Agenda

I [freddy] was asked to talk briefly about the b2g-email app review, can do that.

   * starttls bug https://bugzilla.mozilla.org/show_bug.cgi?id=784816

- Choose your entree of Beef or Fish (column c)
- https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdDAyd0tvaUxmV3BkdV81aDA5UXlINkE#gid=0
[gkw] How much value of a prepaid SIM card can we expense while we're in Paris?
- We have to obtain this before we fly off to France (Le French Mobile, Orange recommended)
- [yvan] will take this on
- http://www.lefrenchmobile.com/en/data-bundles.html
- Yvan to investigate
[curtisk] Sec-Champs (meeting was today)

Agenda

Security Blog changes
- Trying to blog once a week
- Security Champions invited to contribute!
Sec Notification Process (draft) https://etherpad.mozilla.org/security-notification-process
- please give feedback
- wkg asked about how we find sites and APIs for cloning bugs when we have a large number of sites
(curtisk) Quarterly Goal for Security Champions - Roles & Responsibilities
- What we expect from champions
- How champions can make security decisions
- How champions can engage the security team
- planned structure: as a workshop for summit to be presented
Where are we with BREACH?
need to find all the sites where we might be vulnerable
https://bugzilla.mozilla.org/show_bug.cgi?id=903627
- bug is stalled a bit in IT, needs input from SA mgmt, wkg to need-info whom he thinks needs to be involved
- https://github.com/mozilla/minion-breach-plugin (checks HTTP compression, but I think we can be more aggressive and can perform actual attack with an average success; it's a tricky attack....)

Open questions

Sumo and bounties
- possible blog post on using stage to look for bounties
Adding Persona to bounty program (francios)
- email dveditz, chofmann, abillings, rforbes & myself to start discussion

</end Sec-Champs>

* https://people.mozilla.com/~sarentz/talks/ohm2013/firefoxos.pdf
* https://people.mozilla.com/~sarentz/talks/ohm2013/websecurity101.pdf

[curtisk] blog stuff below
blog ideas in communication plans document on gdocs: https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AlDw2hHXmVgCdHN3LWZTZ0hjMElPc1g2clRKb2lNN3c#gid=0
Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdGVNXzUxZkJ0WHJPNG0wMDF3ODF6REE
Metrics
- https://security-review-statistics.vcap.mozillalabs.com/
- https://people.mozilla.com/~sarentz/p/dashboard
Security Reports
- [cr] Some discussions around the SMS-OTA issue, and how it affects Firefox OS, but it's basically in the hand of radio vendors and mobile operators, and thus largely beyond our control.
  - Some background is here: https://srlabs.de/rooting-sim-cards/
[PT] Conference Plan
- Team plan for attending conferences. Get the most out of our time
- Spreadsheet in team share - add any missing conferences
- Need to follow up on AppSecUSA
[pt] campjs was GREAT https://plus.google.com/s/campjs

Upcoming Speaking Engagements

Yeuk Hon's intern presentation on Friday, 3:30 PST (see https://air.mozilla.org/channels/interns-2013/)
AppSec EU - Yvan, Simon, Freddy, Michael