Heh, I didn't say I was going to do it. I was thinking
about what happened with ruby-lang.org being hacked. What
really stops someone from violently attacking more
than just one computer? :)

Finding their identity is irrelevant.

For example:

Joe PeelHacker decides he wants to screw over the ruby
community. So, he gets a handful of http proxies, and
uses a proxy chain to anonymously create a new
project, create files, and create a gem.

Okay, right now he has accomplished pretty much
everything he needs to do to start attacking. He
releases a gem. It gets copied over without being
looked at by a QA team. Ok, fine.


Assuming the person is installing the RubyGem on
*nix (includes MacOSX as well, it's Darwin based) via
root, or running it on Microsoft Windows. The gem
contains 3 programs: a script, a nix version script
that creates a user and alerts the attacker via IRC,
and there is a Windows trojan that the attacker
created that is also a worm. Okay, the trojan is new,
so antivirus programs will not detect it. AV programs
work off a database engine of known viruses.
Norton Bloodhound doesn't pick it up either.

Okay, this attacker just screwed over not only one
server, but the whole community of Rubyland.

Is this pretty clear now? This scenario would work
perfectly. There is nothing to stop someone from
attacking. It's an open security problem.


-------------------------------------------
David Ross
Phone: 865.539.3798
Email: drossruby / ruby-lang.org
-------------------------------------------
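
A pre-install audit in the spirit of the QA step this thread argues about, added here as an example that is not part of any message in the thread: it opens a .gem archive read-only and lists the files that run code at install time (ext/**/extconf.rb) or ship executables (bin/, exe/). The names audit_gem, tar_add and sample_gem and the constructed sample gem are this example's own assumptions, not RubyGems API.

```ruby
require "rubygems"
require "rubygems/package"
require "zlib"
require "stringio"

# Paths inside a gem's data.tar.gz that run code at install time or ship
# something executable: native extension build scripts and bin/ or exe/ stubs.
# Everything under lib/ runs on require anyway, so an empty report means
# "nothing runs at install time", not "safe".
RISKY = [%r{\Aext/.*extconf\.rb\z}, %r{\Abin/}, %r{\Aexe/}]

# Open a .gem archive read-only (e.g. one saved with `gem fetch`), walk the
# files it would unpack and return the ones a reviewer should read before
# installing. Nothing from the archive is executed.
def audit_gem(gem_io)
  flagged = []
  Gem::Package::TarReader.new(gem_io) do |outer|
    outer.each do |entry|
      next unless entry.full_name == "data.tar.gz"
      # Inflate into memory so the inner reader gets a seekable stream.
      files = StringIO.new(Zlib.gunzip(entry.read))
      Gem::Package::TarReader.new(files) do |inner|
        inner.each do |f|
          flagged << f.full_name if RISKY.any? { |re| re.match?(f.full_name) }
        end
      end
    end
  end
  flagged.sort
end

# Write one regular file into a tar that is being built.
def tar_add(tar, name, body)
  tar.add_file_simple(name, 0644, body.bytesize) { |out| out.write(body) }
end

# Constructed sample gem for the demo (not a real published gem): a library
# file, a native-extension build script and a bin/ stub, packed the way a
# .gem is (an outer tar holding a gzipped data.tar.gz).
def sample_gem
  data = StringIO.new
  Gem::Package::TarWriter.new(data) do |tar|
    tar_add(tar, "lib/hello.rb", "puts 'hello'\n")
    tar_add(tar, "ext/hello/extconf.rb", "require 'mkmf'\n")
    tar_add(tar, "bin/hello", "#!/usr/bin/env ruby\n")
  end
  outer = StringIO.new
  Gem::Package::TarWriter.new(outer) { |tar| tar_add(tar, "data.tar.gz", Zlib.gzip(data.string)) }
  StringIO.new(outer.string)
end
```

Run it as `audit_gem(File.open("some.gem", "rb"))` against a fetched gem; the flagged list is what to read before letting `gem install` run as root.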


--- Richard Kilmer <rich / infoether.com> wrote:

> Should we remove your rubyforge account now?
> 
> If someone does that, it's traced to their project,
> and their identity.  What
> stops someone from putting `rm -rf /` in ANY ruby
> library?  Have you read
> every line of every ruby library and c extension in
> ruby to verify that
> those commands are not present?  Does a packager
> check every line of C code
> in a native extension to make sure that those lines
> are not present?  There
> is a point where trust is assumed...the question is
> at what point.  Not
> saying that QA is bad, just that autonomy is not bad
> either...it scales
> really well.
> 
> -rich
> 
> 
> On 8/12/04 11:50 PM, "David Ross"
> <drossruby / yahoo.com> wrote:
> 
> > Here's food for thought..
> > 
> > What stops someone who has a registered project on
> > RubyForge to abuse Gems? A constructive criticism of a
> > major design flaw. This is why a central repository
> > where there is a QA team is good. They can look at
> > code.
> > 
> > `rm -rf /` :)
> > 
> > ---------------------------
> > David Ross
> > Phone: 865.539.3798
> > Email: drossruby [at] yahoo.com
> > ---------------------------
> > 
> > --- James Britt <jamesUNDERBARb / neurogami.com> wrote:
> > 
> >> Richard Kilmer wrote:
> >> 
> >>> Release the file like you would any file (in the Files tab).  RubyForge
> >>> picks them up and puts them in the repo, and they are (within an hour for
> >>> now) available for remote download.
> >> 
> >> 
> >> Excellent!  Thanks.
> >> 
> >> 
> >> James
> >>> 
> >>> -rich