Yes, but the attacker would need to inject code into every .gem file that's pushed to rubygems.org. Because that source code would be highly visible, it would be simple to figure out what they're trying to do.
A more hidden attempt would be to simply alter the existing .gem files on S3. Once they have the access tokens from the configuration YAML files, they can do that from anywhere, not just the rubygems.org host. That keeps their activity under the radar and is slightly harder to track.
In that case, only newly installed gems in your system that were uploaded to rubygems.org before this incident would be at risk. If you run bundle update and pull in gems built from today onward, there is not as much to worry about. If you're updating gems and the bundle is pulling in gems from a few days ago, then you are at high risk.
I'm not disputing anything here, but I just want to emphasize that if they have the S3 credentials, replacing any gem is trivial. And they wouldn't need to replace every gem. Picking the 10 most popular ones would have pretty big fallout.
And, if like most people you don't verify your installed gems (not that you really can if they're not signed), you're going to have a very bad day. The "tracking" aspect is a situation where it doesn't matter because at that point, you're hosed anyway.
Also, walking S3 is not particularly fast. So if the plan is to walk all gem files to verify them, expect that to take a while. Hopefully they have bucket logging enabled.
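The verification the comments above describe (checking installed or cached .gem files against digests recorded before a credential compromise) as an added Ruby example; it is not code from the thread or from rubygems.org. It assumes you already hold a manifest of trusted SHA-256 digests taken from a known-good snapshot; the gem names, bytes and the tampered file are constructed for the demonstration.

```ruby
require "digest"
require "tmpdir"

# Audit every *.gem file in cache_dir against a manifest of known-good
# SHA-256 hex digests keyed by gem file name.
# Returns a hash with :ok, :mismatch and :unknown lists of file names:
#   :mismatch -> file exists in the manifest but its bytes changed
#   :unknown  -> file has no manifest entry at all (appeared after the snapshot)
def audit_gem_cache(cache_dir, manifest)
  result = { ok: [], mismatch: [], unknown: [] }
  Dir.glob(File.join(cache_dir, "*.gem")).sort.each do |path|
    name = File.basename(path)
    digest = Digest::SHA256.file(path).hexdigest
    if !manifest.key?(name)
      result[:unknown] << name
    elsif manifest[name] == digest
      result[:ok] << name
    else
      result[:mismatch] << name
    end
  end
  result
end

# Constructed demonstration (hypothetical gem names and contents): build a
# tiny fake gem cache, record the manifest while the files are trusted, then
# simulate one file being replaced in place and one gem appearing with no
# manifest entry.
def demo_audit
  Dir.mktmpdir("gemcache") do |dir|
    contents = {
      "alpha-1.0.0.gem" => "constructed bytes for alpha",
      "beta-2.0.0.gem"  => "constructed bytes for beta",
    }
    contents.each { |name, bytes| File.binwrite(File.join(dir, name), bytes) }
    manifest = contents.transform_values { |bytes| Digest::SHA256.hexdigest(bytes) }

    # Same file name, different bytes: what an in-place replacement looks like.
    File.binwrite(File.join(dir, "beta-2.0.0.gem"), "tampered bytes")
    # A gem that was never in the trusted snapshot.
    File.binwrite(File.join(dir, "gamma-0.1.0.gem"), "unknown bytes")

    audit_gem_cache(dir, manifest)
  end
end

if __FILE__ == $PROGRAM_NAME
  report = demo_audit
  puts "ok:       #{report[:ok].join(', ')}"
  puts "mismatch: #{report[:mismatch].join(', ')}"
  puts "unknown:  #{report[:unknown].join(', ')}"
end
```

Point `audit_gem_cache` at a real gem cache directory (for example the `cache/` directory under `gem env gemdir`) together with a manifest you trust; anything in `:mismatch` or `:unknown` is what you would need to investigate, and the manifest is only as good as the moment it was recorded, which is why it has to predate the incident.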
If everyone is really going to take the route of "My X Framework is fine b/c nothing's been reported" then I'd like to contribute these links showing vulnerability breakdowns...
You are shooting your own feet with these links, you know. According to your data Django had -ZERO- SQL injections & code execution reports; now compare that to RoR, which had 6 SQL injections & 3 code execution reports since 2009. Even if you went by just the numbers, RoR had way more vulnerabilities; now if you also take into consideration the kind of vulnerabilities, I can tell you I feel way safer on Django than RoR.
How many times did you have to stay up late at night to patch your framework?
That seems a little unfair on PHP if taken at face value. I don't know PHP, but doesn't it come with things like database client libraries and templating? That's not really comparable with the core Python distribution.
Presumably a fairer comparison would compare (Python + Django) with (Ruby + RoR) with PHP?
This is the first picture of Mars that made me say "wow" -- literally out loud. The image is truly awesome, not only from visual aspect, but also because of the amazing technological achievement(s) it took to obtain it.
The clarity of the terrain, and the mountains/hills in the background, makes Mars feel much more tangible to me; it almost feels like I was there to take the shot myself.
I've thought about that and I still don't have a good answer. My guess is that it is only marginally more theft-prone than the self checkout stations. It probably helps that the store is in an affluent suburb. They won't be setting up such a system in Baltimore where I live any time soon.
When I lived in the area I only used the system once because it just took too long. My mom stopped using it because she found on one trip she had effectively stolen two items by forgetting to scan them and was so horribly embarrassed she gave up on it.
Indeed. Google Wallet? As he described the scan-and-walk process, it sounds more like Google Shoplift -- but maybe that's just the first thing that came to my mind. Of course, if you had some kind of disposable "smart bag" to do an RFID scan of its contents, you might be getting somewhere with this.
I think that's overengineering. Why not just use weight, like they already do in the self-checkout line? Weigh the shopping cart full of groceries, subtract the weight of the cart itself, and compare to what they're paying for. If it seems wrong, investigate.
Running `$ bundle update` will not inject this into your app.
You'd have to intentionally add `gem "exploit", "~> 22.31.31"` to your Gemfile.