« previous week | index | next week »

• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Contents 1 Agenda 2 Security Review Status (koenig) 3 Operations Security Update (Joe Stevensen) 4 Project Updates 4.1 Silent updates (rforbes / dveditz) 4.2 B2G (Paul Theriault, David Chan) 4.3 Thunderbird (Adam Muntner) 4.4 Rust (Jesse Ruderman) 4.5 Mobile (Mark Goodwin) 4.6 Sync (Simon Bennetts & Adam Muntner) 4.7 Services (Simon Bennetts & Adam Muntner) 4.8 Social - Pancake (Mark Goodwin) 4.9 Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) 4.10 JS (Christian Holler) 4.11 DOM, XPConnect (Jesse Ruderman) 4.12 Layout, Style (Jesse Ruderman) 4.13 Automation Tools (Gary Kwong) 4.14 Web Developer Tools (Mark Goodwin) 4.15 Networking (Christoph Diehl) 4.16 Graphics (Christoph Diehl) = 4.17 Networking ( Media / Codecs) 4.18 Market (Raymond Forbes) 4.19 Firefox APIs (Raymond Forbes) 4.20 Payment Flow (Raymond Forbes) 4.21 Dynamic API Security Model (Raymond Forbes) 4.22 WebRT (Raymond Forbes) 4.23 BrowserID 4.24 Identity Services (David Chan) 4.25 Addons.M.O (Raymond Forbes) 4.26 Bugzilla.M.O (Mark Goodwin & Eric Parker) 4.27 Mozillians (Raymond Forbes) 4.28 MDN (Raymond Forbes) 4.29 SUMO (Kitsune) () 4.30 Other

Agenda

• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q3+Goals
• Black Hat / Defcon 2012 wrap-up
  • No new 0-days
  • [gkw] filed bugs for Firefox OS on:
    • Full Disk Encryption implementation
      • https://bugzilla.mozilla.org/show_bug.cgi?id=777917
    • ASLR implementation
      • https://bugzilla.mozilla.org/show_bug.cgi?id=777948
• Work Week Agenda
  • Lightning Talks - who's doing one? 10-15min
  • Schedule
  • Mana Page
  • Infra mana page (see links to etherpad inside that page for the tips about how to get there etc.)
• apps workweek in mv this week
  • notes
  • agenda

Security Review Status (koenig)

• Completed in Q3 2012:
• Number of Reviews Completed (so far this quarter):
• Number of Outstanding Reviews:

Operations Security Update (Joe Stevensen)

• No update this week

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• contacts api review was yesterday
  • not much interesting, a lot of talk about permissions model

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

• Secreview for 776208 this Friday (though nothing mobile specific)
  • plugin extension for content previews

Sync (Simon Bennetts & Adam Muntner)

Services (Simon Bennetts & Adam Muntner)

Social - Pancake (Mark Goodwin)

• Pancake is in review again for Apple App Store (or was yesterday; no news yet)

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• IonMonkey now aiming to land in Fx18 (not in ESR)
• Decompiler being removed from the JS engine, replaced with something simpler \o/

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• [decoder] AddressSanitizer now green on most tests for Linux (mochitest-o still has failures to investigate).

Web Developer Tools (Mark Goodwin)

• Working on Tanvi's "page report" idea - will explain more at the SecAsslathon in London

Networking (Christoph Diehl)

• Working with cjones on a Gecko integrated IPC fuzzer.

Graphics (Christoph Diehl) =

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

• no update

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

• No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

Other

• mgoodwin is on PTO next week

Stuff kang liked at blackhat/defcon (slide available @ fs2/Public/Security/Opsec):

   BlackHat/Defcon

   Arm  exploitation talk - in contact with the speaker, they give courses and  it looked pretty good. Others in Security Assurance (Fennec! FirefoxOS!  ;) may be interested

   NFC exploits talk

Shows that the Android sandboxing via kernel capabilities is effective, as well as using java (=bound checking)

   DDOS  talk - we know most about this, but we aren't blocking all that well.  Have a bug with rate-limit "request" for download.mozilla.org this week.  Note that DDOS via TCP exhaustion and the like, are very common,  according to the talk

   TPM  talk - that was interesting. Some comparisons with ARM TrustedZones,  although TZ is actually much more powerfull (the auhor had only TPM  experience)

   IPv6  talk - mentionned that the ip range banning issue which caught my ear -  too many ips to ban. it is true and we're not really caring for that  yet, but we will have to eventually. Rate limiting may have the same  issue the way we do it atm. I'm thinking per IP rate limit *and* bad  network rate limit on top (cumulative), but it's hard to say if that's  sufficient

   Dan  Kaminsky scanrand (v3) talk, he made a new version, its faster apparently by bypassing the kernel and just sending raw syns without caring for replies (server handle state!) but.. i was disappointed with scanrand 2 which had similar features.. something to check

   Talk  about ICANN/Goverment control/Lobbies vs us and the Internet freedom as  we know it. Interesting. One speaker suggested to regularly remind  authorities how dangerous this could become, without pissing them off  (which would lead them to create laws for the lobbies and against our  freedom)

   Had great feedback for a system-wide colleration mechanism similar to network NSMs+correlation. This one could be huge.

   Badge/boards of defcon are very cool!