Mozilla's web security guru talks open source