• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• [coates] Goals Q2 - https://security.etherpad.mozilla.org/2012-q2-goals
• [coates] Blogs
• [curtisk] Extend BZ tag change over to 9-Apr?
• [curtisk] discuss how privacy review work

Second Half

• [decoder] Black Hat Europe Recap
  • In short: Few interesting talks, but those were worth it
  • Met Vincenzo Iozzo (who broke FF in Pwn2Own) and Dan Guido, talked about security strategies for Firefox in the future: In short, need much more focus on mitigation
  • Derived action points from talks:
    • B2G/Appstore: Think about our verification model, how to prevent malware from reaching Appstore
    • Mobile: Inspect our use of the Android Crypto API, ensure we're doing it right
    • Mobile: Audit Fennec for possible cross application attacks (e.g. using Mercury)
    • Password Manager: Check how our master password is protected (how many key derivation rounds, what encryption).
      • Uses secret decoder ring rot13((3DES + ??x PBKDF2?))
      • http://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/
      • http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsSDR.cpp
      • http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/pk11wrap/pk11sdr.c#199
• Crossing the U.S. border with encrypted devices:
  • https://media.blackhat.com/bh-eu-12/Hofmann/bh-eu-12-Hofmann-Defending_privacy_Border-WP.pdf
  • https://media.blackhat.com/bh-eu-12/Hofmann/bh-eu-12-Hofmann-Defending_privacy_Border-Slides.pdf

Project Updates

Static Analyzers

• coverity is already scanning Firefox; we are getting access to the results
• HP is going to induct Firefox (and other stuff) into their Open Scan project

DevTools

• On the DevTools work week; getting lots of info on product stuff, esp the new debugger. Tanvi and I presented some thoughts on how devtools can help webdevs do the right thing with security - slides here: http://people.mozilla.org/~mgoodwin/devtools_ideas/ - which was well received.

Pancake

• they want this running for moco users by end of Q1. I'm still doing frontend testing - I have a big TODO list for pancake but even if I find / fix things, it's unlikely they'll be in before the M1 release (moco users).
• [dchan] there are plans to replace Fx Home with pancake

BrowserQuest

• for release at the end of this week. I'll be closing out this review tonight. No issues beyond casual cheating (local storage hacks). Game server is far more robust than previously tested versions.

JavaScript

• [decoder] Started fuzz testing of IonMonkey on ARM architecture (emulated), found some bugs already
• [decoder] I'd like to have dedicated linux ARM hardware for JS shell fuzzing (in addition to Android ARM devices)
  • We should have machines that are up-to-date, old nvidia tegra arm boards are apparently no longer produced
• [gkw & Jesse] Major revamp of fuzzing harness happening these weeks
  • To prepare for eventual open sourcing of tools
  • Will aid moving jsfunfuzz to releng hardware

Program Management

• Triage Meetings are now weekly on Wed at 1600 PDT (was biweekly)
• Tag Merger page updated per meeting yesterday https://wiki.mozilla.org/Security_Severity_Ratings/Merge
  • need to add items to track queries that need changing
• Planning a lightning talk on the changes for 26-Mar-2012

B2G

• SMS reviews under way