Security/Meetings/SecurityAssurance/2012-07-31

=Security Review Status (koenig)=
* Completed in Q3 2012:
* Number of Reviews Completed (so far this quarter):
* Number of Outstanding Reviews:
=Operations Security Update (Joe Stevensen)=
* No update this week
=Project Updates =
Please don't leave blank. Add "No Update" if nothing has changed
==Silent updates (rforbes / dveditz)==
== B2G (Paul Theriault, David Chan) ==
* Contacts API review was yesterday
** Not much of interest; a lot of discussion about the permissions model
==Thunderbird (Adam Muntner) ==
==Rust (Jesse Ruderman) ==
==Mobile (Mark Goodwin) ==
* Security review for 776208 this Friday (though nothing mobile-specific)
** Plugin extension for content previews
==Sync  (Simon Bennetts & Adam Muntner) ==
==Services (Simon Bennetts & Adam Muntner) ==
==Social - Pancake (Mark Goodwin) ==
* Pancake is in review again for Apple App Store (or was yesterday; no news yet)
==Jetpack, Add-on SDK, Add-on Builder (Dan Veditz) ==
==JS (Christian Holler) ==
* IonMonkey now aiming to land in Fx18 (not in ESR)
* Decompiler being removed from the JS engine, replaced with something simpler \o/
==DOM, XPConnect (Jesse Ruderman) ==
==Layout, Style (Jesse Ruderman) ==
==Automation Tools (Gary Kwong) ==
* [decoder] AddressSanitizer now green on most tests for Linux (mochitest-o still has failures to investigate).
==Web Developer Tools (Mark Goodwin) ==
* Working on Tanvi's "page report" idea - will explain more at the SecAsslathon in London
== Networking (Christoph Diehl) ==
* Working with cjones on a Gecko integrated IPC fuzzer.
== Graphics (Christoph Diehl) ==
== Networking (Media / Codecs) ==
== Market (Raymond Forbes) ==
==Firefox APIs (Raymond Forbes) ==
==Payment Flow (Raymond Forbes) ==
==Dynamic API Security Model (Raymond Forbes) ==
==WebRT (Raymond Forbes) ==
==BrowserID ==
== Identity Services (David Chan) ==
* no update
==Addons.M.O (Raymond Forbes) ==
==Bugzilla.M.O (Mark Goodwin & Eric Parker) ==
* No update
==Mozillians (Raymond Forbes) ==
==MDN (Raymond Forbes) ==
==SUMO (Kitsune) ==
==Other==
* mgoodwin is on PTO next week
Stuff kang liked at BlackHat/DefCon (slides available at fs2/Public/Security/Opsec):
* ARM exploitation talk - in contact with the speaker; they give courses and it looked pretty good. Others in Security Assurance (Fennec! FirefoxOS! ;) may be interested.
* NFC exploits talk
** Shows that the Android sandboxing via kernel capabilities is effective, as is using Java (= bounds checking).
* DDoS talk - we know most about this, but we aren't blocking all that well. Have a bug with a rate-limit "request" for download.mozilla.org this week. Note that DDoS via TCP exhaustion and the like is very common, according to the talk.
* TPM talk - that was interesting. Some comparisons with ARM TrustZone, although TZ is actually much more powerful (the author had only TPM experience).
* IPv6 talk - mentioned the IP range banning issue, which caught my ear: too many IPs to ban. It is true and we're not really caring about that yet, but we will have to eventually. Rate limiting may have the same issue the way we do it at the moment. I'm thinking per-IP rate limit *and* bad-network rate limit on top (cumulative), but it's hard to say if that's sufficient.
* Dan Kaminsky scanrand (v3) talk - he made a new version; it's faster apparently, by bypassing the kernel and just sending raw SYNs without caring about replies (the server handles state!). But I was disappointed with scanrand 2, which had similar features. Something to check.
* Talk about ICANN / government control / lobbies vs. us and Internet freedom as we know it. Interesting. One speaker suggested regularly reminding authorities how dangerous this could become, without pissing them off (which would lead them to create laws for the lobbies and against our freedom).
* Had great feedback for a system-wide correlation mechanism similar to network NSMs + correlation. This one could be huge.
* Badges/boards of DefCon are very cool!
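The DDoS and IPv6 notes above describe the same gap: a per-address rate limit is cheap to evade once an attacker controls a large block (a single /64 is billions of addresses), so the notes suggest a cumulative per-IP plus per-network limit. The block below is an added example, not code from this page or from Mozilla's infrastructure, showing one way to build that: a sliding-window limiter that keeps one bucket per client address and a second per enclosing prefix, and admits a request only when both buckets are under quota. The class name `PrefixAwareRateLimiter`, the prefix lengths (/24 for IPv4, /64 for IPv6), the limits, the window and the client addresses in the demo (documentation ranges from RFC 5737 and RFC 3849) are all assumptions made for illustration.

```python
"""Prefix-aware sliding-window rate limiter (added example, not Mozilla code).

Every request is counted against two buckets: the exact client address and
the network prefix containing it. If either bucket is full the request is
rejected, so rotating through fresh addresses inside one /64 does not get
around a per-address limit.
"""
import ipaddress
import time
from collections import defaultdict, deque


class PrefixAwareRateLimiter:
    def __init__(self, per_ip_limit, per_net_limit, window_seconds,
                 v4_prefix=24, v6_prefix=64):
        # Assumed defaults: /24 for IPv4 and /64 for IPv6 (the smallest block a
        # single IPv6 subscriber normally holds). Tune these per deployment.
        self.per_ip_limit = per_ip_limit
        self.per_net_limit = per_net_limit
        self.window = float(window_seconds)
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        # key (address or network object) -> deque of attempt timestamps
        self._hits = defaultdict(deque)

    def _keys(self, client):
        """Map a client address string to (address, enclosing network)."""
        ip = ipaddress.ip_address(client)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        net = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        return ip, net

    def _prune(self, key, now):
        """Drop timestamps that have aged out of the window; return the deque."""
        dq = self._hits[key]
        cutoff = now - self.window
        while dq and dq[0] <= cutoff:
            dq.popleft()
        return dq

    def allow(self, client, now=None):
        """Return True if the request may proceed, False if it is rate limited.

        Rejected attempts are recorded too, so a client that is over quota
        keeps extending its own penalty instead of slipping through the
        moment its oldest hit ages out.
        """
        if now is None:
            now = time.monotonic()
        ip, net = self._keys(client)
        ip_hits = self._prune(ip, now)
        net_hits = self._prune(net, now)
        allowed = (len(ip_hits) < self.per_ip_limit
                   and len(net_hits) < self.per_net_limit)
        ip_hits.append(now)
        net_hits.append(now)
        return allowed


def simulate_rotating_attacker(limiter, address_template, count, now):
    """Send `count` requests from distinct addresses in one prefix and return
    the allow/deny decisions. The addresses are constructed for the demo."""
    return [limiter.allow(address_template.format(i), now=now)
            for i in range(1, count + 1)]


if __name__ == "__main__":
    rl = PrefixAwareRateLimiter(per_ip_limit=3, per_net_limit=5, window_seconds=60)
    t0 = 1000.0
    # One IPv4 client hammering: the per-address bucket stops the 4th request.
    print([rl.allow("203.0.113.10", now=t0) for _ in range(4)])
    # IPv6 client rotating through 2001:db8:1::/64: every address is fresh,
    # but the prefix bucket fills after 5 requests.
    print(simulate_rotating_attacker(rl, "2001:db8:1::{}", 7, t0))
    # A neighbouring /64 is a separate bucket and is still admitted.
    print(rl.allow("2001:db8:2::1", now=t0))
```

The per-prefix bucket is what closes the "too many IPs to ban" hole: the attacker's per-address count stays at one, but the /64 count is cumulative. The same structure extends to a third, coarser tier (for example /48 for IPv6) if a single /64 limit turns out to be too easy to spread across.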