Security/Meetings/2011-10-19
Goals
We have four team goals this quarter:
- [NEW] Unify our security & privacy review operations with User Data Council work
- Identify and document single point of contact for privacy+security by design.
- Socialize flow for getting security/privacy/UDC involved early-on for in-flight aid in design and development.
- [NEW] Mobile Fuzzing
- Get LangFuzz to ARM architecture (Linux/Tegra)
- Get LangFuzz to mobile (Browser on Android) - has dependency on Jetpack
- [NEW] Finalize security criteria, ready to socialize along with a few other areas of non-feature work
- [NEW] Telemetry/User Research - prioritize feature development and code hygiene work
- Get stats on features we want to end-of-life (enablePrivilege, etc)
- Frequency of cert errors (counting each of: expired, self-signed, wrong domain) and OCSP success/failures (nonresponses, server errors, revoked, valid) and frequency of mixed-content encountered (bucket mixed display and mixed scripting).
Start working on CA - scope of problems, avenues to explore, supporting experimentation
- Meeting at 2 PT today
MozCamps
- https://wiki.mozilla.org/MozCamp
- Evangelize security, both our team and processes, as well as security in general
- Gary is going to Malaysia. Nov 18-20
- Main topic: High level fuzz-testing overview
- Security bug bounties
- (not yet notified Gen or Mary)
- Curtis is going to Berlin. Nov 10-14
- Speaking: neurobiology of decision-making (?); waiting to see if talk idea is accepted
- If you're interested in going and/or talking, ask Mary and Gen if you can get yourself invited?
Etherpad
- Please use light/pastel background colors.
- The new “private pads” feature is not as easy to use as we hoped.
User Research/Studies
Effort estimates
What would it take to use TestPilot or Telemetry to do studies? Here are some rough estimates for each study we wish to deploy:
- TestPilot: (Roughly 3wks to data) ~1 week of coding, 2-5 days of UR team help, then duration of study deployment
- Appropriate for web usage measurements (perhaps related to individuals' behaviors)
- Telemetry: (Roughly 3wks to limited data) ~1 week of coding, time for review (2-5 days), in nightly immediately
- Bigger sample every six weeks (as it graduates to Aurora, Beta, Release)
- Appropriate for software performance measurements and feature usage measurements.
Ideas for studies
Any study will require at least cursory privacy review.
- Previously: https://wiki.mozilla.org/Security/Meetings/2011-10-05#Goals_for_us
- Installation and use of plugins (Telemetry)
- We already have installation data, and another team is planning to do this (bug 695589)
- Privacy/Reviews/Telemetry/Encountered_Plugin_Types
- How users respond to various outdated-plugin UIs (Test Pilot)
- How many/which CAs and/or intermediates are seen?
- Quality of certs seen (key strength, cipher suites)? Maybe we can already get that from SSL Labs.
Malcrash
- Reached public alpha stage
- Data automatically mined every day
- Docs at https://intranet.mozilla.org/User:Choller@mozilla.com/Malcrash
- Needs MPT VPN + your LDAP login (username without @mozilla.com)
- bsterne and I will improve the design
Recently Completed SecReviews
Recently Completed Privacy Reviews
Action Items
- [dchan] will look at TP and telemetry studies to see how involved the coding is, and decide whether or not he wants to champion a study
- [curtisk] Process request: send reminder mail to secreview attendees day before