Security/Meetings/2011-12-14
From MozillaWiki
Silent Update Post Mortem (imelven)
- should this be a separate meeting? sounds like yes.
- we will set up a separate meeting to discuss this (we can use an open secreview slot)
- paper bsmith mailed out is pretty interesting and worth taking a skim through
- Key Compromise in Software Update Systems (PDF) describes the thought process that led to the design of TUF
- imelven will send out a summary shortly
Address Sanitizer (decoder)
- Finally working, current manual at https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
- http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm
- Fast enough to do browsing with it (unlike valgrind), only a 5x slowdown
- Already found four bugs that cannot be found by valgrind
- Three were stack-based errors (of various kinds)
- One was use-after-free on heap
- Why didn't Valgrind find this?
- Might be a good idea to cc sewardj or njn about this
- Next goals:
- Get regular builds, run them with our tests (tbpl?)
- Integration into fuzzing process
- decoder plans to contact bc & tomcat
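A toy model of the shadow-memory check described on the AddressSanitizer algorithm page linked above, added here as an example (not code from the ASan project or from Mozilla). It lays out a stack frame with redzones between locals, which is what lets ASan catch the stack-based errors mentioned above: to Valgrind's Memcheck the whole frame is one addressable region, so a write that runs past `buf` into its neighbour is never flagged. Frame layout, offsets and the `copy_into_buf` helper are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define FRAME_BYTES 64                 /* one toy frame, 8-byte granules */
#define SHADOW_BYTES (FRAME_BYTES / 8) /* one shadow byte per 8 frame bytes */

static unsigned char frame[FRAME_BYTES];  /* the "stack" */
static signed char shadow[SHADOW_BYTES];  /* ASan-style shadow memory */

/* Layout the "compiler" chose (constructed): redzones around a 12-byte
 * buffer and a 4-byte int. */
enum { BUF_OFF = 16, BUF_LEN = 12, X_OFF = 32, X_LEN = 4, REDZONE = -1 };

/* Shadow encoding as in the ASan algorithm: 0 = all 8 bytes addressable,
 * k in 1..7 = only the first k bytes addressable, negative = poisoned. */
static void unpoison(size_t off, size_t len) {
    for (size_t done = 0; done < len; done += 8) {
        size_t left = len - done;
        shadow[(off + done) / 8] = left >= 8 ? 0 : (signed char)left;
    }
}

static void instrument_frame(void) {
    memset(frame, 0, sizeof frame);
    memset(shadow, REDZONE, sizeof shadow); /* everything starts poisoned */
    unpoison(BUF_OFF, BUF_LEN);             /* then carve out the locals */
    unpoison(X_OFF, X_LEN);
}

/* The instrumented fast path for one access of `size` (1,2,4,8) bytes at
 * frame offset `off`: 1 if it touches poisoned memory, 0 if allowed. */
static int asan_check(size_t off, size_t size) {
    signed char k = shadow[off / 8];
    if (k == 0) return 0;
    if (k < 0) return 1;
    return (int)((off & 7) + size) > k; /* runs past the addressable prefix */
}

/* Instrumented byte-wise copy into buf. Returns the frame offset of the
 * first bad write, or -1 if the copy fit. With n > BUF_LEN the write lands
 * in the redzone right after buf, exactly the case Memcheck cannot see. */
static long copy_into_buf(const unsigned char *src, size_t n) {
    instrument_frame();
    for (size_t i = 0; i < n; i++) {
        if (asan_check(BUF_OFF + i, 1)) return (long)(BUF_OFF + i);
        frame[BUF_OFF + i] = src[i];
    }
    return -1;
}
```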
Security Communications (curtisk)
- discuss https://intranet.mozilla.org/User:Curtisk/CommsSchedule
- goal 1 lightning talk per year, 1 brownbag per year, 2 blog posts per month to get us talking about security of some type
- [jesse] one lightning talk a month is way too much
- [jesse] if we don't have anything to say, we shouldn't be boring people with old stuff, and we really don't want to waste everyone's time (and our reputation) on a lightning talk
- [curtisk] why old stuff and I propose ppl have at least one interesting thing per year
- [jesse] the "trading" idea is almost as much a waste of time, especially if you're looking for someone to trade with
- [curtisk] group seems to think trading is not a big deal
- [jesse] we'll have much higher quality communication with a process that's driven by [having something to talk about] rather than [being given an artificial, stressful, adversarial, open-ended task based on a calendar]. We had enough of those in college.
- [jesse] counterproposal: in security team meetings, we notice things that we want to talk about, and by the end of the meeting it's clear who is going to write about it, in what medium, and when. We should talk about ASAN and choose a medium because ASAN is interesting, not because there's a time-driven schedule.
- [curtisk] this seems like a rush that would not be good for that person
- [jesse] huh? are you worried that one person would be doing a lightning talk, a brownbag, and a blog post? I don't think "all three" is going to be the most common answer to "what's the best medium for this announcement?"
- [jesse] and if you haven't said anything in public for a year, you chat with curtis or your manager about that, or people look at you more when things come up in meetings
- [curtisk] if that were true we would be doing it already as that is the current model that is not working
- [jesse] We haven't tried my proposal.
- [bsterne] talking about product is generally more interesting than talking about process (??)
- [tanvi] in a case where you don't have a topic directly related to your work, there are lots of security concepts and issues that you may be interested in and could have a brownbag or brainstorming session about (???)
- [jesse] we've been quiet because we've been behind on security features. we're not going to fix that by deciding to talk more; we're going to fix that by adding security features.
- [curtisk] as an additional option, we can find someone external to do a security talk instead of talking ourselves.
Resolution: keeping the schedule for now, can be edited. I will move the sched to https://intranet.mozilla.org/SecurityTeam:EditorialCalendar
Mobile Updates
- the nightly updater is broken - people will have to manually update to get off last night's nightly
- click to play plugins has mostly landed in mobile - the platform work here will help push the feature along on desktop - there's a pref to always/never/click-to-play for plugins
- Does this help with enforced click-to-play for outdated plugins?
- good question - it might?
- last piece (the platform code) is delayed due to current tree closure - they might try for special approval for this
- looking for people to test it!
- local db is mostly finished and should land very soon - the plan is to ship with this and probably not provide an option to use system store in 1.0 (being driven by needs of sync)
Sync Update (dchan)
- Android Sync is implementing J-PAKE (Java)
- https://bugzilla.mozilla.org/show_bug.cgi?id=705765
- This needs an implementation review - when are they trying to ship? are they trying to hit the 12/20 mobile cut off date? AFAIK yes
Fuzzing on Releng machines
- DOM fuzzer is running on pvt machines
- jsfunfuzz should be on them too, getting privs
- gkw will work this out with Jesse
ESR decision
- It seems to be a go. agreement in principle, some final details to polish up
- https://wiki.mozilla.org/Enterprise/Firefox/ExtendedSupport:Proposal
Brown Bags
- curtisk gave a brown bag about finding one's towel last Friday (which was great!)
- Neurobiology of decision making
- imelven is trying to find the moz brown bag recording
- The brown bag takes some time to get finalized, it should be somewhere on the Brown Bag page on Intranet
- gkw has scheduled "Fuzzing at Mozilla" for Jan 25, 2012, Wednesday noon
- Was first presented at MozCamp Asia
Security Questionnaire (decoder)
- As mentioned last week, we have a preliminary questionnaire that got good feedback from different people in secteam: https://intranet.mozilla.org/User:Choller@mozilla.com/SecreviewQuestionnaire
- We should make a decision as a team if this approach seems worth pursuing before any further work is done
- Can we test the questionnaire with some of the teams we are embedded in?
- Testing the whole thing requires at least a proof-of-concept implementation except if you want to evaluate it manually (face to face) with certain people
Privacy Reviews
- Opened two reviews for wider/public discussion in dev.planning a week ago: got little feedback, but will continue posting batches of reviews to elicit input