Security/Meetings/SecurityAssurance/2013-08-06
- Time: (Weekly) Tuesday at 13:30 PM PDT / 16:30 PM EDT / 21:30 PM UTC.
- Place: Mozilla HQ, 3A-All Your Base (3rd Floor)
- Phone (US/Intl): 650 903 0800 x92 Conf: 95316#
- Phone (Toronto): 416 848 3114 x92 Conf: 95316#
- Phone (US): 800 707 2533 (pin 369) Conf: 95316#
Agenda
- [yeukhon] Minion's next-generation documentation
- https://minion-yeukhon.readthedocs.org/en/latest/ (feedback, plz! <3)
- Bonus - info went out. any questions on it?
- Peach
- https://blog.mozilla.org/blog/2013/07/30/mozilla-continues-to-build-the-web-as-a-platform-for-security/
- We'll write on the security blog once we've actually released the tool and/or have some bugs to show
- press misread TechCrunch's post (which one?)
- http://www.smartcompany.com.au/information-technology/056792-firefox-os-developer-mozilla-forges-security-collaboration-with-blackberry.html
- answer: http://techcrunch.com/2013/07/30/mozilla-launches-minion-automated-security-testing-platform-collaborates-with-blackberry-to-secure-browsers/
- forwarded to Press to reach out with clarification
- Team meetup Update
- Need an owner for the schedule - yvan volunteers
- Last call for proposed sessions
- OWASP Event (Monday Evening)
- Security Researchers who found Persona bugs coming to give a talk (where?)
- Research ideas for Yeuk Hon: https://security.etherpad.mozilla.org/research-ideas
- [psiinon] Plug-n-Hack
- A project to make browsers and [web app?] security tools work better together
- "Plug-n-hack" and "Plug-n-hack contacts" added to shared drive
- Feel free to add more contacts, add comments, etc.
- [mgoodwin] BREACH and Django
- [ulfr] BREACH and Mozilla https://bugzilla.mozilla.org/show_bug.cgi?id=902114
- Goals - Please keep status up to date - https://docs.google.com/a/mozilla.com/spreadsheet/ccc?key=0AmLct3lOMM6ZdGVNXzUxZkJ0WHJPNG0wMDF3ODF6REE
- 1/3 through the quarter. Are your goals up to date?
- Metrics
- Tor bundle exploit (Sunday)
- Heated discussion on security-group touches on sandboxing; how we interact with the Tor team; ... (there is no real sandboxing on b2g, at least until 1.2. Currently shipped version is 1.0.1)
- We (and developers) scrambled to figure out what versions of Firefox were affected. Our communication during this period included https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
- Keeping up with Mozilla News
- Planet - planet.mozilla.org
- Main mozilla blog - blog.mozilla.org
- Mitchell's blog - lizardwrangler.com
- Brendan's blog - brendaneich.com
- Security Reports
Upcoming Speaking Engagements
(List it at these two locations too: https://developer.mozilla.org/en-US/events & https://wiki.mozilla.org/Security/Talks )
- [mgoodwin] OWASP Louisville 30-Aug something Firefox OS apps something (remote)
- Limerick OWASP day - psiinon on ZAP stuff, mgoodwin on Firefox OS apps stuff (28-31 Oct)
- Raymond, OWASP Canada (from Vancouver), 2013-08-07
- Yvan, Minion at VanCitySec, 2013-08-07
Planned Blog Posts
Security Review Status (curtisk)
- Completed in Q1: 64 / Q2: 72
https://security-review-statistics.vcap.mozillalabs.com/weekly
Operations Security Update (Joe Stevensen)
Project Updates
Please add your name to the update so we know who to follow up with
Firefox Desktop
Firefox Mobile
Firefox OS
Firefox Core
MarketPlace
Web Apps
Services
Operation Security
- http://breachattack.com/ (BREACH)
- we have a document that explains it as well (https://bugzilla.mozilla.org/show_bug.cgi?id=902114)