Benjamin Smith is a developer at Pivotal Labs. He has a strong passion for TDD, pairing, Agile and using technologies that get out of the programmer's way. When not writing code, he follows his other passions into the outdoors to rock climb, back country snowboard, kayak and surf.
What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box?
Much of the Ruby community blindly trusts our gems. This talk will make you second guess that trust. It will also show you what malicious gems can do, how an attack could be executed, how to vet gems, and what the Ruby community can do to increase security around gems.
Paul, it's a fun topic to think about. This talk always gets people talking about creative, interesting, and scary ideas for malicious gems.
That last part of the talk offers concrete actions individuals can take to avoid malicious gems. It also presents steps the Ruby community can take to make gems more secure. There is no silver bullet solution though. Each layer of additional security only makes it harder for someone with malicious intent... but not impossible.
This sounds like it could be fun – and scary! I can already imagine plenty of exploits using gems, so I'm especially interested in the last part: how can we protect against this?
My talk is broken into three parts: What could a gem do? How could an attack be executed? and How can we avoid it?
As one real-life example of "How could an attack be executed?", at other conferences I have written a (harmless) gem which at install time gathers usernames (via whoami). During the conference, I social engineer people into installing my gem. Then during my talk I reveal I am the gem author... and also all the usernames of everyone who installed it. Thus far, the reception to this has been great. People love it, and it tends to be the highlight of my talk.
It is a slightly risqué or shady thing to do... so I've always left it up to the conference organizers whether or not I attempt this, and the details surrounding it.
We are always open to crazy ideas, so feel free to share them with us :)
Thanks for the recommendation Clemens!
I agree that this talk works best when scheduled at certain times. It is quite entertaining, making it a good end-of-day talk when audience energy is low. It also tends to generate a lot of conversations, which is good for a beginning-of-day/conference talk. Depending on the level of involvement/integration the organizers would like (I can provide details directly to the organizers on this if they wish to pursue the talk), this talk can provide a major splash if done near the end of the conference.
I've already seen this talk and it's good fun and interesting – so I can highly recommend it.
If this proposal gets accepted, I suggest to the organizers that it be placed at the beginning or end of a day as it might be a good way to start or round off a day filled with "hard" topics.