Security/Meetings/2012-01-04
What needs testing (especially fuzzing) on mobile?
- curtisk, imelven, decoder, gkw => flesh out?
- https://etherpad.mozilla.org/mobile-security-testing is my list. Brandon said he has a "master plan", but I don't know anything about it yet.
- Mobile UI fuzzer idea is floating in the air; gkw is embedding into A-team meetings to find out how this might turn out
- I [decoder] can probably give hints about the crash triage automation etc. on Android because LangFuzz has that builtin already.
- A-team might have some APIs we can use
Goals
- Develop prototype for automation and scalability of ARM and mobile fuzzing
- Some of our machines are being upgraded
- Almost done - jsfunfuzz now running on Mac OS X Lion
- Certain releng machines are only running DOM fuzzer now, should get jsfunfuzz / LangFuzz running too
- sync auth & BrowserID
- Define options for better UX that still ensure secure auth and content security
- Plugin experience - drive update, click to play
Other Possible Goals
- Get stats on features we want to end-of-life (enablePrivilege, etc)
- How can we be more specific than "etc"?
- We can look at features that chrome/IE have removed for security reasons e.g. user:pass@host in URLs
- Telemetry
- commoncrawl.org might help, for public web anyway (enablePrivilege tends to be used on intranets, not public)
- It could be replaced by an addon
- Security Questionnaire
- Proof of concept implementation
- Evaluation with previous security review participants
- Overall improvements and decision if this is helpful and should be adopted into the process, or not
Can we write these goals in a SMART format so we have clear targets? (Specific, Measurable, Actionable, Resourced, Time-framed)
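The end-of-life stats goal above asks how much the web actually uses features we want to drop (enablePrivilege, credentials embedded in URLs). The following is an added example, not code from the meeting or from Mozilla: a small corpus scanner of the kind one could run over Common Crawl records to produce those counts. The crawl sample, the hostnames and the page contents are constructed inline for illustration; the WHATWG `URL` parser does the credential detection so we do not hand-roll `user:pass@host` matching.

```javascript
// Added example (not from the meeting notes): tally how many pages in a crawl
// sample use two features under consideration for end-of-life:
//   1. calls to netscape.security.PrivilegeManager.enablePrivilege(...)
//   2. links whose URL carries credentials (user:pass@host), which Chrome/IE
//      removed for security reasons.
// The "corpus" below is constructed for illustration; a real run would feed
// Common Crawl records through tally() unchanged.

// Match the method call, not mere mentions of the word in prose.
const ENABLE_PRIVILEGE_RE = /\benablePrivilege\s*\(/;

// Rough href/src/action extractor; the URL parser does the real work.
const ATTR_URL_RE = /\b(?:href|src|action)\s*=\s*["']([^"']+)["']/gi;

function hasEmbeddedCredentials(rawUrl, base) {
  let u;
  try {
    u = new URL(rawUrl, base); // resolves relative links against the page URL
  } catch (e) {
    return false; // unparseable input cannot be a credential-bearing URL
  }
  // '@' inside a path or query does not count; only real userinfo does.
  return u.username !== '' || u.password !== '';
}

function scanPage(page) {
  const result = { enablePrivilege: false, credentialUrls: [] };
  result.enablePrivilege = ENABLE_PRIVILEGE_RE.test(page.html);
  for (const m of page.html.matchAll(ATTR_URL_RE)) {
    if (hasEmbeddedCredentials(m[1], page.url)) result.credentialUrls.push(m[1]);
  }
  return result;
}

function tally(corpus) {
  const stats = {
    pages: 0,
    enablePrivilege: 0,        // pages calling enablePrivilege
    enablePrivilegeHosts: [],  // distinct hosts doing so (intranet vs. public)
    credentialUrlPages: 0,     // pages containing at least one user:pass@ link
    credentialUrls: 0,         // total such links
  };
  const hosts = new Set();
  for (const page of corpus) {
    stats.pages++;
    const r = scanPage(page);
    if (r.enablePrivilege) {
      stats.enablePrivilege++;
      hosts.add(new URL(page.url).hostname);
    }
    if (r.credentialUrls.length > 0) {
      stats.credentialUrlPages++;
      stats.credentialUrls += r.credentialUrls.length;
    }
  }
  stats.enablePrivilegeHosts = [...hosts].sort();
  return stats;
}

// Constructed sample crawl (hypothetical hosts and content).
const SAMPLE_CORPUS = [
  { url: 'http://intranet.example/tools/index.html',
    html: '<script>netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");</script>' },
  { url: 'http://www.example.com/',
    html: '<a href="ftp://anon:guest@files.example.com/pub">mirror</a><a href="/about">about</a>' },
  { url: 'http://blog.example.org/post',
    html: '<p>enablePrivilege is mentioned in prose only, no call.</p><img src="//cdn.example.org/x.png">' },
];

console.log(JSON.stringify(tally(SAMPLE_CORPUS), null, 2));
```

Telemetry would answer the same question from the client side; the crawl approach only sees the public web, which is why the note about enablePrivilege living mostly on intranets matters for interpreting the numbers.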
Rapid Impact (aka Rapid Response) Team+ (lucas)
- proposed by jpr
- temporary (1-2 month) task forces
- likely topics
- reduce blackhole exploit kit effectiveness against firefox users (lucas)
- mostly, plugin mitigations
- plugin click to play is on track: david keeler's patches in https://bugzilla.mozilla.org/show_bug.cgi?id=711618 and https://bugzilla.mozilla.org/show_bug.cgi?id=711552
- plugin update experience -- partners / biz dev??
- identifying sites that use the exploit kit is difficult, because the exploit is reliable (or at least, when it fails, it doesn't cause a crash)
- search hijacking (abillings)
Team Embedding
- We completely reshuffled https://wiki.mozilla.org/Security/TeamEmbedding assignments
- Mobile - Ian
- Engineering meeting - 9:30-10:30 Wed (overlaps with secteam)
- Demo showcase - 1200 Wed
- web developer tools - tanvi
- 10-11 Th https://wiki.mozilla.org/DevTools
- Sync & services - dchan - tanvi also interested
- 9:15-10 on Tuesday: Services https://wiki.mozilla.org/Services/Meetings
- Normally ends before 10, mconnor has his team meeting after this
- Identity, Sync Auth Project - Sid
- 9:30-10 on Monday (Identity) https://wiki.mozilla.org/Identity/WeeklyMeeting
- B2G, WebAPI - Lucas
- Apps - curtis (involved sort of), dchan
- https://wiki.mozilla.org/Apps/StatusMeetings
- 11-12 Th weekly sync-up with infrasec
- Jetpack, Add-on SDK, Add-on builder - Dan
- Thunderbird - dveditz; gkw is interested as well
- JS - no meetings; covered pretty well by jesse / gkw / decoder
- Rust - jesse (been inactive)
- UX - tanvi, jesse interested
- 11 on Thursday
- DOM, XPConnect - no meetings, jesse is interested
- Layout, Style - no meetings, jesse is interested
- Firefox - Curtis
- Channel meeting + Triage Tue/Thu 14:00
- Dev Mtg Tue 10
- Delivery Mtg Wed 10
- Automation tools (Robocop, Marionette) - gkw, decoder are interested
- 10-11 on Mon (general ateam meeting, includes robocop)
- 10-11 on Thu (Marionette)
SecReview MediaWiki Template (curtisk)
- https://wiki.mozilla.org/Form:SecReview
- What it looks like
- Similar to the Feature Page template
- Queryable for action items https://wiki.mozilla.org/Security/Reviews/ActionItems
- Possible other uses
- Request for Review (like feature inbox)
- Much thanks to Dria for guiding me in this
- Gives us a list https://wiki.mozilla.org/Category:SecReview ( similar to https://wiki.mozilla.org/Category:Privacy/Reviews ) without having to remember to tag
- Action item for curtis: can we use this with infrasec as well? Tagging pages with [[Category:SecReview]] lets all of them be found via the category
Travel
- curtisk in MV https://intranet.mozilla.org/User:Curtisk
- Ian at INFILTRATE Conference 1/11-14 (Wed-Fri next week)
- sid on PTO Monday (1/9)
- decoder on PTO on Friday (traveling around), reachable via mail
Fuzzing at Mozilla Brown Bag (gkw)
- Possibly on Jan 30, 1PM (rescheduling as we speak)
- curtisk will cancel SecReview slot for this day
Comms (curtisk)
Blog
Contributor | Week Of | Topic
---|---|---
curtisk | 9-Jan-2012 |
decoder | 23-Jan-2012 |
sid | 6-Feb-2012 |
BrownBag
- Feb- Imelven
Lightning talk
Contributor | Month Of | Topic
---|---|---
dveditz | Jan |
Sid | Feb |
Crypto code
- decoder met with Kai Engert in Berlin (around CCC)
- According to him, PSM and NSS need more developers; e.g. better APIs are needed