Benjamin Smith
Ranked 9 in Phase 1 with 75 unique views, 35 counted upvotes and 9 counted downvotes

About the author

Benjamin Smith is a developer at Pivotal Labs. He has a strong passion for TDD, pairing, Agile and using technologies that get out of the programmer's way. When not writing code, he follows his other passions into the outdoors to rock climb, back country snowboard, kayak and surf.

Hacking with Gems

What's the worst that could happen if your app has a dependency on a malicious gem? How easy would it be to write a gem that could compromise a box?

Much of the Ruby community blindly trusts our gems. This talk will make you second guess that trust. It will also show you what malicious gems can do, how an attack could be executed, how to vet gems, and what the Ruby community can do to increase security around gems.


  • The proposal author responded 8 months ago

    Paul, it's a fun topic to think about. This talk always gets people talking about creative, interesting, and scary ideas for malicious gems.

    That last part of the talk offers concrete actions individuals can take to avoid malicious gems. It also presents steps the Ruby community can take to make gems more secure. There is no silver bullet solution though. Each layer of additional security only makes it harder for someone with malicious intent... but not impossible.

  • Paul Battley suggested 8 months ago

    This sounds like it could be fun – and scary! I can already imagine plenty of exploits using gems, so I'm especially interested in the last part: how can we protect against this?

  • The proposal author responded 8 months ago


    My talk is broken into three parts: What could a gem do? How could an attack be executed? and How can we avoid it?

    As one real life example of "How could an attack be executed?", at other conferences I have written a (harmless) gem which at install time gathers usernames (via whoami). During the conference, I social engineer people into installing my gem. Then during my talk I reveal I am the gem author... and also all the usernames of everyone who installed it. Thus far, the reception to this has been great. People love it, and it tends to be the highlight of my talk.

    It is a slightly risqué or shady thing to do... so I've always left it up to the conference organizers on whether or not I attempt this and the details surrounding it.

  • Nikos Dimitrakopoulos suggested 8 months ago

    We are always open to crazy ideas so feel free to share them with us :)

  • The proposal author responded 8 months ago

    Thanks for the recommendation Clemens!

    I agree that this talk works best when scheduled at certain times. It is quite entertaining, making a good end of day talk when audience energy is low. It also tends to generate a lot of conversations, which is good for a beginning of day/conference talk. Depending on the level of involvement/integration the organizers would like (I can provide details directly to the organizers on this if they wish to pursue the talk), this talk can provide a major splash if done near the end of the conference.

  • Clemens Kofler suggested 8 months ago

    I've already seen this talk and it's good fun and interesting – so I can highly recommend it.

    If this proposal gets accepted, I suggest to the organizers that it be placed at the beginning or end of a day as it might be a good way to start or round off a day filled with "hard" topics.