Security/Meetings/2012-01-25

From MozillaWiki

[sg:want] detritus (curtisk)

  • https://bugzil.la/OPEN+sw%3A%22%5Bsg%3Awant%22 (233 bugs at the moment)
  • Triage and pare down this list?
  • There are too many of them and many may be old and no longer valid
  • could be used as a way to engage community in security activities
    • these could be 'good first bug' candidates
  • curtisk & abillings to look at this further

In-browser fuzzers on Android (decoder)

  • Wrote proof-of-concept Python code that can run our in-browser fuzzers (jsfunfuzz, domfuzzer, etc.) on remote Android hardware in Fennec. If you want to play with this, let me know.

Mozilla CTF (decoder)

openwebapps API permissions (dchan)

services work week (dchan)

  • need more people

Security blog

  • Announcements vs engaging community and security researchers
  • Lucas spoke with Shannon

Team Shuffle (lucas)

  • Security assurance. This group will be responsible for security reviews, testing, and fuzzing of both client apps and web apps (whose boundary is blurring).
    • Managers: coates overall, dveditz for the “mostly app sec” people, and yvan managing the “mostly web app sec” people
  • Security engineering. This group will be responsible for implementing feature roadmaps.
    • Managers: lucas overall, sid (privacy group)
    • Public meetings, IRC, and mailing lists :)
  • “This meeting” goes away? (Nooo :()
  • secteam@ goes away, it's not the right group for any discussions
  • Lucas continues to report to Damon
  • Seating
  • Team Embedding - long term transition
  • mcoates / curtisk taking on privacy reviews and process

Travel

  • decoder will be in SF from 6th to 11th February \o/
  • curtisk in SF 6-Feb to 11-Feb \o/