Answer: It’s absolutely trivial to detect Rails applications in a scalable fashion, but why bother? Fire four HTTP requests at every server on the Internet: if the server is added to your botnet, it was running a vulnerable version of Ruby on Rails.
Delmoi: allowing auto-update is just as much a security hole as any other vulnerability. The central distribution point doesn't have to get hacked if it's being run by skeevy outfits to begin with.
Can you trust Microsoft or Amazon not to use the auto-update hole to inflict stuff you don't want on you?
Like rubygems.org was this past week?
Worse, because the gems themselves have no cryptographic signature to ensure integrity and authenticity, it's basically impossible to establish that any version of a gem has not been tampered with, short of a full audit of every version of every gem available.
Oh yes. Rails, you see, is omakase.
This is a tangent, but DHH alone is the one reason that I disregarded most things Ruby and everything Rails for years. That guy needs to stop talking in public.
Do we *have* to go running to the National Security State to end up providing secure systems? Because I'd really rather not. At the same time, we do have so many small cracks in the infrastructure, that I suppose, it's only a matter of time until *something* happens.
I know Metafilter has a strong IT contingent, and I'm definitely picking up on how serious this is for software creators and internet service providers. Can someone with the smarts tell the rest of us unwashed masses (i.e. "internet = a place to look at cat pictures" type people) what we should be doing to protect ourselves? It would be greatly appreciated. (Can I offer you a cat picture in return?)
That's not to say PHP doesn't have its share of problems. (Uhh... which parameter was the needle and which one was the haystack again?)