Security/Meetings/SecurityAssurance/2014-06-17
From MozillaWiki
- Time: (Weekly) Tuesday at 13:30 PDT / 16:30 EDT / 21:30 UTC.
- Place: Mozilla HQ, MTV 217 Star Trek
- Phone (US/Intl): 650 903 0800 x92 Conf: 95217#
- Phone (Toronto): 416 848 3114 x92 Conf: 95217#
- Phone (US): 800 707 2533 (pin 369) Conf: 95217#
Agenda
Hosted by Appsec
- curtis: Metrics
- https://people.mozilla.org/~sarentz/p/dashboard/#!/
- [curtisk] This site replaces the "Stale bugs" weekly whine mail. Check it regularly please.
- [jesse] I'm supposed to type my Bugzilla password into this sketchy URL?
- [sarentz] You can sorta check with devtools that it's client side. Or trust me -- I already have access to most of the same bugs you do :)
- You could also run it locally from a GitHub clone: https://github.com/st3fan/moz-dashboard
- [curtisk] New mentoring tags
- When marking bugs as [good first bug], you should now include your email address (?)
- Aabha: Bug bounty Hall of Fame
- We plan to put more metadata (such as who the bounty was awarded to) in the *attachment description* to make this more toolable
- Test instances for Bugzilla and Mozillian have been deployed.
- Able to fetch the required info from both Bugzilla and Mozillian DB
- piyushw: Booting up with Angular JS, experimenting with Minion Code
- dchan - Shumway
- https://people.mozilla.org/~dchan/html5/template.html?full#slide0
- https://github.com/mozilla/shumway/tree/nat
- Written in TypeScript. Types are checked statically, then the type information is removed as it is converted to JavaScript to run in the browser.
- [Jesse] I hope we're not planning to support the intentional security holes in Flash, such as the ability to set the clipboard
- At least two quarters from launching
- Won't be sandboxed the same way as new versions of Adobe Flash Player, but there is also less room for memory safety issues, because most of it is implemented in JS / TS / AS.
- https://etherpad.mozilla.org/shumway-security-testing
- [Jesse] Who has found Flash security policy bugs in the past? Have we invited them to poke at Shumway?
- [freddyb] I worry about capability leaks due to differences between the web and Flash security models (in particular, because embedding a Flash file and embedding a script are supposed to have different meanings)
- Should we run a special bounty, like we did for pkix?
- [joe] Introducing GENE WOOD. Welcome to the OpSec team! "gene" on IRC.
- sec-champs now has a mozillians group