Security/Meetings/2012-01-18

From MozillaWiki

Click-to-play Plugins (keeler)

Meeting time

  • meeting time
    • possible solutions
      • Meeting is at a good time AUS every 2 weeks (10 AUS/15 PST/18 EST/00 GER), and a good time GER every other 2 weeks (10 GER / 01 PST/ 04 EST/19 AUS)

(16 GER/07 PST/10 EST/

  • [decoder] Would be fine with a permanent 00 slot for Germany. Most of the time I'm awake then anyway.

This etherpad

  • Move to https://security.etherpad.mozilla.org/ and make public only after the meeting? It's weird to have to ask whether something is public before typing it at all.
    • consensus is the open etherpad is fine for team meetings

Openwebapps (dchan)

Team Embedding

  • In general, one main point of contact for each area.

https://wiki.mozilla.org/Security/TeamEmbedding#Who_is_embedded_where.3F

  • If you're on the list, you are accountable to be point for this team (they should know you and contact you with security needs)

Mobile Security Testing (decoder)

  • Doug and Brad from mobile team added more information to https://etherpad.mozilla.org/mobile-security-testing (Thanks to imelven for pinging them on this)
  • If you're looking for stuff to test/review on mobile that isn't covered by FF on desktop, this list should help
  • If you know about something mobile specific that isn't covered on desktop, add it there :)

(Mobile) Fuzzing Meeting after this meeting (decoder)

Fuzzing on VMs (gkw)

  • Some work on getting fuzzing (jsfunfuzz) on a WinXP VM, with a Mac Lion host.
    • With the refactoring done last week, it is now much easier to do so.
  • Not mathematically measured, but single thread perf seems to take a 2x - 4x hit. (VM was set to dual core, 3Gb RAM)
  • autoBisect disabled for WinXP due to problems with spaces in directories
    • Temp directory is in Documents and Settings, the spaces of which break pymake

Mobile and shipping Fennec Native 1.0 (imelven)

  • elancaster has asked 'what does mobile need to do security-wise to ship 1.0 of the Fennec Native UI build?'
  • meeting with her at 2 pm today to discuss
  • would be great to have some solid answers to give her
  • imelven currently thinks: not too much - I am tracking bugs/doing code reviews of some pieces
  • there are outstanding issues from XUL fennec like geolocation prompting and sdcard usage, but these shouldn't stop native fennec
  • looking for input from the rest of the team if there are reviews people feel we still need to do or questions we would like answered

Security Questionnaire PoC (decoder)

  • Available at https://users.own-hero.net/~decoder/secreview/
    • Radio Button triggers further questions
    • Submit button doesn't do much yet (will soon send an email with results)
    • Questions for web services (when answering "No" to first question), not fully included yet. Answering "No" there brings the questionnaire more into infrasec area, ping them about it?
  • Feedback appreciated
  • Next steps:
    • get feedback from previous secreview participants
    • if possible have them use the form as if it were actually being used
    • questions about usage, what they like, what they don't like, etc

Blog Post Draft (decoder)

  • Covers ASan and Clang Static Analysis
  • Provides unofficial ASan builds for Linux and static analysis results (both on p.m.o)
  • Feedback appreciated
  • planned publish 24-Jan

Aurora/Nightly Updates on mobile (imelven)

  • update.xml is downloaded over SSL
  • APK (android package) is signed by us but downloaded over http
  • app needs to have same signature as app it's updating, but there's a possibility it could be another signed app that would then be installed (but not replace existing fennec)

  • ideas :
    • download hash over SSL, check hash against downloaded APK
    • check signature is same as installed fennec - blassey isn't sure Android APIs can do this
    • seems like a bug should be filed - imelven thinks this is sg:moderate
  • thoughts?
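The first idea above (hash carried in the TLS-fetched manifest, checked against the HTTP-fetched APK) as an added Python example; this is not Mozilla's code. The manifest mimics the patch attributes of Firefox's update.xml (hashFunction, hashValue, size), while the APK bytes, URL and hash are constructed; the second idea (comparing the APK signer to the installed Fennec) needs Android package APIs and is not shown.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed stand-in for an APK fetched over plain HTTP (hypothetical bytes).
APK_BYTES = b"PK\x03\x04 constructed stand-in for a Fennec nightly APK"

# Constructed update.xml. hashFunction/hashValue/size follow the real Firefox
# update manifest; the URL is made up and the hash is derived from APK_BYTES so
# the happy path verifies. In practice this document must arrive over TLS.
MANIFEST = f"""<?xml version="1.0"?>
<updates>
  <update type="minor" version="12.0a1">
    <patch type="complete" URL="http://example.invalid/fennec.apk"
           hashFunction="SHA512"
           hashValue="{hashlib.sha512(APK_BYTES).hexdigest()}"
           size="{len(APK_BYTES)}"/>
  </update>
</updates>"""

# Assumption: only strong digests are accepted; MD5/SHA-1 manifests are refused.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}

def parse_manifest(xml_text):
    """Return (url, hash_function, hash_value, size) from the trusted manifest."""
    patch = ET.fromstring(xml_text).find("./update/patch")
    if patch is None:
        raise ValueError("manifest has no <patch> element")
    return (patch.get("URL"), patch.get("hashFunction"),
            patch.get("hashValue"), int(patch.get("size", "-1")))

def apk_matches_manifest(apk_bytes, hash_function, expected_hex, size):
    """True only if the untrusted download matches the manifest's size and digest."""
    algo = (hash_function or "").lower()
    if algo not in ALLOWED_HASHES:
        raise ValueError(f"unsupported hashFunction: {hash_function!r}")
    if size >= 0 and len(apk_bytes) != size:
        return False  # cheap early reject before hashing
    digest = hashlib.new(algo, apk_bytes).hexdigest()
    # constant-time comparison; manifests may carry upper-case hex
    return hmac.compare_digest(digest, (expected_hex or "").lower())

def should_install(manifest_xml, downloaded_apk):
    """Gate the install: the TLS manifest decides, the HTTP download is verified."""
    _url, hash_fn, hash_val, size = parse_manifest(manifest_xml)
    return apk_matches_manifest(downloaded_apk, hash_fn, hash_val, size)
```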

XSS Filter (imelven)

since both IE and Chrome have XSS protection and Firefox does not.

  • asked riccardo to ping jst to see if anyone other than mrbkap can do the review or get started reviewing the patch to move it along
  • sid & ian will talk to jst

Any other business

  • gkw upcoming PTO
    • Away Friday Jan 20 - Wed Jan 25 night inclusive
    • Hope to be back Jan 26.

Communications (curtis/abillings)

Blog

Contributor | Week Of     | Topic
decoder     | 23-Jan-2012 |
sid         | 6-Feb-2012  |

BrownBag

  • Jan: gkw - Fuzzing @ Mozilla, 30-Jan 1PM
  • Feb: imelven
    • ideas? still looking for ideas.

Lightning talk

Contributor | Month Of | Topic
dveditz     | Jan      |
Sid         | Feb      |

Recent Security Reviews