Security/Meetings/SecurityAssurance/2014-02-18
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [Jesse] Self-XSS through developer tools (e.g. recent attacks against Facebook users)
  - https://bugzilla.mozilla.org/showdependencytree.cgi?id=dev-self-xss
  - Jesse is pushing for making users check a box indicating they understand what's going on -- perhaps labeled "Allow malicious scripts I paste to take over my _facebook.com_ account". https://bugzilla.mozilla.org/show_bug.cgi?id=971613
  - The more dangerous case of executing JS against chrome is being partially fixed in https://bugzilla.mozilla.org/show_bug.cgi?id=922161
  - Devtools people prefer a light first-run notification and a way for Facebook to opt into extra protection.
  - Possible action item: reach out to Facebook? This person from Facebook is behind the self-XSS help pages on facebook.com: http://steike.com/ according to http://stackoverflow.com/questions/21692646/how-does-facebook-disable-browsers-integrated-developer-tools
- Mountain View seating
  - Major move happening on March 14
  - Engineering, QA, and security will be on the second floor
    - Dan's team likely on the west side of the second floor ("sci-fi titles" area)
  - Security assurance together? Doug's team together? Each security team sit near the development teams they interact with (e.g. JS/DOM)?
  - OpSec will be downstairs with IT
- [freddy] exciting new HTML sanitizer project, DOMPurify
  - approach: use the browser's own DOM parsing via JavaScript
  - demo: http://cure53.de/purify
  - code: https://github.com/cure53/DOMPurify
- [yvan] pwn2own competitive program?
- [gkw] PSA: Recent Mac nightlies very unstable, easily-reproducible Zimbra crashes
  - https://bugzilla.mozilla.org/show_bug.cgi?id=928168
- We should be blogging about our bounty program (i.e. highlight all the differences decoder just raised)
  - ++ [curtis & rforbes have bits to blog about]
  - e.g. highlight the fact that we don't want a PoC
  - give better credit
  - [curtis] schedule a meeting to talk about how we can raise our visibility
- HITB Haxpo
  - http://haxpo.nl/hitb2014ams-hackweekday/
  - Organising Dhillon to talk to interested people
  - Still looking for leads for sponsorship (halp?!) Robyn Chau [ygjb - I suck.. I was supposed to intro the two of you - all good, I got an email from her. I need to raise a bug, am doing it at the moment]
  - mgoodwin would like to be there. Happy to present, etc. May bring robots also.
  - freddyb, happy to present/showcase/talk/babysit :)
  - decoder would like to be there (I'm regularly at HITB AMS)
  - arroway for whatever needs to be done
- Security Reports
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
Planned Blog Posts
- https://security.etherpad.mozilla.org/sec-blog-brainstorm
- adamm has a draft up, needs mgr approval
- volunteer for next ?
Security Review Status (curtisk)
- Completed in Q1: 23
  - https://security-review-statistics.vcap.mozillalabs.com/weekly
Metrics
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
- Self-XSS and similar - discuss ;)