Security/Meetings/SecurityAssurance/2012-07-31
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/INFRASEC/2012+-+Q3+Goals
- Black Hat / Defcon 2012 wrap-up
- No new 0-days
- [gkw] filed bugs for Firefox OS on:
- Full Disk Encryption implementation
- ASLR implementation
- Work Week Agenda
- Lightning Talks - who's doing one? 10-15min
- Schedule
- Mana Page
- Infra mana page (see links to etherpad inside that page for the tips about how to get there etc.)
- apps workweek in mv this week
Security Review Status (koenig)
- Completed in Q3 2012:
- Number of Reviews Completed (so far this quarter):
- Number of Outstanding Reviews:
Operations Security Update (Joe Stevensen)
- No update this week
Project Updates
Please don't leave blank. Add "No Update" if nothing has changed
Silent updates (rforbes / dveditz)
B2G (Paul Theriault, David Chan)
- contacts api review was yesterday
- not much interesting, a lot of talk about permissions model
Thunderbird (Adam Muntner)
Rust (Jesse Ruderman)
Mobile (Mark Goodwin)
- Secreview for 776208 this Friday (though nothing mobile specific)
- plugin extension for content previews
Sync (Simon Bennetts & Adam Muntner)
Services (Simon Bennetts & Adam Muntner)
Social - Pancake (Mark Goodwin)
- Pancake is in review again for Apple App Store (or was yesterday; no news yet)
Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)
JS (Christian Holler)
- IonMonkey now aiming to land in Fx18 (not in ESR)
- Decompiler being removed from the JS engine, replaced with something simpler \o/
DOM, XPConnect (Jesse Ruderman)
Layout, Style (Jesse Ruderman)
Automation Tools (Gary Kwong)
- [decoder] AddressSanitizer now green on most tests for Linux (mochitest-o still has failures to investigate).
Web Developer Tools (Mark Goodwin)
- Working on Tanvi's "page report" idea - will explain more at the SecAsslathon in London
Networking (Christoph Diehl)
- Working with cjones on a Gecko integrated IPC fuzzer.
Graphics (Christoph Diehl)
Networking (Media / Codecs)
Market (Raymond Forbes)
Firefox APIs (Raymond Forbes)
Payment Flow (Raymond Forbes)
Dynamic API Security Model (Raymond Forbes)
WebRT (Raymond Forbes)
BrowserID
Identity Services (David Chan)
- no update
Addons.M.O (Raymond Forbes)
Bugzilla.M.O (Mark Goodwin & Eric Parker)
- No update
Mozillians (Raymond Forbes)
MDN (Raymond Forbes)
SUMO (Kitsune)
Other
- mgoodwin is on PTO next week
Stuff kang liked at blackhat/defcon (slide available @ fs2/Public/Security/Opsec):
BlackHat/Defcon
- ARM exploitation talk - in contact with the speaker, they give courses and it looked pretty good. Others in Security Assurance (Fennec! FirefoxOS! ;) may be interested
- NFC exploits talk
- Shows that the Android sandboxing via kernel capabilities is effective, as well as using Java (= bounds checking)
- DDOS talk - we know most about this, but we aren't blocking all that well. Have a bug with a rate-limit "request" for download.mozilla.org this week. Note that DDOS via TCP exhaustion and the like is very common, according to the talk
- TPM talk - that was interesting. Some comparisons with ARM TrustZone, although TZ is actually much more powerful (the author had only TPM experience)
- IPv6 talk - mentioned the IP range banning issue, which caught my ear - too many IPs to ban. It is true and we're not really caring for that yet, but we will have to eventually. Rate limiting may have the same issue the way we do it atm. I'm thinking per-IP rate limit *and* bad network rate limit on top (cumulative), but it's hard to say if that's sufficient
- Dan Kaminsky scanrand (v3) talk - he made a new version; it's faster apparently by bypassing the kernel and just sending raw SYNs without caring for replies (server handles state!) but.. I was disappointed with scanrand 2 which had similar features.. something to check
- Talk about ICANN/Government control/lobbies vs us and Internet freedom as we know it. Interesting. One speaker suggested regularly reminding authorities how dangerous this could become, without pissing them off (which would lead them to create laws for the lobbies and against our freedom)
- Had great feedback for a system-wide correlation mechanism similar to network NSMs + correlation. This one could be huge.
- Badge/boards of Defcon are very cool!
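The per-IP plus per-network rate limit sketched in the IPv6 note above, as an added example that is not from the meeting notes or any Mozilla code: a sliding-window limiter keyed by source address and by its enclosing /64 (IPv6) or /24 (IPv4), so a flood spread across many addresses in one prefix is still caught even when no single address trips its own limit. The prefix lengths, limits and window are assumptions chosen for the example.

```python
# Added example (not from the meeting notes): two-tier rate limiter that counts
# requests per address *and* per enclosing network (the "cumulative" tier).
# V4_PREFIX / V6_PREFIX and the limits below are assumed values for illustration.
import ipaddress
from collections import deque

V4_PREFIX, V6_PREFIX = 24, 64           # assumed "bad network" granularity


def network_key(ip: str) -> str:
    """Map an address to the prefix that counts as its network."""
    addr = ipaddress.ip_address(ip)
    plen = V6_PREFIX if addr.version == 6 else V4_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


class TieredLimiter:
    """Sliding-window hit counters keyed by address and by network.

    A request is rejected when either the address or its network has reached
    its limit inside the window. The network counter accumulates hits from
    every address in the prefix, which is what makes the second tier
    effective when a client rotates through many IPv6 addresses.
    """

    def __init__(self, per_ip: int, per_net: int, window: float) -> None:
        self.per_ip, self.per_net, self.window = per_ip, per_net, window
        self.ip_hits: dict[str, deque] = {}
        self.net_hits: dict[str, deque] = {}

    def _live(self, table: dict, key: str, now: float) -> deque:
        hits = table.setdefault(key, deque())
        while hits and now - hits[0] >= self.window:   # drop expired stamps
            hits.popleft()
        return hits

    def allow(self, ip: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason); reason names the tier that blocked."""
        ip_hits = self._live(self.ip_hits, ip, now)
        net_hits = self._live(self.net_hits, network_key(ip), now)
        if len(ip_hits) >= self.per_ip:
            return False, "ip"
        if len(net_hits) >= self.per_net:
            return False, "network"
        ip_hits.append(now)        # only accepted requests are counted
        net_hits.append(now)
        return True, "ok"


if __name__ == "__main__":
    lim = TieredLimiter(per_ip=5, per_net=20, window=60.0)
    # constructed traffic: 30 distinct addresses inside one documentation /64
    for i in range(1, 31):
        print(f"2001:db8::{i:x}", lim.allow(f"2001:db8::{i:x}", now=1.0))
```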