or has done, and even optionally disable it if they desire.
There is NEVER an ethical reason for a dark update channel to exist.
Altering the functionality of installed software without consent or notification is an act of sabotage, even when done by the vendor. If you want to disable broken features you prompt the user to have them disabled.
Worst case (say something that allows malware to propagate or puts them or others at active risk) you disable it and display a message telling exactly what has happened.
I've only seen people that saw the addon being installed unexpectedly.
That doesn't lead to thinking any sites have been hacked.
And, for good measure, here's an official quote confirming that we're pulling the add-on from Firefox: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...
It's great that it was pulled, but what about removing the ability to silently install add-ons? Give up the power to make this mistake in the future if you want forgiveness.
Although different, this too brushes off this one instance as a mistake, and entirely disregards the rest of the article, not even trying to address or explain the rest of Mozilla's recent borderline malicious behavior.
A serious fork is long overdue, if only it didn't take a corporation as big as Mozilla to undo their bad deeds.
I still want a justification of the cliqz thing, sure, but I don't demand it in relation to this.
Even if the add-on is "enabled," it doesn't initialize itself unless a specific about:config value is also manually flipped.
Attack surface 101 / reason nobody else does this
"It involved sideloading a sketchy browser extension which will invert text that matches a list of Mr. Robot-related keywords like “fsociety”, “robot”, “undo”, and “fuck”, and does a number of other things like adding an HTTP header to certain sites you visit."
Only if HN is on the list of "certain sites". It's also irrelevant because the extension offers me no value so Mozilla was not acting in my best interest.
But still, the fact that the extension was not active unless you mess around in about:config is a crucial fact, which should not have been omitted in a highly critical article, especially if they use words like "Mozilla, you fucked up bad, and you still haven’t apologised. The study is still active and ongoing".
I feel misinformed by that article, to say the least.
If that is the case (I'm not saying it's not, just that I don't know)... why did the extension even need to exist? Presumably "certain sites" are partner sites participating in the promotion. If they are participating and (I assume) they control their own content, why didn't they just invert those words or whatever else they wanted to do with the content when they served it?
I'm very confused about why this needed to roll out as a browser extension at all.
So presumably it was implemented as a browser extension so game players would be able to find the browser extension, which would give them hints about what to do next.
"We didn't make any money off of this; it was intended as an easter egg in Firefox for fans of the show." https://www.metafilter.com/171227/Your-Reality-Is-Driven-By-...
"Mozilla wasn't paid for the Mr. Robot tie-in, Kaykas-Wolff [Jascha Kaykas-Wolff, Mozilla's chief marketing officer] said. "We've enjoyed a growing partnership with the show and the show's audience," he said." https://www.cnet.com/au/news/mozilla-backpedals-after-mr-rob...
It doesn't matter if the extension was not activated on installation because the check for the extensions.pug.lookingglass on line 22 https://github.com/mozilla/addon-wr/blob/master/addon/bootst... can easily be gone in the next version of the extension.
Not getting paid for this ad is even worse in my opinion. Mr. Robot is produced by Universal Cable Productions, which is part of NBCUniversal, which in turn is owned by Comcast.
Your marketing people are probably laughing behind your back, they got the dork developers to implement this ad for free, be proud of it and even defend it in online forums. As they say: "The intent is to provide players with a sense of pride and accomplishment for unlocking different heroes." https://www.reddit.com/r/StarWarsBattlefront/comments/7cff0b...
Your marketing people got to play with the big boys in mass media and are now owed some favors. Think about that for a minute.
Mozilla did a free advertisement for Comcast owned TV Series Mr. Robot?
What The Proverbial F?
What's being done to make sure this never happens again? How could something like this happen after the Pocket fiasco?
You can verify that this is the same code as your own local copy of the add-on by visiting about:debugging, clicking "enable add-on debugging," and hitting "Debug" under the Looking Glass add-on.
Here's a press release confirming that we're pulling the add-on: https://gizmodo.com/after-blowback-firefox-will-move-mr-robo...
I'm an engineer in Developer Relations. I'm not in management, I wasn't in the decision chain for this. I'm not here to defend that decision. I'm just here to try to explain, factually, the technical aspects of what happened, and to then reflect your sentiments internally.
Let me state the obvious for your management: violating user trust is unacceptable. I expect Mozilla to be user-centric but I can no longer take that for granted.
This is a very dangerous action because it's not something that can be taken back. The addon can be removed but it shows very poor judgement on the part of Mozilla leadership and now I have to doubt all future motives.
How do you make sure it never happens again?
(That question alone deserves a lot of discussion)
I actually appreciate your thoughts, but maybe it would be better to let Mozilla, the company, respond in a full blogpost.
One man does not stand well against an internet mob out for blood.
I agree, callahad is not responsible for this fiasco but I'm willing to bet Mozilla's response is gonna look something like this: https://m.imgur.com/obGMl8A
They keep pulling the same shit time after time... For me, it's time to abandon ship... (and I'm really sad to say that)
Now that Mozilla owns Pocket, and is open-sourcing the technology behind it, we get the best of all worlds, a useful addition to Firefox that is developed in line with the ethos of Mozilla.
Lastly, the whole Pocket saga was a storm in a teacup. Want to know what most people did when they didn't want to use it? They didn't click on it. If you're offended that a specific logo was present in your browser, I'd suggest you're in a vocal minority.
Would you (or someone else in the know) please clarify what additional user data (if any) the default-enabled bootstrap add-on caused to be collected when the extensions.pug.lookingglass preference was disabled? I did some searching, but it's unclear to me whether SHIELD studies automatically cause any additional data to be collected and to whom that might go. I think the support site could do a lot better addressing that topic. For example, it mentions (but does not link to) the default data collection policy.
Lastly, I appreciate that you've been candid in sharing your personal feelings about the inappropriateness of pushing this extension. I'd like Mozilla to go one step further and comment on whether an extension of this nature is even appropriate to consider for a SHIELD study. Based on my reading of the feature's design and history (starting at the wiki and branching out from there), as well as the aforementioned user-facing documentation, I believe SHIELD is intended for user research into features/ideas intended to be shipped to all Firefox users. I didn't find definitive guidelines on what constitutes an appropriate study for this program (if they aren't publicly available, that's something Mozilla might want to address in the wake of this controversy), but I would disqualify Looking Glass in at least four different ways:
* Fleeting - whatever appeal it has to its target audience has a short shelf-life
* Frivolous - it has no utility and doesn't substantially improve any aspect of the user experience
* Hyper-targeted - it's only for Mr Robot fans
* Advertising-related - this adds an extra level of privacy concern for users
User research is a delicate matter requiring a lot of care to balance collection with privacy. To enroll (or stay enrolled) in these programs, users must be confident that they aren't trading too much privacy and are getting tangible benefits in return. Looking Glass fails the privacy confidence test for being advertising. It fails the tangible benefit test for being fleeting, frivolous, and hyper-targeted.
SHIELD isn't some convenient way to push features. It's a user research tool. Studies ought to have the gravity that the term implies. Mozilla hasn't just failed to respect users' concern over their privacy, it has also undercut its own user research efforts.
It did not collect anything. It just checked whether that preference was enabled upon startup of the browser and then disabled itself, if it was not.
My question is not about what Looking Glass itself does. I can see that in its source. My question is whether Firefox or SHIELD collected additional data because the addon was enabled, even when the pref (and therefore the extension) wasn’t. That’d require going through the source for the browser, SHIELD, and Normandy, which is quite a bit more challenging.
I’m hoping for a more authoritative answer with some evidence and preferably from a Mozilla representative.
Wow. So is Drew DeVault lying, or confused? Was there a bug that turned it on for him? This is odd.
This is the only code that runs when the add-on is enabled: https://github.com/mozilla/addon-wr/blob/59659431fd2a75c33ac...
Lines 22 and 39 determine if the inner WebExtension starts up.
As I apologize for the error, I'd also mention that the principle of charity is a thing for a reason. One may very usefully cite errors in published articles and request their correction without also suggesting their presence may be an attempt at deliberate deception. Certainly such things do occur, but we need not assume them, even provisionally, in the absence of any evidence that the error is anything other than an honest mistake. Such behavior when made a norm debases our discourse; such behavior when indulged even occasionally risks its normalization. I think the quality of discourse on Hacker News merits preservation and enhancement, rather than debasement. But perhaps you disagree.
Personally, I do not see "lying, confused, or bug? this is odd" as an accusation of lying.
do you know where i can read up on the decision being made to deploy this extension thru the shield thing?
Jordan Peterson to Student: "You can't force me to respect you" https://youtu.be/WDLIR71Pe0A?t=184
First of all, Mozilla isn't being rude, they're being foolish. But to answer that question in general, the goal is to fix things, not make them generally shit, so one side has to show decency at least. Furthermore, even if you believe they're as bad as you say, that does not give everyone carte blanche to be awful.
That's how we ended up in this mess. You can't compete in the web browser battles unless you have hundreds of full time engineers behind you. That's a failure of the web.
None of this new decentralized technology is going to mean anything if we haven't learned that lesson. If you want free, open systems, competition needs to be easy. We need to be able to respond to abusive platforms by making our own, and that means we need to live in an ecosystem where making our own platforms is easy enough that you can have 10-20 viable options simultaneously supported.
Linux distros are a fantastic example of this. It's easy enough to create a viable linux distro that there are 5+ popular ones, and if you don't like those there are 10+ less popular ones which are perfectly viable and reasonable choices for an OS.
We need to take the web back in that direction.
I don't know how you enforce it exactly, and maybe it's redundant with pastebin.
It still nags at me that sometimes I want to go to the web to just read a thing, measured in the tens of kilobytes, and all this other nonsense just gets in the way.
It's my kooky nostalgia probably. Old man yells at cloud. But other times, for fleeting moments, I think about applying for that TLD and feel just a bit like Ray Kinsella...
That would be great -- I'm imagining a whole TLD full of sites like http://text.npr.org and http://lite.cnn.io/en.
There's no reason I should be required to go through the "app" web (Flash, JS, Silverlight) to get something off the "document" web.
... and most use cases don't require an "app" web.
Or allows only the minimal subset required to implement AJAX type functionality.
The argument for expanding web standards has always been "if we don't, then they'll just appify it and we won't have any say" (see DRM debate).
An explicit decoupling of information from interactivity would lessen the pressure for that.
In my experience, of all the websites that don't work without JS, only a minority actually need it. Most of the time it's silly things like articles and blog posts that just show a blank screen without JS, or drop-down menus that rely on JS even though there are perfectly fine non-JS ways to do it, etc.
What does make sense to me is a new platform based on WASM, with related tooling. Photoshop in the browser or something running the Unreal Engine or .Net is not the web enough to maybe deserve its own thing. But a new platform based on what are essentially complaints about complexity or efficiency would be too messy.
Bifurcating the web would provide one.
Or to put it another way, extrapolated down this path README.txt files on the web in the future will only be accessible with a pair of VR goggles.
The web as we know it is much better suited to applications, where websites have behavior as well as content. Whether the rendering is server-side like HN or client-side like Facebook is irrelevant.
I once had a site beg me to enable JS "for a better user experience", one which didn't need it to work. I did, and promptly turned it off again when I realised what the "better" actually meant (see above). Not going to fall for that one again...
Yet for some reason (hint: money) newspaper websites load megabytes worth of scripts to display kilobytes of text.
Just make a separate "document web", with a standard that isn't utterly lovecraftian and has all the functionality that current ostensibly "document-only" sites (i.e news, forums, etc) rely on JS for. Then, disguise it inside some hip web framework where the client end just acts as a viewer, client-side rendering to boot (with a fallback for users with JS disabled). Make sure an independent implementation can access the underlying "document" through the endpoints the clientside rendering uses. Now you're able to essentially fool people into supporting it.
Also, you could choose to represent your document sites as a pile of data and non-Turing-complete "scripts" that do the presentation, with state that can only change upon user interaction. That may seem like a really backwards way of doing it, but if done right, it would give you a really good bang for the buck in terms of functionality/UX vs implementation complexity.
Tech people like those on HN may understand the centralizing corporate control that's embedded in the current structure of the internet.
Average users a) have zero technical understanding b) mainly use JS-heavy, DRM/surveillance-loaded "big tech" websites c) lack the skills, awareness, and desire to change anything for increased user freedom. There's more reward for positive features than lack of negatives.
Unless a compelling case can be made to the minimally-competent user who sees only speed, usability, and immediate real-world social use (I can watch DRM movies, play DRM music, use FB / YT / Google Apps / other "big tech"), any shift seems unlikely.
The problem is less technical than social. DRM / surveillance tech crapware is now a social norm, and there's rarely a good time to have a discussion. Most non-technical people just don't know or care.
I would say Brave is better here. By default Brave blocks 3rd party cookies and ads. Brave has browser fingerprint blocking as well, but that is not enabled by default, presumably because that would break a lot of web applications and give the users a bad first impression of Brave.
Brave also comes with built in cryptocurrency micropayments as an optional way to sustain websites without advertisements.
The least bad actor in my view currently, is Brave.
The problem starts with regulatory capture of standards and standards bodies. It is in the interests of large organizations to pack a standard with every bit of code they have created internally. It slows down the other members and it keeps small groups and independents out entirely.
You could in many cases have a standard that five people sharing an apartment could implement. Or you could have one that only half a dozen groups could, which is just enough competition to make it sportsmanlike.
It’s part of the disconnect between new and old employees. Everyone who has been there for three years learned the system one piece at a time. They don’t understand why the new people look at them like they’re crazy.
Unfortunately it seems the spec by fiat process is the least problematic this way.
Someone standardizes a thing that has been working for them for a while and they want their partners and maybe competitors to work with it.
It has to be a fairly conservative spec as well, something that can be defined concisely.
And let me be clear: this is a necessary but insufficient quality of a good specification. Ramming an opinionated spec down everyone's throat that is clearly tilted to only be achievable with your company's patent portfolio is not playing nice, and people tend to sense the insincerity.
I continue to find it ironic that Mozilla (and to a lesser extent, Google) have been pretty much continuously complaining about Microsoft/IE "holding back the Web", with a lot of people in agreement, when MS/IE's lack of support for the latest standards (not authored by them, naturally) is what keeps the former from having too much power over the Web as a whole. Imagine the company with huge browser marketshare rejecting all proposals to add new and more complex things to the standard, or refusing to implement them.
If you want free, open systems, competition needs to be easy.
By MS/IE "holding back the Web", it's actually making it easier for alternative browsers to compete, and I think that's a good thing. Consider that the non-mainstream alternatives like NetSurf and Dillo are probably at a similar level of Web standards support as IE6/7.
Now that I think about it, I actually miss the Internet when the combination of XP and IE6 ruled --- certainly some sites tried to push the boundaries, but a lot of the rest remained "un-appified" and usable from other simple browsers too, with a bigger emphasis on content...
If GNU/Linux were to die, so would all the distros, because it’s far too much work for any individual distro to maintain all that codebase. In much the same way, the intensive bit of maintenance work with Firefox is the rendering engine; there exist lots of “distros” (forks) of Firefox but they all rely on the same underlying codebase. It’s just not viable to have more than a small handful of rendering engines, much in the same way that there are only a very small handful of operating systems that can run on modern hardware.
But there is no such entity as GNU/Linux. It's hundreds and hundreds of independently working engineers who would all have to be hit by buses at the same time.
What we don't have is any browser that's a multi-company project, though. WebKit used to almost be that, but then the blink fork happened. The closest currently would I suppose be Chromium as it's also backed by Opera.
Furthermore in the study you are referencing, the "8% volunteers" is larger than any company's contribution besides Intel and RedHat - even more if you add in the individual "consultants".
I think the Web is unredeemable at this point; there is so much entrenched complexity, ugly hacks, centralization, and misuse of various technologies that it can never be undone. The only solution is to refuse to contribute to the Web at all, which is hardly an option for most of us here.
The hard part would be enforcing behavior so you don't end up with vendors adding their own bits which destroy the entire point of the thing.
Somewhere, an AMP developer coughs indignantly
I like the latter idea.
Go build your new web and leave those of us who believe the existing web, despite its faults, has value, be.
It sounds an awful lot like you are complaining, but about what, I am not sure.
I don't see how I am not letting you be, either. Creating a new system does not involve you at all, until you find a personal interest in that system, or its development.
that doesn't really speak to the value of progress, reflecting on the status quo, or creating something fresh with lessons learned from the past.
i don't really get the 'leave you be' bit.
Simple. More than a few people here seem to believe, as the grandparent comment suggests, that the web is a lost cause, or irredeemable, and all those people seem to want to do is to constantly complain about it.
I'm simply suggesting that if people feel the web has nothing to offer them, that it would be more productive for them to kindly leave it for a network that better suits their needs. Otherwise, rather than wanting to "fork the web and start over" they could consider working to improve what we have.
Why are you taking those complaints so personally?
You don't need us to be content with the status quo. If all we are doing is complaining, we really aren't doing anything to you.
I disagree - if it has something to offer then it's not a lost cause. A lost cause by definition isn't worth saving, or even engaging with.
> 'leaving the web' also doesn't seem very pragmatic, at least until something better is available.
The comment I replied to earlier suggested that the only reasonable solution to the web was to fork it or start over, with starting over being preferable. I'm merely suggesting that someone should actually get started on that.
Or maybe revive Gopher. I hear that's still around.
the real question is whether the New Thing can avoid the problems of its predecessor.
Yes, that is a lofty goal. That does not make it unreasonable.
> Is the solution to break that into its component parts, so that each part can be maintained by a smaller group, and composed together to produce the browser as a whole?
I think it may be time to start designing something less inherently monolithic.
One advantage to modularity is that we don't need to finish before we can use it.
> Guys, there is a _reason_ why microkernels suck. This is an example of how things are _not_ "independent". The filesystems depend on the VM, and the VM depends on the filesystem. You can't just split them up as if they were two separate things (or rather: you _can_ split them up, but they still very much need to know about each other in very intimate ways).
I imagine so.
This is essentially how teams that build huge software systems work. Like for instance, operating systems like windows/linux. The various teams at Microsoft, or trusted committers for Linux, organize their various modules, components, subsystems, etc. independently, and eventually compose them into a coherent functioning whole to ship the whole system.
There are a few methods:
1. Libraries linked by binaries.
This is the usual method, but it generally demands modules share some things, which usually couples them too tightly to their implementation.
2. IPC (Inter-Process Communication)
There are a few ways to accomplish this. Some are OS specific (named pipes), others are fairly generic (sockets). This requires modules to share a language, and has some overhead, but at least they aren't coupled.
Essentially the best points of 1 and 2, but generally a design challenge itself.
The biggest advantage to modular design is that you don't need to create all the modules before you get something useful.
Not only do they all rely on Torvalds and everyone else for the kernel (heavily funded by donations, companies, etc), but most Linux distributions are just cosmetic variations of the largest upstream distros.
If Debian died tomorrow, Ubuntu is on life support.
Plenty are not. I am impressed by how usable community-based (non-corporate) distros are (e.g. Gentoo, Arch). This is truly indigenous technology.
> they all rely on Torvalds and everyone else for the kernel (heavily funded by donations, companies, etc)
This is an interesting thought. I believe the Linux kernel would continue to be viable on a purely volunteer basis, without corporate subsidies; I can't prove it though.
And you're right about "most" being wrong. "Many" would have been a better word, particularly if talking about the most popular.
(Another non-upstream-reliant distro that I find fascinating is GoboLinux. Very against the grain/orthodoxy!)
If anything the major distributions are defined by their package managers, of which there is a large and healthy number - aptitude, dnf, pacman, portage, and a heap of weird and wonderful other ones with minuscule usage.
My understanding is that Mozilla is supposed to be a nonprofit first and foremost: the Mozilla Foundation. The for-profit Mozilla Corporation is a subsidiary which is owned by the Foundation. I don't know whether this is still reflected in practice nowadays, but this is how it's supposed to be structured...
But isn't this the same as all the Chromium/Firefox forks? I mean I understand they aren't as popular as the major players but you could say the same about all the Linux distributions compared to Windows or OS X.
So yeah the web is complex but so are most popular runtimes.
C++ is at least an order of magnitude more complex, but there have been plenty of C implementations, some even entirely the work of a single person. "I wrote my own C (subset) compiler" seems to be a reasonably common thing on HN too.
On the other hand, I haven't seen very many "truly independent" webpage rendering engine implementations (e.g. HTML4 or HTML5-subset, CSS2.x), so if anyone wants to give it a go (or Go, if you like...), they are more than welcome to, if only to increase the diversity of available implementations --- something that could probably handle HTML4/CSS2 might not be all that difficult, and especially so if you don't care for 100% identical results to the mainstream browsers (which often differ slightly too.)
As someone who did a lot of the work to implement a from-scratch HTML4/CSS2 engine, I struggle to come up with words that would adequately express to you just how much you are underestimating the difficulty of this.
If anything, the monstrosities produced by committees are less powerful and less beautiful. (That we put up with them says more about us.)
Yes, it is huge and gigantic, but worth its weight in gold. The stuff "just works" and has almost no limits. I'd say that spec is a masterpiece.
Also, do we count all the pages expended on SRFI's? Or not?
Mozilla is great because they have good management, not just because they have great coders. The rest of us should take an example of this. This means that we should stop scratching our itches, and do some real thinking and have discussions before engaging in our next side project.
There have been tons of attempts at this. Maybe we should start examining why these attempts have failed to succeed.
In light of recent events, this would seem to be up for debate.
What do you suggest to do to make competition easy? We could throw out most of the features, but then the resulting standard won't be useful, and almost no one will use it.
I'm still looking for a Linux distro that runs on my phone without hassles.
Interestingly Mozilla Foundation is not asking for donations.
Mozilla Corporation is selling traffic to ad-supported search engines, and profiting handsomely.
Instead they are asking for user cooperation in their experiments.
Why not create a different breed of browser that does not expose users to advertising. Profit motive?
Let users support it with donations.
This should be the mission.
That's the price of doing business, isn't it? It's why communism doesn't pan out as well as capitalism. What's that a red flag against? The human animal?
I agree--let's replace 'em with super AI instead or something, but, in the interim...
> we need to live in an ecosystem where making our own platforms is easy enough that you can have 10-20 viable options simultaneously supported. Linux distros are a fantastic example of this.
They are not. Pale Moon is about as "viable" against Firefox or Chrome as Ubuntu or Mint are "viable" against Windows or MacOS for the average user. (And one of those [the better, much more popular one] has a corporation backing it!)
Funny, I appreciate the Pale Moon community (I'm "officially" part of it since I use the browser) more than I appreciate or support anything to do with Mozilla for years now. I don't see it being non-viable, because there are plenty of people who are actively involved in providing a better browser with specific goals. And, there are plenty more people on top of that who act as concerned watchdogs to make sure the browser doesn't lose sight of those goals. That's what Mozilla lost. When the powerusers turned into an echo chamber, Mozilla lost the way. When the community openly approved of the offloading of plugins (the start of multi-process nonsense), the new interface, the move to WebExtensions... this is the fault of the people who kept saying, 'yes keep changing stop being Mozilla stop being Firefox be Chrome-2'.
Firefox 57 gained a ton of good will from a lot of users, and they pull this crap right after. They absolutely should know better. They should have known better with Pocket; they should have learned from Pocket.
"Fork it" is not an acceptable answer. The problem is not with Firefox, it's with Mozilla. Mozilla is a good company at heart and they're an important pillar of the web. Losing them to stupid stuff like this sucks, we should fight for them. There's tons of Firefox forks, none of them get the point though, you might as well use Chromium. If Firefox disappears and the fork remains, the fork dies because maintaining a web browser is work that needs a corporation's backing behind it (or a government's).
Mozilla's role goes beyond the web browser as well. Its mission was to "keep the web open", "keep the web free". This goal was reflected in projects such as Firefox OS, Hello and Persona (and to some extent, Thunderbird)... but atrocious management made those projects a waste of time and money.
It's not Firefox you need to fork, it's Mozilla.
There's a lot of power in branding, apparently. People keep saying things like, "Mozilla is a good company at heart", and I'm at a loss. Mozilla 2017 is nothing like the Mozilla that existed when the Foundation was established, or when the Mozilla Manifesto was adopted. Tons of key people left in a few different waves: first when Google pulled them off the project to go build Chrome, and then lots more who trickled out over the years during and after the Kovacs/FirefoxOS era. What remains is (a derivative of) the codebase + the name "Mozilla" + and, like, Mitchell. But that's it. Keep calling it the same thing, though, and somehow folks act like we're talking about the same thing.
Mozilla imploded—or rather, got Netscapified—years ago. To believe that Mozilla or Firefox is your old friend who's still helping you fight the good fight is incredibly naive and can only come from someone who hasn't actually been paying attention and is easily fooled by (trivially contradicted) surface-level details (like a name). I mean, it's not even like some philosophically tricky ship-of-Theseus problem. Mozilla is dead, people, and this isn't news.
Mozilla is still today doing incredible work. The work on Quantum was extremely forward-thinking in a way that most corporations cannot support; it brought us Rust, which is a fantastic contribution to the ecosystem.
Furthermore, Mozilla has always had troubles with judgement and mismanagement, this is not new. The problems that have been surfacing are old problems, they're just getting more severe.
Their whole mission is to have better judgement and management, advocating for the user instead of a corporation (or foundation). So it sounds like you're in agreement with the GP that Mozilla's decay is not news.
Are there? I see no evidence to support that assertion and a lot of evidence against it.
Market share matters. The last vote at the W3C about DRM video being the most recent example.
I mean, I probably qualify as reasonably savvy, and I have used exactly 4 browsers in the last 10 years: Firefox, Chrome, IE/Edge, and Safari.
I probably don't count as savvy, but my browser experience over the last 10 years has been a somewhat broader list. Having started with Firefox at V2, I switched (around '06) to my primary browser being Opera, with SeaMonkey as a secondary - especially when I want IRC; Firefox, K-Meleon, and Links are all in the background ready to go. I also used QtWeb for a brief period.
When Opera switched to being a Chrome clone, I jumped ship. SeaMonkey didn't provide the ease-of-use I wanted for an everyday browser, so I went back to Firefox. I'm now more often on Pale Moon.
Which Mozilla enthusiastically and fully supported Google, MS, and Netflix in support of DRM.
Their fake unwillingness from 2014 was about as transparent as Netflix's, whereby Netflix claims it is "all the MPAA/Studios" while at the same time closing down all open access APIs and locking down all their own wholly owned content behind DRM.
This is not the first time user privacy has been invaded on Firefox or by Mozilla and it will not be the last.
The fact that these Data Reporting features, and allowing FF to run "studies" on you, is an OPT-OUT setting, not an OPT-IN setting, is all the proof I need that the Mozilla of old is long dead. A privacy-respecting company would make such things OPT-IN, not OPT-OUT.
That is without even getting into the whole Orwellian Ministry of Truth they are creating, or about 100 other things.
The engineers at Mozilla are NOT the problem.
Doesn't the fact that that's even allowed to happen point to a larger problem?
I don't know, Rust and Servo seem to show that there's still the hacker spirit that was there at the beginning, it's just they accumulated a lot of 'business types' if you will over the years and they need to put that engineering face back at the top, instead of being too focused at running a multi-million dollar enterprise.
I hope you're not pretending that Servo is somehow the fastest way to browse the web...
Firefox 57+ is absolutely not the fastest way to browse the web. I'm sorry, I tried.
it hogs my memory if there's no other software running
Maybe your system is different, but for me, FF 57+ uses much more CPU than Chrome, and unlike RAM, that's a statistic that actually affects something in a meaningful way (increased power consumption).
If you're worried about Chrome using RAM when nothing else is, you might be fetishizing the concept of free RAM.
I've stuck with FF because I'm a web developer-- sadly, the money led me there from other more interesting lines of dev work-- and I don't want to see a single browser dominate the web the way IE used to.
elsewise, I'd say, try creating a new FF profile, unfortunately afaik older profiles can still jank up the browser a bit
I see Mozilla as suffering from a crisis of identity, internally; it's acting as though it is staffed by believers in the manifesto but is now steered by those enamoured with The Bay Area and its ways.
Rust, Firefox 57, and even FirefoxOS are/were noble efforts to succeed in delivering on the manifesto. Pocket and this latest advert update smack of an executive that is thirsty to exploit the Mozilla brand for profit.
The Iron Law of Bureaucracy applies to do-good missions just as easily as it does to the worst of avaricious corporations or bloated gov't depts.
First, there will be those who are devoted to the goals of the organization. Examples are dedicated classroom teachers in an educational bureaucracy, many of the engineers and launch technicians and scientists at NASA, even some agricultural scientists and advisors in the former Soviet Union collective farming administration.
Secondly, there will be those dedicated to the organization itself. Examples are many of the administrators in the education system, many professors of education, many teachers union officials, much of the NASA headquarters staff, etc.
The Iron Law states that in every case the second group will gain and keep control of the organization. It will write the rules, and control promotions within the organization." 
E.g. the company owner remains a company owner only as long as they are willing to go sufficiently far to keep the company profitable; those who don't go bankrupt and lose their position.
The bureaucrat is not special in that respect - they are "just" the natural foot soldier of those who want to maintain an organisation for the sake of the organisation.
As such the backbone of any long-lasting organisation will be made up of those who are good at both maintaining their position in an organisation, and in protecting the organisation against inside and outside "threats".
Unfortunately such threats can include those who want to focus resources on the original goal of the organisation, at the risk of diminishing the role of the organisation.
Since Pournelle mentions the Soviets: to me this is one of the most dangerous parts of Leninist party theory: it involves rules meant to strengthen a party organisation against the threat of outside force, but it also made the Bolshevik party ideally suited for party bureaucrats and power mongers, whose prime goal quickly became the perpetuation of the party and the privileges of power.
A lesson should be to make any organization as weak as it can possibly be while retaining its ability to function. Unfortunately to function that needs an even playing field, or "as weak as it can possibly be" in the face of competing with multinational corporations quickly means something much bigger than we might hope.
this works for companies, bureaucracies and everything else in life and is part of the entropy an organization accrues with time.
giving bureaucrats a weaker initial position will only extend the time before takeover.
If you can't be financially self-sustaining, then no level of desire to do good in the world will result in the long term ability to continue doing good.
It is like the phrase, Justice without power is inefficient and power without justice is tyranny. You need both profit and philosophy to do good.
After that they got into all kinds of "social signaling" shenanigans, and the rest is history.
They are horribly mismanaged on every level.
They have burned hundreds of millions of dollars to produce a second rate browser that has seen its market share collapse.
They took hundreds of millions from Google and in exchange unquestioningly supported Google's advertising and surveillance agenda.
They have consistently failed to introduce new features that would actually benefit new users.
They blame the "standards process" for their lack of innovation and features that benefit users when they know that the standards process is a b.s. game. For profit corporations break standards whenever it benefits them. Firefox is the only browser that follows standards written by Google, Microsoft, and Apple, while the other 3 break them, or force through their own changes whenever it benefits them.
Apple blocked 3rd party cookies and Microsoft defaulted to Do Not Track while Firefox kept doing Google's bidding to collect their checks. Just one example of many.
In the place of real innovation, being truly independent, and actually standing up for users Mozilla gives people dumb crusades like Net Neutrality.
Firefox could have used their market share to develop truly innovative features, like what Opera tried. For that matter they could have partnered with Opera to create standards for a true open web, but of course they never did that because the Google bucks were just too sweet for them.
Mozilla has been a failed organization for a long time. This is only the latest reminder.
You even say, "maintaining a web browser is work that needs a corporation's backing behind it (or a government's)".
I suppose we should expect the goodwill of corporate sponsorship, but this relationship can quickly turn into the "sponsor" asking for things in exchange for donations.
This situation exposes a weakness and requires the recognition of the fragility of the open source model (at least for larger-scale projects). We've seen weird corporate-backed things in NPM projects before. It happens, but what is the better alternative? How do we prevent it? Most corporations only support open source projects out of self-interest: that is, they have a stake in seeing a particular project succeed because their stack may depend on the software.
They are due to poor understanding of your own userbase. Poor communication with users and employees. Complete lack of judgement.
These are sticks Mozilla puts in its own wheels. It's hard to make money, but it's easy to know what not to do. Simply asking your employees: "Is this a good idea?" would have yielded a clear "Fuck no". That they did not do that (or did, but chose to ignore it) is a terrible sign, open source or not.
To call advertisements "user-enhancing" is an affront and betrays values like privacy that Mozilla claims to espouse.
I do not (now -- at the time that person made that tweet, I did, but not on the browser) work at Mozilla.
However. The "tiles" concept was literally an experiment in whether it's possible to construct an ad system that does respect privacy.
The basic idea was:
* Advertisers submit their ads to Mozilla. Mozilla wraps them up into "bundles", made up of a bunch of different ads along with metadata to use in determining which to show.
* The browser downloads the "bundles" from Mozilla, and caches them locally.
* The browser, based on local data only it has access to, and the metadata in the bundles, decides which ads to show.
In other words, unlike a Google-style model where the ads are stored remotely, loaded on demand, and the decision of what to show is made on the server side, this stored all ad content locally and the decision of what to show was also made entirely locally. So neither the advertiser nor the distributor could know whether a particular person saw an ad or (if they happened to) why the decision was made to show them that ad rather than a different one.
You may not like that, and you're free not to like it. But to argue that it "betrays" privacy is simply factually false. And Mozilla's mission is, in large part, to find ways to advance and sustain the web in ways that respect the users. Trying to develop a privacy-respecting way to deliver ads -- since so much of the web is dependent on ads -- is entirely within that mission.
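A minimal simulation of the bundle model described in the comment above, next to the server-side model it is contrasted with. This is an added illustration, not Mozilla's code and not part of the original comment; the bundle format, field names, class names and scoring rule are all assumptions.

```javascript
// Added illustration: bundle layout, names and scoring are assumptions.

// Constructed sample bundle: every client downloads the same content.
const BUNDLE = {
  id: 'bundle-sample-a',
  ads: [
    { adId: 'ad-1', categories: ['travel', 'hotels'] },
    { adId: 'ad-2', categories: ['programming', 'linux'] },
    { adId: 'ad-3', categories: ['cooking'] },
  ],
};

// Score = number of ad categories found in the interest set. Ties keep
// bundle order, so the choice is deterministic.
function pickAd(ads, interests) {
  const wanted = new Set(interests);
  let best = null;
  let bestScore = -1;
  for (const ad of ads) {
    const score = ad.categories.filter((c) => wanted.has(c)).length;
    if (score > bestScore) { best = ad; bestScore = score; }
  }
  return best;
}

// Distributor that records everything it is able to observe per request.
class Distributor {
  constructor(bundle) { this.bundle = bundle; this.observed = []; }

  // Bundle model: one request that looks the same for every user.
  fetchBundle() {
    this.observed.push({ request: 'bundle', bundleId: this.bundle.id });
    return JSON.parse(JSON.stringify(this.bundle)); // client keeps its own copy
  }

  // Server-side model, for contrast: the client has to send its interests,
  // so the server learns them and knows which ad it served and why.
  selectAdFor(interests) {
    const ad = pickAd(this.bundle.ads, interests);
    this.observed.push({ request: 'ad', interests: [...interests], served: ad.adId });
    return ad;
  }
}

// Browser in the bundle model: interests come from local data and stay in
// this object. The property only holds if no impression report is sent.
class LocalBrowser {
  constructor(localHistory) { this.localHistory = localHistory; this.cache = null; }

  refresh(distributor) { this.cache = distributor.fetchBundle(); }

  chooseAd() {
    if (!this.cache) throw new Error('no cached bundle');
    const interests = this.localHistory.map((h) => h.topic);
    return pickAd(this.cache.ads, interests);
  }
}

// Runs both models on the same constructed history and returns what was
// shown and what each distributor was able to log.
function runComparison() {
  const history = [ // constructed local browsing data
    { url: 'https://example.org/kernel-news', topic: 'linux' },
    { url: 'https://example.org/rust-book', topic: 'programming' },
  ];

  const localModel = new Distributor(BUNDLE);
  const browser = new LocalBrowser(history);
  browser.refresh(localModel);
  const shownLocally = browser.chooseAd();

  const serverModel = new Distributor(BUNDLE);
  const shownByServer = serverModel.selectAdFor(history.map((h) => h.topic));

  return {
    shownLocally,
    localObserved: localModel.observed,
    shownByServer,
    serverObserved: serverModel.observed,
  };
}
```

Both models pick the same ad, but only the server-side distributor's log contains the user's interests and the ad that was served. The bundle download itself is still a network request, so anything visible at the transport level is outside what this sketch models.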
Running a company by polling random employees is not an established successful management style. It's only you who is suggesting it, and then claiming that because they didn't do it, it's a bad sign.
A developer is not a subject matter expert on how to market a product. Maybe you can restate your opinion.
Most development experience I have had (open source, exclusively) comes with continual interaction with, and feedback from, a subset of users who use the software. This subset is populated mostly by power users, those who rely on the software for work, and those who use it regularly. They are the ones who understand which needs the software is meeting and which it is failing to meet, and who ask for intelligent and sensible features to be added.
The marketing departments don't have this built in compass. They create ideas that they think will be profitable to the company, and they simply don't have the necessary connection with the users and with the software to know which of these ideas will be perceived as awful by the user.
The ones creating the software are the subject matter experts on what that software should do, how it should behave, and what the users will find most useful, in this instance.
The marketers are subject matter experts on... Other stuff? Advertisements and buzzwords and increasing revenues by targeting certain demographics of people? I have experience with the marketing side of business that has perhaps reflected poorly on that profession, so I'd love to hear from anyone that can fill my knowledge gap.
He's suggesting that the most simple, stupid check one could think of (polling random employees) would already have shown this to be a terrible idea. They didn't even go that far. That is indeed a bad sign.
What are you basing this on?
I'm just a FF user, and I don't think it was a terrible idea, even though I personally wouldn't have gone that route.
Sure, and not doing any of that isn't a "terrible sign" as the OP claimed. Which is the point I'm countering.
"grab random people in your hallway and see if they approve of the new developer you hired" - HR
"grab random people in your hallway and see if they approve of the fan choice for the new cafeteria's HVAC system" - Building Management
"grab random people in your hallway and see if they approve of the calculations in the spreadsheets that the company CFO produced". - Finance department.
Hey, I think you're on to something here. We could eliminate entire departments here! :)
Maybe it needs to cost $100k for someone in a suit to say "ask your employees, make use of their knowledge" before it sounds respectable?
This clearly wouldn’t work for a consumer product like a web browser.
Mozilla has accrued a lot of money over the years. So much money that they could have funded--just on interest--a comfortable loft somewhere filled with hackers on a decent salary who are fanatical about the open web, and maybe a single guy with a tie to "call google", in perpetuity.
That should have been the base case for Mozilla: open web, modern browser, users first.
Unfortunately, brass doesn't vote itself out for the greater good. A modern browser is a delivery platform. The "open web" is a marketing tool. And users are not as important as advertisers.
The rationale is that without clout, they'll be unable to prevent worse things from happening, so they have to allow for these compromises on the open web to maintain that clout, and every setback is relegated to "not our hill to die on," with every next hill becoming "not our hill."
It seems like an unavoidable tragedy, but if we look at similar organisations, can we imagine the FSF or the EFF making compromises on their respective missions, even if they lose popularity or even run out of funding?
I feel they would rather cease to exist than allow for corruption of their stated mission.
The problem with this is that the people working on these peripheral expansion missions don't think of themselves as peripheral. When there's a money crunch or a values conflict they will fight hard for theirs even at the expense of what the organization was always supposed to be about.
Yes, it might mean scaling back, which is one of the swear words in a growth-oriented belief, but that way, the money should be enough - it was enough for a decade, what changed?
Pocket, most certainly not, though it's nice I suppose. Hello was... I don't know what it was. Checking if the market is there at all? Not something I expected to be in a browser.
That is leagues ahead of native PDF plugins which are slow, buggy, full of vulnerabilities, closed source, require a deprecated plugin infrastructure and usually can't edit documents either.
PDF.js is one of the better things to come out of Mozilla.
Sure if it piques my interest I would download it, organize it but I wouldn't go through the pains of doing that for every pdf I lay my eyes upon.
You don't have to do that. Just set your browser to open the file in a real application. It'll automagically download to some temp dir (ie, /tmp) and you won't have to care about file paths or organization at all (unless you want to).
I have tens of research papers open in my tabs at all times. But for a good experience reading I open the full text in my pdf reader.
We can dislike it, but we need to reconcile it.
For some saving bookmarks isn't effective while a solution like Pocket fits them better. Hello was an experiment to see if making video communication more accessible would connect people. Consider the saying about how no one uses every part of Microsoft Word, yet everyone uses a different ~10%.
Anyway, I think it's great that Mozilla experiment and try pushing the web forward. If only they were more transparent and consistently made these things opt in.
Seems that's no different than opening with external program, or using a plugin, or using an extension. After all, those things can be updated, whereas the browser should have more core functionality that enable new document types to be opened.
The problem isn't that they're doing too much - it's that they have nearly no business model, and any attempt to create a business model appears to be selling out to users.
There are a lot of companies doing this now and Mozilla would be far more successful if they followed this model instead of trying to copy chrome's user experience on top of their inferior browser engine.
They hijacked Mozilla to have a private playground for fun projects paid for by the search engine integration.
I like my niche obscure anti marketing parasite browsers. But I am well aware there's a lot of Mozilla code in Waterfox and Pale Moon.
And ultimately it's MS, Mozilla and Google who run this show. And out of those Mozilla is still the least bad.
Some guy posted here a week ago in wonderment over how Mozilla can maintain a browser for a mere $400M+ a year. $400M+ a year!!!
If it takes that much engineering to deliver something which is not substantially different than what we were using 17 years ago, I'd count that as an engineering failure.
* Display web pages
* Show images
* Play songs and videos
* Download files, and more!
Almost anywhere outside of NYC and SoCal, $400M is still an epic shitload of money.
Well, how do you suggest doing this when it appears that the relevant decision-making parts of Mozilla do not answer to anyone "on our side" in any meaningful way?
It seems to me that the only solution is to make an organisation with a fundamentally different system of governance. By virtue of institutional inertia, I figure it would be very hard to do this by actually raising a competing project from the ground up and hoping to capture any of Mozilla's market share or developer base (not to mention the amply made elsewhere in this thread point that Mozilla is big and expensive for a reason).
The far easier, and quite well-tried, solution is to put financial and social pressure on the current leadership to voluntarily open itself to downstream control. The former may be most easily achieved by having an Iceweasel-style "condom organisation" gain traction - that is, someone who tries their best to replicate all of Mozilla's user-facing I/O (releases, sync servers...) in a timely fashion, systematically acts as a QC layer to strip bad decisions like this or Cliqz and otherwise does not waste developer time on niche interests like classic UIs. For the latter, whatever you may think of the person or the tactic, the Brendan Eich story unfortunately shows that pitchfork mob tactics work on Mozilla. Even more cynically, it may be the case that they are the main way anything gets done these days. The (very significant, in my eyes) moral reservations aside, from a result-oriented perspective of what is most useful to reform Mozilla as an organisation, is there any good argument against the "identify a representative set of heads behind this latest measure and call for them" approach?
Yes. If anyone wants to do a git bisect to find when the Mozilla Corporation lost its integrity, we can say it was definitely "bad" by the time they forced out Eich in April 2014.
He was the only one higher up keeping that from happening and they didn't even wait until the body was cold to push that agenda.
This was the new interface, right? I just saw this the other day and thought it looked pretty good; was actually considering a trial switch back (after moving to chrome years ago, when a single bad tab would take down the entire browser).
That’s now put on hold - a compulsory extension is one thing, but having it be purely for advertising is a massive “No” flag to me.
I’m of the view that getting (most) people to consider switching browsers only comes every few years and requires a very large incentive; “We’ve fixed that one incremental problem” isn’t enough. A complete revamp would do it, but takes time to permeate into consciousness. And in the meantime they do this. “Squandered goodwill” seems to be spot-on.
so that's why you stick with chrome, a browser designed to send all your browsing habits straight to google, the largest online advertising company and commercial tracker in the world?
Edit: (+) Sir_Cmpwn, At least not working for me when I try seeing the pages with H264 encoded ones, and when I search, this is what I find:
"What Chrome Has That Chromium Doesn’t
AAC, H.264, and MP3 Support.
Adobe Flash (PPAPI)."
Chromium is not equal to Chrome.
Remember, the extension was not there to advertise the show!
I don't know if that affects the way you're using the term "for advertising", but it affects how I care a lot.
Google’s behavior with Android/AOSP suggests they’re more than willing to make the open source version of Chrome useless in practice the second there is no viable competition.
I don’t see any organization other than Mozilla that can keep them honest.
Nope. According to their financial statement, the Mozilla Foundation had $69M in "cash and cash equivalents" at the end of last year, about $329M in investments, and literally gave away millions of dollars in grant funding. It's not entirely clear to me how the financial interaction works between them, but the privately-held Mozilla Corporation (i.e. the 1000+(!) employee company that actually makes Firefox, and which the Foundation owns as a subsidiary) had over $500M in revenue from their search engine deals...
See "State of Mozilla 2016" https://www.mozilla.org/en-US/foundation/annualreport/2016/ and also check out the Foundation's financial statement and tax form PDFs on the bottom for more details.
The original reason behind them establishing Mozilla Corporation over Mozilla Foundation was that they can keep this practice going while being safe from taxmen reprimanding them for pocketing what is a charity income from tax standpoint.
Now, Mozilla Corporation bills Mozilla Foundation for "service offered at a market price" to do its "socially beneficial, free of charge and any expectation of remuneration" activity, which is selling ads.
You touch on an interesting point, maybe Firefox should be soliciting donations from governments who are concerned about the US surveillance state instead of relying so heavily on search ad revenue and being forced to turn to things like this to make a buck.
Although they should probably not be in charge of the actual development, is it really crazy to think that Firefox could be funded by governments? At some point it is a public service.
Let's not overstate things. Firefox 57 gained good will from some users. It also seriously annoyed others, both because of the loss of many useful extensions, and because the new version is horribly buggy and crashes all the time.
The one thing Mozilla still had going for them compared to Google or Microsoft was the emphasis on privacy and respecting the user, and yet I've read about several different cases in recent weeks where that trust has been undermined, this being the latest.
Really? I haven't experienced a single crash, and I was on nightlies before 57 was released, so I could try Quantum.
That has not been my experience, so let's not overstate personal anecdotes as facts.
I happen to be an existence proof for the bad experience group, but a few seconds with your favourite search engine will readily confirm that I am not alone. I don't know what the ratio of lucky to unlucky users is, nor did I claim to.
It was a poor taste joke at the wrong time. Mozilla is gonna regret this.
This is such a terrible way to make an argument, present a case, or say anything that can't be said in a few dozen words. He has a blog, it's linked right there. I can't understand why people use twitter like this.
That said, everyone uses Twitter differently. I tweet a lot. Some people don't. I personally blog when I have a long-form, well thought out thing to say. I tweet whatever is on my brain at a given moment. Twitter is more raw, more personal. This is a raw, personal issue for me.
This is pretty bad though, I'd say this is worse than the Pocket thing because it's abusing the trust and good will of their users.
What a difference a week makes!
Then this thing blew my machine up the other day, I lost days of work, and...hmm. I don't know why a company would ever do something like this, it's incredibly foolish.
Perhaps the problem is the fact that the Web is so complex that popular web browsers could only possibly be developed by corporations to begin with.
Not since the incident.