Slashdot Mirror


Github Kills Search After Hundreds of Private Keys Exposed

mask.of.sanity writes "Github has killed its search function to safeguard users who were caught out storing keys and passwords in public repositories. 'Users found that quite a large number of users had added private keys to their repositories and then pushed the files up to GitHub. Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Projects had live configuration files from cloud services such as Amazon Web Services and Azure with the encryption keys still included. Configuration and private key files are intended to be kept secret, since if it falls into the wrong hands, that person can impersonate the user (or at least, the user's machine) and easily connect to that remote machine.' Search links popped up throughout Twitter pointing to stored keys, including what was reportedly account credentials for the Google Chrome source code repository. The keys can still be found using search engines, so check your repos."
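As an added example (not part of the story or of any comment below), here is a small Python scanner a team could run over a working tree before pushing: it flags the SSH key file names the story mentions, any PEM private-key header, and the AWS access key ID format. The temp repo, file names and sample values it builds are constructed for the demo; function names are my own.

```python
"""Scan a working tree for private-key material before it is pushed.

Added example, not code from the story. It checks three things the summary
describes: SSH key file names such as id_rsa, PEM private-key headers inside
any file, and AWS access key IDs left in configuration files.
"""
import os
import re
import tempfile

# File names that normally live only in ~/.ssh and should never be tracked.
KEY_FILENAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}

# Content patterns: any PEM private-key block, and the AWS access key ID
# format (the literal prefix AKIA followed by 16 uppercase alphanumerics).
CONTENT_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_file(path):
    """Return a list of (finding, path) tuples for one file."""
    findings = []
    if os.path.basename(path) in KEY_FILENAMES:
        findings.append(("ssh_key_filename", path))
    try:
        # Undecodable bytes are dropped, so binaries are still checked for ASCII headers.
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            data = fh.read(1_000_000)  # cap the read size per file
    except OSError:
        return findings
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(data):
            findings.append((name, path))
    return findings

def scan_tree(root):
    """Walk root (skipping .git) and return all findings, sorted by path then kind."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            findings.extend(scan_file(os.path.join(dirpath, fn)))
    return sorted(findings, key=lambda f: (f[1], f[0]))

def demo():
    """Build a constructed repo in a temp dir and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".ssh"))
        # Constructed samples: a whole ~/.ssh copied in, a cloud config with a key ID, a clean README.
        with open(os.path.join(root, ".ssh", "id_rsa"), "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE\n-----END OPENSSH PRIVATE KEY-----\n")
        with open(os.path.join(root, "aws.cfg"), "w") as fh:
            fh.write("aws_access_key_id = AKIAEXAMPLEEXAMPLE01\n")
        with open(os.path.join(root, "README"), "w") as fh:
            fh.write("nothing secret here\n")
        return [(kind, os.path.relpath(p, root).replace(os.sep, "/")) for kind, p in scan_tree(root)]

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

Wiring `scan_tree` into a pre-commit hook and refusing the commit on any finding catches the mistake before the push, which is cheaper than rotating every key afterwards.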

7 of 176 comments

  1. At least... by Anonymous Coward · · Score: 5, Funny

    they've been seen by 'many eye balls'.

    That's good right?

  2. Re:This is why developers are not sysadmins by Anonymous Coward · · Score: 5, Insightful

    No. This is actually completely absurd. A developer that cannot grasp the concept that private keys have to be kept private, cannot be trusted to do anything but screw up the most basic security provisions when writing code.

    They should get a kick in the ass, such as three months without any sort of commit privileges, and mandatory code review for a year. THAT should be enough to make it stick, and impress on them the real gravity of their failure. Otherwise, they will just chalk it up as "an annoyance done by those uninteresting people who should learn to code before they go pestering code-gods".

  3. Search engines by ArsenneLupin · · Score: 5, Informative

    On google, the following search string still turns up a goldmine...:

    site:github.com inurl:id_dsa

    Idiots...

  4. I just saw this, sort of by slashmydots · · Score: 5, Interesting

    I was cruising ebay yesterday and saw that one of the laptops had their windows license keys exposed in pictures in a readable format. I poked around some more and found that isn't terribly uncommon. Some people just don't think no matter what website it is.

  5. Re:Deserving by GameboyRMH · · Score: 5, Insightful

    Exactly, GitHub shouldn't disable a site feature to protect the stupid.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel

  6. Re:This is why developers are not sysadmins by ArsenneLupin · · Score: 5, Insightful

    In some of these instances, all of ~/.ssh/ did actually end up in the project directory. Or maybe they used their entire home directory as the project root? Stoopid, stoopid people.

    (Yes, there is also a nice ~/.ssh/config file, so that you also know which locks those keys fit...)

  7. Nothing has changed... by 140Mandak262Jamuna · · Score: 5, Funny

    Back in the days when I was the root (of all evil according to my fellow grad students) of our lab, one of the constant problems was people blindly doing chmod 777 .* on the $home. They have .emacs or .profile or .cshrc that was customized ages ago by some grad student, and they want to share it with a new student. Somehow they stumbled on to "chmod 777 .*" as a solution to all their file sharing problems. Now this "magic command" was also being blindly passed around without worrying about security implications. Oh, yeah, they think they are clever and tape the login credentials to the underside of the keyboard and laugh at secretaries who tape it to their monitors.

    Looks like these grad students have all growned up and are uploading it all to the cloud.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact