• Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
• Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
• Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
• Phone (Toronto): 416 848 3114 x92 Conf: 95316#
• Phone (US): 800 707 2533 (pin 369) Conf: 95316#

Agenda

• Next team meetup - in planning - Week Sept 16 - Paris
• Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdHU3a2lJRV8xckZXclZJdkNlN3dUYVE&usp=sharing
• Metrics
  • https://security-review-statistics.vcap.mozillalabs.com/
  • https://people.mozilla.com/~sarentz/p/dashboard
• Two Factor Auth Google Drive
  • Your second factor can be a phone (SMS)
  • can we get one of those token key things? (where do we get one) (YubiKey?)
• [mcoates] Map of bug filers to category (employment status, whether they focus on security)
  • Only Google Drive users who have enabled TFA will be allowed to access this spreadsheet
    • [gkw] Do we access this via the shared folder?
    • [mcoates] no - it will be a new folder
• [Jesse] Do we need (or have we done) a security reviews for productivity software popular among Mozilla employees, especially when they have cloud sync features? (Things, Wunderlist, Evernote, Google Keep, Astrid (which just got bought by Yahoo))
  • Things stores data in Google App Engine (reversed it a while ago :)
  • [mcoates] These tools aren't on the list of approved cloud stores for Mozilla data
    • https://intranet.mozilla.org/Cloud_Guidelines
  • [mcoates] So it's best if you don't use Things sync with confidential info
  • [joes] Most of these tools don't have individual-user-level encryption
• [gkw] Networking (in SCL3?) broke when I updated my Linux machine.
  • https://bugzilla.mozilla.org/show_bug.cgi?id=873710
  • [Jesse] Are we the only ones who are even trying to update machines that IT gave us?
    • [decoder] I updated mine and things were fine...
• [st3fan] Quick Minion Update
  • dogfooding beginning with two internal websites (support, input.mozilla.org - staging sites)
• [pt] XSS & innerHTML (answered below, doesnt need vocalising)
  • who knew that innerHTML wasn't idempotent (sp?)
  • http://www.slideshare.net/x00mario/the-innerhtml-apocalypse
  • anyone aware of current bypasses of this?
    • [Jesse] https://bugzilla.mozilla.org/show_bug.cgi?id=475216 was mentioned in Mario's presentation
    • [Jesse] I'm not aware of others, but I haven't been thinking about this for long.
    • [Jesse] Is there some subset of HTML, and some rule, that we could fuzz?
      • [pt] not sure about that but I can give examples
  • Does this affect our sites, Firefox OS apps, or Firefox UI use of innerHTML?

http://mxr.mozilla.org/gaia/source/apps/sms/js/fixed_header.js#57 v1.0.1 has 142 instances of "innerHTML" (though most assign from literals) Most apps use basic sanitisation routines like regexp: http://mxr.mozilla.org/gaia/search?find=%2Fapps%2F&string=escapeHTML

• [gkw] Anyone else going to Black Hat in Las Vegas?
  • incl. Codenomicon, Defcon....
  • Early bird registration for BH ends on 31 May 2013
  • Tell Abillings this week if you're going!

Upcoming Speaking Engagements

(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )

• OWASP EU Tour - The Trouble with Passwords - Bucharest, Romania June 5th (remote) (mgoodwin)
• OWASP EU Tour - Your Browser as a Security tool - Dublin, Ireland June 26th (mgoodwin)
• How To Avoid Online Security Headaches.
  • Michael Coates
  • http://sfnewtech.com/2013/05/20/5-29-how-to-avoid-online-security-headaches-with-facebook-mozilla-impermium-dhs-ars-technica/
• FTC to Host Public Forum on Threats to Mobile Devices
  • Michael Coates
  • http://ftc.gov/opa/2013/02/mobilethreats.shtm

Planned Blog Posts

• https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c

Security Review Status (curtisk)

• Completed in Q1 2013: 66

https://security-review-statistics.vcap.mozillalabs.com/weekly

Operations Security Update (Joe Stevensen)

Project Updates

Please add your name to the update so we know who to follow up with

Firefox Desktop

Firefox Mobile

Firefox OS

• [cr] opened bug to request Remote Debugging timeout https://bugzilla.mozilla.org/show_bug.cgi?id=874484
• [pt] Review! email coming...

Firefox Core

• Eyes on Jetpack / protocol handling bugs: bug 779197 and 820213, please

MarketPlace

• [cr] trying to solve the multi marketplace threat with reputation, will suggest a Meta Marketplace ("marketplace for marketplaces") concept.

Web Apps

Services

Operation Security