Security/Meetings/2011-10-12
Derp
- 15-20 minutes spent on calendaring & videoconferencing fails
NonFeature
- criteria & metrics (lucas mail)
- stuff that is not a "sec bug" is also part of this (sg:want)
- Lucas has discussed with Blizzard
- Top-down prioritization of security vs performance etc is not necessary (?)
- We should have a process that works even if individual bugs aren't given precise priorities.
Should we use modified DREAD? [curtis]
- DREAD
- Curtis's proposal: https://wiki.mozilla.org/Security/DraftDREAD
- Estimation of “Reproducibility” / “Reliability”, “Exploitability”, and “Discoverability” is difficult and probably not worth the time. Security researchers will prove you wrong.
- That leaves “Damage” and “AffectedUsers”, which we already use. (We focus on Damage, but allow AffectedUsers to drop down a level.)
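Worked example of the two rating schemes discussed above, added here and not taken from the meeting notes or from the DraftDREAD page: it scores a constructed bug under classic five-factor DREAD and under the reduced Damage-plus-AffectedUsers rating, then re-scores it after a researcher "proves you wrong" on Exploitability and Discoverability. The 0-10 factor scale, the Damage thresholds, the "few users" cutoff and the mapping onto the sg:critical/high/moderate/low keywords are assumptions made for this example.

```python
"""Added example: classic DREAD versus the reduced Damage + AffectedUsers rating."""
from dataclasses import dataclass, fields

# Severity levels, highest first. The sg:* names are Bugzilla keywords; the thresholds
# used to map a Damage score onto them are assumptions for this example.
LEVELS = ("sg:critical", "sg:high", "sg:moderate", "sg:low")


@dataclass(frozen=True)
class Rating:
    """One DREAD assessment; every factor is scored 0 (none) to 10 (worst). Assumed scale."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        for f in fields(self):
            v = getattr(self, f.name)
            if not 0 <= v <= 10:
                raise ValueError(f"{f.name}={v} is outside the 0-10 scale")


def dread_score(r: Rating) -> float:
    """Classic DREAD: the mean of all five factor scores (0.0 .. 10.0)."""
    return (r.damage + r.reproducibility + r.exploitability
            + r.affected_users + r.discoverability) / 5


def level_from_damage(damage: int) -> str:
    """Damage alone picks the severity level (thresholds are assumptions)."""
    if damage >= 8:
        return "sg:critical"
    if damage >= 5:
        return "sg:high"
    if damage >= 3:
        return "sg:moderate"
    return "sg:low"


def reduced_rating(damage: int, affected_users: int, few_users_threshold: int = 3) -> str:
    """Reduced scheme from the notes: Damage sets the level; a small affected population
    may drop it by at most one level, never below the lowest level."""
    level = level_from_damage(damage)
    if affected_users < few_users_threshold:
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level


def compare(original: Rating, revised: Rating) -> dict:
    """Show how each scheme moves when the hard-to-estimate factors are corrected."""
    return {
        "dread_before": dread_score(original),
        "dread_after": dread_score(revised),
        "reduced_before": reduced_rating(original.damage, original.affected_users),
        "reduced_after": reduced_rating(revised.damage, revised.affected_users),
    }


if __name__ == "__main__":
    # Constructed sample: memory-safety bug rated by the triager as hard to exploit and
    # hard to find, then re-rated after a researcher publishes a reliable exploit.
    first_guess = Rating(damage=9, reproducibility=2, exploitability=2,
                         affected_users=10, discoverability=2)
    after_disclosure = Rating(damage=9, reproducibility=9, exploitability=9,
                              affected_users=10, discoverability=9)
    for k, v in compare(first_guess, after_disclosure).items():
        print(f"{k:15} {v}")
```

Under the full scheme the same bug moves from a middling 5.0 to 9.2 once the guessed factors are corrected, while the reduced rating is sg:critical both times, which is the point made in the notes: the factors that researchers routinely overturn add volatility, not information, so rating on Damage and letting AffectedUsers adjust by one level is more stable.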
Security bug analysis [curtis]
- Goal: explain to the entire project why it's important to fix security bugs quickly, even if they were reported privately
- Looking for responses to email titled "Security bug analysis"
- non-parallelizable resources (devs, reviewers)
- bugs per developer
- time for 0-day fix > working on getting this data
- review gap ?
Evangelizing security topics [curtis]
- Blog posts, brownbags, MDN articles
- https://developer.mozilla.org/en/Security could use work
- working on more evangelism / discussion
- Who is willing to talk about what?
- [sid] privacy and you™ (privacy design + reviews + documentation in your design/dev cycle)
- [imelven] willing to work on MDN docs, would welcome ideas on topics
- Brainstorming
- Securing your Firefox extensions
Security reviews
- triage later today (go through feature list and decide what needs review)
PTO / Travel
- Curtis PTO Oct 14
- Curtis in MV Oct 17-22
- Sid PTO Oct 13-14
- dveditz PTO Oct 24-28
- Jesse's birthday Oct 13 Happy Birthday! ♫HBTY, HBTY, HBDJesse, HBTY♫
- Ian at the Toronto office all next week for Mobile Work week; will also meet with Stefan on Pancake and Ehsan on mobile private browsing; will probably skip most reviews/meetings except for interviews and the Mobile Safe Browsing backend review
"Big Changes" to address the CA problem
- what is our appetite for making changes?
- whose buy-in do we need to be able to move forward?
- Should we just add an extension point for now and let researchers experiment? Or should we champion one possible solution?
- Some of the people who could help implement the extension point would prefer that we choose a solution, but we haven't chosen one, so nothing is happening? :(
- Perspectives, Convergence, Langley(?)
- bsterne will set up another meeting (public?) to discuss this in more detail. Let's invite Blizzard.
Feature push / product
- Anyone who wants to help drive a sec/privacy feature: see Sid
- Product is interested in picking some up, but needs better specs/designs in feature pages
- Sid can help you see that a feature gets picked up and shipped, if you're willing to spend time pushing it.
- What does it mean to "push" it? How much work is that committing to?
- depends on the feature (some are simple, some need spec work)
Integer overflow (Jesse)
- Jesse is in contact with John Regehr regarding https://bugzilla.mozilla.org/show_bug.cgi?id=633560
Soft-blocking vulnerable plug-ins
- Should we softblock versions of plug-ins that are both known-vulnerable and old? Perhaps using the criteria of what's being widely exploited? {bug?} (several exist on various plugins)
- Some data for plugin exploitation: http://cm-fs01:8088/malinspect/search/?src=mdl&malwareinfo=exploit&exacturl=1 (moco + MPT only + s-g)