Security/Meetings/2011-08-10

Black hat & def con debrief

• Several of us have posted notes at Security/Conferences/BlackhatDefcon2011. Keep them coming.

SF office

• Ian and Lucas will be in SF starting next week. (Ian is on PTO Mon-Wed next week)

Meeting times

• Moving from Wed 2pm to Wed 10am (starting next week?)
  • Had to be moved in order to accomodate team members in Europe.
    • Jesse tried, unsuccessfully, to bribe Christian into accepting a midnight-in-Europe meeting in so that Jesse wouldn't have to get up early.
  • 11am slots are full, noon slots are lunch.

Team reorganization

• Many of us will no longer report to Lucas directly.
• Lucas would like to continue having 1-1s with everyone, but less frequent 1h meetings.
• This is official; update your phonebook entry.
• Names of the subteams are subject to change.

New subteams

• Sid Stamm: Privacy team gets to manage a team of himself
  • more to come
  • Happy to take nominations for victims help
  • Q4 goal: clone Sid
    • Does this have to be a high fidelity copy?
• Brandon Sterne: “Security Research & Testing” team
  • Christian Holler (decoder)
  • Jesse Ruderman
  • David Chan
  • Gary Kwong - moving to MV
  • Christoph Diehl
• Dan Veditz: "Security of Releases" team
• Ian Melven - security features (also has hopes of working on privacy features too)
• Curtis - more of the same

Prioritization

• What follows critsmash, putting the authority and accountability where it should be? This will be a long discussion in a future meeting.
• Brandon is going through sg:want and sg:low bugs, ...

Full screen

• https://bugzilla.mozilla.org/show_bug.cgi?id=545812
• https://wiki.mozilla.org/Platform/Features/Full_Screen_APIs
• https://wiki.mozilla.org/Gecko:FullScreenAPI#Jesse.27s_concerns
• Lucas: if it's just about matching Flash, we should match Flash's use cases with similar security, and discuss other use cases (games?) separately.
• Lucas: in order to give useful feedback from the security perspective, we'd like to know why this feature is desired
• [curtis] schedule a larger conversation with the feature team to discuss

Plugin installation and update

• Plugin update
• Plugin opt-in
  • https://wiki.mozilla.org/Opt-in_activation_for_plugins
• “How do we affect the rate of plugin use?” is out of scope for the security team

SSL certificates

• Brian Smith will be on a panel on Friday at USENIX Security Symposium 2011
  • Panel title: “SSL/TLS Certificates: Threat or Menace?”
  • Likely topics of discussion: Moxie's proposal, DNSSEC, CA root inclusion policy
  • Weighing pros/cons of various schemes and whether they conflict or can be composed (work together)
  • Lucas recommends the theme: "flexibility of trust"

Malware

• Cheng: What can we learn from malware reports that come into support.mozilla.com?
  • Jesse: Are we likely to learn anything other than "socially engineered installation of malware" (so we should fix https://bugzilla.mozilla.org/show_bug.cgi?id=662819 and improve the web platform) and "plugin exploits" (so we should do https://wiki.mozilla.org/Opt-in_activation_for_plugins and improve the web platform)?
• Chofmann: should we work with anti-virus vendors, giving them more browser APIs and access to our crash data, so they can block things faster and with more reliability?
  • [lucas] will look further into this