Github Kills Search After Hundreds of Private Keys Exposed
mask.of.sanity writes "Github has killed its search function to safeguard users who were caught out storing keys and passwords in public repositories. 'Users found that quite a large number of users had added private keys to their repositories and then pushed the files up to GitHub. Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Projects had live configuration files from cloud services such as Amazon Web Services and Azure with the encryption keys still included. Configuration and private key files are intended to be kept secret, since if they fall into the wrong hands, that person can impersonate the user (or at least, the user's machine) and easily connect to that remote machine.' Search links popped up throughout Twitter pointing to stored keys, including what was reportedly account credentials for the Google Chrome source code repository. The keys can still be found using search engines, so check your repos."
This is why developers are not sysadmins (Score:3, Insightful)
This is why developers are not sysadmins.
These kinds of repositories need to learn that and not let these folks do this sort of thing. It would be simple to use a regex to filter out the posting of these sorts of files. Maybe devs should even be charged a couple dollars to get a decent review of these things.
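As an added example (not code from the story or from any commenter), here is a minimal pre-commit scanner in the spirit of the regex filter suggested above: it refuses staged files whose name or content looks like an SSH private key or an AWS credential. The `tests/fixtures/` allow-list and the staged sample files are assumptions constructed for the example.

```python
import re

# Patterns that indicate committed secrets. The PEM headers and the "AKIA"
# AWS access-key-ID prefix are documented formats; the rest is constructed.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
}
# Filenames that are SSH private keys regardless of their content.
SECRET_FILENAMES = re.compile(r"(?:^|/)id_(?:rsa|dsa|ecdsa|ed25519)$")
# Paths where deliberately non-functional test keys are tolerated (assumption).
ALLOWED_PREFIXES = ("tests/fixtures/",)

def scan_file(path, content):
    """Return (path, line_no, rule) tuples for every hit in one staged file."""
    if path.startswith(ALLOWED_PREFIXES):
        return []
    hits = []
    if SECRET_FILENAMES.search(path):
        hits.append((path, 0, "ssh_private_key_filename"))
    for line_no, line in enumerate(content.splitlines(), 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((path, line_no, rule))
    return hits

def scan_commit(staged):
    """staged: {path: content}, as a pre-commit hook would build from
    `git diff --cached --name-only` plus `git show :path`."""
    hits = []
    for path in sorted(staged):
        hits.extend(scan_file(path, staged[path]))
    return hits

# Constructed sample of a staged commit. AKIAIOSFODNN7EXAMPLE and the secret
# below are AWS's documented example values, not live credentials.
SAMPLE_COMMIT = {
    "README.md": "# dotfiles\nMy home directory config.\n",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
    "config/aws.yml": "access_key_id: AKIAIOSFODNN7EXAMPLE\n"
                      "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "tests/fixtures/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\ndummy\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    hits = scan_commit(SAMPLE_COMMIT)
    for path, line_no, rule in hits:
        print(f"REFUSE: {path}:{line_no} matches {rule}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

Installed as `.git/hooks/pre-commit`, a non-zero exit stops the commit before anything reaches a public remote; it does not help with keys already pushed, which must be rotated.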
Re:This is why developers are not sysadmins (Score:5, Insightful)
No. This is actually completely absurd. A developer that cannot grasp the concept that private keys have to be kept private, cannot be trusted to do anything but screw up the most basic security provisions when writing code.
They should get a kick in the ass, such as three months without any sort of commit privileges, and mandatory code review for a year. THAT should be enough to make it stick, and impress on them the real gravity of their failure. Otherwise, they will just chalk it up as "an annoyance done by those uninteresting people who should learn to code before they go pestering code-gods".
Re:Deserving (Score:5, Insightful)
Exactly, GitHub shouldn't disable a site feature to protect the stupid.
overreaction? (Score:4, Insightful)
Re:This is why developers are not sysadmins (Score:5, Insightful)
(Yes, there is also a nice ~/.ssh/config file, so that you also know which locks those keys fit...)
Stupid people... (Score:4, Insightful)
These stupid people should have had their accounts suspended.
People should be accountable for their actions, and these idiots are potentially compromising third party data security!
Didn't the ICO fine Sony for the information leak in that Anonymous attack? Why in hell should GitHub users be less accountable for things THEY ARE FSCKING COMMITTING to their accounts?
Re:overreaction? (Score:4, Insightful)
Because some of these might be test keys or placeholders. If the key is not valid on any system and is just test data, it should not be a big deal to post it publicly.
Re:This is why developers are not sysadmins (Score:4, Insightful)
I've seen several people comment that they have their home directory config files under version control. If you're using git for that, it's a fairly simple next step to then "backup" the repo to github.
"It's only config files; nobody would be interested in those."
Not so many (Score:4, Insightful)
Hundreds of keys from a million accounts; less than one in a thousand developers screwed up. Call a doctor at once! Then ask him about outliers in large populations.
Re:This is why developers are not sysadmins (Score:4, Insightful)
Developers are the best sysadmins you can have, since they're actually somewhat competent.
It's just that they've got better things to do and are paid more.
Developers are normally careless sysadmins. Sysadmins are usually inept programmers. Someone that really can do both well is a great asset.
Good sysadmins get paid about the same as good developers. At least that's my experience.