Security/Meetings/2011-12-28
From MozillaWiki
Stuff (lucas)
- review goals, finalize in Jan
- changes to team embedding, discussion in Jan when everyone is back from PTO
Rapid Impact Team (lucas)
- jpr proposed a rapid impact team idea: "like crashkill and critsmash but with a fuse"
- defined goals in a defined time, ad-hoc team; fix issue and disband
- blackhole infection, search hijacking are first 2 proposed items (need people from secteam, will figure out at next team meeting)
Transition Stuff
- bsterne is leaving MoCo at the end of December 2011 :(
- ಠ_ಠ
- bsterne's tools --> github, dveditz
- bsterne's team embedding assignments (WebAPI, Open Web Apps) --> dchan
- bsterne to continue to work on CSP spec as an invited expert, along with CSP patches and reviews
Reddit IAmA (jesse)
- http://www.reddit.com/r/IAmA/comments/nldoj/iama_member_of_the_mozilla_security_team_ama/ was a success: 924 comments, 11 official answerers from the infrasec & productsec teams
- Jesse's comment about the Accuvant paper got ~6 retweets: http://www.reddit.com/r/IAmA/comments/nldoj/iama_member_of_the_mozilla_security_team_ama/c3a3lml
Sync+BrowserID heads up (sid)
- teams looking at using BrowserID to authenticate to sync
- ... and making the setup-new-device flow just BrowserID authentication (rather than password + high-entropy piece for new devices)
- there was an alternative proposal a week or so ago to have BrowserID service providers store the sync key
- may involve product v. privacy/security trade-offs
- trying to design best solution for a balance
Survey from project management (jesse)
- Project management wants to know where we need help from other teams in Q1
- Jesse's answers: https://etherpad.mozilla.org/dS1uGGbOfq (will submit later today)
Security review questionnaire
- need to make decisions on this course
- if we decide to do it, we need IT resources