Security/Meetings/2011-10-19

From MozillaWiki

Goals

We have four team goals this quarter:

  • [NEW] Unify our security & privacy review operations with User Data Council work
    • Identify and document single point of contact for privacy+security by design.
    • Socialize flow for getting security/privacy/UDC involved early-on for in-flight aid in design and development.
  • [NEW] Mobile Fuzzing
    • Port LangFuzz to the ARM architecture (Linux/Tegra)
    • Run LangFuzz against the mobile browser (Firefox on Android); depends on Jetpack
  • [NEW] Finalize security criteria, ready to socialize along with a few other areas of non-feature work
  • [NEW] Telemetry/User Research - prioritize feature development and code hygiene work
    • Get stats on features we want to end-of-life (enablePrivilege, etc)
    • Frequency of certificate errors, counting each of: expired, self-signed, wrong domain
    • OCSP outcomes, counting each of: non-response, server error, revoked, valid
    • Frequency of mixed content encountered, bucketed into mixed display and mixed scripting

Start working on CA (certificate authority) issues: scope of the problems, avenues to explore, supporting experimentation

  • Meeting at 2 PT today

MozCamps

  • https://wiki.mozilla.org/MozCamp
  • Evangelize security, both our team and processes, as well as security in general
  • Gary is going to Malaysia. Nov 18-20
    • Main topic: High level fuzz-testing overview
    • Security bug bounties
    • (Gen and Mary not yet notified)
  • Curtis is going to Berlin. Nov 10-14
    • Proposed talk: neurobiology of decision-making (waiting to hear whether the talk idea is accepted)
  • If you're interested in going and/or speaking, ask Mary and Gen whether you can get yourself invited.

Etherpad

  • Please use light/pastel background colors.
  • The new “private pads” feature is not as easy to use as we hoped.

User Research/Studies

Effort estimates

What would it take to use TestPilot or Telemetry to run a study? Rough estimates, per study we wish to deploy:

  • TestPilot (roughly 3 weeks to data): ~1 week of coding, 2-5 days of help from the UR (user research) team, then the duration of the study deployment
    • Appropriate for web usage measurements (possibly tied to individual users' behavior)
  • Telemetry (roughly 3 weeks to limited data): ~1 week of coding, 2-5 days for review, then live in Nightly immediately
    • Larger sample every six weeks as the build graduates to Aurora, Beta, and Release
    • Appropriate for software performance measurements and feature usage measurements

Ideas for studies

Any study will require at least cursory privacy review.

Malcrash

Recently Completed SecReviews

Recently Completed Privacy Reviews

Action Items

  • [dchan] will look at TestPilot and Telemetry studies to see how involved the coding is, and decide whether he wants to champion a study
  • [curtisk] Process request: send a reminder mail to secreview attendees the day before