Bots Scanning GitHub To Steal Amazon EC2 Keys

New submitter juniq writes: As one developer found out, posting your Amazon keys to GitHub on accident can be a costly mistake if they are not revoked immediately.

"When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they where gone within 5 minutes! Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently; hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins."

Now where have I heard this before...

[JJJJust]

Oh right: http://developers.slashdot.org...

Re:Now where have I heard this before...

[WWJohnBrowningDo]

There ought to be bots scanning /. to weed out duplicates.

Re:Now where have I heard this before...

[DaHat]

This was also covered at Defcon 22... and not just for AWS keys: http://youtu.be/nBR7Kru6JX0?t=...

Re:Now where have I heard this before...

There ought to be bots scanning /. to weed out duplicates.

Nah, this is Slashdot; I think they have bots that search for dupes with the intent to post them.

Re:Now where have I heard this before...

[ofprimes]

Slashdot de-dupe..

Re:Now where have I heard this before...

It would be so quiet in here...

captcha: perfect

Re:Now where have I heard this before...

[TubeSteak]

I imagine it would be rather trivial for Git-Hub and others to scan uploads before they go "live" and either censor keys or ask "are you sure you want to do this"

Re:Now where have I heard this before...

There ought to be bots scanning /. to weed out duplicates.

There ought to be bots to weed out stupid editors, or better yet, replace them!

Re: Now where have I heard this before...

Calm down. Some readers might have missed it the first time. Yay, nerd points for you, though.

The Stupidity of Human Greed

[MrBigInThePants]

They could have achieved so much more by being less greedy.

People....

Re:The Stupidity of Human Greed

How? They got $2000 worth of cpu time from amazon. If they'd waited the guy would have surely thought to change the damn API key the next morning (surely no one is dumb enough, to think just removing the stuff after the fact will help - I guess they also don't bother getting new credit cards when their wallet gets lost and returned by a nice stranger that very same day).

Re:The Stupidity of Human Greed

[swb]

I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.

Re:The Stupidity of Human Greed

[jtownatpunk.net]

They're going for The Big Dirty. One big score and they're out.

Re:The Stupidity of Human Greed

I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.

Wal-Mart!

Re:The Stupidity of Human Greed

[Cramer]

Doesn't matter if their nuclear road flare gets their instances shutdown before a single shitcoin is mined. Given the speed of CPU hashing, even 1000 instances would take days to amount to anything. (the fastest dedicated miner does 6TH/s, and it would take a week to generate 0.5BTC -- worth about $150)

Re:The Stupidity of Human Greed

[tlhIngan]

I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.

It works in real life all the time, actually - companies do this quite routinely. Jack up your bill by $2 and they can rack up millions over the year, and it doesn't matter if it's a contract or not because how much are you going to spend trying to recovery $24/year? If it's a cellphone contract, the max they're going charge you is $48 more over the contract's 2 year lifespan. You going to sue them over that? Now repeat that for a million subscribers and that's an extra $2M a month in free profits.

Maybe you can jack it up by $5 ($60/year) because it's still too low to bother.

It's why they made class-action lawsuits, because someone stealing $48M/year would get sued/arrested/etc if it was against one person, but against 1M people? Worthless.

As for this, well, given it's still "free money", even at Bitcoin's deflated value of around $350 or so, it's still free money. Who cares about efficiency or anything when you can steal CPU cycles like that - just scan github checkins for the key, then use the APIs to automatically create sessions and all that and rack up the bitcoins. Even the github scanner doesn't have to be owned by the user - they probably stole some guy's EC2 credential and are using one of his instances for it unbeknownst to the user. Free money!

Re:The Stupidity of Human Greed

[leonardluen]

but the bot operator isn't paying for it, why do they care how efficient it is? if it takes a week worth of cpu time to generate $150 that is still $150 of pure profit for them. at the same time they can probably also sell cycles on the instances they hijacked to spammers or some other group

Re:The Stupidity of Human Greed

[peragrin]

Not even that.

raise the price by 1% and it goes right to your bottom line. Most people won't even notice that the $99 item costs $99.99. It is how gas companies do it.

Re:The Stupidity of Human Greed

[yacc143]

Well, you do realize that AWS DOES offer instances for GPU calculations. Still much slower than dedicated hardware, but basically it's free (as in stolen).

Summary without technobabble

Guy stores his password online, is surprised when he gets got.

