Firefox’s Windows XP Users’ Upgrade Path

We’re still trying to figure out what to do with Firefox users on Windows XP.

One option I’ve heard is: Can we just send a Mozillian to each of these users’ houses with a fresh laptop and training in how to migrate apps and data?

( No, we can’t. For one, we can’t uniquely identify who and where these users are (this is by design). For two, even if we could, the Firefox Windows XP userbase is too geographically diverse (as I explained in earlier posts) for “meatspace” activities like these to be effective or efficient. For three, this could be kinda expensive… though, so is supporting extra Operating Systems in our products. )

We don’t have the advertising spend to reach all of these users in the real world, but we do have access to their computers in their houses… so maybe we can inform them that way?

Well, we know we can inform people through their browsers. We have plenty of data from our fundraising drives to that effect… but what do we say?

Can we tell them that their computer is unsafe? Would they believe us if we did?

Can we tell them that their Firefox will stop updating? Will they understand what we mean if we did?

Do these users have the basic level of technical literacy necessary to understand what we have to tell them? And if we somehow manage to get the message across about what is wrong and why,  what actions can we recommend they take to fix this?

This last part is the first thing I’m thinking about, as it’s the most engineer-like question: what is the optimal upgrade strategy for these users? Much more concrete to me than trying to figure out wording, appearance, and legality across dozens of languages and cultures.

Well, we could instruct them to upgrade to Linux. Except that it wouldn’t be an upgrade, it’d be a clean wipe and reinstall from scratch: all the applications would be gone and all of their settings would reset to default. All the data on their machines would be gone unless they could save it somewhere else, and if you imagine a user who is running Windows XP, you can easily imagine that they might not have access to a “somewhere else”. Also, given the average level of technical expertise, I don’t think we can make a Linux migration simple enough for most of these users to understand. These users have already bought into Windows, so switching them away is adding complexity no matter how simplistic we could make it for these users once the switch was over.

We could instruct them to upgrade to Windows 7. There is a clear upgrade path from XP to 7 and the system requirements of the two OSes are actually very similar. (Which is, in a sincere hat-tip to Microsoft, an amazing feat of engineering and commitment to users with lower-powered computers) Once there, if the user is eligible for the Windows 10 upgrade, they can take that upgrade if they desire (the system requirements for Windows 10 are only _slightly_ higher than Windows 7 (10 needs some CPU extensions that 7 doesn’t), which is another amazing feat). And from there, the users are in Microsoft’s upgrade path, and out of the clutches of the easiest of exploits, forever. There are a lot of benefits to using Windows 7 as an upgrade path.

There are a few problems with this:

  1. Finding copies of Windows 7: Microsoft stopped selling copies of Windows 7 years ago, and these days the most reliable way to find a copy is to buy a computer with it already installed. Mozilla likely isn’t above buying computers for everyone who wants them (if it has or can find the money to do so), but software is much easier to deliver than hardware, and is something we already know how to do.
  2. Paying for copies of Windows 7: Are we really going to encourage our users to spend money they may not have on upgrading a machine that still mostly-works? Or is Mozilla going to spend hard-earned dollarbucks purchasing licenses of out-of-date software for everyone who didn’t or couldn’t upgrade?
  3. Windows 7 has passed its mainstream support lifetime (extended support’s still good until 2020). Aren’t we just replacing one problem with another?
  4. Windows 7 System Requirements: Windows XP only needed a 233MHz processor, 64MB of RAM, and 1.5GB of HDD. Windows 7 needs 1GHz, 1GB, and 16GB.

All of these points are problematic, but that last point is at least one I can get some hard numbers for.

We don’t bother asking users how big their disk drives are, so I can’t detect how many users are cannot meet Windows 7’s HDD requirements. However, we do measure users’ CPU speeds and RAM sizes (as these are important for sectioning performance-related metrics. If we want to see if a particular perf improvement is even better on lower-spec hardware, we need to be able to divvy users up by their computers’ specifications).

So, at first this seems like a breeze: the question is simply stated and is about two variables that we measure. “How many Windows XP Firefox users are Stuck because they have CPUs slower than 1GHZ or RAM smaller than 1GB?”

