Hiroshi SHIBATA presented on OSS security at the builderscon 2019 conference. The presentation covered:
1. How Ruby handles releases on a regular schedule and processes for stable and development versions.
2. Policies for triaging vulnerabilities based on impact and developing workflow for coordinated security releases.
3. Recent attacks targeting RubyGems where malicious gems were uploaded by hijacking developer accounts or registering typosquatted gems.
4. Steps users can take to improve security like using strong unique passwords, enabling two-factor authentication, and being wary of code injections in gem installations or native extensions.
How to develop the Standard Libraries of Ruby?Hiroshi SHIBATA
I maintain the RubyGems, Bundler and the standard libraries of the Ruby language. So, I've been extract many of the standard libraries to default gems and GitHub at Ruby 3.0. But the some of libraries still remains in only Ruby repository. I will describe these situation.
Developing high-performance network servers in LispVladimir Sedach
Overview of current high-performance Common Lisp web servers and implementation techniques, and description of a new hybrid approach to asynchronous I/O based on separate racing accept() and epoll() thread pools.
Troubleshooting RabbitMQ and services that use itMichael Klishin
Designing a system in terms of [micro] services is hype du jour but it's not without trade-offs. Debugging a distributed system can be challenging. In this talk we will cover how one can start troubleshooting a distributed service-oriented system.
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
How to develop the Standard Libraries of Ruby?Hiroshi SHIBATA
I maintain the RubyGems, Bundler and the standard libraries of the Ruby language. So, I've been extract many of the standard libraries to default gems and GitHub at Ruby 3.0. But the some of libraries still remains in only Ruby repository. I will describe these situation.
Developing high-performance network servers in LispVladimir Sedach
Overview of current high-performance Common Lisp web servers and implementation techniques, and description of a new hybrid approach to asynchronous I/O based on separate racing accept() and epoll() thread pools.
Troubleshooting RabbitMQ and services that use itMichael Klishin
Designing a system in terms of [micro] services is hype du jour but it's not without trade-offs. Debugging a distributed system can be challenging. In this talk we will cover how one can start troubleshooting a distributed service-oriented system.
13 practical tips for writing secure golang applicationsKarthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
This is a presentation on exploiting Null Byte VM. Null Byte VM is an vulnerable vm available on vulnhub.In this presentation I had exploited vm with various tools available on kali linux and then escalated privileges to become root.In this CTF challenge we have to find a flag i.e. proof.txt.
An overview of Ruby, jRuby, Rails, Torquebox, and PostgreSQL that was presented as a 3 hour class to other programmers at The Ironyard (http://theironyard.com) in Greenville, SC in July of 2013. The Rails specific sections are mostly code samples that were explained during the session so the real focus of the slides is Ruby, "the rails way" / workflow / differentiators and PostgreSQL.
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
Java is everywhere. According to Oracle it’s on 3 billion devices and counting. We also know that Java is one of the most popular vehicles for delivering malware. But that’s just the plugin right? Well maybe not. Java on the server can be just at risk as the client. In this talk we’ll cover all aspects of Java Vulnerabilities. We’ll explain why Java has this dubious reputation, what’s being done to address the issues and what you have to do to reduce your exposure. You’ll learn about Java vulnerabilities in general: how they are reported, managed and fixed as well as learning about the specifics of attack vectors and just what a ‘vulnerability’ actually is. With the continuing increase in cybercrime it’s time you knew how to defend your code. With examples and code this talk will help you become more effective in tacking security issues in Java.
A Post-Apocalyptic sun.misc.Unsafe World by Christoph engelbertJ On The Beach
The announcement that sun.misc.Unsafe will disappear in Java 9 created a huge buzz in the community and lots of people didnt agree with the idea. While Unsafe have to go away eventually the time in not yet and Oracle finally agreed on that. To replace sun.misc.Unsafe we need a clear set of APIs to achieve the same behavior and performance. VarHandle, Foreign Function Calls, Generic Specialization (Templates) and other proposals try to solve this misery and to replace certain aspects of our beloved class. This talk will introduce the alternatives and explain how and why they will help to replace sun.misc.Unsafe. It uses basic examples to demonstrate what a Post-Apocalyptic Unsafe World will look like.
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
Join us for this interactive event and get your hands dirty with some WildFly 9 hacking!
Our host Kabir Khan will explain how you can contribute to the WildFly project at many different levels, from properly reporting bugs in the forums and issue tracker, to actually being able to submit a pull request.
