Ian G wrote:
> thanks for your response. I understand that you
> picked the short straw on that one. When I say
> "you" below I really mean Mozilla.

I answered what I thought to be your main issue.

> I don't particularly think it productive to debate
> all those points - yours or mine or anyone else's,
> so I'll try another approach. I'm going to describe
> the bigger picture in people terms.

Let me clarify from my point of view, and from my experience in the open source world in general and in the Mozilla project in particular: it's not productive debating this here. Code talks.

There are some cool ideas worthy of implementation, some ideas worthy of experimentation, some research projects worthy of converting to deployable customer features. There's plenty of all of that available. (There's also totally new stuff, and debating the finer points of implementations, but that is separate.)

Now the way I see the way forward is: code. Or if you can't code, recruit coders to work on some promising anti-phishing feature.

One of the many reasons why nobody from the more active, long-time Mozilla coder population seems to have picked these phishing ideas to implement is that they simply don't know. They are busy as is with all the work they are doing currently. Since this is open source and by definition volunteers will work on what interests them, maybe they haven't found phishing interesting.

Talk to the coders. Show them an interesting project. Start with something that can be implemented easily and quickly, then move on to more ambitious projects. Griping about the lack of process here is counter-productive.

I guess I should clarify that I probably won't be available except for a dirt simple project, since I am more than busy enough with my other open source project. I do have an interest in seeing improvements in this area, hence my messages here.

> at different paths ... but I hope I've established that it
> is not because they don't know what they are talking
> about.

I haven't claimed they (you) aren't.

> These people are putting time and effort into phishing.
> They all happen to know more about phishing than
> Mozilla does, on the face of it. They are here to find
> out what Mozilla's plan is, and to help if possible.

That I find misleading. You talk about Mozilla and in this case I assume you mean the whole Mozilla community. Well, since you et al. are discussing this phishing here, *you are part of Mozilla*. I see the blame goes on you as well if nothing gets done. See above how I think you could get the tires rolling.

> The solution isn't compared with some other solution,
> it isn't suggested that maybe they could work on
> a better one, and they don't get quizzed on why they
> chose path X not path Y.

Since you claim the other Mozilla people are not experts, but the list of people you named above are, why are YOU not debating the pros and cons and then coming up with best-of-breed solutions and getting some developers to implement them?

> Nobody says "hey we need to talk to this guy" or
> maybe "first we need to do XXX to lay the groundwork"
> or even "you two guys get together and unify your
> approach."

Why don't YOU do it?

> So when Ping asks "who's in charge," he isn't asking
> for a statement that there is someone in charge, he's
> asking for a name, a place, an intro so he can take
> the discussion to someone who can integrate the
> complexities across the teams.

And I pointed you and him to the Mozilla Security Group. It has a list of names. You could start down the list and see if you could get anyone committed on implementing some anti-phishing feature. It shouldn't be too difficult to find their email addresses. If you can't, let me know.

> case. Or tell us where to find them.

I already did.

> If they are working on it, then tell them to put up an
> announcement saying they are working on it. Tell us
> where the suggestion box is.

Mail the group. Mail the individuals. Be specific. It's much easier to start with a single, well-defined project and go from there once you have the attention.

One of the reasons why you may see few contributions from the security group people here is that many have the assumption that the newsgroups' signal-to-noise ratio is so low that they don't have time to read these groups.

> This is why I wrote about the policy of doing security
> work in secret. That policy is now being used as
> a fig leaf to hide the fact that nothing's been done.
> That's not good policy and now we can all see it.

Implementations are not secret. If someone was working on an anti-phishing feature, it would be public knowledge.

> Phishing does not trigger the policy of doing security
> work in secret because phishing is public knowledge.
> If you doubt this, check the press. We can probably
> send you 10 articles per *day* on phishing, just ask.

You can drive all the anti-phishing work you want without ever getting into the Mozilla Security Group. Although if you did significant work, you'd probably be invited anyway.

I'll leave you with one interesting research paper about a Mozilla anti-phishing skin - unfortunately I have not had time to read it through yet, but if this is deemed to be good and usable in a mass-market product for everyday users, then we need to move this project from the research phase into an active extension, or maybe even installed in the default product. See http://www.sims.berkeley.edu/~rachna/papers/securityskins.pdf

PS. Sorry if the tone of this email is somewhat frustrated and confrontational. However, I do think I have provided concrete things on which you can act, and get something done. It's time to stop complaining and start doing.

--
Heikki Toivonen
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security