Re:Summary without technobabble

[ls671]

More like use a fricking passphrase at least to protect your private key and use some kind of agent to save you from typing that passphrase again and again.

I sometimes use passphraseless private key when I control where it is stored but never store a passphraseless private key on line.

Be aware of key loggers and other means to get you passphrase once your private key is stored online also.

Wait! Should I understand they aren't using PKA?

Sorry then, shame on me.

Re:Summary without technobabble

[mwvdlee]

More like don't upload your PRIVATE keys to a PUBLIC repository.

Re:Summary without technobabble

[ls671]

I entirely agree but for some, namely the ones who still use symmetric keys, this has become an old school thought.

In Canada, the government bought 30 millions certificates for all its citizens in oder to authenticate for government on line services for a buck a piece. Total: 30,000,000$

I would have been glad to provide it to them for 10,000$ and guess what? All privaye keys were kept centrally ;-) Us, old school guys just couldn't believe it.

The big thinkers/marketing guys decided that it was just to complicated for citizens to manage and keep their secret key in a secure location.

Re:Summary without technobabble

Entrust was involved in that deal.

Re:Summary without technobabble

[ls671]

In the end, education and instant knowledge is needed.

Re:Summary without technobabble

[gbjbaanb]

The big thinkers/marketing guys decided that it was just to complicated for citizens to manage and keep their secret key in a secure location

It is. Do not underestimate the ignorance of the common user, especially one who just wants to use their computer. Now if the government had charged $5 and sent a USB key with the certificate on it, maybe the end-user would take more care of it as they understand physical keys in a way that they don't with electronic versions.

Look at how many times you have to use the "I forgot my password" feature. For a service you use once or twice a year, the "forgot my password" link would be the login screen.

Secondly, if all keys are stored centrally, by the government, you can use them to decrypt end-user comms. I think someone must have been thinking ahead!

Thirdly, "bought" 30 million certs? They're the government, they can create their own certs and be their own authority. Then they can outsource the delivery of these to citizens to a private company for only a few hundred million dollars. (a company with a minister on the board as a non-exec director, of course)

Re:Summary without technobabble

[bhcompy]

Yup. Apparently it does take a rocket scientist to know that posting your keys in publicly accessible places will get them compromised... maybe that's why they're software developers and not rocket scientists

Re:Summary without technobabble

I'm a Canadian. This is the first time I've heard of these 30 million certificates.

Re:Summary without technobabble

[ls671]

http://www.isacc.ca/isacc/_doc...

Re:Summary without technobabble

[ls671]

I agree it is currently. It is funny although what a little education could do but most of the times, educated people are less easy to profit from. Therefore, marketing guys will rarely suggest educating people as a solution.

Re:Summary without technobabble

[ls671]

>Thirdly, "bought" 30 million certs?

Oh and yes, that's why we were both laughing our hearts out and calling shenanigan at the same time. As I wrote in my OP, I would have been glad to generate those certs for them for 10,000$ instead of the 30,000,000$ they spent. But hey, a buck a piece for certs is a great deal, isn't it?

The usb key solution was suggested as well but the conclusion was that dumb users would lose their usb keys and that it would become too costly to manage.

In the end, we seem to be doomed unless we educate people.

Re:Summary without technobabble

[Falos]

You won't see anyone whining about their rights or "it's MY information!" or intellectual property or "we need to change (git) policy!" here.

Quarantine or bust.

Quite a lot of crazy stuff gets pushed to git

I recall running across someone who had discovered several thousands of PHP files that contained commands like exec($_POST["randomgibberish"]) that was clearly a backdoor exploit that had gotten into the source and then pushed to git for whoever to share.

Re:Quite a lot of crazy stuff gets pushed to git

I remember a couple years ago someone accidentally pushed his .bash_history and it turned out to have a big log of him watching child porn movies. Pretty sure it was a Slashdot story but I really don't want to go searching for that.

Re:Quite a lot of crazy stuff gets pushed to git

[ls671]

Run a WAF, log suspicious packets at the IP level, then you will discover a big underworld...

Re:Quite a lot of crazy stuff gets pushed to git

[ls671]

.bash_history eavesdropping is indeed kidiporn...

Re:Quite a lot of crazy stuff gets pushed to git

[iamacat]

ASCII porn in bash is evil man! At least he was not using rc.

Lesson: don't use root AWS API keys

[heypete]

AWS strongly discourages the uses of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Judicious user of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.