But if you thought that for more than a moment, you should probably go back and read my posts about how Data Science is hard. It turns out that getting the CPU speed on Windows involves asking the registry for data, which can fail. So we have a certain amount of uncertainty.


So, after crunching the data and making some simplifying assumptions (like how I don’t expect the amount of RAM or the speed of a user’s CPU to ever decrease over time) we have the following:

Between 40% and 53% of Firefox users running Windows XP are Stuck (which is to say, they can’t be upgraded past Windows XP because they fail at least one of the requirements).

That’s some millions of users who are Stuck no matter what we do about education, advocacy, and software.

Maybe we should revisit the “Mozillians with free laptops” idea, after all?



Who needs the NSA? FLOSS is bad enough.

Here’s a half-hour talk (with 15min of Q&A at the end) from FOSDEM 2014, an open-source software conference held annually in Brussels. But I know you won’t watch it, so here’s the summary.

NSA operation ORCHESTRA has had a successful first year of operation. With a budget of $1B, and breaking no laws (or even using FISA courts or other questionable methods), they have successfully:

  • kept the majority of Internet traffic unencrypted, so that it can be read by anyone
  • centralized previously-decentralized technologies (e.g. Skype) under companies friendly to the NSA (e.g. Microsoft)
  • created a system of finances that encourages outside influences on proprietary software and transparent bribery
  • created a system of patent expectations that allows companies friendly to the NSA to squelch smaller players that might create disruptive technologies
  • encouraged poor community policies and practices in Open Source projects to help derail useful work through arguments about licenses, naming conventions, and bikeshedding

The joke is that ORCHESTRA doesn’t exist (as far as we know). The software community has been doing this by itself, without encouragement or aid, for years.

“kept the majority of Internet traffic unencrypted, so that it can be read by anyone”

Internet traffic is unencrypted largely because it is expensive to encrypt things. Well, this isn’t true, as one could always self-sign a certificate for one’s webserver and then be able to guarantee that the number of parties in the session does not change in the middle of your transaction. This doesn’t happen because a browser connecting to unencrypted sites displays no warning. But a browser connecting to a site with a self-signed certificate shows a big nastygram that is difficult to understand, let alone bypass:connectionIsUntrusted

Emails are unencrypted because using encryption software on email is difficult, not interoperable, and ceases to work as soon as you want to send email to someone who isn’t capable of decrypting your message. In short: if Amazon can’t encrypt their shipping notification when they send it to you, then it won’t work.

Generic traffic is unencrypted or badly-encrypted (which is, in some cases, worse) because encryption is hard, and the premier tool for using it, OpenSSL, is so poorly documented and has such awful default settings that you’re as likely to encrypt your cat as you are your chat.

(This is where Mozilla could step up with its Mozilla Open Source Support program and offer cash incentives to improve the software and documentation and fund needed audits of the codebase.)

“centralized previously-decentralized technologies (e.g. Skype) under companies friendly to the NSA (e.g. Microsoft)”

Skype, once bought by Microsoft, centralized its encrypted communications under Microsoft’s servers. This aided in the directory service and NAT-busting parts of the protocol, sure, but also provided a single target for subpoenas and other court orders.

As Apple is helping make the public aware, it is beginning to seem as though the safest course is to code things so that even the dev can’t read them.

created a system of finances that encourages outside influences on proprietary software and transparent bribery”

The entire system of Venture Capitalism is rife with abuse and corruption. That funding isn’t coming from the NSA is incidental as VCs come in and drop $10k on a startup in exchange for influence and a piece of the pie. If your funding is coming from someone who thinks you should pivot away from usable crypto, you aren’t going to argue with the paycheque.

Also, if you are the NSA and need an easy way to pay an informant, you can say to her “Tell your boss you quit to form a startup. We’ll set you up in the Valley with $1M in investment. Just surf the web for a year or two.” Easy rewards, perfectly legal.

“created a system of patent expectations that allows companies friendly to the NSA to squelch smaller players that might create disruptive technologies”

Software patents in the United States are an easy tool for larger companies to prey on smaller ones. If you are a small company that patents something that amazingly doesn’t infringe on other patents, a large company, friendly to the NSA, can scoop them up and squelch the startup in a fit of managerial pique. If the patent does infringe on a friend-of-the-NSA’s patents, the small company is squished under the lawyers’ boots.

