Wow, did you see that? Java.com is down. Now, I’m sure you won’t be seeing it down when you read this in a couple of minutes, but amazingly, what happened for an error 500 to be there? lol, one of my Scala tutorial links is Java.com, I can’t take screenshots to show people where to download Java… ugh
Archive for July, 2009
So, I’m back from vacation today from this beautiful cottage I was at, and there’s nothing like waking up to the smell of a shiny new article about Microsoft and Yahoo making a partnership… Great, I missed a lot during those 5 days (a couple of hours of reading on TechCrunch, that is). Anyway, while listening to this Floss Weekly podcast that featured DHH from 37 Signals, the creator of Ruby on Rails, my interest in Ruby and Rails naturally rose, kind of like back from the dead.
I’d previously given up on Ruby, and I think I’ll be doing exactly the same thing again, without actually having picked it up again *. Why? This whole Rails thing and DHH’s “FU” humor prompted me to do a bit of research into where Twitter was with all their Ruby problems. And so, just when I thought a language didn’t really matter anymore and that the database was the only real hog, boy was I proven wrong by this brilliant article, Twitter on Scala.
Yes, I did read all the criticism towards this article, but, really, who do you trust most: angry Rails fans or Twitter developers? As for me, I decided I was going to place my bet on the Twitter developers, and I am once again throwing Ruby out the window, and at the same time throwing out any dynamic language too. Ironically this blog runs on PHP, but let’s say I never expect it to really have a need for scaling beyond a simple single-core server and WP Super Cache, for which WebFaction provides ample solutions.
Oh, talking about WebFaction, there’s currently an FTP outage on my server there. Hurray, not even a week in and I’m already having problems. Ironically my (mt) account’s FTP still works very well, but I can’t say I haven’t seen hiccups there either. Fortunately my sites are in top shape, but it’s already been 37 minutes since I posted a ticket, with no response and FTP still down; it’s not cool.
The only criticism I would have to make about Scala applies to every other language that isn’t out-of-the-box like PHP or that isn’t tied to an IDE: the installation process (symbolic links to your compiler, etc.) can be rather shady and is very often not explained in books. In fact, to learn it, I’ve had to figure out myself what was going on, on both Windows and Unix systems, which have very different ways of doing it. Frankly I think Windows’ way is simpler to comprehend albeit less powerful, but really, I’m thinking of making a well-explained tutorial about that.
Edit: WebFaction finally responded, although a bit late; the issue had been fixed before they responded. I’m guessing they had more than me notifying them.
* Edit: I actually just did so: I picked up Rails and threw it away again. Despite having learned quite a bit of Ruby, which I did enjoy, I don’t like Rails, as usual.
phpBB spam no more!
Jul 24
Since we introduced the visual antibot and the question antibot plugin on AMV-Canada’s phpBB board, we’ve completely eliminated the bot problem. Quite simply, since May 4th 2009, we haven’t had ANY bot come through. We’ve even reduced the complexity of the captcha, and eventually disabled it completely, but to no avail: spammers haven’t come back.
Yes, I mentioned the visual antibot, basically an upgraded captcha almost impossible to figure out even for humans (it puts random pictures in the background, making it REALLY hard to read; we’ve actually had some people complain to us that they couldn’t legitimately register), but we got rid of that. The only thing we have to protect ourselves on top of the default installation is this: The Question Antibot
That thing is holy. Basically it’s a question you make up and provide the answer for. For example, a mathematical question. It’s also super easy to set up and change every day if you want. One big advantage is it puts off just about any bot, because they don’t know what to do with it. And if you have a large traffic site and somebody programs the bot to answer the question, just change the question! It’s so efficient you don’t need a captcha.
Unless computers become sentient, I believe this should put off just about any spam bots.
Hit the link: http://www.phpbb.com/community/viewtopic.php?f=69&t=645075&start=0
All of our sites are now with WebFaction and we’ve been really pleased with the results. Never mind the crazy cool web app setup interface on WF, just look at the statistics.
More up to date
At MT, we were stuck with PostgreSQL 7, phpMyAdmin 2, and a bunch of other things which lacked timely updates.
Now with WF, we’re up to speed with the latest versions of everything. It’s just there, and they keep the old versions, so your app never breaks until you decide to migrate it, which is always done in three steps: make a new app, test it, and change your domain to point to that app instead of the older one. The upgrade window with that technique can be so short you may not even have to notify your users about any upgrade (depending on how your app is made).
No more sharing, really
It’s a shared environment but it’s not. You could say it’s a managed VPS, somewhat, but it’s even better. No dealing with awkward control panels and complicated app setup; that’s all done for you. What’s more, the RAM you get is your app’s RAM; they handle the OS part, making it way easier to plan ahead on how much RAM your app can use.
And if you really want to get dirty, there’s always shell access for you, just like a VPS.
True scaling! Load-balancing included
You don’t even have to buy the load-balancing DNS, it’s included. All you do is buy another hosting plan and mirror the two. The rest is handled by WebFaction’s DNS servers.
4 times faster, really
Based on WordPress’s stats on page generation speed from PHP and MySQL (we disabled caching for the purpose, or rather, hadn’t installed it yet), we’ve gone from 4 seconds to only 1. That’s four times as fast as MT’s (gs), and it shows. It’s even cheaper!
So what are you waiting for, get WebFactionized.
I think the real question to ask would be: Can a CMS really be beneficial for me?
And the answer is: Probably only for a blog (i.e. WordPress, Drupal)
Oh my god, you say, what is this freak saying? With a CMS, even authors can edit your site, which necessarily makes production much faster. Makes sense; at least, that’s what I thought until very recently.
Consider this: What do your authors know about the web?
They probably don’t know much. Most of your authors use Word, and they most likely don’t know how to use it. Just look at their Word documents and you’ll quickly realize how dirty they are. No one knows what a style is, and they all style the document the best they can by manually selecting text and clicking bold/italic or whatever. The problem? They’ll do the same with a CMS, regardless of the editor, because they just don’t know.
Quite frankly, a CMS is like suicide when it comes to accessibility. Why allow people to edit content on the web when they don’t know how it works? Too often, occurrences such as titles in CAPS, bold + bigger font instead of a header, and absolute horrors when it comes to images placed on your website, not to mention the inconsistencies, will plague your site.
You could establish strict editing rules, but then you start lacking in flexibility, and you’re guaranteed some people just won’t respect those rules unless you tell them directly, which may not be an option in a large enterprise.
Conversely, a good webmaster will know all of these content things naturally. Seriously, if your webmaster writes a title in CAPS, fire him.
Consider this: What CMS is prebuilt to scale?
For a lot of people, having a CMS means avoiding complication. If you give a lot of powers to the authors, you don’t even have to upload the images yourself. However, does an author really know that you need to optimize these images? Forget about teaching them to upload the images to a separate subdomain for static delivery.
A solution may be to make all of this integrated into your CMS. But truthfully, it’s a huge bother and no CMS was probably made to handle such a complex content distribution mechanism. You’ll spend more hours debugging and tailoring your CMS solution than you would if you weren’t using one at all.
Don’t mix it
I think the best solution is to simply not mix content people with web people. They are two very different breeds of thought processes and it’s very rare a good author will know a lot about the web beyond using its user services like email and chat. Real applications are often too complicated to bother with a CMS, which will often put a huge supplementary load on webmasters, especially those who handle the CSS. And so they’ll spend time on managing the CMS they could have spent on managing the actual site code, quality, security and scalability.
In my opinion, even for a largely content-based web site, a CMS is just too much overhead to be worth it. And you don’t need a CMS to stop copy-pasting every menu change on your site; there are some very simple alternatives with PHP includes, or with just about any language/framework you may use to power your application/website.
The right RIA for the Future
Jul 20
Choosing between Silverlight, Flash/Flex and JavaFX, or even omitting their use completely à-la-Google with HTML 5 is a very debated subject. However, probably above their feature sets, you have to consider each RIA’s position on the market, making it a very political choice. Let me explain.
To sum up the whole thing, it really has to do with the RIA maker’s motives. Although not an RIA, Windows Live Messenger makes a very good example of this. Yes, it does exist on the Mac, but since Microsoft also has Windows, it wouldn’t want to compete with itself, and thus the Mac version of WLM is quite inferior, so as to keep WLM users coming back to Windows. The same applies to RIAs, and unfortunately Microsoft has a track record of limiting its own products so that they don’t compete with each other.
Silverlight
Good
Microsoft has a truly stunning developer platform, and it’s way cheaper than Adobe’s. If you wanted to go the Adobe Creative Suite alternative route, Microsoft’s platform sure is inviting. A full software stack to develop web sites with Silverlight will cost you 600$ (Expression Studio + Visual Studio Express) while Adobe’s will cost you 1950$ (CS + Flex Builder). Arguably Adobe’s Creative Suite Web is more complete and using Microsoft’s technologies incurs additional cost on the server-side, but it’s still very tempting. Developing C# with Visual Studio is, as of today, an incredibly more enjoyable experience than developing ActionScript 3.0 with any of Adobe’s tools.
Bad
Silverlight is Microsoft. While not really bad in itself, you’re still tied to a company that has much to do with a lot of other things. One perceivable issue that could arise, and already does, is the availability of the Silverlight plugin on various platforms. If Google’s Chrome OS is to take off, there’s no guarantee Microsoft won’t use Silverlight as an excuse to sell Windows, which may damage your business if you rely on that technology. You can always turn around once that happens, but it’ll still cost you time, money, retraining and more.
JavaFX
Good
While still not exactly open source per se, Sun is planning on making it so, so JavaFX might seem like a more liberal option that doesn’t really depend on anyone. It also relies on Java of course, which is widespread on all machines, so perhaps you won’t have to make your users download a new plugin, which is always good.
Bad
Unfortunately JavaFX is behind in every way possible. Quite frankly, JavaFX is really bad. Its load times are horrible, the tools aren’t as integrated as the all-in-one Microsoft and Adobe solutions, and the IDEs built for JavaFX production are confusing (i.e. you have to download a specific version of NetBeans not compatible with Java Web to do JavaFX development). There’s also the looming change at Sun with Oracle buying them. While nothing has really been done yet, Oracle may want to shift Sun products into the proprietary realm. In fact, nobody knows, but one thing’s for sure: it’s probably going to change, and making your bet on JavaFX means making your bet on whatever restrictions Oracle may bring. On the other hand, it could also turn out to be better.
Flash / Flex / Air
Good
Adobe doesn’t make an OS. Adobe doesn’t make a browser. Adobe makes a plugin to enhance the web, along with all the tools associated or not associated with it. Since Adobe is a tool maker and only that, they never compete with themselves. They don’t have to care about WordPad not competing with Office, they only have Acrobat; they don’t have to care about Paint competing with Expression Design, they only have Photoshop and Illustrator. In that regard, it’s in Adobe’s interest to bring Flash, Flex and Air to as many places as possible. That’s how they make their business, so unlike Microsoft, you can be sure that if another OS takes off, be it Mac or Chrome OS, Flash will be there.
Flash, Flex and Air are also arguably more mature than Silverlight, and certainly more than JavaFX. Silverlight is actually playing catch-up on Flash for its streaming technologies, codec availability, etc. that have been powering so many websites for so long. Flash also has an incredible user base, arguably even better than Java’s at keeping up with the latest version, especially since the Flash plugin, or Air for that matter, is far lighter than Java.
Bad
Really, the only downside to developing applications with Adobe’s platform is the lack of good IDEs and server-side components to match. Yes, Adobe is pushing really hard and Flex Builder goes a good way toward providing cool features, but with ActionScript 3.0 and whatever language/framework you may use to power the back end, it’s still a long way from Microsoft’s solution.
HTML 5
Good
HTML 5, JavaScript, AJAX and all of this is a bit of a weird guy in the RIA game. While not technically an RIA framework, HTML 5 and company still compete against those. The biggest plus, you could say, is that all of this is web standards. No matter what you do, it’ll eventually be integrated into every browser. This means native support for everyone.
Bad
However, those standards can only go so far for now. The development environment for those is hard to learn and really not helpful, making the whole HTML 5 apps thing somewhat of an arcane art. There are a ton of features that don’t exist yet, a big one being streaming video, and support for various features varies from browser to browser. In a world where browsers are ever more varied, HTML 5 application development and maintainability is the hardest. Using the useful features often means leaving behind a good lump of users, while you could get all of those users the exact same experience across every browser and platform if you’d used Flash, for instance.
So?
Well, in the end, the choice is really up to you. You may choose HTML 5 for moral reasons, but in my opinion its current state is nothing but a gimmick and it’ll always be playing catch-up with what you can do with a plug-in. I don’t think the age of plug-ins is over, nor do I think the open source movement is capable of bringing down proprietary products on the client front. As I foresee it, Google’s Chrome OS, despite being based on Linux, won’t do much for its cause, as it’ll most likely be an entirely Google product, with all the proprietary code pre-installed on it in a way communities like Ubuntu’s would never allow, all the while keeping the kernel intact, along with its GPL license. Google never much cared about the open source community; they just use their products and give back nothing in return, since doing so would potentially compromise their search engine trade secrets.
Perhaps there isn’t much future for RIA frameworks, but I believe there is for Flash and Silverlight as in-page plugins. If there is one area where RIAs could really succeed, it’s online games and production software, like the Microsoft Office 2010 web applications, which are almost guaranteed to be based on Silverlight. I’m not sure HTML, like Google Docs uses, is powerful enough to accurately describe Word documents, or any other Office document, in a faithful way across browsers. Microsoft is currently making sure Office 2010 documents retain their exact formatting across desktop software, cloud apps and mobile apps, a feat that may be overlooked but that still remains important, as no other competitor has succeeded or even attempted at doing that in the past. I like Google Docs, but I still think it’s a weak piece of software.
The outcome of the web has never been so hard to predict. But I guess it’s normal since the web is still in its infancy. As for my site OtakuChannel.com, I decided to stick with Adobe technologies because of their more potent survival chances and the fact that we’ve been using Adobe tools for years now, and we also work on Mac.
Over-glorified Google
Jul 18
For a lot of people in the tech industry, the announcement of Google’s Chrome OS was as if a death clock started ticking for Windows. Whenever Google comes out with a new product, apparently it’s going to crush the competition. However, people tend to forget that although Google might be a giant in the search engine market, that’s pretty much the only place they are one.
Let’s talk statistics.
Google Chrome has a usage share of around 2 to 3% of the market. Microsoft Internet Explorer still has around 65% and all of the enterprise market for ease of deployment reasons. Is Google eating at Microsoft’s shares? No, they’re eating Firefox’s, and Firefox is the one Microsoft should be worried about as a browser right now.
In the operating system space, Microsoft still has 90% of the market. As everybody knows, switching to another system is hard, so it’s very easy to perceive how all of these users could potentially stay on Windows while migrating to a more cloud-based Windows in the future that’ll compete with Chrome OS.
In the office space, enterprises won’t switch to Google for the simple reason that Google doesn’t allow hosting its services internally, and since everybody on the planet is using Microsoft Office, it’s easy, again, to see people migrate to the new Office 2010 web services without ever touching base with Google’s alternative.
The gaming market is still on Windows, high performance computing applications like creative tools are still on Windows, and even if the future is cloud-based, it’s hard to see any of those things migrate to Chrome OS’s purely cloud-based solution for any reason.
It’s funny how people tend to forget that Google isn’t the master of everything. They just own search, and that’s it. Really, Google has absolutely nothing else on the market, their only revenue is their advertisement on the AdSense network and search.
If you were panicking about your decisions to rely on Microsoft because of Google’s move, it’s time to put a brake on that and relax. Nothing’s happening yet. Oh, and in case you were thinking, “yes but the iPhone did crush Windows Mobile”, in fact, it never did. Windows Mobile hardly ever was a real competitor. The iPhone simply hurt BlackBerry’s shares, and got a lot of territory on the regular phone market too.
You could also ponder on this:
- Windows lacks a command line like those found on Mac and Linux. However, remember that since recent versions of Windows were designed to run completely without a command line, you can find everything in the OS via the GUI, something you can’t do on Mac and Linux, whose GUIs really are just a series of command-line actions mapped to a graphical interface.
EDIT: MODx 1.0, which just got released, has full native support for dictionary attack prevention, even better than WordPress. Additionally, it looks like the hack comes from a key-logger that steals FTP passwords (not MODx or WordPress). In fact, this has been verified with logs by myself and others. What’s more, my friend recently got re-hacked, and she has a pretty insecure computer, and since she doesn’t have the new password for our FTP and thus didn’t log in, my sites didn’t get attacked, so the evidence is there that this is really an FTP issue with a key-logger. Watch out for the security of the computers used to access your administration tools like FTP!
Lessons of life teach you a lot of things, such as the one in the previous post. Having a login system without any anti-brute-force measures is suicide. In fact, the reason why my PHPBB forum wasn’t affected is that it does have an anti-dictionary-attack mechanism.
How does it work
The premise is simple: if a user fails to log in with the right password, lock him out to prevent brute force attacks. There are a lot of different solutions for this however, so let’s explore.
Time-out
One technique I like a lot is locking out the user for a given amount of time. This can be frustrating for a user who forgot his password, but a link to a message explaining why such a measure is being enforced can ease the pain. There’s a major flaw with this technique however: it only delays a dictionary attack, it doesn’t prevent it. However, most robots designed for dictionary attacks give up and move on if such a mechanism is in place.
Lock-out
This radical way involves revoking the user’s access completely, rendering further attempts completely useless. You can leave the login fields and simply tell the user it’s impossible to log in with that ID, or remove the login fields entirely for that given IP for a limited amount of time. Once a user is locked out, an email, or some sort of external communication, is sent to the user so that he can make a new password. This technique doesn’t really have any flaw if implemented correctly, except that a compromised email also makes the attacked account compromised.
Human Verification
Google does it and so does PHPBB. All it involves is asking the user to fill in a captcha code or a question of some sort to verify whether the person trying to log in is a human. If it’s well made, chances are the bot making the attack won’t be able to pass it, or won’t even know what to do with the extra form fields. Fortunately attack bots aren’t sentient yet. This technique has the flaw of being easily bypassable if a human looks into it. Programming a bot to answer a math question correctly or pass a captcha test isn’t that hard. That’s why I consider this more of an add-on than a complete solution, since it’s totally useless against a targeted, not entirely automated attack.
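The time-out and lock-out techniques from the two sections above, combined in one failed-login tracker. This is an added example, not code from WordPress, MODx, phpBB or the plugins named in the post; the thresholds (5 failures for a 15-minute time-out, 20 for a lock-out), the in-memory store and the per-IP counter are assumptions made for the example.

```python
import time
from dataclasses import dataclass

TIMEOUT_AFTER = 5          # failures that trigger a temporary time-out (assumed)
TIMEOUT_SECONDS = 15 * 60  # how long the time-out lasts (assumed)
LOCKOUT_AFTER = 20         # failures on one account that trigger a lock-out (assumed)


@dataclass
class Counter:
    failures: int = 0
    blocked_until: float = 0.0
    locked: bool = False


class LoginGuard:
    """Tracks failed logins per account and per client IP. Kept in memory
    here; a real deployment would persist this in the database or a cache."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so tests can fast-forward
        self.by_user: dict[str, Counter] = {}
        self.by_ip: dict[str, Counter] = {}

    def status(self, username: str, ip: str) -> str:
        """'locked', 'timeout' or 'ok', without consuming an attempt."""
        user = self.by_user.setdefault(username, Counter())
        addr = self.by_ip.setdefault(ip, Counter())
        if user.locked:
            return "locked"
        if max(user.blocked_until, addr.blocked_until) > self.now():
            return "timeout"
        return "ok"

    def attempt(self, username: str, ip: str, verify) -> str:
        """Run one login attempt. `verify` is the real password check and is
        only called when neither the account nor the IP is blocked, so a
        blocked attacker learns nothing about the password.
        Returns 'ok', 'failed', 'timeout' or 'locked'."""
        state = self.status(username, ip)
        if state != "ok":
            return state
        user, addr = self.by_user[username], self.by_ip[ip]
        if verify():
            user.failures = 0     # a real login clears the account's streak
            return "ok"
        user.failures += 1
        addr.failures += 1
        if user.failures >= LOCKOUT_AFTER:
            user.locked = True    # lock-out: only an out-of-band reset clears it
            return "locked"
        if user.failures % TIMEOUT_AFTER == 0 or addr.failures % TIMEOUT_AFTER == 0:
            until = self.now() + TIMEOUT_SECONDS   # time-out: delays the attack
            user.blocked_until = max(user.blocked_until, until)
            addr.blocked_until = max(addr.blocked_until, until)
            return "timeout"
        return "failed"

    def reset(self, username: str) -> None:
        """Called once the owner has proved control of the account out of
        band, e.g. through the e-mail link the post describes."""
        self.by_user[username] = Counter()


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(6):
        print(guard.attempt("alice", "192.0.2.10", lambda: False))
```

Counting per IP as well as per account is what slows down a bot that rotates usernames from one address; the per-account lock-out is what stops a bot that rotates addresses.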
WordPress Plugin – User Locker
I now use the User Locker plugin on my WordPress install, as well as a way better password as shown in the previous article, to prevent any brute force attacks from happening again. Download the plugin here.
MODx Plugin…?
Unfortunately there isn’t a single plugin for MODx that does such a thing. The closest is a captcha add-on, but as of this writing it’s only compatible with beta 2 of MODx Revolution (v2), which is pretty lame since the stable version isn’t even 1.0 yet.
Yes, when you heard PHP was insecure, it’s because people make insecure apps with it
Unfortunately, WordPress does need a plugin for that sort of security. One would think that it should be included in the whole package out of the box. But no, the blog engine used by some of the biggest news companies in the world doesn’t support it natively, despite other improvements of lesser importance being given a lot of attention, like interface overhauls.
MODx is simply a no-go since it doesn’t support any such measure, and fortunately PHPBB does support this natively, although I think it only supports captcha verification. I haven’t exactly tested it, but entering those captchas every time gets really long after 10 tries, so I believe it’s the only anti-brute-force measure it has.
PHP is blamed a lot for that, since one sees a lot more insecure web sites in PHP than in other languages, but I believe this is more attributable to the fact that PHP is really easy to learn and use. Making a site in Java requires significant study, which often includes a lot of attention to security, preventing anything like that from happening in the first place. No, PHP isn’t inherently insecure. If Java developers didn’t care for security, it’d be just as bad.
There used to be a time when adding a number to the password “cat” meant your kid couldn’t figure out the password to your computer. There also used to be a time when trumping dictionary attacks was as simple as adding complicated characters or using words that weren’t words.
And yes, my whole point today is: there used to be.
My Story
At 14:45 on July 17th 2009, I realized I was hacked. Some malicious JavaScript line got inserted into three of my sites, two MODx CMS installs and yes, one WordPress. My first reaction was to panic. My second was to search Google on the matter. My third was to blame it on MODx and WordPress, and then PHP, until I read multiple forum posts mentioning FTP dictionary attacks.
Oh boy, dictionary attacks, on my password? I thought. How could they have figured the password out!?
So, with my friend, we tried going down the different paths the hacker could have taken and seeing if they made sense. We quickly discovered the problem: the index.php on our MODx and WordPress installs had been modified. Her other site was also attacked, and on a different host.
We’re hosted at Media Temple, and her site is at 1and1. I’m very much doubtful Media Temple would have such a security hole, so we dismissed any hosting provider vulnerability possibility.
The next entry would have been PHP, MySQL, or all sorts of other security holes. It could have also been a security hole in MODx or WordPress, but if it had been, big blogs at the New York Times would have been hacked (they weren’t) and we would have heard about it. No news to be found on the subject, older posts dated back to early 2009, and the attack just came in today for us. So no, it’s not a security vulnerability, neither is it a virus; our platforms would have long since detected it (Media Temple’s Grid Service for example).
There was only one option left. The hacker had managed to infiltrate our accounts on either the FTP service, the hosting account, or the MODx/WordPress install. The hosting got cleared out of the way again. It’s impossible to upload or modify files via the control panel on 1and1, so my friend couldn’t have been hacked there. My friend’s FTP password was much too complex (some auto-generated gibberish) for it to have been dictionary-attacked. Thus, we turned to our MODx and WordPress installs.
Too easy: both MODx and WordPress allow editing of the main index.php’s code directly in their control panel, and all of our installs had moderately insecure passwords.
The moral? We got hacked because the automated bot figured out our passwords like nothing.
How freaky do you have to be with your password?
Ever heard: Ugh, your password is long…
Prepare to hear it more, as it probably wasn’t long enough.
Without disclosing our old passwords, here is what it averaged to:
mategma55
This password doesn’t mean anything and even has numbers. There wasn’t a chance it could have been dictionary hacked in the past. Today, that’s peanuts. It’s a hyper insecure password.
However, my WordPress installation got breached too, and it featured what is commonly known as a strong password today:
Ukyn762!
The full range: caps, lower case, numbers and a special character. It’s not even a word! While this may have been a very secure password in the past for most applications, today it isn’t. Trust me, my blog isn’t really popular, but it still got infiltrated. Think you’re protected because “oh, you don’t need that crazy password, it’s not like you were anyone famous”? Think again, this happens to anyone now.
How freaky must it be? Something like this:
uU#!DX==HFM+9X@Z
OMG How am I gonna remember that!?!?
The truth is, if you use it a lot, eventually you’ll remember it. Yes, most of you probably know all of your friends’ phone numbers by heart, so this shouldn’t be too difficult. However, carrying a paper around with the password on it, or worse, storing it in the open on your computer in a txt file for the first few weeks isn’t the best thing to do.
Instead, you can use clever techniques so that no one can find the password, but you can remember it. One of those is GRC’s Perfect Paper Passwords. What it does is generate three passcards that contain a myriad of random characters in the set of your choice. Characters are grouped in a bingo-style grid as A1, A2, B1, B2, etc. In other words, you print it, and all you have to do is remember which combination of A1, F2, etc. you chose for your password. If someone ever finds the paper, he’ll have to figure out the combination you used to discover your password. For additional security, you could even say that your D4 is only the first two characters, so that way the password is practically impossible to guess.
If you gauge your password at a whopping 63 characters, incidentally the maximum number of characters for the WPA2 WiFi network protection scheme, it’s supposed to take about a trillion years to dictionary-breach it. Add the usual anti-dictionary-attack modules that block you from logging in for a certain time after a number of attempts, or force you to enter a captcha code or some kind of human verification, and you could easily multiply the dictionary-attack time by 100. Even more intelligent systems may be able to prevent it altogether, with random questions that can never be answered by a machine unless it becomes sentient, and science has yet to crack that.
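The passcard idea from the paragraph above, as an added illustration rather than GRC’s own Perfect Paper Passwords code: a printed grid of random cells, a memorised recipe of cell names, and the password rebuilt from it. The 7x7 layout, the recipe syntax (`"A1 F2 D4[:2] B3"`, where `[:2]` keeps only the first two characters of a cell) and the sample card, which is constructed to hold the post’s own example password, are all assumptions made for this example.

```python
import math
import re
import secrets
import string

ROWS = "ABCDEFG"          # assumed card layout: 7 rows ...
COLS = range(1, 8)        # ... by 7 columns, named A1 .. G7
CHARSET = string.ascii_letters + string.digits + "!#$%+=@"   # assumed set


def make_card(cell_len: int = 4, choose=secrets.choice) -> dict[str, str]:
    """Return {cell name: characters} for one passcard. `choose` defaults
    to a CSPRNG; a test may inject a deterministic picker."""
    return {f"{r}{c}": "".join(choose(CHARSET) for _ in range(cell_len))
            for r in ROWS for c in COLS}


def render(card: dict[str, str]) -> str:
    """Printable grid, one row per letter, for the paper you carry."""
    lines = ["    " + "  ".join(f"{c:<4}" for c in COLS)]
    for r in ROWS:
        lines.append(f"{r}   " + "  ".join(card[f"{r}{c}"] for c in COLS))
    return "\n".join(lines)


RECIPE_TOKEN = re.compile(r"^([A-G][1-7])(?:\[(\d*):(\d*)\])?$")


def derive(card: dict[str, str], recipe: str) -> str:
    """Rebuild the password from the memorised recipe. A slice such as
    D4[:2] keeps only part of a cell, the extra twist the post suggests."""
    out = []
    for token in recipe.split():
        m = RECIPE_TOKEN.match(token)
        if not m:
            raise ValueError(f"bad recipe token: {token}")
        cell, start, stop = m.groups()
        chars = card[cell]
        if start is not None:     # a slice was given
            chars = chars[int(start) if start else None:int(stop) if stop else None]
        out.append(chars)
    return "".join(out)


def recipes_possible(card: dict[str, str], n_cells: int) -> int:
    """How many ordered choices of n_cells distinct cells someone who finds
    the paper would have to try (ignoring slices): an ordered selection
    of n_cells cells out of the grid."""
    return math.perm(len(card), n_cells)


# Constructed sample: a random card with four cells overwritten so that the
# recipe "A1 F2 D4 B3" yields the post's example password.
SAMPLE_CARD = make_card()
SAMPLE_CARD.update({"A1": "uU#!", "F2": "DX==", "D4": "HFM+", "B3": "9X@Z"})

if __name__ == "__main__":
    print(render(SAMPLE_CARD))
    print(derive(SAMPLE_CARD, "A1 F2 D4 B3"))        # uU#!DX==HFM+9X@Z
    print(derive(SAMPLE_CARD, "A1 F2 D4[:2] B3"))    # uU#!DX==HF9X@Z
    print(recipes_possible(SAMPLE_CARD, 4))          # 5085024
```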
For those who have been hacked
It’s actually not very difficult to remove that hack. But do it quickly, as Google may block you from their search engine if they discover the malicious script on your site.
- Change your password to fend off repeated attacks
- Go to your WordPress or MODx CMS installation root and open index.php
- Edit out the malicious code on the last line
- You’re done
It’s also easy to know if you have been hacked. To make the hack possible, the hacker has to integrate a 1-by-1-pixel iframe on your site. The code is right at the bottom of the page in your source, and you can also see a weird dot-like border somewhere at the end of your page, which is, in effect, the iframe. If you stumble on a weird dot-like element on your site, check your code, you may have been hacked.
Every web developer knows it: it just seems like to compete with IE, the only way is to go open source to get a community going. While this may be true, some people just don’t seem to get it. The good folks at Opera Software ASA are a prime example. Opera is still proprietary and nobody knows why. They’re not even selling the software. If the concern is having a myriad of other browsers use their engine, why not just make it open source but non-redistributable? And besides, having others use the Gecko engine doesn’t prevent Firefox from rising ever more to glory.
However, an article from Computerworld, despite dating back to 2006, made me realize that it doesn’t need to be open source. After all, Opera has always been faster than Firefox, less buggy, more feature-full and more standards-compliant. If the closed-source team is capable of delivering such quality, why should I care for it to be open source?
And even though other browsers that make use of the Gecko engine never hurt Firefox, open sourcing your engine can be a disadvantage. One example is Google Chrome, which I certainly don’t believe to be friendly towards Safari. In the wake of Chrome OS, Apple’s very own efforts have turned into a competitive monster for its products. Open sourcing technologies isn’t always the right thing to do.
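A scanner for the symptom just described: a hidden 1-by-1 iframe appended to the last line of index.php. This is an added example, not code from the post or from either CMS; the two sample files it builds are constructed stand-ins for a clean page and a tampered front controller, and `malware.example` is a placeholder host.

```python
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# width/height of 0 or 1, as an attribute or in inline CSS; the (?!\d) keeps
# width="100" from being mistaken for width="1"
TINY_RE = re.compile(r"""\b(?:width|height)\s*[=:]\s*['"]?\s*[01](?!\d)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)


def suspicious_iframes(html: str) -> list[dict]:
    """Return each iframe that is sized 0/1 px or hidden by CSS, with its
    line number, src, and whether it sits on the file's last line (where
    the injection described in the post lands)."""
    last_line = html.rstrip().count("\n") + 1
    findings = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        if not (TINY_RE.search(tag) or HIDDEN_RE.search(tag)):
            continue  # a normally sized, visible embed: leave it alone
        line = html.count("\n", 0, m.start()) + 1
        src = SRC_RE.search(tag)
        findings.append({"line": line,
                         "src": src.group(1) if src else None,
                         "on_last_line": line == last_line})
    return findings


def scan_tree(root: Path) -> list[tuple[str, dict]]:
    """Walk a site directory and report hidden iframes in PHP/HTML files."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in {".php", ".html", ".htm"} and path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            for finding in suspicious_iframes(text):
                hits.append((path.relative_to(root).as_posix(), finding))
    return hits


# Constructed sample: a clean page with a legitimate, visible embed ...
SAMPLE_CLEAN = """<html><body>
<h1>About</h1>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
</body></html>
"""
# ... and a front controller with the hidden iframe appended to its last line
SAMPLE_INJECTED = """<?php
// constructed stand-in for a CMS index.php
require 'bootstrap.php';
?><iframe src="http://malware.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
"""


def demo() -> list[tuple[str, dict]]:
    """Write the two samples into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "about.html").write_text(SAMPLE_CLEAN, encoding="utf-8")
        (root / "index.php").write_text(SAMPLE_INJECTED, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for path, f in demo():
        where = " (last line)" if f["on_last_line"] else ""
        print(f"{path}:{f['line']} hidden iframe -> {f['src']}{where}")
```

Run `scan_tree(Path("/path/to/site"))` against a real document root; a hit on the last line of index.php is exactly the pattern the cleanup steps above remove.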