AWS Urges Devs To Scrub Secret Keys From GitHub
An anonymous reader writes "GitHub contains thousands of 'secret keys', which are stored in plain text and can be used by miscreants to access AWS accounts and either run up huge bills or even delete/damage the users' files. Amazon is urging users of the coding community site to clean up their act."
If the problem is as widespread as TFA suggests, an article/post/urging by Amazon risks simply triggering the Streisand effect (I was tempted to do a search myself after reading the article).
Then again, I'm not sure what else they could have done.
Tie two birds together: although they have four wings, they cannot fly. (The blind man)
If there is a direct link to be discerned from a Github user to an AWS stack then surely that user should simply be banned and then made to fix their crap before being allowed back on. Back in the 'old days' if the sysadmins on a system I was leasing time from could show that through my action or inaction one of their servers (even my virtual instance) was leaky they wouldn't flinch from shutting my crap down if I didn't comply straight away - and as far as I'm concerned they are quite within their rights to do it.
Agreed. Also, The People should not have access to:
1. crypto
2. computers with unsigned boot chains.
3. unlicensed programming tools of any kind.
4. untrackable vehicles
5. untrackable currency
6. non networked home appliances
We're only about a decade or two away from this being 'normal'.
I'm sorry but you can't bundle a secret key in either source code or a binary, ship it to a user and somehow think that the user will be unable to extract it.
The summary tries to make it sound like it's Github's - or even Amazon's - fault.
If you're stupid enough to store credentials that allow access to pay-for goods in your name, and to then blindly upload them to a public service, I have little sympathy.
No more than people who upload their SSH keys, or hard-code their credentials into their code in the first place, or those who put the contents of their passwd/shadow/htpasswd file into a public arena. All of which we've had articles about people doing - and others finding via Google or just a quick inspection of certain projects. I'm sure there was even one with a Steam API key of some kind once.
Sure, it's easy to do if you're not paying attention - especially if you blindly upload a ton of hidden files (Why? Quite what hidden files do you need to upload to a public third-party version-management service? Yes, I've svn'd or bzr'd my /etc/ in the past for basic rollback functionality, but when you press commit to a public service, are you not checking WHAT files are going up and/or excluding hidden files by default anyway?)
Sorry, but for such projects Amazon shouldn't warn them, they should just block those credentials. It's a quick, easy lesson in how to manage your access to a third-party resource, and the hassle of having to redo your account verification should be enough of a kick up the bum to get you to never do it again.
And those people who were billed? Sorry, it's like asking the credit card company to refund you after you post your credit card number in a forum - sure, they might do it, but they are not obligated to as you breached the contract by failing to ensure the security of those details in the first place (proving it was your fault can actually make the credit card company not liable for it, even with "credit card protection" in law - it's just that proving it is usually more hassle than just paying it). The resources were consumed, by someone with your valid credentials. Your problem.
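The check the post above is asking for (look at what is actually about to go up, and refuse dotfiles and credential-shaped strings before they reach a public repo), as an added example that is not part of the original thread and not any commenter's, AWS's or GitHub's code: a pre-commit scanner for AWS access key IDs, secret-key-shaped strings sitting next to a telling variable name, and credential dotfiles. The patterns are heuristics (the "AKIA" prefix covers long-term IAM user keys only, and the secret pattern deliberately fires only beside a name like secret_access_key to keep noise down); the constructed sample commit uses the placeholder key values from AWS's own documentation, not live credentials.

```python
"""Scan files staged for commit for AWS credentials before they reach a public repo.

Added example for this thread (not code from AWS, GitHub or any commenter).
As a git pre-commit hook it reads the staged blobs; the scan_* functions
themselves work offline on plain strings.
"""
import re
import subprocess
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (path, line number, message); line 0 = the path itself

# Long-term IAM user access key IDs: "AKIA" + 16 upper-case letters/digits,
# not embedded in a longer run of the same characters.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")

# A secret key is 40 base64-ish chars. Alone that pattern is noisy, so require
# a telling variable name just before it (heuristic: misses renamed variables).
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_access)?_key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Dotfiles whose purpose is to hold credentials; committing one is a finding
# regardless of content. Matched as path suffixes after a "/" (assumed list).
SENSITIVE_SUFFIXES = ("/.aws/credentials", "/.env", "/.netrc", "/.s3cfg", "/.boto")


def redact(secret: str) -> str:
    """Show just enough to recognise the key without re-leaking it in a log."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per credential-looking match in the file content."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "AWS access key ID " + redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, lineno, "AWS secret access key " + redact(m.group(1))))
    return findings


def is_sensitive_path(path: str) -> bool:
    """True for a credential dotfile at any depth, including the repo root."""
    p = path if path.startswith("/") else "/" + path
    return p.endswith(SENSITIVE_SUFFIXES)


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps repo-relative path -> content of the version being committed."""
    findings: List[Finding] = []
    for path, text in files.items():
        if is_sensitive_path(path):
            findings.append((path, 0, "credential file should not be committed"))
        findings.extend(scan_text(path, text))
    return findings


def staged_files() -> Dict[str, str]:
    """Read the staged (index) version of each added/modified file from git."""
    names = subprocess.check_output(
        ["git", "diff", "--cached", "--name-only", "-z", "--diff-filter=AM"]
    )
    files: Dict[str, str] = {}
    for name in names.decode().split("\0"):
        if name:
            blob = subprocess.check_output(["git", "show", ":" + name])
            files[name] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample "commit". The key values are the placeholders AWS uses in
# its own documentation, not live credentials.
SAMPLE_COMMIT = {
    "settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                   'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    ".env": "DB_HOST=localhost\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in the repo.\n",
}


if __name__ == "__main__":
    # Installed as .git/hooks/pre-commit, a non-zero exit aborts the commit.
    hits = scan_files(staged_files())
    for path, lineno, msg in hits:
        print(f"{path}:{lineno}: {msg}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run against SAMPLE_COMMIT the scanner reports the access key on line 1 and the secret on line 2 of settings.py plus the .env file itself, and passes the README, which mentions the variable name but contains no key. Blocking the commit locally is the cheap half of the fix; a key that has already been pushed has to be treated as burned and rotated, since the history stays public even after the file is deleted.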
The last school shooting could have been prevented if only crypto was banned!
Oh you mean the one that happened in a GUN FREE ZONE?
It's as though criminals willing to commit murder aren't afraid of jail and don't obey weapons restrictions huh. If only the law-abiding adults on campus had some method of fighting back...
Your understanding of the open source license requirements is fairly broken - there is NOTHING in the GPL (any version) which requires the distributor of the code to provide access to third party services where they require the use of that third party service.
You are thinking of the anti-tivoism stuff in the GPLv3, which does not cover this.
This is a fucking stupid argument. The reason there are loads of school shootings in America but almost nowhere else is not because America has stricter gun laws than everywhere else, but because America has a gun culture which is propped up by easy access to guns.
If it wasn't easy to get a gun, or if guns weren't considered a solution to problems, there wouldn't be so many school shootings.
Gun-fanboys are as subtle with their argument as with the tools they think can be used to end them.