During this interactive event you will have a chance to play with WildFly 9 and try some of the following:
• Find a JIRA you want to work on.
• See how to check-out the code and setup your IDE.
• Build WildFly
• Code walkthrough - code organisation, jboss-modules etc.
• Debug something from a stack trace in a JIRA issue to nail down the problem.
• Try the testsuite
• And more!
As modern, agile architects and developers we need to master several different languages and technologies all at once to build state-of-the-art solutions and yet be 100% productive. We define our development environments using Gradle. We implement our software in Java, Kotlin or another JVM based language. We use Groovy or Scala to test our code at different layers. We construct the build pipelines for our software using a Groovy DSL or JSON. We use YAML and Python to describe the infrastructure and the deployment for our applications. We document our architectures using AsciiDoc and JRuby. Welcome to Babel!
Making the right choices in the multitude of available languages and technologies is not easy. Randomly combining every hip technology out there will surely lead into chaos. What we need is a customized, streamlined tool chain and technology stack that fits the project, your team and the customer’s ecosystem all at once. This code intense, polyglot session is an opinionated journey into the modern era of software industrialization.
Everything-as-code - A polyglot adventureQAware GmbH
Devoxx 2017, Poland: Talk by Mario-Leander Reimer (@LeanderReimer, Principal Software Architect at QAware).
Abstract: As modern, agile architects and developers we need to master several different languages and technologies all at once to build state-of-the-art solutions and yet be 100% productive. We define our development environments using Gradle. We implement our software in Java, Kotlin or another JVM based language. We use Groovy or Scala to test our code at different layers. We construct the build pipelines for our software using a Groovy DSL or JSON. We use YAML and Python to describe the infrastructure and the deployment for our applications. We document our architectures using AsciiDoc and JRuby. Welcome to Babel!
Making the right choices in the multitude of available languages and technologies is not easy. Randomly combining every hip technology out there will surely lead into chaos. What we need is a customized, streamlined tool chain and technology stack that fits the project, your team and the customer’s ecosystem all at once. This code intense, polyglot session is an opinionated journey into the modern era of software industrialization.
Long journey of Ruby Standard library at RubyKaigi 2024Hiroshi SHIBATA
Ruby has a lot of standard libraries from Ruby 1.8. I promote them democratically with GitHub today via default and bundled gems. So, I'm working to extract them for Ruby 3.4 continuously and future versions. It's long journey for me.
After that, some versions may suddenly happen LoadError at require when running bundle exec or bin/rails, for example matrix or net-smtp. We need to learn what's difference default/bundled gems with standard libraries.
In this presentation, I will introduce what's the difficult to extract bundled gems from default gems and the details of the functionality that Ruby's require and bundle exec with default/bundled gems. You can learn how handle your issue about standard libraries.
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
I will introduce what's the difficult to extract bundled gems from default gems and the details of the functionality that Ruby's require and bundle exec with default/bundled gems. You can learn how handle your issue about standard libraries.
Deep dive into Ruby's require - RubyConf Taiwan 2023Hiroshi SHIBATA
Since Ruby's bundled and default gems change every year with each release, some versions may suddenly happen LoadError at require when running bundle exec or bin/rails, for example matrix or net-smtp.
In this presentation, I will introduce the details of the functionality that extends Ruby's require to provide guidance to users on what they can do to load them. And I will also show how $LOAD_PATH is build behind Ruby and Rails by Bundler.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
9. Release cycle for the new version
We plan to release every Christmas day.
• 2.1.0: 2013/12/25
• 2.2.0: 2014/12/25
• 2.3.0: 2015/12/25
• 2.4.0: 2016/12/25
• 2.5.0: 2017/12/25
• 2.6.0: 2018/12/25
• 2.7.0: 2019/12/25(TBD)
• 3.0.0: 2020/12/25(TBD)
10. We will release the new stable version each 3
months.
Release cycle for the stable version
16. • Code for Work
• We should handle it for our job and organization.
• There is social responsibility.
• Code for Hobby = OSS
• There is only social responsibility. [IMO]
Responsibility for Security
17. • Consider Attack Surface and Attack Vector
• Can attack by anonymous?
Triage policy for vulnerability
Attack Surface
Software/System
Attack Surface
Attack Vector
Attack Vector
Attack Vector
Attacker
18. • How effect to CIA
• Confidentiality
• Integrity
• Availability
• The decision of other language and libraries
• We always refer Python and Go and others
Triage policy for vulnerability
19. • Accepted case
• Rejected case
• Complex case
The examples of typical workflow
20. • Directory Traversal
• OS command injection
• Vulnerability of bundled code like libffi or libyaml.
• Elevation of Privilege
Accepted Case
Tempfile.create("/../../home/vagrant/blue") {|f| p f.path}
if localfile
f = open(localfile, “w")
# Vulnerable code here. open("| os command","w")
elsif !block_given?
result = String.new
end
30. • Resolve the vulnerability with private
• Discuss with the original reporter
• Avoid the another vulnerability
Code
31. • Distribution maintener, Service Provider
• Other implementation like JRuby, TruffleRuby
• Release date
• We ignore to release at Friday and weekend
• Assign CVE
• Announcement
• We should write a formal information for
disclosing vulnerability
Coordinate
32. • “The Identify number for the potential vulnerability
issue”
• That’s all. It’s not impact or authority
What’s CVE
33. We are working with 3+ people because the
branch maintainers are different people.
Release
34. • We always coordinate to disclose vulnerability to
the original reporter.
• The reports should coordinate to us too.
Disclose
37. • We only set the bug bounty on HackerOne, not
mail.
• It’s provided by IBB
What's bug bounty
https://internetbugbounty.org
38. • $500: Demonstrate the presence of a security bug
with probable remote exploitation potential.
• $1000: Demonstrate that remote exploitation of
this bug is very likely (e.g. good control a
register).
• $1500: Demonstrate that remote exploitation of
this bug can be easily, actively, and reliably
achieved.
Bounty Policy
39. • The configuration of AWS S3
• The configurations of CDN or PaaS
• The configuration of GitHub
• Copy and Paste Web page and spam report
• Copy and Paste the old CVE report
• …
Noise Problem
40. • The scam act is harmful for
all of people
• The people become the
offensive for money
• The vulnerability of other
language or library has
been discovered. We got the
many of reports.
Bounty is no silver ballet
42. • We called its “標準添付ライブラリ” in
Japanese.
• It needs to `require` difference from
embedded libraries like String, Thread, etc.
• It can be used without Bundler or
RubyGems
What’s the Standard library?
43. Classification of standard libraries
Standard
Libraries
Default
Gems
Bundled
Gems
Pure Ruby 44 22 7
C extensions 12 16 0
This matrix shows number of standard
libraries and their classifications in Ruby
2.6.
44. • The ruby core team can release default
gems to the rubygems.org. You can install
them via RubyGems.
!
• Default gems are openssl, psych, json, etc.
>> Gem.loaded_specs["did_you_mean"].default_gem?
=> false
>> require 'openssl'
=> true
>> Gem.loaded_specs["openssl"].default_gem?
=> true
Inside Default gems
45. • : Maintainers can release gem for bugfix, new
feature independent with Ruby core.
• : If upstream is available on GitHub, Ruby
users easily send patch via Pull request.
• : Maintainers need to maintain ruby core and
ruby gems both.
• : Abandoned and complex dependency on
rubygems and bundler.
Pros and Cons of Gemification
50. • RubyGems have the hooks for `gem install`
• Also have hook for native extension
Code injection for `gem install`
Gem.pre_install do |installer|
puts “All your base are belong to us”
end
Gem.post_install do |installer|
puts “All your base are belong to us”
end
51. rubygems.org was attacked with pawned
password.
https://news.ycombinator.com/item?id=20745768
Why your account was hijacked?
“My RubyGems.org account was using an
insecure, reused password that has leaked to
the internet in other breaches."
56. The attacker is not script-kiddy
• “2FA should become mandatory”
• The attackers already got the weak accounts, 2FA
is not prevent to ship malicious gems.
• It can care only in the future.
• “Can we reset the all of credentials?”
Bikeshed for security
57. • “Notice banner for pawned password"
• “Show the verified badge for 2FA"
• But It also show the weak account.
• “Prepare 2FA mandatory with a popular gems"
• How define “popular”?
• The attacker make the fake download count by
theirselves.
What’s do rubygems.org?
58. • “Notify the all owners when gem pushed”(done!)
What’s do rubygems.org?(2)
• “Integrate GitHub commits”
• GitHub is not the central in
the world :)
• BitBucket, GitLab, and
your git sever is
vulnerable?