Re:Lesson: don't use root AWS API keys

they could save themselves a lot of trouble by making a web UI for IAM that isn't shit, and actually documenting the system somewhere

Re:Lesson: don't use root AWS API keys

Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

Agreed, but when you sign up as a new user, Amazon presents you with the root key right there. Someone signing up to test things out is likely to just copy and paste that key wherever it's needed to get off and running. I did that when I was playing with ceph, fortunately I was evaluating locally and didn't leak the key. I think a better option would be for Amazon to give you *no* API key by default, requiring you to make one with the necessary permissions and at least have a cursory look at the options.

Re:Lesson: don't use root AWS API keys

This may be anon but mark it up... very insightful. Yes it is important to create role based accounts/permissions for AWS through IAM, but abso-fucking-lutely the IAM UI and the process for modifying permissions/authorization is positively fucking shit. Garbage. Crap. A cankerous sore on the taint of the internet. It's not very good. And the documentation for it is so poor to the point of being virtually non-existent. I did use it, and on an AWS project I worked on made sure we had specific accounts created permissions limited depending on the roles required. But it is basically hacking at the configuration until you get it right because it is the only real way to figure it out. Not what you want when it involves security. It is too easy to fuck up and leave yourself vulnerable... never mind the people who take one look at it and say WTF? and not set up security at all and just use the root access key/secret key. Saying that this is something that only experts should use so it's OK to be cryptic is not the answer... if only security experts should set up accounts Amazon would likely lose 75% of their business (i.e. a lot of it).

--theshowmecanuck ... posting anon because not only did I want to mod parent up, but hopefully someone from amazon reads /. and will help get their shit together on this.

Re:Lesson: don't use root AWS API keys

[jemmyw]

And I recently found out about their IAM roles, which means that an EC2 instance can have it's own keys, that are automatically rotated, and available to any AWS-SDK you're running on the machine (or fetchable on a local IP). This is safer than passing keys, root or IAM user ones.

Re:Lesson: don't use root AWS API keys

True, but the UI sucks. It needs a better engineered information infrastructure that is resilient against the Republicans. The papers leaked from the Ramstein Air Base Affair certainly show that AWS is not being secured effectively. Amazon should respond in kind.

Re:Lesson: don't use root AWS API keys

[bloodhawk]

As someone that just started to use AWS where I work, I feel you are being far to complementary, a first year computer grad could come up with a better interface. The API's they provide aren't a whole lot better either.

Re:Lesson: don't use root AWS API keys

Surprise! After using IAM for a few years now, it is as crappy and poorly thought at as the UI itself is. You'll find it doesn't do what you need to and there is no way to do a lot of important stuff properly because the means for limiting scope does not exist or so wide in scope as to be useless.

Amazon doesn't know what they are doing, there is not any single thing to fix here, AWS is broken top to bottom in every way and will be forever. Its that way by design.

Re:Lesson: don't use root AWS API keys

they could save themselves a lot of trouble by making a web UI for IAM that isn't shit, and actually documenting the system somewhere

I'm a developer working on various parts of IAM. I do not speak for AWS or Amazon in general but I will say this: if you don't like something about the UI or the APIs or ANYTHING about how something works, please, please, please go to the AWS forums and post what you don't like there. Please suggest alternatives, what you'd like to see changed or things you'd like to be added - we really do listen to what folks have to say about it. Nearly every change or addition we make is based on customer feedback.

Re:Lesson: don't use root AWS API keys

AWS IAM developer here again.

"IAM UI and the process for modifying permissions/authorization is positively fucking shit. Garbage. Crap. A cankerous sore on the taint of the internet. It's not very good."

What could we add/change/subtract to make it not that?

"But it is basically hacking at the configuration until you get it right because it is the only real way to figure it out."

We added the policy simulator to try to help address this:

IAM Policy Simulator

Did this not help you? If not, why not? What could we do better?

HACKERS ARE SCANNING 24/7

HACKERS, I TELL YOU

Re:HACKERS ARE SCANNING 24/7

IT IS HAXORS! 7337!

Re:HACKERS ARE SCANNING 24/7

[lagi]

Fixed the title: "15 y/o Script Kiddies With Bots Scanning GitHub To Steal Amazon EC2 Keys"

Sounds like multiple failures

[rebelwarlock]

But the user is still mostly to blame. Okay, so you might not find it intuitive that S3 keys can lead to new EC2 instances - I wouldn't have guessed that either, even though I've used both repeatedly. Maybe that shouldn't even be a possibility. But what howling insanity persuaded you to put those keys on github in the first fucking place? And if it was a mistake, why didn't you change them after? This isn't amateur hour, guys - there's real money at stake here.

