Adjusting My Thinking

I have been spending the last 2 weeks in the office in Mountain View (going home Saturday. Yeah!) and have had some really interesting meetings and thoughts that I think I should talk about. And I am going to start with one that occurred today as I think it’s going to end up possibly changing some of the thinking on other topics.

So I decided to attend the bi-weekly Contribute Group Meeting, which is an open forum where we discuss how we can better engage the Mozilla community in our particular areas of focus. I went into the meeting with the idea that we (the product security) team needed to do more or do something different to engage the community to participate more in the things we are trying to accomplish. I know people care about security here and I have been talking about it on my blog, on the official security blog, on mailing lists, on twitter; but results have not really been evident. We have shared a public calendar so people can see when the meetings are, and the how to attend details; and I talk about each weeks upcoming meetings in several venues. We make the notes of these reviews public on our security wiki and try to encourage discussion on our open IRC channel #security. But still the best I’ve seen to date is one person who labeled themselves as “lurker” on an etherpad, they did not speak on the call (if they were there), did not participate in the IRC channel and did not type anything in the etherpad. Other than the paid Mozillians who have been invited directly to the meetings no-one else has really been participating. I really do want more participants in our meetings to help give their cognitive power to improving Firefox security.

The meeting turned out to be very impact-full, not only in ideas but how I perceive the company, the community and my role in all of it. The best quotable for me (and this is from memory) came from David Boswell; “Mozilla is a community that has an organization that supports it, not an organization with a community around it“, in essence the company exists to allow some people to be full time community contributors. It is not above or below or separate from the community but an integral part of it. For me this is a shift in thinking, this is my first experience in open source community development and being unused to the idea I had been thinking of Mozilla as more of a paid guiding hand. That we were here to make decisions that others maybe could not make and in some way apart from the community. In the end that change was realizing that I am part of the community, the community is part of Mozilla; they are inseparable and we need to remember this as we do what we do on a daily basis.

David and I continued our discussion for a bit after the meeting as I was still sort of grasping at this concept and the last key that brought it home for me is the other passion in my life. When I am not working I volunteer with the Boy Scouts of America, my son is a Cub Scout, I am an Eagle Scout and I want to pay back all the great skills and experiences I had as a young man being a Scout. Much like Mozilla the BSA is a non-profit and has a paid staff, many of whom also have children who are or were at some point Scouts. We sometimes don’t treat these paid Scouts as we would the full volunteers there is a mental block of “they are paid so they must be different“, and to be effective in our missions (both BSA and Mozilla) we have to drop this thinking. The paid BSA/Mozilla members are as much the BSA/Mozilla as any of us. We are a community with a goal, we have roles to play in that community that are based on our talents and desires. This sometimes means that decisions are made by people who are paid and sometimes are made by people who are not, but they are all the same community and we all need to show respect for all sides in these decisions.

So thanks to all Mozillians and the Contribute Group, you’ve given me something that goes beyond just my work. You’ve given me a mindset that will help me be more successful in communities that drive my passions. And hopefully I can use what I have learned to engage all of my communities more effectively and in a way that helps others have value too.

Posted in General, Uncategorized
7 comments on “Adjusting My Thinking
  1. Kyle Huey says:

    Glad to see you’re drinking the Koolaid 😉

  2. davidwboswell says:

    Glad to hear the Contribute group meeting was helpful and I’m looking forward to helping try out new things to get people involved in security projects.


  3. nice post! For those of us who’re part of Mozilla project since forever it’s easy to forget that some people joined us just recently, and that we all must help them find their place in the community, cause one is not granted solely due to the act of hiring.

    I hope that I will always have the same kind of sensitivity that you have and documented in this post. 🙂

  4. ian melven says:

    good post, Curtis. i had the same sort of epiphany while at Blackhat talking to folks who work on other browsers. i realized it’s not so much about what i could do for Firefox to make it competitive with other browsers with respect to security, it’s more about what can Firefox do to help secure the whole web and everyone on it. i’m flattered to be part of the community, and especially to be employed working on the open web !

  5. Mook says:

    Sorry if I’m wrong, but it sounds like a lot of you and your team spend large amounts of time in meetings. For me at least, that’s the sort of thing I am least likely to be doing – in my case, because I have a separate job and therefore can’t be making the time to attend; and when I did, it was audio-only (Skype to the 1-800 number) and not nearly useful.

    Of course, face-to-face meetings can be a great boon to productivity; but that doesn’t scale beyond people you can see the faces of 🙂 Don’t stop having them; just consider supplementing them with other things that are not synchronous.

    Also, the blog posts I’ve seen so far (I might have missed some, there didn’t seem to be very many) were process-heavy, and random people off the internet are, I imagine, less likely to follow those. Are the people involved in the projects you’re interacting with leaning towards employees or volunteers? How do you envision outsiders (that’s who we are, after all) to be contributing in your area?

    … I’m rambling, take this with pinches of salt 😉

  6. curtisko says:

    I personally spend a good deal of time in meetings; but that is the nature of my job I’m a program manager. I have to go to status meetings to get and give information to keep things on track that would not be possible one team or group at a time. Most of my team does not spend as much time in meetings as I do. They have better things to do like fuzz code, do penetration tests, or work on technical features.

    As a security team we spend about 4 hours a week in meetings doing security reviews as this is the most efficient way of accomplishing them and yes they are audio only. Part of the reason why is the software to do many to many video costs money and it does not scale to very large groups like the community; it’s just not cost effective to have more video. We do, however, use etherpad and irc to supplement that and we document everything on the public wiki so anyone can add thoughts or comments. And that is the way almost all meetings at mozilla occur unless there is a good reason for video.

    Reviews are done with whomever has the most knowledge about a feature or a patch, that can be paid mozilla or volunteers or both. The process exists so we don’t miss important items, we don’t do process for process sake and we try to keep it as light as possible. As to how I envision “outsiders” getting involved; I don’t view the community as outsiders, as I said in my post we are all Mozilla paid or not. So to some degree that is up to each person. We have volunteer fuzzers who want to work on that kind of stuff. People who want to learn about secure coding can get involved with our patch reviews and security researchers may want to know what we are doing with features so they can help us find flaws we can avoid or do research on new areas to expand security research. Or maybe you just want to learn more, this is a great way to see the kinds of architectural flaws we try to find early and avoid.

    And now I am rambling 🙂 but great questions keep them coming, and keep talking to us. We hang out in a public irc channel at #security on the Mozilla irc servers.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: