Monday, August 17, 2009

The MoCo Meeting

Veteran Mozillians already know about the "MoCo Staff Meeting" which takes place "two minutes" after Mozilla Project meeting every Monday at 11am. Mozilla community members who don't know of this meeting are likely idiots.

What most people outside of the Mozilla Corporation's claws don't know is the content of this meeting. The Mozilla Corporation claims this meeting covers items that are "MoCo-specific", but how does one define such things, especially as the concept of "One Mozilla" is pushed more and more?

Must it be private that Corporation employees will get one free Infectious laptop or iPhone skin? (Quick, fill out the form now!) Or that the Mountain View office is hosting a summer ping-pong tournament? How about the new "Mozilla Conduct Guidelines" which discuss conflict of interests? Anyone interested? (Did I say "Mozilla" instead of "Mozilla Corporation"? That might be because the ignorant fucks at the Mozilla Corporation don't know the difference.)

I've reprinted the original "Mozilla Conduct Guidelines" (taken from Mozilla's internal forum) below—without permission, naturally.

But this post can't end with such a mundane leak. Who gives a flying fuck if Mozilla doesn't allow senior developers to have children because it'd be against their "Conduct Guidelines"? Or if Mozilla employees stop filing bugs against the WebKit project or participating in public working groups that might not be related to their jobs?

That's right, not a damn person (or Lizard) in this world.

Here's what you care about: following the Mozilla Corporation's private discussions.

There are two methods to following the Mozilla Corporation's private, weekly meeting. I'll discuss them both here, starting with the easiest.

Method 1

First off, get yourself Skype. No, really. Go download Skype right this very second. Skype is wonderful. It allows you to dial any 800 number (or 866 or 877 or 888 number) for free from anywhere in the world. If you want to listen in on Mozilla meetings, public or private, use Skype. Mozilla employees will be unable to track where you are in the world and also be unable to block you. (They can't block Skype, their own employees use it!)

Second, dial into the Mozilla Project meeting every Monday and listen for when it ends. Don't worry about anything else at that meeting; it's completely useless and quite likely just another manifestation of Mozilla's lazy attitude. Instead of letting developers do their jobs and earn their pay, Mozilla's overlords force developers to waste 1-2 hours every Monday listening to boring, useless shit that's all reprinted on their public wiki. And, as a developer said at the most recent MoCo meeting, "chop[ing] [his] afternoon into 2 chunks of 1.5 hours each ... is pretty much useless for getting anything done."

Er, sorry; your faithful servant was distracted by some stupidity that needed skewering. Where was I? Ah, yes, listening in on that MoCo meeting. As soon as the Mozilla Project meeting is over, dial in again, but this time to the conference bridge 8611. Unfortunately, you need a six-digit PIN to listen in on this conference room. Don't worry, I have your PIN below, but first...

Who in their right goddamn minds decided that a six digit PIN was a good idea? Unless the PIN is changed every fucking meeting, it's not hard to hack. There are 1 million possibilities and you can guess that some are very unlikely (e.g., 123456 and 000000). Even if you were too stupid to remove the unlikely PINs, there's still at least a five-day window to try and brute force the PIN, assuming Mozilla changes it every week. At a rate of one per second, you have 432,000 tries, which is nearly half of all possible PINs.

But Mozilla's IT department is a bunch of fucking retards and only changes the PIN monthly. Changing it monthly was for "security" reasons, to keep the general public from getting in after employee changes or other leaks. In case it's not clear, this change was made specifically because of your faithful Lizard and the many leaks received. Prior to that, it hardly ever changed. Of course, now you have (at minimum) a 20 day window to brute force, giving you 1,728,000 tries at one a second. Might as well take your time.

Fucking morons.

Your PIN is 949874, which is also the password for #moco on irc.mozilla.org. Enjoy!

Method 2

The problem with the method above is that, invariably, some Mozilla Corporation employee will read this blog and change either the PIN or the conference room. Don't worry, I'll tell you when they do, but if you want a more sure-fire way, Method 2 is your homeboy.

This method is a bit more complicated, but I invite true hackers to invest some time into it.

First, some background.

Mozilla uses a backend authentication system called "LDAP" and, specifically, "OpenLDAP". OpenLDAP is mere computer software and is easily hackable. Mozilla has modified their version of LDAP to require password changes from employees every three months. While yours truly doesn't find this to be anything but security theater, Mozilla IT is—as mentioned above—a bunch of fucking retards.

Each week, Mozilla broadcasts its private meeting to Mozilla Corporation employees using the following URL, protected by LDAP authentication.

https://icecast.mozilla.org/corporate.ogg

If you're planning to attempt to brute-force a user account, you should know that they almost all end in "@mozilla.com" and typically take the form of "first initial, last name", e.g. dportillo for Dan Portillo, Mozilla's VP of Organizational Development. Start with marketing (because they're idiots with simple passwords) and move to groups like legal, business development, and recruiting. One thing to note is that OpenLDAP only allows a certain number of failed attempts before cutting you off.

But there is another way...

While I won't give away my specific method, do some googling on OpenLDAP exploits. Spend time investigating exactly what version Mozilla employs and how it can be cracked. Virtually everything is behind LDAP at the Mozilla Corporation. You only need one exploit to get in...

... And once you're in, feast your eyes on their phone book (for a list of all employees), PTO application (makes it easy to find who's around so you can use their login), org chart (what fuckface just got a promotion), forum (where the idiots congregate), and internal wiki (lots of crap and a few good passwords).

If you're smart, you'll use Tor to bounce your location so Mozilla Corporation employees can't find you. If you're really smart, you'll use your new powers to access internal machines and do your browsing from there. Do you truly believe the Mozilla Corporation has logs for every machine behind LDAP? The fucktards don't even know how to protect a PIN!


With that, the great and faithful Lizard returns to you, mind and disk full of Mozilla Corporation leaks ready for you to read. A return to regular posting begins now.

P.S. To all Mozilla employees: Did you really fucking think I left? Are you that stupid? I watched you talk about me last week in #moco. I watched through the eyes of an employee. I've been watching your forums, videos, IRC, and intranet; I've listened to your phone calls. I have enough board slides to last a year, including the ones on video.

P.P.S. To John Lilly: Withholding your board slides from employees doesn't help transparency; it hurts it. Start sending them out to employees again, beginning with the slides from July 15. I have a large set just waiting for public eyes.



Mozilla Conduct Guidelines

The following may seem like obvious behavior guidelines; however, it is worth articulating some legal and policy rules that guide our behavior as employees. The areas where questions arise most often are as follows:
  • Conflicts of Interest
  • Relationships with Related Parties
  • Gifts
  • Alcohol Policy
  • Confidential Information

What’s a Conflict of Interest?
A “conflict of interest” exists when a person’s private interests interfere or conflict in any way with the interests of Mozilla. In particular, the potential conflicts we’re concerned about for the purposes of this policy are those that may arise from: i) positions or activities with a competitor; ii) engagements with someone with whom the Mozilla Corporation or the Mozilla Foundation has a business relationship; and iii) activities that interfere with the performance of your job.

What’s the Conflicts Policy?
Conflicts of interest are prohibited, except in the case of an employee who has received prior written approval as described herein. Conflicts of interest may not always be clear-cut, so if you have a question, you should consult with HR pursuant to the disclosure procedures. If you are already involved in an activity that may conflict with the policy stated above, please follow the disclosure procedures, and HR will evaluate and try to find a path forward that protects the interests of both you and the organization.

What Should I do to Avoid Conflicts of Interest?
Review and adhere to the guidelines and disclosure guidelines set forth below. The goal is to both encourage the diverse interests and contributions of Mozilla employees outside of the Mozilla project, and to make sure Mozilla’s interests are protected.

What’s a “Business Relationship” with Mozilla?
Any relationship between Mozilla and a 3rd party where the parties cooperate in some reasonably structured and organized fashion in the context of a commercial transaction. It may encompass relationships defined by formal contracts and those without. It also includes relationships that do not involve an exchange of financial consideration. The following are examples of activities that constitute business relationships:
  • Add-ons offered via AMO;
  • 3rd party service providers or developers of code that is bundled/integrated with any Mozilla products;
  • Contracts with 3rd parties (e.g. vendor, consultant, search providers, distribution, ecommerce plug-in providers);
  • Involvement with trade associations, standards bodies, or working groups (e.g. XYZ); and
  • Prospective 3rd parties in negotiations with Mozilla that may fall into any of the above categories.

Are Activities with Groups, Projects, or Companies, that Have a Business Relationship with Mozilla OK?
It depends. While you are an employee of Mozilla, you are prohibited from accepting simultaneous employment with or otherwise working for (outside your responsibilities as Mozilla employee) any person or entity with which Mozilla has a business relationship, without the prior written consent of Mozilla. Thus, if you want to engage in such an activity, including outside consulting, you should review these guidelines and check with HR via the disclosure process described below to make sure there are no issues.

Can I work for Competitors?
No. During your employment period with Mozilla you are not allowed to work for a competitor in any capacity. Full-time employees of Mozilla are expected to devote substantially all of their business time and attention to their employment with Mozilla.

What’s a Competitor for the purposes of the Conflicts Policy?
This is a difficult area because the definition of competitor changes as the Mozilla technologies and initiatives grow over time. At a minimum, companies that offer browser or mail applications or underlying technology are competitors for the purposes of the conflicts policy; thus, we wouldn’t expect you to work for Microsoft, Opera, or Google (while employed by Mozilla) as you could imagine. Each case should be analyzed independently taking into consideration the current setting, but the definition is certainly fluid. In practical terms, the expectation that substantially all of your business time is devoted to Mozilla related activities is the greater threshold. If you have questions please contact HR.

Can I become a Director or join Advisory Boards for a Mozilla Competitor?
Not while you’re working as an employee of Mozilla. No current employee of Mozilla should ever serve as a director or member of the advisory board for a company that directly competes with Mozilla.

Directorships and Advisory Boards for Projects & Companies that Have a Business Relationship with Mozilla?
You should obtain prior written approval using the disclosure process described below. [LINK TO DISCLOSURE SECTION]

Do I need approval for Directorships and Advisory Boards for Other Projects & Companies?
You don’t need approval, but use your judgment and consider whether and how it may impact the Mozilla project. In addition, any activity must not compromise your duties of confidentiality regarding Mozilla confidential information including confidential information disclosed to Mozilla by 3rd parties.

Is there a Central Place Where I Can Disclose my Associations?
Yes. There’s a table on the [internal] wiki where you may voluntarily disclose any board, advisory, or consulting positions that you may hold. This information is available to all Mozilla employees [NB: make public?].

May I Invest in Companies that have a Business Relationship with Mozilla?
Mozilla does not preclude individuals from investing in public or private companies unless the investment creates a conflict of interest. Many factors should be considered in determining whether a conflict exists, including the size and nature of the investment, your ability to influence decisions of Mozilla or of the other company, your access to confidential information of Mozilla or of the other company, and the nature of the relationship between Mozilla and the other company. In addition, you should never use confidential information obtained through your relationship with Mozilla for investment purposes.

Is it Possible to Enter a Business Relationship with a Relative?
Mozilla bases hiring and other business decisions on merit and not on personal relationships. Individuals must disclose and seek written approval from the company's CEO before awarding a contract or conducting other Mozilla related business with a relative or significant other. See disclosure process below. Relatives include spouse, sister, brother, daughter, son, mother, father, grandparents, aunts, uncles, nieces, nephews, cousins, step relationships and in-laws. Significant others include persons living in a spousal or familial fashion (including same sex) with an employee.

Can I Receive or Give Gifts from/to Suppliers or Contractors? If so, What’s Acceptable?
Receiving and/or giving gifts valued at or below $250 are considered acceptable and do not require disclosure. A gift could be, for example, a modest holiday gift or a modest congratulatory gift upon completion of a contract negotiation. You must report any gifts you receive from an existing or prospective customer or supplier or from a competitor valued at greater than $250 to your direct manager. In addition, if you are giving a gift, it is your responsibility to ensure that you review the appropriateness of the gift with your manager.

Are there any restrictions on the Use of Proprietary or Confidential Information?
Yes. Occasionally, Mozilla employees receive confidential and proprietary information from 3rd parties as part of the trusted relationship between Mozilla and such 3rd party. You may use this information for its intended commercial purposes only. Please use the following guidelines for confidential information:
  • Don’t publicly disclose (e.g. talk, blog, tweet) 3rd party confidential information, including names of partners with whom Mozilla may be in discussions, without prior approval from the Vice President of your group.
  • In general, please assume that anything that is discussed within Mozilla concerning third parties – companies like Google or Palm or Yahoo or anyone -- is confidential, unless you know for an absolute certainty that it's public information. If you're at all unsure, ask your group vice president, the discloser, or legal.
  • On Mozilla stuff, we can post most anything that isn't financial, user data, personnel or business deal related -- for third parties, though, err on the side of non-disclosure until you know for sure.

Can I commit Mozilla to financially support or endorse outside activities or organizations?
If you want Mozilla to provide financial support or to endorse any outside activity or organization, you should obtain prior approval from the vice president of your group. Any time you commit the Mozilla name to endorse another project, PR should also be notified.

Are there any rules regarding Drug and Alcohol Use?
Yes. All employees need to abide by the following:
  • While the Company permits moderate consumption of alcohol at certain Company sponsored events, we strongly urge employees to be responsible in their use of alcohol and not to drive under the influence of drugs or alcohol.
  • No one under the age of 21 is allowed to consume alcohol at a Company sponsored event or on Company premises. Illegal drugs are never permitted.

What’s the Disclosure and Review Process?
If you are seeking an exception to the conflicts policy or if you have general questions about a potential conflict, please send an email to conflicts@mozilla.com (distribution goes to HR, legal and the CEO). Please cc your manager on the email as well. The email should include the proposed activity, the name of the other party, the duration, and any compensation details associated with the activity. HR will take the lead on an internal review (which is done confidentially) with the CEO or a designee and get back to you with a response within five business days. The evaluation will examine the nature of the potential conflict and the impact of the activity on Mozilla and its ability to conduct its mission.

Sunday, August 16, 2009

The Return.

It is with humble gratitude that I, the intrepid truth-teller known only as the Lizard, return to you, dear readers. Having received dozens of emails as to my whereabouts, it is clear there are many who wish to know the truth, and I cannot deny my loyal readers.

Where have I been? Deep in the lair of the beast, hiding for fear of being discovered. The wrath of the gods was working its way toward your humble Lizard, and hiding was the only way to protect myself and ensure that the truth about Mozilla could still be told.

But be not afraid, dear reader. I bring you good news and great leaks from deep inside the beast known as Mozilla.

In case there was any doubt, I am not Mike Schroepfer.