Security/Meetings/SecurityAssurance/2012-07-31

From MozillaWiki


  • Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
  • Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
  • Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
  • Phone (Toronto): 416 848 3114 x92 Conf: 95316#
  • Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

Security Review Status (koenig)

  • Completed in Q3 2012:
  • Number of Reviews Completed (so far this quarter):
  • Number of Outstanding Reviews:

Operations Security Update (Joe Stevensen)

  • No update this week

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

  • contacts api review was yesterday
    • not much interesting, a lot of talk about permissions model

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

  • Secreview for 776208 this Friday (though nothing mobile specific)
    • plugin extension for content previews

Sync (Simon Bennetts & Adam Muntner)

Services (Simon Bennetts & Adam Muntner)

Social - Pancake (Mark Goodwin)

  • Pancake is in review again for Apple App Store (or was yesterday; no news yet)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

  • IonMonkey now aiming to land in Fx18 (not in ESR)
  • Decompiler being removed from the JS engine, replaced with something simpler \o/

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

  • [decoder] AddressSanitizer now green on most tests for Linux (mochitest-o still has failures to investigate).

Web Developer Tools (Mark Goodwin)

  • Working on Tanvi's "page report" idea - will explain more at the SecAsslathon in London

Networking (Christoph Diehl)

  • Working with cjones on a Gecko integrated IPC fuzzer.

Graphics (Christoph Diehl)

Networking (Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

  • no update

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

  • No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune)

Other

  • mgoodwin is on PTO next week

Stuff kang liked at blackhat/defcon (slides available @ fs2/Public/Security/Opsec):

BlackHat/Defcon

  • ARM exploitation talk - in contact with the speaker; they give courses and it looked pretty good. Others in Security Assurance (Fennec! FirefoxOS! ;) may be interested
  • NFC exploits talk
    • Shows that the Android sandboxing via kernel capabilities is effective, as well as using Java (= bounds checking)
  • DDoS talk - we know most about this, but we aren't blocking all that well. Have a bug with a rate-limit "request" for download.mozilla.org this week. Note that DDoS via TCP exhaustion and the like is very common, according to the talk
  • TPM talk - that was interesting. Some comparisons with ARM TrustZone, although TZ is actually much more powerful (the author had only TPM experience)
  • IPv6 talk - mentioned the IP range banning issue, which caught my ear: too many IPs to ban. It is true and we're not really caring for that yet, but we will have to eventually. Rate limiting may have the same issue the way we do it atm. I'm thinking per-IP rate limit *and* bad-network rate limit on top (cumulative), but it's hard to say if that's sufficient
  • Dan Kaminsky scanrand (v3) talk - he made a new version; it's apparently faster by bypassing the kernel and just sending raw SYNs without caring for replies (server handles state!), but I was disappointed with scanrand 2, which had similar features. Something to check
  • Talk about ICANN/Government control/Lobbies vs us and Internet freedom as we know it. Interesting. One speaker suggested regularly reminding authorities how dangerous this could become, without pissing them off (which would lead them to create laws for the lobbies and against our freedom)
  • Had great feedback for a system-wide correlation mechanism similar to network NSMs + correlation. This one could be huge.
  • Badges/boards of Defcon are very cool!
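The layered limiter sketched in the IPv6 note above (a per-IP limit plus a cumulative per-network limit on top), as an added illustration that is not part of kang's notes or of any Mozilla infrastructure; the /24 grouping, the limits, the window length and the sample addresses (from the documentation ranges) are all assumed values.

```python
import ipaddress
from collections import defaultdict, deque


class LayeredRateLimiter:
    """Sliding-window limiter keyed on both the source IP and its enclosing
    network (assumed /24). Every attempt is recorded in both windows, so a
    range spreading requests across many IPs trips the network limit even
    when each single IP stays under its own limit."""

    def __init__(self, ip_limit, net_limit, window_s, net_prefix=24):
        self.ip_limit, self.net_limit = ip_limit, net_limit
        self.window_s, self.net_prefix = window_s, net_prefix
        self.ip_hits = defaultdict(deque)   # ip -> attempt timestamps in window
        self.net_hits = defaultdict(deque)  # network -> attempt timestamps in window

    def _trim(self, hits, now):
        # Drop timestamps that have aged out of the sliding window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()

    def check(self, ip, now):
        net = str(ipaddress.ip_network(f"{ip}/{self.net_prefix}", strict=False))
        ip_q, net_q = self.ip_hits[ip], self.net_hits[net]
        self._trim(ip_q, now)
        self._trim(net_q, now)
        ip_q.append(now)
        net_q.append(now)
        if len(ip_q) > self.ip_limit:
            return "deny:ip"
        if len(net_q) > self.net_limit:
            return "deny:net"
        return "allow"


# Constructed sample traffic: (timestamp_seconds, source_ip).
SAMPLE_EVENTS = [
    (0, "203.0.113.10"), (1, "203.0.113.10"), (2, "203.0.113.10"),
    (3, "203.0.113.10"),   # 4th hit from one IP inside the window
    (4, "203.0.113.11"),   # new IP, same /24: under its IP limit
    (5, "203.0.113.12"),   # new IP, but the /24 as a whole is over its limit
    (6, "198.51.100.7"),   # unrelated network, unaffected
    (13, "203.0.113.10"),  # window has slid past the early hits
]


def simulate(events, ip_limit=3, net_limit=5, window_s=10):
    limiter = LayeredRateLimiter(ip_limit, net_limit, window_s)
    return [limiter.check(ip, t) for t, ip in events]


if __name__ == "__main__":
    for (t, ip), verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"t={t:2d} {ip:15s} {verdict}")
```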