February 20, 2014

CVE-2014-0081 timeline

Two days ago, a new Rails vulnerability was made public. Since I am subscribed to several mailing lists and use several security services, I received the information multiple times, and I thought it would be interesting to draw a timeline of those alerts, to see which tools/services were faster and how the information flows:

12.Feb.2014 - 02:36 CET - Rafael Mendonça França commits the fix (private)[1]

14.Feb.2014 - 21:41 CET - RedHat creates bugzilla entry (private)[2]

18.Feb.2014 - 17:06 CET - SUSE creates bugzilla entry (private)[3]

18.Feb.2014 - 20:00 CET - Rafael Mendonça França merges the fix to master[4]
                        - version 4.1.0.beta2 is released [5]
                        - version 4.0.3 is released [5]
                        - version 3.2.17 is released [5]

18.Feb.2014 - 20:03 CET - Aaron Patterson sends email to rubyonrails-security@googlegroups.com, oss-security@lists.openwall.com, secalert@redhat.com[6][7]

18.Feb.2014 - 20:10 CET - redruby.io service sends me an email[8]

18.Feb.2014 - 20:12 CET - Aaron Patterson sends email to ruby-security-ann@googlegroups.com[9]

18.Feb.2014 - 20:17 CET - Rafael França publishes on weblog.rubyonrails.org [10]

18.Feb.2014 - 20:33 CET - hakiri.io service sends me an email[11]

18.Feb.2014 - 20:36 CET - holepicker adds the security alerts to its database[12]

18.Feb.2014 - 21:06 CET - Hacker News publishes it[13]

18.Feb.2014 - 21:38 CET - RedHat lifts the embargo[2]

19.Feb.2014 - 03:30 CET - added to OSVDB[14]

19.Feb.2014 - 09:03 CET - SUSE lifts the embargo[3]

19.Feb.2014 - 11:49 CET - gemnasium.com sends me an email [15]

20.Feb.2014 - 15:24 CET - Ruby Weekly publishes the news (Ruby Weekly is released every Thursday)[16]

[1] https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1065520
[3] https://bugzilla.novell.com/show_bug.cgi?id=864433
[4] https://github.com/rails/rails/commit/1879c259b870938c42d5d52f63123bfa0b8c81c8
[5] http://rubygems.org/gems/rails/versions
[6] https://groups.google.com/forum/#!topic/rubyonrails-security/tfp6gZCtzr4
[7] http://www.openwall.com/lists/oss-security/2014/02/18/8
[8] https://www.redruby.io
[9] https://groups.google.com/forum/#!topic/ruby-security-ann/1PWnwW4jRkY
[10] http://weblog.rubyonrails.org/2014/2/18/Rails_3_2_17_4_0_3_and_4_1_0_beta2_have_been_released/
[11] https://haikiri.io
[12] https://github.com/jsuder/holepicker/commits/master/lib/holepicker/data/data.json
[13] https://www.facebook.com/hnbot
[14] http://osvdb.org/103439
[15] https://gemnasium.com
[16] http://rubyweekly.com
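As an added example (not part of this post, nor code from any of the services named above), here is a small Ruby check of the kind those services perform: it compares the Rails version locked in a Gemfile.lock against the fixed releases from the timeline. The mapping of release branch to fixed version and the sample lockfile are constructed here; older branches with no release in the timeline are reported as unknown.

```ruby
require "rubygems"

# Fixed Rails versions taken from the release timeline above, keyed by the
# release branch they patch (the branch-to-version mapping is my assumption).
FIXED_RAILS_VERSIONS = {
  "3.2" => Gem::Version.new("3.2.17"),
  "4.0" => Gem::Version.new("4.0.3"),
  "4.1" => Gem::Version.new("4.1.0.beta2"),
}.freeze

# Extract the locked rails version from a Gemfile.lock body.
# Only the 4-space-indented "specs:" entry is matched, so dependency lines
# such as "      rails (= 4.0.2)" are ignored. Returns nil if rails is absent.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^\s{4}rails \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Classify a Gem::Version as :fixed, :vulnerable or :unknown_branch.
# Gem::Version handles prerelease ordering, so 4.1.0.beta1 < 4.1.0.beta2.
def rails_patch_status(version)
  branch = version.segments.first(2).join(".")
  fixed = FIXED_RAILS_VERSIONS[branch]
  return :unknown_branch unless fixed
  version >= fixed ? :fixed : :vulnerable
end

# Status for a whole Gemfile.lock body; nil when rails is not locked in it.
def check_lockfile(lockfile_text)
  version = locked_rails_version(lockfile_text)
  version && rails_patch_status(version)
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (4.0.2)
      rake (10.1.1)
LOCK

if __FILE__ == $0
  puts "rails #{locked_rails_version(SAMPLE_LOCK)}: #{check_lockfile(SAMPLE_LOCK)}"
end
```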

The free software business model, in Berga on 27 March

On 27 March at 18:00 I will give a talk at the coworking space loficina (loficina.cat) on how to do business with free software. Come along :) !

February 6, 2014

2013 and rubygems: 3 times more security issues, 6 times more security tools

[Infographic: 3 times more security issues; 7 times more security tools]

Today I discovered hakiri.io, a web service that scans gems and code, and I have updated the presentation on security and Ruby gems with this information and added a summary table.


In this presentation I state that 2013 had 3 times more security issues (regarding Ruby gems) than 2012, and that 6 times more security tools appeared in 2013 than in 2012.

December 13, 2013

mitoi: kids' souvenirs from Barcelona

That is a great idea: a kids' toy and a Barcelona souvenir all in one! Together they form the Barcelona skyline, and I just bought one for myself as a souvenir, since I am moving away from Barcelona at the end of the year.

I think this is a very nice and innovative idea, designed in Barcelona by mitoi.

September 25, 2013

Olé to you nonetheless

Very inspired TED talk:

"If your job is to dance, do your dance. If the divine, cockeyed genius assigned to your case decides to let some sort of wonderment be glimpsed, for just one moment, through your efforts, then "Olé!". And if not, do your dance anyhow. And "Olé!" to you nonetheless."

The talk is about how artists can break down because of the anxiety of thinking they may not be able to create something great, but I think this can actually be applied to any aspect of your life.

In ancient times, people used to believe there was a God ruling our lives and that whatever happened was part of his plans. This was a way of managing uncertainty in their lives, since there was a plan and rules designed by some higher entity, even though people were not able to understand them.

Then people started to think that we are the center of the universe, ... and then we killed God when we tried to explain every single thing through science and rules that are understandable by humans (well, not by all of them, but by a set of humans). And we started believing we are in control, and so we are responsible for our own future (don't get me wrong, I think science has brought very, very good things to humanity).

However, believing we are in control brings great responsibility over our lives, new rules (to avoid damage we can avoid because WE are in control), and in the end anxiety and stress. Then ... should we go back to believing in unnatural things?

Well, why not go back to believing we are not in control, that we do our best and then, because of "Gods", coincidences or other unnatural "things" that we don't know, don't understand and can't control, things will go one way or another, thus leaving us living with some uncertainty? Is this the next step?