AWS Urges Devs To Scrub Secret Keys From GitHub
An anonymous reader writes "GitHub contains thousands of 'secret keys', which are stored in plain text and can be used by miscreants to access AWS accounts and either run up huge bills or even delete/damage the users' files. Amazon is urging users of the coding community site to clean up their act."
If the problem is as widespread as TFA suggests, an article/post/urging by Amazon risks simply triggering the Streisand effect (I was tempted to do a search myself after reading the article).
Then again, I'm not sure what else they could have done.
Tie two birds together: although they have four wings, they cannot fly. (The blind man)
If there is a direct link to be discerned from a Github user to an AWS stack then surely that user should simply be banned and then made to fix their crap before being allowed back on. Back in the 'old days' if the sysadmins on a system I was leasing time off could show that through my action or inaction one of their servers (even my virtual instance) was leaky they wouldn't flinch from shutting my crap down if I didn't comply straight away - and as far as I'm concerned they are quite within their rights to do it.
Agreed. Also, The People should not have access to:
1. crypto
2. computers with unsigned boot chains.
3. unlicensed programming tools of any kind.
4. untrackable vehicles
5. untrackable currency
6. non networked home appliances
We're only about a decade or two away from this being 'normal'.
Run it, log it and you too will see a lot of AWS:
Won't bore you further; not sure informing abuse at Amazon does anything though.
Depends on how public the knowledge already is. This is the first time I've heard of it, but this kind of thing is done a lot (private stuff thrown on publicly available services that can be found via a Google search) so I'd guess this was already reasonably well known in the bad people circles. By shouting about it Amazon is ensuring that everyone knows without having to track down and inform people individually.
Wow, I should not post when knackered.
Can't you just ship the software and let the user provide the key?
Readily public - even if not specific to AWS:
http://it.slashdot.org/story/1...
Getting the key requires registering an application and may be validated by the company providing the web service. How could a normal non-technical user do it? Even if it was just creating an account it would be too much for a casual user of an application.
Check out my cross-platform apps
I'm sorry but you can't bundle a secret key in either source code or a binary, ship it to a user and somehow think that the user will be unable to extract it.
The summary tries to make it sound like it's Github's - or even Amazon's - fault.
If you're stupid enough to store credentials that allow access to pay-for goods in your name, and to then blindly upload them to a public service, I have little sympathy.
No more than people who upload their SSH keys, or hard-code their credentials into their code in the first place, or those who put the contents of their passwd/shadow/htpasswd file into a public arena. All of which we've had articles about people doing - and others finding via Google or just a quick inspection of certain projects. I'm sure there was even one with a Steam API key of some kind once.
Sure, it's easy to do if you're not paying attention - especially if you blindly upload a ton of hidden files (Why? Quite what hidden files do you need to upload to a public third-party version-management service? Yes, I've svn'd or bzr'd my /etc/ in the past for basic rollback functionality, but when you press commit to a public service, are you not checking WHAT files are going up and/or excluding hidden files by default anyway?)
Sorry, but for such projects Amazon shouldn't warn them, they should just block those credentials. It's a quick, easy lesson in how to manage your access to a third-party resource, and the hassle of having to redo your account verification should be enough of a kick up the bum to get you to never do it again.
And those people who were billed? Sorry, it's like asking the credit card company to refund you after you post your credit card number in a forum - sure, they might do it, but they are not obligated to as you breached the contract by failing to ensure the security of those details in the first place (proving it was your fault can actually make the credit card company not liable for it, even with "credit card protection" in law - it's just that proving it is usually more hassle than just paying it). The resources were consumed, by someone with your valid credentials. Your problem.
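A commit-time check of the kind this comment asks for ("are you not checking WHAT files are going up?"), written as an added example that is not code from the article, Amazon or GitHub: it scans the files about to be pushed for hidden files and for AWS access-key-id and secret-key patterns. The key formats (AKIA plus 16 characters, a 40-character secret) and the sample staged files are assumptions constructed for the example.

```python
from __future__ import annotations
import re
import sys
from pathlib import PurePosixPath

# Assumed formats: access key IDs are "AKIA" + 16 upper-case alphanumerics,
# secrets are 40 base64-like characters next to an AWS secret-key variable name.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key[\s:=\"']{0,6}([A-Za-z0-9/+=]{40})\b"
)
# Hidden files that are normally fine to publish; everything else dotted is flagged.
ALLOWED_HIDDEN = {".gitignore", ".gitattributes", ".editorconfig"}


def mask(value: str) -> str:
    """Keep only the ends of a matched value so the report itself doesn't leak it."""
    return value[:4] + "..." + value[-4:]


def scan_file(path: str, text: str) -> list[dict]:
    """Return one finding per problem in a single file that is about to be committed."""
    findings = []
    parts = PurePosixPath(path).parts
    if any(p.startswith(".") for p in parts) and parts[-1] not in ALLOWED_HIDDEN:
        findings.append({"path": path, "line": 0, "kind": "hidden-file", "match": ""})
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-access-key-id", "match": mask(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws-secret-access-key", "match": mask(m.group(1))})
    return findings


def scan_files(files: dict[str, str]) -> list[dict]:
    """Scan a mapping of path -> content (what a pre-commit hook reads from the index)."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample of staged files; the key values are AWS's public documentation examples.
SAMPLE_FILES = {
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment before running.\n",
    "settings.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                   'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n',
    ".env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    ".gitignore": ".env\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']} {f['match']}")
    sys.exit(1 if found else 0)  # a non-zero exit blocks the commit when run as a hook
```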
Of course.
Many web services require developers to get keys for their applications. Open source applications cannot provide users with working apps without disclosing the keys.
Depends on your definition of "working app". The source code can contain a random number, and it will work correctly in the sense that it sends the random number to the server to identify itself, and correctly determines that the server rejected it. Like a CD player application; you wouldn't expect the developer to supply CDs with it. Or an app processing credit card numbers for payment.
The last school shooting could have been prevented if only crypto was banned!
Oh you mean the one that happened in a GUN FREE ZONE?
It's as though criminals willing to commit murder aren't afraid of jail and don't obey weapons restrictions huh. If only the law-abiding adults on campus had some method of fighting back...
That's not a problem for the developer of the application, that's a problem for whomever is providing the hosted instance of their code. If a "normal non-technical user" is deploying the code, then they should equally be able to solve the problem of third party webservice keys etc where they are required.
Your understanding of the open source license requirements is fairly broken - there is NOTHING in the GPL (any version) which requires the distributor of the code to provide access to third party services where they require the use of that third party service.
You are thinking of the anti-tivoism stuff in the GPLv3, which does not cover this.
These "developers" are making huge rookie mistakes. Honestly you are not a developer if you make that huge of a mistake. I can see hardcoding a key, but the version you put publicly is set to not function until someone changes it. Cripes, less than 3 lines of freaking code in nearly any language will make your release puke with "change the default key moron, did you not READ the README?"
Best solution, auto generate a key with the install script. Sadly most developers are too freaking lazy to write an install script.
Do not look at laser with remaining good eye.
Yes you can. and real developers do just that.
Not if each developer key costs a recurring fee. For example, Amazon Marketplace Web Service requires both the developer of the application and the seller using the application to be current on a $480/yr subscription. Not sure about the rest of AWS though.
If he shoots you on a daily basis, you may want to consider changing cubes after a few days. Maybe mention this behavior to management, too.
In related news...
Google suggests you don't post your username & password to GitHub.
The locksmith's union suggests you don't tape your key to your front door.
The TSA suggests you don't write your combination on your luggage.
No. They could just refuse service to complete morons. Other than that, there is nothing they can do.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Sorry, but people doing that are worse than dumb. They do not care! Anything they get as result of their utter stupidity is well-deserved.
Amazon should assign a junior engineer to personally be responsible to search/scrape the web for leaked keys, and privately contact the owners of those accounts. That would make for good PR.
Closed source applications that access web services have to ship with a key as well. The only difference is how easy it is to access the key. It's the same issue as DVD players. Eventually someone cracked a key, because the DVD player has to be able to read the key.
I think the problem is that with a closed source application, the API key can be somewhere in the source code, and I compile it, and then the API key is invisible except to a determined hacker. That's fine because I don't give you the source with the API key. With open source, I don't mind at all if you get the complete source code - with the exception of the single line with the API key. You would be free to get your own API key and put it into that single line of code and build your own version.
The API key is basically a promise to the service provider "you have my name and email address, and I promise not to abuse the API key by doing DOS attacks against your server or trying to hack into it". I can't make that promise for you, if you get a copy of the source code.
I'm sorry but you can't bundle a secret key in either source code or a binary, ship it to a user and somehow think that the user will be unable to extract it.
The amount of effort can have major legal effects. For example, an easily circumventable copy protection measure turns copying from "copyright infringement" to "DMCA violation". Where I was raised, theft came in different categories for "taking away unprotected items", "taking by circumventing locks or other protection measures", "taking by using force or threat of force against persons", and "armed robbery". So the fact that a user extracted a key from a binary might have strong legal consequences, and that alone may be enough to make a difference.
You mean like IAM Roles for EC2 which makes credentials show up on your instance and the SDK uses them automatically? And which launched in 2012?
Seriously, it's as easy as S3Client s3 = new S3Client(); and the SDK does the rest. If devs are still hardcoding credentials, I have no sympathy.
Why is it deserved?
I do not know why you are modded down. There indeed is that error in the summary which should have been fixed by the submitter or the editor.
But why would a script kiddie on some other continent give a shit about any of that?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Hosted? I was mainly referring to desktop applications.
Then your post makes even less sense.
The AWS keys referred to in the article are for the storage accounts et al, so there's no "registration" or "validation" of an application going on; you just sign up to AWS, create a bucket for S3 or whatever, and supply the connection credentials to the app.
And that is something that the end user most definitely should be doing.
Obligatory RMS
I have a fair understanding of software licensing, thank you. I was not referring to the GPL in particular, nor any other license. It's not a licensing problem and I don't know why you misread my comment in this sense.
What if I'm developing apps for kids?
But why would a script kiddie on some other continent give a shit about any of that?
Because a country on some other continent has entered into a bilateral trade agreement with the United States.
Then you shouldn't be collecting personally identifying information from them in the first place without verifiable parental consent.
When posting screenshots containing secret keys, just remove a large part of it. Don't use blur or swirl like filters, these can be reversed quite well.
The blurred key posted by itnews is pretty much reversible with the naked eye.
According to the summary the blurred key, and others, are already available in plaintext on Github meaning countless people could have already captured them and possibly still can.
Aren't you supposed to learn fourth grade English before you get to college?
English is not necessarily required if you go to college somewhere other than the United States, Canada, Great Britain, Ireland, Australia, New Zealand, South Africa, or India.
If your FOSS application interacts with a web-based service that requires an API key, the correct way to implement it is to instead have it interact with your own servers, and in turn have your servers interact with the web service via the API key. You should of course then publish the source to the server-side part of your application as well, and advanced users can then (if they really want to) set up their own server, with their own API key for the web service; this also protects users from the possibility that you disappear and shut down your server or let it rot.
Of course this design assumes it's a web service your users are accessing anonymously. If they have to login to their own accounts, then this model is usually wrong. They should never be providing their account credentials to you, and it can only work correctly with more advanced authentication methods that avoid the need for them to provide credentials to you, which the web service is unlikely to support.
Bull! AWS has a bad problem with billing because you can't terminate instances until you delete what the instance is running. It restarts after you terminate. CRAZY.
Which, in combination with $1, will buy you a cup of coffee. I haven't noticed that Eastern European or Chinese spammers and attackers have been deterred one whit by those bilateral trade agreements.
If you have to ask, then you are not capable of understanding the answer. But you may want to visit a shrink sometime.
I think you may be the one that needs to visit the shrink sometime, because you somehow think that people should be punished just for being stupid, even when they did not cause any harm to other people in the process.
You still have no clue what this is about. Hint: Look up "evolution" and "negative feedback".
Sure, I know that, but that is still not the only possible way to look at the thing.
English is not necessarily required if you go to college somewhere other than [Britain or one of its ex-colonies].
How can people be allowed in if they don't show a basic competence with the very basics of the language they are supposed to converse in?
In countries whose official language is not English, conversing in English is not necessarily required. For example, universities in France likely conduct classes in French.