• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Goals - Please keep status up to date - https://mana.mozilla.org/wiki/display/SECURITY/2012+-+Q4+Goals
  • [mcoates] If you have goals that rely on other people, contact them this week.
• [curtisk] - SkyDogCon rundown
  • Fun, physical CTF
• [mcoates] B2G & Marketplace "Attestation of security" that a cell phone carrier requested. A lot of it is about making sure malicious software can't take over the phone. The document isn't public, but mcoates and pauljt have access to it.
• [mcoates] B2G updates. We're discussing this with bizdev. https://mana.mozilla.org/wiki/display/SECURITY/FirefoxOS-Updates
• [mgoodwin] Fennec Addons
  • See bugs: 787271 - this is where it starts ... then 794479 and 799631
  • Add thoughts to: https://etherpad.mozilla.org/5OzBXvN3af
• [gkw] Please test your B2G dogfood phone (if you have one) for security issues
  • e.g. javascript protocol was not disabled in the B2G browser ( bug 804446 )
  • at webapi meeting today they mentioned that some mochitests were running on b2g
  • [jesse] Can someone go through all the fixed Firefox frontend security bugs, and make sure B2G isn't vulnerable to the same things?
    • [pauljt] Are there tests for this? or buglist somewhere?
    • [mcoates] And go through all the security UI on the phone to make sure it isn't vulnerable to the text-choice attacks that Jesse loves to talk about?
• [jesse] consistent severity ratings
  • ASLR bypasses: https://bugzilla.mozilla.org/show_bug.cgi?id=806034
    • Jesse and dveditz argued about this for a few minutes.
  • Stopping chrome JS: https://bugzilla.mozilla.org/show_bug.cgi?id=806026
• [joes] New OpSec Engineer position
• [joes/kang] Update on SPAM/PHISHING email issues
  • Tracking bug https://bugzilla.mozilla.org/show_bug.cgi?id=807014
  • After addressing these issues, we will do a security review of Mozilla's email infrastructure
• [gkw] Will/Has Sandy affect(ed) Mozilla?
  • [michal`] somewhat, maybe some CDN nodes are down, also google's closest 8.8.8.8 went down with their NYC data center. Nothing big.
• [gkw] Still no news on MozCamp Asia 2012 paid staff attendees yet
  • Unofficial events start on 15 Nov SG time
  • About 2 weeks left, flights are very expensive and should need approval due to the short timeframe, if folks do get to go
• [stefan] update from the new guy
• Team meetup update
  • Maybe one in late Feb and another in summer (coinciding with our security conference), both in North America
• [mcoates] Goals for individual development
  • What are you enjoying, what are you not enjoying, what do you want to do more of?
  • You'll be discussing this stuff with your manager soon.

Security Review Status (koenig)

• Completed in Q4? 2012: 56
• Number of Reviews Completed (so far this quarter):19(15)
  • https://bugzilla.mozilla.org/buglist.cgi?list_id=4619884;resolution=FIXED;chfieldto=2012-12-31;query_format=advanced;chfield=resolution;chfieldfrom=2012-09-30;type0-0-0=anywords;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Number of Outstanding Reviews: 142 (144)
  • https://bugzil.la/comp%3A%22security%20assurance%3A%20review%20request%22
• Number of reviews without risk rating: 27 (27)
  • https://bugzil.la/component%3A%22Security%20Assurance%3A%20Review%20Request%22%20-sw%3A%22%5Bneeds%20info%5D%22%20-sw%3A%22%5Bscore%3A%22
• Number of reviews without deadline set: 132 (134)
  • https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=cf_due_date;query_format=advanced;resolution=---;type0-0-0=isempty;component=Security%20Assurance%3A%20Review%20Request;product=mozilla.org
• Find Yours:
  • MIssing Risk Rating (Yours)
  • Without Deadlin (Yours)

Operations Security Update (Joe Stevensen)

Project Updates

Please don't leave blank. Add "No Update" if nothing has changed

Silent updates (rforbes / dveditz)

B2G (Paul Theriault, David Chan)

• testing still broken

Thunderbird (Adam Muntner)

Rust (Jesse Ruderman)

Mobile (Mark Goodwin)

• Work is underway to provide more power to Fennec addons - do we want this? Thoughts here, please: https://etherpad.mozilla.org/5OzBXvN3af

Sync (Simon Bennetts)

No update

Services (Simon Bennetts & Adam Muntner)

No update

Jetpack, Add-on SDK, Add-on Builder (Dan Veditz)

JS (Christian Holler)

• [gkw] JS work week was last week, it went pretty well!
• [decoder] Fuzzing with ARM emulation now possible without using full VMs but rather userspace emulation (better speed and scalability).

DOM, XPConnect (Jesse Ruderman)

Layout, Style (Jesse Ruderman)

Automation Tools (Gary Kwong)

• No update

Web Developer Tools (Mark Goodwin)

• No update

Networking (Christoph Diehl)

• No update

Graphics (Christoph Diehl) =

• No update

Networking ( Media / Codecs)

Market (Raymond Forbes)

Firefox APIs (Raymond Forbes)

Payment Flow (Raymond Forbes)

Dynamic API Security Model (Raymond Forbes)

WebRT (Raymond Forbes)

BrowserID

Identity Services (David Chan)

Addons.M.O (Raymond Forbes)

Bugzilla.M.O (Mark Goodwin & Eric Parker)

• No update

Mozillians (Raymond Forbes)

MDN (Raymond Forbes)

SUMO (Kitsune) ()

AddressSanitizer (Christian Holler)

• mozilla-beta builds under ASan, soon regular builds