Ruby Conf Australia 2013 in Review - Hacking with gems | NetEngine


Ricardo Friday, 8 March 2013

Yes! We made it. Ruby Conf Australia 2013 exceeded our expectations: so many great talks, amazing people and superb conversations. We met people from all over the world who share the same passion while holding very different opinions, and that gives us even more inspiration to keep doing what we do best: developing.

Rob has written about Boxen, Rowan nailed what he learnt from Keith and Mario’s Guide to Fast Websites, and Dan shared his overview of his very first RubyConf. So now it is my turn to close Ruby Conf Australia 2013 in Review.

The keynote speakers in general were fantastic, but the one that caught my attention most was Benjamin Smith and his talk “Hacking with Gems”.

I am not the kind of person who worries excessively about security, especially when you can see the source code on GitHub and follow every step to make sure you are using something sound.

Ben, though, showed just how easy it is to write a gem that compromises a box in a matter of a few lines of code. For example, the source code you believe lives in the repository does not mean the gem published at Rubygems contains exactly the same code. You can in fact easily push a different version to Rubygems with nothing more than a modified Rakefile that posts all the interesting dotfiles (the ones holding your keys) to a URL. This means your secret keys are at risk of being compromised, and the malicious gem’s owner can use the services you own any way he wants.

A good workflow to avoid being caught out is to download the gem first and inspect its code before installing it:

  gem fetch gem-name
  gem unpack gem-name
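Once the gem is unpacked, the useful question is whether it matches the repository you think it came from. The script below is an added example, not code from the talk or from this post: it hashes every file in a repository checkout and in an unpacked gem, reports files that exist only in the published gem or that differ, and flags the ones that run at build or install time (`extconf.rb`, `Rakefile`, `*.gemspec`). The two directory trees in `build_demo_trees` are constructed stand-ins for `git clone` and `gem unpack` output so the script runs offline; the hypothetical `ext/demo/extconf.rb` and the extra Rakefile task are the planted differences.

```ruby
# Added example: compare an unpacked gem against a checkout of the repository it
# claims to come from, so that files added or changed only in the published
# artifact stand out. Not code from the original post or the talk.
require "digest"
require "fileutils"
require "tmpdir"

# Files whose contents run automatically when the gem is built or installed.
# Any difference here deserves a close look before running `gem install`.
INSTALL_TIME_PATTERNS = [
  %r{(\A|/)extconf\.rb\z}, # native extension build script, executed on install
  %r{(\A|/)Rakefile\z},    # build tasks, run by the maintainer's tooling
  %r{\.gemspec\z},         # arbitrary Ruby evaluated when the gem is built
].freeze

# Relative path => SHA-256 for every regular file under +root+ (".git" skipped).
def digest_tree(root)
  Dir.glob("**/*", File::FNM_DOTMATCH, base: root).each_with_object({}) do |rel, acc|
    full = File.join(root, rel)
    next unless File.file?(full)
    next if rel.start_with?(".git/")
    acc[rel] = Digest::SHA256.file(full).hexdigest
  end
end

# Returns a report of what the published gem contains that the repository does not.
def compare_trees(repo_dir, gem_dir)
  repo = digest_tree(repo_dir)
  gem  = digest_tree(gem_dir)
  only_in_gem  = (gem.keys - repo.keys).sort
  only_in_repo = (repo.keys - gem.keys).sort
  modified     = (repo.keys & gem.keys).select { |f| repo[f] != gem[f] }.sort
  suspicious   = (only_in_gem + modified).select do |f|
    INSTALL_TIME_PATTERNS.any? { |pattern| f.match?(pattern) }
  end
  { only_in_gem: only_in_gem, only_in_repo: only_in_repo,
    modified: modified, suspicious: suspicious }
end

# Constructed demo trees standing in for a `git clone` and a `gem unpack` result.
def build_demo_trees(base)
  repo = File.join(base, "repo")
  gem  = File.join(base, "gem")
  common = {
    "lib/demo.rb" => "puts 'hello'\n",
    "Rakefile"    => "task :default\n",
    "README.md"   => "demo\n",
  }
  common.each do |rel, body|
    [repo, gem].each do |root|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
  end
  # The published artifact differs from the repository in two planted places:
  # an extra Rakefile task and an install-time extension script (hypothetical).
  File.write(File.join(gem, "Rakefile"), "task :default\ntask :extra\n")
  ext = File.join(gem, "ext", "demo", "extconf.rb")
  FileUtils.mkdir_p(File.dirname(ext))
  File.write(ext, "# constructed placeholder: this file would run at install time\n")
  [repo, gem]
end

# Builds the demo trees in a temporary directory and returns the comparison.
def demo_report
  Dir.mktmpdir("gemcheck") do |base|
    repo, gem = build_demo_trees(base)
    compare_trees(repo, gem)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_report.each { |key, files| puts "#{key}: #{files.inspect}" }
end
```

For a real gem, point `compare_trees` at the clone of the project's repository (checked out at the tag matching the gem version) and at the directory `gem unpack` produced; an empty `only_in_gem` and `modified` list means the published artifact is what the repository says it is, while anything in `suspicious` should be read line by line before the gem is installed.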

Rubygems, the main gem repository, was recently hit by an attack exploiting a malicious-code vulnerability that brought the Ruby community to a halt for a while: deploys at Heroku went down, and Travis CI went down. Not surprisingly, many people got involved to fix it as soon as possible. So it is definitely worthwhile checking what you are really using. At the very least, you will learn something new.

Here are his slides.

Summing up, great talks and heaps of learnings. Looking forward to next RubyConf Australia 2014.

One last thing: I’ve created a gem recently and would love some help testing it:

  gem install xmastree

I’d really appreciate it.
