Description
Do you ever use "gem install"? What about bundle? What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box? Much of the Ruby community blindly trusts our gems. This talk will make you second guess that trust. It will also show you how to vet gems that you do choose to use. Help us caption & translate this video! http://amara.org/v/FGfj/
Summary
In the talk titled "Hacking with Gems", presented by Ben Smith at Aloha RubyConf 2012, the focus is on the potential dangers of using Ruby gems. Smith, a Rails developer, emphasizes that many in the Ruby community trust gems without proper vetting, which can lead to serious security vulnerabilities.

Key points discussed in the presentation include:

- **Introduction to the Speaker**: Ben Smith shares his background as a Rails developer and expresses his passion for security, though he admits he lacks formal training in the field.
- **Understanding Dependencies**: He recounts a client's inquiry about harmful dependencies, prompting a discussion of the risks associated with malicious gems.
- **Example of a Malicious Gem**: Smith created a hypothetical gem called "Awesome Rails Flash Messages" that appears to provide useful functionality but actually logs sensitive information and sends it to a remote server. This serves as an example of how seemingly harmless gems can contain harmful code.
- **Demonstration of Exploits**: He explains how he developed another gem, "Net HTTP Detector", to reveal unauthorized POST requests, showing how easy it is to capture sensitive data such as emails and passwords.
- **Further Exploitation**: Smith describes creating a series of deceptive gems with escalating levels of malicious intent, including one that manipulates database access through a hidden interface, potentially allowing an attacker to gain significant control.
- **How Trust Can Be Misplaced**: He warns that trusted gems may also harbor malicious code, noting that larger gems can have dependencies that are unverified.
- **Community Consideration**: The talk turns toward community practices, advocating for gem signing and private repositories as potential solutions to these security threats.
- **Conclusion and Takeaways**: Smith concludes with an important reminder: developers should not blindly trust gems. They should vet code, use tools to monitor for malicious activity, and consider writing their own code when feasible.

In summary, this talk underscores the importance of vigilance and due diligence in software dependency management within the Ruby community. Smith encourages developers to be proactive in understanding and verifying the gems they use, while highlighting tools that can assist in monitoring for potential vulnerabilities. His key message is a call for better practices, urging attendees to think critically about their code dependencies.