Security/Meetings/2011-08-10

From MozillaWiki
Black Hat & DEF CON debrief

SF office

  • Ian and Lucas will be in SF starting next week. (Ian is on PTO Mon-Wed next week)

Meeting times

  • Moving from Wed 2pm to Wed 10am (starting next week?)
    • Had to be moved in order to accommodate team members in Europe.
      • Jesse tried, unsuccessfully, to bribe Christian into accepting a midnight-in-Europe meeting so that Jesse wouldn't have to get up early.
    • 11am slots are full, noon slots are lunch.

Team reorganization

  • Many of us will no longer report to Lucas directly.
  • Lucas would like to continue having 1-1s with everyone, but less frequent 1h meetings.
  • This is official; update your phonebook entry.
  • Names of the subteams are subject to change.

New subteams

  • Sid Stamm: Privacy team gets to manage a team of himself
    • more to come
    • Happy to take nominations for victims help
    • Q4 goal: clone Sid
      • Does this have to be a high fidelity copy?
  • Brandon Sterne: “Security Research & Testing” team
    • Christian Holler (decoder)
    • Jesse Ruderman
    • David Chan
    • Gary Kwong - moving to MV
    • Christoph Diehl
  • Dan Veditz: "Security of Releases" team
  • Ian Melven - security features (also has hopes of working on privacy features too)
  • Curtis - more of the same

Prioritization

  • What follows critsmash, putting the authority and accountability where it should be? This will be a long discussion in a future meeting.
  • Brandon is going through sg:want and sg:low bugs, ...

Full screen

Plugin installation and update

SSL certificates

  • Brian Smith will be on a panel on Friday at USENIX Security Symposium 2011
    • Panel title: “SSL/TLS Certificates: Threat or Menace?”
    • Likely topics of discussion: Moxie's proposal, DNSSEC, CA root inclusion policy
    • Weighing pros/cons of various schemes and whether they conflict or can be composed (work together)
    • Lucas recommends the theme: "flexibility of trust"

Malware

  • Cheng: What can we learn from malware reports that come into support.mozilla.com?
  • Chofmann: should we work with anti-virus vendors, giving them more browser APIs and access to our crash data, so they can block things faster and with more reliability?
    • [lucas] will look further into this