Re:Sounds like multiple failures

[Paradise+Pete]

This isn't amateur hour, guys - there's real money at stake here.

People make mistakes every day of their lives. We always have, we always will. It's how we learn what not to do. It's just that almost all mistakes are harmless... except on the internet. There it's like living in a minefield. Make a bad step and boom. It's not a question of amateur hour, it's a question of being human.

Re:Sounds like multiple failures

[ls671]

Just fucking use PKI instead of stupid API keys. Are their API keys PKI or not. See my post above:

http://slashdot.org/comments.p...

then, since 1977:

https://en.wikipedia.org/wiki/...

Re:Sounds like multiple failures

[wvmarle]

Easy enough to make this mistake, and not realising it.

Develop something that needs Amazon S3 access, and put it on GitHub. It's easy enough to forget about removing your keys before doing a git commit, putting them on GitHub.

Next time maybe you do remember to do so; possibly not realising your first mistake. The keys remain available in previous versions of your software, and you'll never see this old version until you happen to do a rollback to exactly that revision. Rollbacks don't happen too often; to that specific version even less; and then you still have to look at the bit of code that has the keys and realise it's coming from the rollback.

Others that may download your updated (keyless) version also won't notice your keys are on GitHub, after all they're hidden in an older version, which you never see unless specifically requesting it.

What makes matters worse: with this bot it may take just minutes for your keys to be copied and put in use. TFS mentions just five minutes for that to have happened. Maybe it's specifically looking for new commits?

Anyway, easy enough to make such a mistake and not realising it. As such there are many AWS secret keys out there, that are still valid (owner doesn't realise they're out there so won't revoke them), and that are just waiting to be found and put into use.

Re:Sounds like multiple failures

[loufoque]

By removing the key, I assume he rewrote the history, and not just removed it in a further commit.

Re:Sounds like multiple failures

[kramulous]

No. It is a big fucking problem of Amazon that IAM S3 keys can be used outside S3. A BIG FUCKING problem! A major security incident.

They, Amazon, need to sort their shit out. If I have IAM keys that are S3 read only on a certain bucket, then I EXPECT that it is read only on that bucket. If somebody has those keys, then all I want them to do is to read from that bucket. Not start EC2 instances, or change my Route53 records, or anything else.

This is Amazon's fault. No two way about it.

If somebody got the keys via github, then all they should have been able to do was what they were permitted to by those keys. PERIOD!

Re:Sounds like multiple failures

I don't know. If I were doing something like this, I'd have some single file that had the key in it that was sourced/imported/included/whatever by every file that needed the key, and then that one file that had the key would be put into the .gitignore file to ensure that it didn't accidentally get pushed. Maybe that's just too much common sense though.

Re:Sounds like multiple failures

It makes you wonder why github isn't scanning itself for the same thing and blocking or sabotaging the "hackers". I mean, how is it possible to scan that fast through the whole site unless there's some kind of really simplistic loophole (e.g., a filename pattern) that should be as equally trivial to block or warn on upload of the files or to block from a search?

Also, why the hell does a free trial account allow racking up $2k+ of compute time in a few hours on Amazon!? Wow.

Yes, it's user error, but things should be engineered with the expectation that users are going to do silly things from time to time. It's inevitable if you have many users.

Re:Sounds like multiple failures

This isn't amateur hour, guys - there's real money at stake here.

People make mistakes every day of their lives. We always have, we always will. It's how we learn what not to do. It's just that almost all mistakes are harmless... except on the internet. There it's like living in a minefield. Make a bad step and boom. It's not a question of amateur hour, it's a question of being human.

Oh puh-lease! This is just as bad as someone "mistakenly" writing their login password on a Post-It note and putting it on their keyboard. That's not a "mistake", it's an idiot doing something completely stupid (that they should KNOW is bad) that can have catastrophic consequences. A typo is a mistake. Forgetting your keys and locking yourself out of the house is a mistake. Putting confidential information in an unsecured place is NOT a mistake. In some cases it's criminal or at least a terminable offense. "Insightful" my ass...

Re: Sounds like multiple failures

[Fwipp]

Even if you rewrite history, the dangling commits are still in github and can be accessed - you have to clone the repo and delete the original.

