Github Kills Search After Hundreds of Private Keys Exposed

Posted by Soulskill
from the take-care-what-you-make-public dept.
mask.of.sanity writes "GitHub has killed its search function to safeguard users who were caught out storing keys and passwords in public repositories. 'Users found quite a large number of users who had added private keys to their repositories and then pushed the files up to GitHub. Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Projects had live configuration files from cloud services such as Amazon Web Services and Azure with the encryption keys still included. Configuration and private key files are intended to be kept secret, since if they fall into the wrong hands, that person can impersonate the user (or at least, the user's machine) and easily connect to that remote machine.' Search links popped up throughout Twitter pointing to stored keys, including what were reportedly account credentials for the Google Chrome source code repository. The keys can still be found using search engines, so check your repos."
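The submission's closing advice is to check your own repositories. The scanner below is an added example, not code from the story or from GitHub, showing what such a check looks like: it walks a checkout, skips .git, and flags files named like SSH private keys, files containing a PEM private key block, and config lines assigning cloud credentials. The config key names it matches (aws_access_key_id, aws_secret_access_key, azure_storage_key) are assumed for illustration, and the sample checkout it builds in a temporary directory contains only placeholder values.

```python
import os
import re
import shutil
import tempfile

# The PEM header is the most reliable signal; the file-name check catches the
# plain "id_rsa" case the story describes.
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")
KEY_FILENAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
# Config keys whose values do not belong in a public repo (assumed names for the demo).
CLOUD_SECRET_KEYS = re.compile(
    r"(?i)^\s*(aws_secret_access_key|aws_access_key_id|azure_storage_key)\s*[=:]\s*\S+"
)


def scan_text(relpath, text):
    """Return a list of (relpath, reason) findings for one file's contents."""
    findings = []
    if os.path.basename(relpath) in KEY_FILENAMES:
        findings.append((relpath, "file name is an SSH private key name"))
    if PRIVATE_KEY_HEADER.search(text):
        findings.append((relpath, "contains a PEM private key block"))
    for lineno, line in enumerate(text.splitlines(), 1):
        if CLOUD_SECRET_KEYS.match(line):
            findings.append((relpath, f"cloud credential assignment on line {lineno}"))
    return findings


def scan_tree(root):
    """Walk a checkout and scan every regular file, skipping the .git directory."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings.extend(scan_text(os.path.relpath(path, root), text))
    return findings


# Constructed sample checkout: every value below is a placeholder, not a real key.
SAMPLE_FILES = {
    "README.md": "# demo project\n",
    ".ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
    "config/aws.ini": "[default]\naws_access_key_id = AKIAPLACEHOLDER\naws_secret_access_key = PLACEHOLDER\n",
    "src/main.py": "print('hello')\n",
}


def build_sample_checkout():
    """Materialise SAMPLE_FILES in a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    for relpath, text in SAMPLE_FILES.items():
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


def demo():
    """Scan the constructed checkout and return the sorted findings."""
    root = build_sample_checkout()
    try:
        return sorted(scan_tree(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against a real checkout by calling scan_tree on its path; a non-empty result before the first push is the point at which the key can still be rotated cheaply, whereas after a push the history has to be treated as public.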
  • by slashmydots (2189826) on Friday January 25, 2013 @10:04AM (#42690055)
    I was cruising eBay yesterday and saw that one of the laptops had their Windows license keys exposed in pictures in a readable format. I poked around some more and found that isn't terribly uncommon. Some people just don't think, no matter what website it is.
  • by h4rr4r (612664) on Friday January 25, 2013 @10:12AM (#42690145)

    Sysadmins should also know how to code. Nothing better than showing them their screwup and the solution to it.

    Plus, since all sysadmins, real ones anyway, are already competent in several scripting languages, it is not that hard a skill to add if all you need to do is be better than bottom-of-the-barrel programmers.

  • by KingMotley (944240) on Friday January 25, 2013 @12:16PM (#42691593)

    I dunno about that here. Ever since they rolled out Sophos Full Disk Encryption on every desktop and server here, it's contributed more to downtime than any virus/malware ever has. I think literally every person in this office has had to have their machine completely rebuilt after it got corrupted somehow, and that includes our testing servers as well.

    All I can say is, thank god our production servers are out of our company's control. They haven't had any issues, but then again, they also don't have Sophos malware on them either.

  • Re:Search engines (Score:5, Interesting)

    by tlhIngan (30335) on Friday January 25, 2013 @01:04PM (#42692271)

    Heck, Google disabled searching number ranges after some enterprising folks used them to harvest credit card numbers, doing searches for numbers between 4000000000000000 and 5999999999999999, which will get back lists of credit cards (Visa/MC) that Google indexed because someone put the list up.
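The lists tlhIngan describes were indexed because someone published them. The defender-side counterpart is a pre-publication check that flags likely card numbers before a document or export goes onto a public site. The code below is an added example, not from the comment or from Google: it finds 16-digit runs in the 4xxx/5xxx range named above and keeps only those that pass the Luhn checksum, so a plain sequence number in that range is not reported. The sample text is constructed and uses widely published test card numbers, not real accounts.

```python
import re

# Constructed sample text; the card-like numbers are published test values.
SAMPLE_TEXT = """order 4111111111111111 shipped to warehouse
ref 4000000000000000 is a plain sequence number
billing 5500000000000004 on file
id 1234567890123456 is an internal identifier"""

# Exactly 16 digits not embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)\d{16}(?!\d)")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(digits):
    """16 digits, in the 4xxx..5xxx range from the comment, and Luhn-valid."""
    return digits[0] in "45" and luhn_valid(digits)


def mask(digits):
    """Keep only the last four digits so a report does not itself leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text):
    """Return (line number, masked number) for each likely card number in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in DIGIT_RUN.finditer(line):
            if looks_like_card(m.group(0)):
                hits.append((lineno, mask(m.group(0))))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_card_numbers(SAMPLE_TEXT):
        print(f"line {lineno}: {masked}")
```

The Luhn step is what separates a card list from ordinary 16-digit identifiers; without it a range search and a range filter report the same false positives.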

  • by xaxa (988988) on Friday January 25, 2013 @01:20PM (#42692473)

    Someone in my class installed a game in the officially-public network share. He was writing an AI for it, for a project. Other students found it, and played it.

    It had taken a lot of hacking to get the game to run on Linux, and he was annoyed other students had played it without putting in that effort. So, he altered the 'start.sh' script to generate an ssh key, add the public part to the user's authorized_hosts file, and move the private key somewhere obscure.

    He then got bored with the AI project.

    Some time later, while helping in a tutorial, I was showing a student how to set up an SSH key. The authorized_keys file already contained about 20 entries. The AI guy was sitting at the next computer, and told me what he'd done (I knew him quite well, but he hadn't told me what he'd done until now). He found over 200 private keys in the obscure place. He deleted them, chown -R go-rwx'd the game, and we thought that was the end of it...

    About a year later, Debian had that OpenSSL bug. The sysadmins ran a script across everyone's authorized_keys file, and removed any entries from keys generated by Debian OpenSSL. The email ended (I still have it):

    By the way: some of you have FAR TOO MANY authorized_keys ENTRIES
      and we seriously recommend that you radically shrink these down.
      As I said, we recommend kerberos tickets or ssh-agent instead!

    ...so I don't think they knew how they got there.
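Two things happened in xaxa's story: an authorized_keys file quietly grew to about 20 entries, and the sysadmins later swept every such file against a list of keys generated by the broken Debian OpenSSL. The script below is an added example, not the sysadmins' script or anything from the post, that does both checks on one file: it parses authorized_keys (including entries with a leading options field such as no-pty), computes each key's SHA256 fingerprint, compares against a blocklist, flags entries without a comment, and reports when the entry count exceeds a threshold. The blocklist and the ed25519 keys are constructed from fixed byte patterns for the demo and stand in for the real weak-key list; they are not real key material.

```python
import base64
import hashlib
import re
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pubkey_bytes):
    """Base64 blob of an ssh-ed25519 public key (constructed demo keys, not real ones)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pubkey_bytes)).decode()


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# key type, base64 blob, optional comment; an options field may precede the type
KEY_LINE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text):
    """Return one dict per non-comment line; unparseable lines are marked malformed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {"line": lineno, "type": None, "fingerprint": None, "comment": "", "malformed": True}
        m = KEY_LINE.search(line)
        if m:
            try:
                entry.update(type=m.group(1), fingerprint=fingerprint(m.group(2)),
                             comment=(m.group(3) or "").strip(), malformed=False)
            except ValueError:  # blob is not valid base64
                pass
        entries.append(entry)
    return entries


def audit(text, bad_fingerprints, max_entries=5):
    """Summarise an authorized_keys file: size, blocklist hits, uncommented and malformed lines."""
    entries = parse_authorized_keys(text)
    return {
        "count": len(entries),
        "too_many": len(entries) > max_entries,
        "blocklisted": [e["line"] for e in entries if e["fingerprint"] in bad_fingerprints],
        "uncommented": [e["line"] for e in entries if not e["malformed"] and not e["comment"]],
        "malformed": [e["line"] for e in entries if e["malformed"]],
    }


# Constructed demo keys: fixed byte patterns, not real key material.
KEY_A = make_ed25519_blob(bytes([1] * 32))
KEY_B = make_ed25519_blob(bytes([2] * 32))
KEY_C = make_ed25519_blob(bytes([3] * 32))
KEY_D = make_ed25519_blob(bytes([4] * 32))

# Stand-in for the weak-key list the sysadmins matched against (constructed).
BAD_FINGERPRINTS = {fingerprint(KEY_C)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample; no real keys",
    f"ssh-ed25519 {KEY_A} alice@laptop",
    f"ssh-ed25519 {KEY_B}",
    f"ssh-ed25519 {KEY_C} weak-demo-key",
    f'command="/usr/bin/backup",no-pty ssh-ed25519 {KEY_D} backup@host',
    "not-a-key garbage",
])


def demo():
    """Audit the constructed sample with a deliberately low entry threshold."""
    return audit(SAMPLE_AUTHORIZED_KEYS, BAD_FINGERPRINTS, max_entries=3)


if __name__ == "__main__":
    print(demo())
```

The uncommented check is the one that would have caught the game's keys early: keys a person adds by hand almost always carry a user@host comment, while a script generating keys silently tends not to bother.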
