Breathing Freely Update #1

“A goal without a plan is just a wish”

Thanks for taking a look at our second update to the fundraiser!  If you can, please visit the GoFundMe page to share it on social media, or make a donation if you can!

A special shout out to the folks who have donated since the fundraiser started:
Allison Waithe, Joshua Bixby, and the other 3 anonymous donors!  Thank you for your generous donations!

Last week I reached out to a few folks to find out if there was interest in distributing respiration masks to folks in Vancouver, and there was, so this week I sourced some low-cost respirator masks, decided on a funding platform, and launched a GoFundMe campaign to raise money. I have posted on the social media platforms I used, bugged coworkers, friends, and colleagues, and we are now over 50% of the way to our initial $1,000 goal!

Along the way I have spoken to a few other organizations that will help out with distributing the masks we get, but I have also learned a fair bit more about the effectiveness and limitations of the types of disposable masks we aim to hand out. One of the folks I have been discussing this plan with also shared Preparing for Extreme Heat and Poor Air Quality Events, an information seminar on how BC and Vancouver are preparing for this year’s and future extreme weather events. The video is below, but the link to the BCNPHA above has more details about who and what the session entails.

The whole video is exceptionally informative, and worth watching, especially if you work with people who are at risk, and to know what resources are available in your neighbourhood. The information in this session was so valuable that it has resulted in a material change to how we will distribute the masks, and there will be more information on that later in this post! In the Question and Answer session at the end, the question came up around the effectiveness of respirator masks, and Dr. Sarah Henderson from the BC Centre for Disease Control provided some great guidance on the effectiveness of masks. Overall, the simple question about masks made me question the value and efficacy of donating these masks, and so I reached out to Dr. Henderson for some more information, and she took the time to have a very informative discussion with me. Based on that discussion, I have a few key take-aways to make sure the distribution of these masks is a net positive for protecting at-risk and homeless folks.

  • N95 Masks may provide a false sense of security
  • N95 Respirator Masks are not a first line of defense
  • N95 masks provide protection when properly used
  • The best protection is to remain indoors

False Sense of Security

A key point that Dr. Henderson raises is that using a mask may present a false sense of security and encourage folks who are wearing one to do things they might not otherwise do – the example she uses is wearing a mask and going for a jog, when the same person might choose to jog indoors on a treadmill instead. Dr. Henderson also discussed in brief the protection that an N95 mask provides – protection against particulate matter, but not gases and volatile organics. This one hits close to home as folks with asthma are often more susceptible to the effects of those gases.

Over and above the risks that masks can’t protect against, the masks themselves may introduce a risk – worn properly they make breathing more difficult and could prove more of a hindrance to people with respiratory problems than the actual smoke the mask would protect against.

Not a First Line of Defense

Dr. Henderson (and really, all of the awesome folks involved in the seminar) drives home that the first line of defense is making sure that people have access to cool environments, clean air, and water as a way to cope with extreme weather events. At no point in all of the efforts that the City of Vancouver, BC Housing, and the BC CDC discussed in the session were masks raised – it was brought up in question at the end of the session from one of the delegates! Overall, this portion of the Q&A period made me question the value and efficacy of donating these masks. Based on discussions with other folks in community outreach, the focus on distributing these masks is to folks who are at-risk, and those people may not have access to shelter or indoor locations with clean air. In order to make sure these donations are effective, I am revising the goal to providing the masks with the information at-risk folks need to be able to get to and use first-line defenses discussed in the session above.

Properly using an N95 Mask for protection

Both Dr. Henderson and Dr. Schwandt talk about the effectiveness of using masks, and there are a couple of items that came up. First – for masks to be effective, they have to be N95 masks; regular dust masks, surgical masks, and clothing carry all of the negatives of wearing a mask without any of the benefits. Second, once you have an N95 mask, the key variable is fit. The masks are only effective if they are worn properly, and for that to happen they have to fit correctly, and this varies with face shape, size, and features such as facial hair, etc. In order to make sure distribution of masks, we are going to get at least three different types of masks. In addition, we have reached out to the folks who are going to help distribute the masks to figure out how to deliver training on helping the recipients to effectively wear the masks for good fit.

Remaining Indoors with clean air is the best defense

A repeated refrain for all extreme weather conditions is that staying indoors is the best way to protect yourself from wildfire smoke, and this year the City of Vancouver is expanding on the availability of Cooling centres and water fountains by also providing Clean Air centres that will feature locations that have air filters deployed to make sure folks who need to have a place with clean air they can go to. In order to make sure that mask recipients are aware of this, each mask will include a card with more information. So far the goal is to include:

  • a map featuring Cooling & Clean Air centres, and water fountains
  • information about self-care during extreme weather
  • details about the benefits and risks of using the masks
  • instructions on how to wear the masks properly and care for them

Updated plan and pricing:

Practically speaking? Not much! I set out with the initial goal of raising $1,000 to provide masks for homeless people, with the goal of providing 1000 masks. The good news is that the estimated cost of getting the cards printed is approximately $150, based on the first two estimates I got. Ideally, I should be able to find better pricing on the printing. The good news is that I have been able to find reasonable pricing for masks, and even though we are ordering 3 different types of masks, we should be able to find volume savings that allow us to bring the cost for the masks low enough to cover the cost of printing the cards. At the absolute worst case scenario, we will provide approximately 850 kits rather than the goal of 1000, but

The goal is to have the design work for the information cards done this weekend, and to work with the community outreach groups distributing the kits (since it’s more than a mask now) to make sure that they have awareness of the issues with using the masks.

Our next update will probably be on Monday!

Breathing Freely

Thanks for checking out my brand new blog, I will be incorporating content from previous versions of my blog soon, but this post was more important and has a call to action - if you can, please donate to my GoFundMe campaign to get respirator masks to at-risk folks before we have more days with poor air quality.
Thanks!
Yvan Boily

As a person who suffers from Asthma, I have been to the emergency room several times due to air quality, so this summer Monique and I decided we were going to get respiration masks for the four of us. As I was looking at them I realized that four masks at $40 each is a small price to pay to make sure we can breathe for a few weeks a year, but it’s unachievable for a lot of people who are living with the affordability crisis in Vancouver. There are cheaper, disposable options, but even those can be too expensive or not enough of a priority for at-risk and homeless folks.

Inspired by posts like this one I decided that I wanted to make sure that homeless and at-risk folks have access to masks in my community. Every bit counts, but when I looked at how much I could personally commit to this, and the cost of buying masks, I realized that there had to be a better way to help out. Having seen so many crowdfunding campaigns, and buying products through them on Kickstarter and other platforms, and donating to several over the years, I decided to explore the different platforms and run a campaign to raise money. While researching this, I realized it wasn’t enough to get money to buy a large volume of masks, there are logistical challenges to getting them to a large number of at-risk folks, and especially making sure that the folks who need them can get them each day that they need them. I could hand out a few masks, but getting them to people consistently isn’t something I can do myself. I reached out to homeless shelters, and to neighborhood outreach groups, and started to build a small network of people who can help to distribute them – it turns out there is a recognized need for this, with just one group expressing a need for 200 masks to help the folks they will work with over the summer.

I did some research and found a bunch of options for acquiring low cost, single use, vented respirators, and depending on volume can get the price down to as low as $1.10 (the price goes lower, but that’s at the 10K plus units). I settled on the 3M 8511 N95 masks, but may choose a comparable product based on funds raised, and community needs to make sure we help as many people as possible.

A picture of a single use 3M N95 respirator mask

While the idea of buying a pile of single use, mostly synthetic disposable products is not ideal for the environment, they make sense for the folks who will receive them:

  • Low cost, so it is easy to replace them if they are lost, damaged, or stolen
  • Can be used more than once (I have used similar masks for contracting and home renovations)
  • Light, small, and somewhat durable if they need to be stuck in a pocket
  • Vented masks are cooler, which is important during the heat waves that are often the driver for the forest fires causing the problem

Now that I have a way to distribute them, and the means to get the product I need your help – I decided to use GoFundMe as a platform to raise the funds I need to help these people. GoFundMe allows me to withdraw money over the course of the fundraiser rather than a Kickstarter style approach that only allows us to get the money if the campaign is successful. As of this morning we have raised over $200, which means that the first masks will be ordered in the next couple of days! c, but if you can’t donate there are other ways you can help:

  • Share the campaign on social media sites like Twitter, Facebook, and LinkedIn
  • Tell your friends and colleagues about it, especially those who are socially minded
  • Ask me about how you can get involved in starting your own, similar campaign in your own community if people face similar challenges!
  • Work to reduce your carbon footprint and encourage others to be more aware!

Finally, this campaign will be running through the whole summer, and to make sure that these funds go to good use, any extra funds at the end of the campaign will be distributed to the charitable organizations that help out with mask distribution – I will be posting regular updates on the GoFundMe page to provide more information about who these are on that site once we get the masks out to folks!

Thank you so much for your time and effort in helping to promote and raise awareness of this cause!

Security @ Mozilla

I gave a talk at RMLL on July 6th on the structure and organization of the security team at Mozilla, and how we built and supported the security of websites and services across the community.

The talk can be viewed via the RMLL site, or below!

Speeding Up Security Reviews

This post is cross-posted from the Mozilla Security blog.

At Mozilla we have a strong commitment to security; unfortunately due to the volume of work underway at Mozilla we sometimes have a bit of a backlog in getting security reviews done.

Want to speed up your security review request? You can dramatically shorten the turnaround time for your security review request by providing the information below. In addition to this, we are working to expand our overall security review process documentation; you can follow those efforts here.

1. Architecture Diagram

An architecture diagram illustrates how the various components of the service communicate with one another. This information allows the individual doing the security review to understand which services are required, how and where data is stored, and provides a general understanding of how the application or service works. Producing an architecture diagram is a good practice as it allows anyone to get a rapid view of how complex a system is, and can inform how much time it will take to work through a review of the system.

Examples

Note that these are just examples; the architecture diagram is intended to help the reviewer visualize what they are assessing. It doesn’t have to be a fancy diagram, and our team has worked from camera shots of whiteboards from meetings!

2. Detailed Application Diagram

A Detailed Application Diagram is essentially a Dataflow diagram; a data flow diagram enumerates each application or service that is a component of a system, and provides a list of the paths that data can flow through. A dataflow diagram helps the security reviewer to understand how data moves through the system, how different operations are performed, and if detailed enough, how different roles within the system access different operations.

While there are a number of different opinions on the “best way” to do a DFD, it is more helpful to have the information than it is to focus on presenting the information “the right way”.

Examples

3. Dataflow Enumeration

An enumeration of data flows in the application explains how and what data moves between various components. Note that this doesn’t need to be a rigorous explanation of fields; in this case we want a general description of the message, the origin of the message (browser, third party, service, database, etc), the general contents (e.g. “description of the add-on”, “content to be shared”, etc), and a list of sensitive fields. The BrowserID Dataflow Enumeration is an excellent example.

4. Threat Analysis

The next step is reviewing all of this information to build out a list of the threats to an application. The important bit here is that you, as a developer or contributor, know how an application or system works. You know what a good set of the failure modes of the application are, and you understand the ‘business logic’ of the application. Many developers have a working knowledge of vulnerabilities, and can identify these types of issues. In order to properly perform a threat analysis a reviewer needs to understand how the various components of the system work, what threats exist, and be able to identify what mitigating controls have been put into place. Here is an example of what a threat analysis might look like (links below):

The threat analysis should contain, at a minimum, the following information:

  • ID – an identifier for the threat
  • Title – a concise description of the threat
  • Threat – a description of the threat
  • Mitigations – a recommendation for a control that can be implemented
  • Threat Agent – a list of the potential actors considered that would exploit a vulnerability
  • Notes – Related comments that contribute to the analysis, but don’t belong in other columns
  • Rating – A qualitative scoring for a vulnerability in the context of this application
  • Impact – A qualitative score representing the impact should a vulnerability be exploited
  • Likelihood – A qualitative score representing the likelihood of a vulnerability being exploited
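
A packet check along these lines can catch gaps before the request is filed. This is an added example, not Mozilla's tooling: it cross-checks a dataflow enumeration (section 3) against the threat analysis columns listed above. The dict layout, the `flows` link field, the finding codes, the Low/Medium/High scale and the sample entries are all assumptions constructed for illustration.

```python
# Added example: pre-flight completeness check for a security review packet.
# Column and field names follow the post; everything else is assumed.
FLOW_FIELDS = ("description", "origin", "contents", "sensitive_fields")
THREAT_COLUMNS = ("id", "title", "threat", "mitigations", "threat_agent",
                  "notes", "rating", "impact", "likelihood")
SCORED = ("rating", "impact", "likelihood")
SCALE = {"low", "medium", "high"}  # assumed qualitative scale


def check_packet(flows, threats):
    """Return a list of (code, subject, detail) findings; empty means complete."""
    findings = []
    for flow_id, flow in flows.items():
        for field in FLOW_FIELDS:
            if field not in flow:
                findings.append(("flow-missing-field", flow_id, field))

    seen_ids, covered = set(), set()
    for index, threat in enumerate(threats):
        tid = threat.get("id") or f"row {index + 1}"
        if tid in seen_ids:
            findings.append(("duplicate-threat-id", tid, ""))
        seen_ids.add(tid)
        for column in THREAT_COLUMNS:
            value = threat.get(column)
            # Notes may be blank, but every other column needs content.
            if value is None or (column != "notes" and not str(value).strip()):
                findings.append(("threat-missing-column", tid, column))
        for column in SCORED:
            value = str(threat.get(column, "")).strip().lower()
            if value and value not in SCALE:
                findings.append(("threat-bad-score", tid, f"{column}={value}"))
        # "flows" (assumed field) ties a threat to the data flows it concerns.
        for flow_id in threat.get("flows", []):
            if flow_id in flows:
                covered.add(flow_id)
            else:
                findings.append(("threat-unknown-flow", tid, flow_id))

    # A flow that carries sensitive fields but has no threat entry is a gap.
    for flow_id, flow in flows.items():
        if flow.get("sensitive_fields") and flow_id not in covered:
            findings.append(("sensitive-flow-without-threat", flow_id,
                             ", ".join(flow["sensitive_fields"])))
    return findings


# Constructed sample packet (not taken from any real review).
SAMPLE_FLOWS = {
    "F1": {"description": "Login form submission", "origin": "browser",
           "contents": "email address and password",
           "sensitive_fields": ["password"]},
    "F2": {"description": "Add-on listing fetch", "origin": "service",
           "contents": "description of the add-on", "sensitive_fields": []},
    "F3": {"description": "Session lookup", "origin": "database",
           "contents": "session record",
           "sensitive_fields": ["session_token"]},
}
SAMPLE_THREATS = [
    {"id": "T1", "title": "Credentials sent in clear text",
     "threat": "Login data can be read in transit if TLS is not enforced",
     "mitigations": "Enforce HTTPS and set HSTS",
     "threat_agent": "Network attacker", "notes": "",
     "rating": "High", "impact": "High", "likelihood": "Medium",
     "flows": ["F1"]},
    {"id": "T2", "title": "Listing content not encoded",
     "threat": "Add-on description rendered without output encoding",
     "mitigations": "", "threat_agent": "Malicious add-on author",
     "notes": "Check template layer", "rating": "Moderate",
     "impact": "Medium", "likelihood": "Medium", "flows": ["F2", "F9"]},
]

if __name__ == "__main__":
    for finding in check_packet(SAMPLE_FLOWS, SAMPLE_THREATS):
        print(*finding, sep=" | ")
```

An empty result means every threat row is filled in and every flow with sensitive fields is referenced by at least one threat; it says nothing about whether the threats themselves are the right ones.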

Additional information on how we assess and rate threats will be published as part of the documentation for our risk rating and security review process.

Examples:

Help us help you!

Part of determining the scope of a security review is understanding how an application works and what the risks are; the documentation described in this post helps us to understand this and will ensure that we can complete a security review as quickly as possible. Beyond that, as teams understand how security reviews are performed it gives them the opportunity to take ownership of security and build it more effectively into their own processes.

As with other Mozilla teams we are actively pursuing better community engagement and always welcome feedback.

Security Conferences are making me sad…

Over the course of my career I haven’t had the opportunity to attend many security conferences, for two reasons:

  • the organizations I worked for didn’t really support sending staff
  • I tend to be socially awkward, and have difficulty talking to people

When I started at Mozilla I was super excited about both attending and participating at conferences since not only could I actually attend them, but pretty much everything important that we do at Mozilla is done in the open! Since presenting and participating in security conferences would help me work on the social anxiety bit, and I would learn stuff, it was a huge win!

The conferences I attended several years ago left me inspired, excited, with a pile of ideas for problems to tackle, and tools to develop. The conferences I have attended in the last year have left me thinking “That was a really great rehash of stuff that has already been done to death, with a minor twist at the end.”

To a certain extent this is likely the result of the degree of advances in the field. Ground-breaking, revolutionary new attacks are going to become increasingly rare; you can read more about why here, but basically, IT Security and InfoSec is starting to mature as a research field. Another reason why is the increasing desire to extract direct value from security research; if it can’t be used for marketing, or sold explicitly in a vulnerability market, then it is a trade secret that can be rehashed as special consulting secret sauce. Coupled with the proliferation of security conferences of varying degree of quality, and the glut of “me too” presentations, I think this is going to get worse before it gets better (at least for offensively focused conferences).

Despite my concerns on this, I have continued to attend because I still want to build a better network; first, because sharing ideas and info is fun and cool, and second, because we have a bunch of neat open jobs, and talking to smart people about Mozilla’s mission and work is a great way to try to recruit people! Unfortunately this also makes me sad. At virtually every conference I have been to, it is virtually impossible for me to ‘meet people’ and ‘network’. I blame myself for this because of the reason listed above, but it is also the result of the cliquey nature of communities.

There are some exceptions to my conference malaise, and those were the BSidesSF events; even though the talks were less engaging[1] this year than they were in 2011. The BSides events were very interesting because although there were still cliques, they were easy to mix into. The groups were small, and the attitudes of people generally more positive, and everyone I spoke to was interested in chatting and getting to know people.

Rather than just complaining about it, I am going to try to do something about it. A few years ago I had the opportunity to present at a cool conference, but my employer at the time interfered. Now that Mozilla is actively promoting our mission, and supports pushing the security component, I am going to push hard to complete two distinct research projects over the next year, and aim to present the results and tools. Although either of the topics would likely be suitable for a major “mainstream” security conference such as BlackHat, RSA, (Can|Pac|Eu)Sec, I will aim to present at smaller regional conferences, or conferences that are focused on open communities such as MozCamp, OWASP, or BSides events.

My Projects

The first one builds on the Garmr tool that Mozilla released earlier this year, and will help security teams to perform low to moderate risk assessments at scale. I aim to present these application security tools at a conference in Q3 of 2012, with a tool release in late Q2 or early Q3. The focus of this tool will be implementing some of the concepts and ideas I wrote about when I joined Mozilla, with the aim to enable teams to perform security work at scale.

The second one will be an attempt to combine some of the AppSensor / Attack Aware Application work that OWASP published with some really cool new technologies to take security event monitoring in a different direction. This is a joint project with another person and will not be ready until sometime in 2013.

I hope to see people at future conferences, and will continue to chip away at building a better network and meeting people, but I really hope that shifting focus can help me to recapture some of the inspiration I used to get from the security community!

[1] YMMV! Several of the talks touched on areas I have done work in the past, so there was not much new ground covered for me.

Scaling Security

This post is cross-posted from the Mozilla Web Application Security blog.

The AppSec space is an extremely challenging field to work in, largely due to asymmetry; when you play defence you have to work to stay on top of each emerging threat, vulnerability, and development that falls into your scope. Working to protect a system or application where there is a fixed number of resources to spend on protecting a set of assets, choices have to be made about how to best spend those resources to prevent the attackers from winning. The best way to do that is by applying risk analysis techniques and focusing on the highest risk assets. Once those assets are identified, a decision has to be made about how to invest time and effort in design vs. implementation, static vs. dynamic analysis, and automated vs. manual testing. Regardless of the goal of continuous engagement within the SDLC, decisions are made based on the risk and the pool of limited resources must be split up to work towards a solid defence.

The biggest challenge is that we have a rapidly growing development community; while the security team is growing to meet our needs, we need to find better ways to scale testing and analysis to get the same results with better efficiency. Out of the gate, I am going to deal with one important issue by casually tossing it off to the side. Tooling is a really important part of the discussion, but the bottom line is that tools won’t make a difference in your organization if you don’t have the right people to use them. Good tools might help unskilled workers get good results, but skilled workers with suboptimal tools will still get great results. The adage “It’s a poor craftsman who blames his tools” sums it up neatly.

In order to scale up a team with limited resources (time, people, money), there are a number of things that can be done.

  • Threat Modeling/SDL activities are the best investment; you can fix many problems early, and eliminate extremely costly design weaknesses
  • Bug Bounties are a great way to reward the efforts of community contributors, but many contributions don’t come until the target is in production (i.e. the worst time to find bugs)
  • Automated tools for dynamic and static analysis allow you to trade time and money for results, but you still have to invest in the people to use them properly
  • Manual analysis consumes time and people; it takes a great deal of time and effort by skilled people to fix the problems
  • Training and Education requires investment of time, people, and money, and although valuable, is rarely as effective as working through threat modelling and SDL activities with your development team

Each of these types of activities is already in place in Mozilla, but there is still more we can do. We perform a great deal of manual testing because once we have reached that point in the development life cycle, it is the best way to find implementation or design issues that slipped through the cracks. One area we are investigating is how to make our manual testing and analysis repeatable and reusable.

Some things we plan to do to move in this direction include:

  • Building repeatable security test cases using tools like MozMill, Selenium, etc. where possible, and developing highly specific, but reusable guidance where it isn’t.
  • Run repeatable test cases as regression testing against apps in development and production
  • Identify high risk applications, frameworks, and components, and regularly review changes to them outside of releases and milestones
  • Investigate how to use static and dynamic analysis tools to supplement regression and manual testing to bring the best value

As we get these activities up and running, we will keep the community updated on how we are progressing.