Which isn't something you'd expect unless you understand how git works.

Re:Sounds like multiple failures

I don't see how PKI would fix this. Instead of accidently committing their API key, they'd accidently commit their private key. In either case, it's just a random looking string of letters.

Re: Sounds like multiple failures

[loufoque]

They'd need to know the SHA-1 to find it though.

Re:Sounds like multiple failures

IAM developer here again.

"Just fucking use PKI instead of stupid API keys. Are their API keys PKI or not. See my post above:"

We've discussed this but we don't think it would help in these particular instances. Developers would just accidentally upload their private RSA keys to GitHub. Unless you mean something different?

Re:Sounds like multiple failures

[Slashdot+Parent]

Okay, so you might not find it intuitive that S3 keys can lead to new EC2 instances - I wouldn't have guessed that either, even though I've used both repeatedly.

Actually, S3 keys either can or can't be used to launch EC2 instances, depending on user configuration. Using IAM, you can grant AWS keys only as many rights as are necessary, so if your program only needs to write to a certain S3 bucket, you should grant access to the key only to write to that bucket. Then, that key couldn't be used for any other purpose (like launching EC2 instances).

Also, IAM roles can be used to avoid using AWS keys in your code/config files at all if your code will be running within EC2. Just give your instance an IAM role with permissions to make only the necessary calls, and let AWS handle your key acquisition and rotation for you.

Bots are not "algorithms"

...nor are algorithms usually created. Algorithms are discovered, devised, or designed. Software is created. Bots are created. Algorithms exist independent of their discovery.

Anyway, I'm getting sick of hearing the word "algorithms" used as it seems to be in the movies a lot lately.

Re:Bots are not "algorithms"

[Paradise+Pete]

Anyway, I'm getting sick of hearing the word "algorithms" used as it seems to be in the movies a lot lately.

I once came up with an algorithm that wasn't very good, so I just commanded the computer to "Enhance!", and it got much better.

Re:Bots are not "algorithms"

What are you smoking? An algorithm is defined as "A finite set of unambiguous instructions performed in a prescribed sequence to achieve a goal, especially a mathematical rule or procedure used to compute a desired result. Algorithms are the basis for most computer programming".

From a fundamental level, a program as a whole is an algorithm made up of smaller algorithms which are in turn made up of smaller algorithms.

If you want to jump out of standard computer programming and go into "pure CS" and go into Turing machines, then an algorithm is simply a Turing machine which is guaranteed to halt, both on success and on failure, rather than just on the success case.

I guess i am old

[codepigeon]

I guess i am too old to understand how loose people treat the internet these days. 'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way! You shared the keys to your kingdom and someone abused it?? Shocking.

As a complete side note: I hate when people like the author don't know the difference between 'where' and 'were'....fuck, no wonder he was easy fodder

Re: I guess i am old

[glitch23]

I agree. It grinds my gears too. I just want to ask the person how the hell do you spell "where" if you spell "were" like "where" so I can see the look of confusion sweep over their face.

Re:I guess i am old

[caferace]

'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way!

If you're going to ding someone on grammar I'd suggest you at least spell correctly while doing it.

Re:I guess i am old

[fnj]

Do you think maybe there is a fundamental difference between a missed keypress and having gross dyslexia?

Re:I guess i am old

[Kjella]

I guess i am too old to understand how loose people treat the internet these days. 'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way! You shared the keys to your kingdom and someone abused it?? Shocking.

He wasn't surprised they were abused. He's surprised what he thought was keys to S3 unlocks the entire kingdom. Like you lose a card for electronic bus tickets and you think the worst they can do is ride the bus for free. Except the card doubles as a "secure ID" and they order thousands of dollars worth of goods from cooperating merchants, which you didn't even know was possible. Sure posting them on Github was ignorant and entirely his fault, but if you try to assess the risk then it's probability * impact and I think he just got a big surprise when it came to impact. I think you're being too hard on him.

Re:I guess i am old

[Sqr(twg)]

Yep. Not checking your own spelling while attacking someones grammar on slashdot is stupid.

Dyslexia, on the other hand, does not appear to be correlated to intelligence.
 

Re:I guess i am old

[LordLucless]

No, he was surprised that what he *thought* were keys to S3 unlocked the whole kingdom. In reality, the keys he was using were root credentials, and were always intended to unlock the whole kingdom.