“encouraged poor community policies and practices in Open Source projects to help derail useful work through arguments about licenses, naming conventions, and bikeshedding”

Here’s the kicker for Mozilla and others trying to make a difference in the Open Source space.

The NSA doesn’t need agents provocateurs to derail conversations. Well-meaning contributors do all the time.

The GCHQ don’t need to distract us with fights about licensing or superficial changes. Users do that all the time.

CSIS agents aren’t sowing doubt about what is better to stop us from doing what is good. Our own internal voices shout quite loudly enough.

…so, what do we do? Well, a good start for those of us in Open Source communities, is to think before we type. Bikeshedding slows us down, but software quality is an imperative. Licensing just doesn’t matter as much as you think it does and is as personal a choice as one’s toenail polish colour.

The next step is to realize that these are generally not technological problems. They are political. They are social. They are human. Developers and technical managers and architects might be some of the best people to understand these problems, but not the best people to solve them.

We need outside help. We need politicians who agree to be helped to understand these complex issues and take action. We need community managers who understand the needs of the project and the needs of humans and how to step between or step away. We need each individual to actively and sincerely stop sucking at talking to others because the harm we’re doing reaches beyond the mailing list and affects users.

We have seen the enemy, and it is us. It is also them. But we can fix “us” so that we are able to fight “them”. I think.



Self-Driving Cars: Inside the cabin

The above talk was given at SXSW this year. It’s an excellent talk, but I understand if you don’t want to watch the whole thing.

I especially love how he totally doesn’t mention that the “driving on the freeway” concept is exactly how Tesla’s AutoDrive currently works.

The bit that really caught my attention was at 17:09 where Chris Urmson shows a rendering of what a self-driving car’s interior could look like. No steering wheel, a small display… more like a small living room if the chairs or chesterfield had seatbelts.

A rendering of what the interior of a self-driving car might look like. Instead of a steering column and control surfaces there is a luggage shelf and a small display.

Something in my brain was instantly repulsed by this. Not the design, which is fine. Not the lack of leg room, though my lower back tightened up slightly. Not the complete lack of heating vents, which would make it useless in Canada.

Eventually I realized it was, incongruously, the absence of a steering wheel that caused me to go “Nope.”

But this is a self-driving car! The whole point is that there is no steering wheel! Don’t you get that?

Well, yes, I do. Which is why it took me so long to figure out what was bothering me about the render. I was, and still am, convinced that the lack of a steering wheel and other control surfaces is a benefit, not a detriment. But there are some use-cases I think a lack of a steering wheel will significantly hamper.

Self-driving cars are excellent if the car knows where you are and you can tell the car where you are going. “OK Google Car, take me to work” “OK Google Car, let’s *sigh* go to the in-laws”

But what if you don’t? “OK Google Car, take us someplace nice for dinner”

It can take you to the closest Google+ listing for a restaurant. It can find the most efficient route to take you to a Michelin Star-rated eatery in a neighbouring metropolis. But you can’t browse. You can’t see the line from the street and change your mind and say “Actually, where else could we go?”

But maybe this isn’t a common enough use-case to care about. Maybe having to choose from amongst the available options before you put the car in motion is a good thing.

“OK Google Car, take me to my coworker’s BBQ” << Where is that? >> “According to the invitation, head to the Red Barn past the crossroads, take a left, then keep going until you see the balloons or a sign saying Kalamazoo”

Or: << Arriving at destination >> “OK Google Car, make sure not to park next to the begonias or my mother’ll kill me”

Or: << Arriving at destination >> “Aw nuts the parking lot’s full. Guess we have to park in the field. Watch out for the furrows or we’ll never get out.”

Is it enough to create a car that can only do most of what other cars can do? There is already an understanding of how that works in the snowier parts of the world: there are some cars that can drive before the snowplow gets to your street, and there are other cars that cannot. But will this sort of restriction, like range anxiety for electric cars, slow adoption of this crucial piece of transportation infrastructure?

I think it is necessary that people who cannot drive still be able to get where they need to go. I think it is necessary to eliminate traffic fatalities as an understood fact of life.

I think it is necessary that the Google Self-Driving Car team think some more about how the car interacts with its occupants at the same time they’re thinking about how the car interacts with its adjacent road users.