Security/Meetings/2011-12-28

Stuff (lucas)

• review goals, finalize in Jan
• changes to team embedding, discussion in Jan when everyone is back from PTO

Rapid Impact Team (lucas)

• jpr proposed a rapid impact team idea: "like crashkill and critsmash but with a fuse"
  • defined goals in a defined time, ad-hoc team; fix issue and disband
    • blackhole infection, search hijacking are first 2 proposed items (need people from secteam, will figure out at next team meeting)

Transition Stuff

• bsterne is leaving MoCo at the end of December 2011 :(
  • ಠ_ಠ
  • bsterne's tools --> github, dveditz
  • bsterne's team embedding assignments (WebAPI, Open Web Apps) --> dchan
  • bsterne to continue to work on CSP spec as an invited expert, along with CSP patches and reviews

Reddit IAmA (jesse)

• http://www.reddit.com/r/IAmA/comments/nldoj/iama_member_of_the_mozilla_security_team_ama/ was a success: 924 comments, 11 official answerers from the infrasec & productsec teams,
  • Jesse's comment about the Accuvant paper got ~6 retweets: http://www.reddit.com/r/IAmA/comments/nldoj/iama_member_of_the_mozilla_security_team_ama/c3a3lml

Sync+BrowserID heads up (sid)

• teams looking at using BrowserID to authenticate to sync
• ... and making the setup-new-device flow just BrowserID authentication (rather than password + high-entropy piece for new devices)
  • there was an alternative proposal a week or so ago to have BrowserID service providers store the sync key
• may involve product v. privacy/security trade-offs
  • trying to design best solution for a balance

Survey from project management (jesse)

• Project management wants to know where we need help from other teams in Q1
• Jesse's answers: https://etherpad.mozilla.org/dS1uGGbOfq (will submit later today)

Security review questionnaire

• need to make decisions on this course
• if we decide to do we need IT resources