Re:I guess i am old

'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way!

If you're going to ding someone on grammar I'd suggest you at least spell correctly while doing it.

If you're going to ding someone on spelling I'd suggest you at least use proper grammar while doing so.

Re:I guess i am old

As another side note, I hate when people don't capitalize the personal pronoun "I". I must be older than you!

Re: I guess i am old

or just ask them, if they were really trying to spell "were", where exactly do they spell "where" and were they taught where the extra "h" goes?

Re:I guess i am old

[emj]

No, he was surprised that what he *thought* were keys to S3 unlocked the whole kingdom. In reality, the keys he was using were root credentials, and were always intended to unlock the whole kingdom.

This is entirely Amazons fault they should improve their crappy credential system. The is point that everyone makes mistakes so root keys are a really bad idea. Especially since you generate them when you are in a "just get this shit working" mode, not "lets design a super secure key management system" mode.

Re:I guess i am old

He accidentally posted them and delete all traces of them five minutes later. I don't know if you left that important fact out, because you're old or for some other reason.

Re:I guess i am old

[Mal-2]

That's English.

How do you say the "were" part of "werewolf"? You say it just like "where". Or like "wear".

How do you pronounce "read", or "lead"? Is that "reed" or "read"? Is that "red" or "read"?

Some people can remember the rules, but not all of the exceptions. It's far worse if it's not even their native language and they didn't have this drilled in from early childhood. The fact that we write everything down with 26 letters is quite handy. Not so much the fact that there is no unique mapping of symbols to sounds.

ghoughpteighbteau tchoghs? ghoti?

If you can spell accurately, that's nice. It does make you seem more intelligent, or at least more literate. But it's really hard to lay this all at the feet of the people who have problems with it.

Re:I guess i am old

IAM Developer again

"The is point that everyone makes mistakes so root keys are a really bad idea."

We agree. However getting customers to stop using root keys is really, really hard. IAM was created so that customers would not have to use root keys but unfortunately their use is still prevalent. We're working on ideas. And we'd love to hear any suggestions you might have about this.

Re:I guess i am old

[Slashdot+Parent]

He's surprised what he thought was keys to S3 unlocks the entire kingdom.

Why? Is there even such a thing as an "S3 key"? I've been using AWS for a long time, and I've never seen one of these (unless you count the goofball time-limited key pre-signing thing, and those keys can't be used for any purpose outside of S3).

There are, of course, AWS keys, and those keys can be granted privileges. If you grant an AWS key full access, then yes, it can be used for any API call. But really that's bad practice. If your application needs only access to a specific S3 bucket, you'd create an AWS key for your app and grant it access only to that bucket.

Since I haven't done it in a while, I tested this out. I just created an AWS key and here's what I found: it has no access at all. I can click "attach user policy" and it gives me a ton of choices for what type of access I can give the key, including "Amazon S3 Full Access" and "Amazon S3 Read Only Access", or I can use a custom policy generator.

So I think AWS is doing a halfway decent job here, giving people simple options for simple situations and complex options for complex situations. If a user is going to create an admin-level AWS key and post it to github, what is AWS supposed to do about that?

Dumb

Dumbass.

searches 24 hours per day?

Their algorithm will crash on March 8, a 23-hour day.

Fucking idiot....

Amazon shouldn't have refunded him any money. We really need idiot taxes.

Re:Fucking idiot....

[OrangeTide]

With his money refunded he probably didn't file a police report. Which means Amazon doesn't have to deal with nosy investigators.

Re:Fucking idiot....

[coolsnowmen]

PR. Amazon doesn't want to be perceived as "too dangerous to use".

Another young idiot

Why the f*ck would you post your S3 keys on github anyway? I sincerely hope you are not looking for sympathy because you won't find any here (nor do you deserve any).

God-damn "social media" generation that feels they need to share everything. Good riddance.

Horrible design on part of Amazon

[iamacat]

When you sign up for a developer account, you should be asked how much you plan to spend per month. $2375/day would not be a common option for an individual. Given proliferation of free 15GB storage accounts, a very low end developer account with no credit card is not a crazy option. People will learn the API and use it in future, but neither them nor hackers will have enough quota to run a production site. This is just like limited data cell plans where a single buggy app can run up crazy charges. Good that they refunded money, but fundamental structural problem must be fixed.

Re:Horrible design on part of Amazon

But this is not the case of "a single buggy app", this is totally the fault of an idiotic user. Why post your S3 keys on github? That's just plain stupid.

