Security

Users With Weak SSH Keys Had Access To GitHub Repositories For Popular Projects

itwbennett writes: Earlier this year, researcher Ben Cox collected the public SSH (Secure Shell) keys of users with access to GitHub-hosted repositories by using one of the platform's features. After an analysis, he found that the corresponding private keys could be easily recovered for many of them. The potentially vulnerable repositories include those of music streaming service Spotify, the Russian Internet company Yandex, the U.K. government and the Django Web application framework. GitHub revoked the keys, but it's not clear if they were ever abused by attackers.
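As an added illustration of the kind of audit the summary describes (example code written for this page, not Ben Cox's tool and not anything from GitHub): the script parses OpenSSH public-key lines, the one-key-per-line format shared by authorized_keys and GitHub's per-user public key listing, decodes the wire-format blob to recover the key size, computes the ssh-keygen-style SHA256 fingerprint, and flags DSA keys and RSA keys with a short modulus. The user names, key lines and the 2048-bit threshold are constructed assumptions; the sample moduli have the right bit length but are not real keys. Matching fingerprints against the Debian weak-key blacklist (the openssl-blacklist package) would be a separate, additional step.

```python
import base64
import hashlib
import struct

# Assumption for this example: RSA moduli shorter than this are flagged as weak.
MIN_RSA_BITS = 2048


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian magnitude, zero-padded if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one wire-format string from blob at offset; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def encode_pubkey(keytype: str, *fields) -> str:
    """Build an OpenSSH public-key line from wire fields (ints become mpints,
    bytes become strings). Used here only to construct the sample input."""
    blob = _ssh_string(keytype.encode())
    for field in fields:
        blob += _ssh_mpint(field) if isinstance(field, int) else _ssh_string(field)
    return keytype + " " + base64.b64encode(blob).decode()


def parse_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys-style line and return its type, the
    ssh-keygen-style SHA256 fingerprint, and the key size in bits."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type != keytype.encode():
        raise ValueError("key type inside blob does not match the prefix")
    digest = hashlib.sha256(blob).digest()
    info = {
        "type": keytype,
        # ssh-keygen -lf prints SHA256 over the decoded blob, base64 without padding
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent e
        n_bytes, off = _read_string(blob, off)     # modulus n
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    elif keytype == "ssh-dss":
        p_bytes, off = _read_string(blob, off)     # DSA prime p comes first
        info["bits"] = int.from_bytes(p_bytes, "big").bit_length()
    elif keytype == "ssh-ed25519":
        info["bits"] = 256
    elif keytype.startswith("ecdsa-sha2-nistp"):
        info["bits"] = int(keytype[len("ecdsa-sha2-nistp"):])
    else:
        info["bits"] = None
    return info


def audit_keys(keys_by_user: dict) -> list:
    """Flag weak keys per user. Returns a list of (user, fingerprint, reason)."""
    findings = []
    for user, text in keys_by_user.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            info = parse_pubkey_line(line)
            reason = None
            if info["type"] == "ssh-dss":
                reason = "DSA key (%d bits, deprecated)" % info["bits"]
            elif info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS:
                reason = "RSA modulus only %d bits" % info["bits"]
            if reason:
                findings.append((user, info["fingerprint"], reason))
    return findings


# Constructed sample input (hypothetical users; the moduli are the right size
# but are not products of two primes, so they only exercise the parser).
SAMPLE_KEYS = {
    "user-a": encode_pubkey("ssh-rsa", 65537, (1 << 511) + 12345) + " laptop",
    "user-b": encode_pubkey("ssh-rsa", 65537, (1 << 1023) + 1) + " old-desktop",
    "user-c": encode_pubkey("ssh-rsa", 65537, (1 << 2047) + 3) + " work",
    "user-d": encode_pubkey("ssh-ed25519", bytes(range(32))) + " hardware-token",
}

if __name__ == "__main__":
    for user, fingerprint, reason in audit_keys(SAMPLE_KEYS):
        print("%s %s %s" % (user, fingerprint, reason))
```

Run against real input by replacing SAMPLE_KEYS with the text of each user's key listing; the fingerprints printed are the same ones ssh-keygen -lf would show, so they can be compared directly with a published weak-key list.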


  • by Anonymous Coward on Thursday June 04, 2015 @02:19AM (#49837327)

    That is it. I'm moving over to sourceforge!

    • Re: (Score:2, Funny)

      by Anonymous Coward

      After you come back, you should get tested.

  • by Anonymous Coward

    can someone please inform the VLC developers of their expired signing key?

    Here it is:
    https://get.videolan.org/keys/... [videolan.org]

    While it will still sign new VLC releases, it is listed as expired when you import it into GPG.

  • If Only (Score:5, Insightful)

    by OverlordQ ( 264228 ) on Thursday June 04, 2015 @02:38AM (#49837375) Journal

    > GitHub revoked the keys, but it's not clear if they were ever abused by attackers.

    If only Git allowed a way to see what was changed.

    • It's not just a case of if stuff was changed - what if users had checked in credentials or other keys into private repositories on GitHub? A git clone doesn't show up in a repository's logs, so you would never know that your credentials or keys had been compromised, potentially allowing attackers further access to your infrastructure.

      Yes, we all know that credentials and keys should not be checked into source control, but we all know that it happens on a frequent basis, even if accidentally done.

  • User's fault? (Score:3, Interesting)

    by CurryCamel ( 2265886 ) on Thursday June 04, 2015 @05:38AM (#49837701) Journal

    TFA:

    the Debian developers and the security research community advised everyone who was possibly affected at the time to regenerate their keys.

    However, it seems that a lot of people didn't listen and those weak keys are still used today

    Didn't listen? How about that for an elitist attitude! This is the main problem and cause for computer insecurities. I would give long odds that the number of people who both heard AND understood the warning, yet failed to take action can be counted with your fingers without even using base-2.

    We end-users need to be spoon-fed (force-fed) the security. The correct action here would have been for (e.g. Github) to revoke these sorts of keys already back then. Because while it is unreasonable to expect all end-users to take action, it is reasonable to expect (e.g. Github) to have a security professional to be alert and make that decision for us.
    Well, better late than never, and slip-ups happen sometimes. Let's hope there wasn't too much damage.
