Security/Meetings/2011-08-10
Black hat & def con debrief
- Several of us have posted notes at Security/Conferences/BlackhatDefcon2011. Keep them coming.
SF office
- Ian and Lucas will be in SF starting next week. (Ian is on PTO Mon-Wed next week)
Meeting times
- Moving from Wed 2pm to Wed 10am (starting next week?)
- Had to be moved in order to accommodate team members in Europe.
- Jesse tried, unsuccessfully, to bribe Christian into accepting a midnight-in-Europe meeting so that Jesse wouldn't have to get up early.
- 11am slots are full, noon slots are lunch.
Team reorganization
- Many of us will no longer report to Lucas directly.
- Lucas would like to continue having 1-1s with everyone, but less frequent 1h meetings.
- This is official; update your phonebook entry.
- Names of the subteams are subject to change.
New subteams
- Sid Stamm: Privacy team gets to manage a team of himself
- more to come
- Happy to take nominations for victims help
- Q4 goal: clone Sid
- Does this have to be a high fidelity copy?
- Brandon Sterne: “Security Research & Testing” team
- Christian Holler (decoder)
- Jesse Ruderman
- David Chan
- Gary Kwong - moving to MV
- Christoph Diehl
- Dan Veditz: "Security of Releases" team
- Ian Melven - security features (also has hopes of working on privacy features too)
- Curtis - more of the same
Prioritization
- What follows critsmash, putting the authority and accountability where it should be? This will be a long discussion in a future meeting.
- Brandon is going through sg:want and sg:low bugs, ...
Full screen
- https://bugzilla.mozilla.org/show_bug.cgi?id=545812
- https://wiki.mozilla.org/Platform/Features/Full_Screen_APIs
- https://wiki.mozilla.org/Gecko:FullScreenAPI#Jesse.27s_concerns
- Lucas: if it's just about matching Flash, we should match Flash's use cases with similar security, and discuss other use cases (games?) separately.
- Lucas: in order to give useful feedback from the security perspective, we'd like to know why this feature is desired
- [curtis] schedule a larger conversation with the feature team to discuss
Plugin installation and update
- Plugin update
- Plugin opt-in
- “How do we affect the rate of plugin use?” is out of scope for the security team
SSL certificates
- Brian Smith will be on a panel on Friday at USENIX Security Symposium 2011
- Panel title: “SSL/TLS Certificates: Threat or Menace?”
- Likely topics of discussion: Moxie's proposal, DNSSEC, CA root inclusion policy
- Weighing pros/cons of various schemes and whether they conflict or can be composed (work together)
- Lucas recommends the theme: "flexibility of trust"
Malware
- Cheng: What can we learn from malware reports that come into support.mozilla.com?
- Jesse: Are we likely to learn anything other than "socially engineered installation of malware" (so we should fix https://bugzilla.mozilla.org/show_bug.cgi?id=662819 and improve the web platform) and "plugin exploits" (so we should do https://wiki.mozilla.org/Opt-in_activation_for_plugins and improve the web platform)?
- Chofmann: should we work with anti-virus vendors, giving them more browser APIs and access to our crash data, so they can block things faster and with more reliability?
- [lucas] will look further into this