Hopefully, he considers this a "life lesson" and should be thankful that he got his money refunded.

Re:Horrible design on part of Amazon

[Charliemopps]

It reminds me of the stories of teenagers getting themselves a website and then hosting some video that went viral overnight... they wake up to a $16k bill.

Who is stupid enough to hardcode keys?

[gweihir]

Really, leaving your money on a park-bench somewhere exposes it to be stolen...

Re:mod 0p

[ls671]

You almost spelled Rivest right:

https://en.wikipedia.org/wiki/...

Keep on the good work!

people mess up. Bank calls before approving $10,00

[raymorris]

People mess up. An API key will occasionally get into a file that's in a source tree. It is an API - an Application Programming Interface, so programs will have that key. Program source gets posted to github. Shit happens.

My bank knows shit happens and I could get my card stolen, so when I make a large purchase which appears unusual my cell phone rings - the bank's security company calling to verify the purchase. That's the bank doing a good job.

People should watch where they're walking. That doesn't mean you leave an open manhole in the middle of the sidewalk unmarked - someone is likely to mess up and fall in.
 

dem haxxorz

dey be haxxin amazon2

"ON accident"?

Oh, wait... you're American...

WTF?

"posting your Amazon keys to GitHub ON accident"

Why do Americans have such trouble with two letter words? Idiots.

Re:"ON accident"?

Let us see... are you:

a) A resident of a country that the USA defended in a war?
b) A resident of a country that the USA assisted economically?
c) A resident of a country that greatly benefits from innovations and inventions made in the USA?
d) A resident of a country that owes its ongoing freedom to the protection of the USA?

You get the idea.

Re:"ON accident"?

[MillionthMonkey]

I've lived all over the U.S.A. for decades, near plenty of stupid people, and I have never heard anyone use the phrase "on accident" in my life. That's the type of error you see in technical manuals from Asian countries. People do say "on purpose", which can easily confuse people who learn English as a second language into saying "on accident" instead of "by accident".

To spot Americans with two-digit IQs on the Internet, look for two unforgivable homonym goofs: confusion between "they're", "their", and "there", and also between "you're" and "your". Those are big warnings that you're reading something stupid written by a native-English speaker. Foreigners don't seem especially prone to goof over these words, but half-illiterate native English speakers just type the way they hear themselves talk, and if it passes the spell check they'll remain oblivious.

Re:"ON accident"?

[MillionthMonkey]

Let us see... are you:

• a) A resident of a country that the USA defended in a war?
• b) A resident of a country that the USA assisted economically?
• c) A resident of a country that greatly benefits from innovations and inventions made in the USA?
• d) A resident of a country that owes its ongoing freedom to the protection of the USA?

You get the idea.

What makes you so sure the guy is from Israel?

Give the man some slack

[hankwang]

To all posters who are blaming the man for being so stupid: please RTFA. He had just opened an amazon AWS 1-year free trial to practice what he'd just learnt about Ruby on Rails. He made a mistake:

I knew my API key needed to be safe, so I installed the Figaro gem (a rails API key security gem, which typically works great), and trusted it to keep my API key off of git when I pushed. (...) deleted all traces from GitHub. I was able to clean it up within about 5 minutes (...) After a close call, I went to bed.

Surely it is not that unreasonable to (1) realize that those keys will be scraped within 5 minutes after uploading to an obscure project, and (2) not realize that an S3 key in a free trial subscription wouldn't allow racking up $2375 in EC charges within 10 hours?

Re:Give the man some slack

In his defense this is exactly what you can expect from Amazon so this "trial" is *perfect* - AWS is awful, is full of traps, and does all kinds of extremely expensive unpredictable things. Then when it happens to you and it isn't a PR disaster for you they go "its your fault" - in fact everything is your fault, you can see it in the docs, where they will tell you stuff like "this doesn't work but if that is a problem its because you don't know how to do your job" where "this doesn't work" is a perfectly reasonable thing.

This is the kind of stuff you would never know until using AWS for a few years.

Re:Give the man some slack

>Ruby on Rails
>made a mistake

You said it, man.

Re:Give the man some slack

[hankwang]

The mistake he made was not understanding the tools he was using. (...) Signing up for a service and then using it without reading the documentation is foolish.

I assume that you also blame the subprime borrowers for signing a contract that they didn't fully understand without putting most of the blame on the banks that knew damn well what they were doing?

The fact that one person can be blamed for a mistake due to lack of experience does not mean that there is not someone else (i.e., Amazon and the people who actually abused the keys) who deserves a lot more blame.

Re:Give the man some slack

[gpoul]

The mistake he made was not understanding the tools he was using. Apparently neither do you.

(1) The key could have been scraped at any time once it was pushed, because you can't actually "delete[d] all traces from GitHub" (some ways are more thorough than others, but nothing is foolproof with Google wandering the earth). He needed to revoke his keys immediately.

You do realize that you actually can modify a git repository to delete all traces of a file you previously comitted, don't you? If not, check out http://git-scm.com/book/en/v2/Git-Tools-Rewriting-History

Re:Give the man some slack

You realize that people getting real-time feeds of your commits don't care if you later try to rewrite history?

Simple solution

Amazon issues several fabricated keys, posts them to GitHub. Once they are used, they ban the IP and inform the police.

Re:people mess up. Bank calls before approving $10

put the real key in a single file and include that file in any file that needs access to said key, and then include the file with the real key in .gitignore so it doesn't accidentally get uploaded?

It's not rocket science.

And my bank is going to get pretty pissed at me if they find out I published my bank details on a public access website and then ask them to fix it.

Spoofing EC2 Instances?

I'm wondering if Amazon couldn't post fake keys and pretend to spin up fake EC2 instances? Delay, delay, delay ... increase the cost of having a "hit"?

Countermeasures?

Would it be perhaps useful to now have a bunch of bots to commit bogus AWS keys to github repos, so the harvesting bots have chaff to weed through as well as accidental wheat?

Re:Some Questions

Can somebody answer please? I am serious.

Re:people mess up. Bank calls before approving $10

[iamacat]

He did exactly that and .gitignore was accidentally lost.

Service providers are responsible for 90% of work by designing solutions secure by default and in depth. It should take multiple explicit steps and dismissed warnings for an inexperienced developer to incur a catastrophic financial liability.

Talk about being on the wrong side of .zsh_history

[MillionthMonkey]

That was too funny not to search for; it obviously got taken down from github, but someone posted the (very NSFW) .zsh_history on a paste site when the story broke in 2012. If you search for lines starting with "mplayer", you can see how they're clustered into several obvious jerkoff sessions... ROTFL! The file names were so sick they made my eyes pop open.. I had to push them back into their sockets!

This wins the prize for the worst commit I've ever seen. There's a lesson for pedophiles here: echo ".zsh_history" >> .gitignore

Per usual, you had to repost a horrible story.

[Mondragon]

This type of problem has been reported many times before, with much more knowledgable writeups.

The original poster is so naive that they didn't even bother to read enough Amazon documentation to realize there is no such thing as an "S3 key" - API access by AWS keys is limited only by the IAM profile of the key (and my guess is that the OPs keys were unrestricted). They also apparently didn't realize how version control systems work, otherwise they would have known that deleting the key from a revision doesn't actually remove it from the history of the repository.

This article isn't doing anyone any favors - if you want to actually help the community then maybe source an original article reminding people that they should read the docs and understand the services they're using, with pointers to the relevant warnings for commonly used services (both github and amazon have prominent notices with service-relevant notes about how to protect your sensitive data).

Give the man some slack

[Mondragon]

The mistake he made was not understanding the tools he was using. Apparently neither do you.

(1) The key could have been scraped at any time once it was pushed, because you can't actually "delete[d] all traces from GitHub" (some ways are more thorough than others, but nothing is foolproof with Google wandering the earth). He needed to revoke his keys immediately.

(2) There is no such thing as an "S3 key". There are only AWS API keys, which potentially have access to every service that you have enabled (plus the default ones). You need to use IAM profiles to restrict what services they can access, and what rights they have.

Signing up for a service and then using it without reading the documentation is foolish.

5 min? Actually those keys are STILL on GitHub

[gurnec]

In addition to the various other oversights already mentioned, OP doesn't seem to understand Git (or perhaps SCMs in general) given that those (now revoked) keys are still on GitHub -- there was no need for a bot to be all that quick.

Although I wouldn't blame OP for any single one of these oversights -- nobody's perfect -- it's fair to say that it took a number of different oversights / misunderstandings on OP's part for this to become a real problem.

Keys in plain sight

[frisket]

WFT would anyone want to post keys to anything anywhere public?