Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Wow key in public git repo๐จ
Dont use GitHub for private repo. TFS and bitbucket both set to private as default... -
Always fun how people try to abuse every mistake they find <3
I generally put my keys in a file then use .gitignore (as I can't always use envvars) -
Maybe it has to do with the way we code, start with quick and dirty with all hardcoded stuff, then once the first proto is working, start refactoring.
I do that most of the times, but with credentials we need to be bit more sophisticated. Either by adding creds in env var or adding in file and adding it to .gitignore or something else.
Need to work on getting better at keeping things secured, maybe if someone write small git plugin to validate for any private info before commits. -
ImCypher667y@yendenikhil I'm 100% in agreement with you here. From the start I'm looking for ways to not have this type of issue.
-
@cyberpro4 I vaguely remember to have heard about someone using entropy measurements for this. Besides binary files, only auto generated keys should have a high entropy and can thus be identified that way.
However I don't remember anymore if it was used to search for others' keys in public repos or if it was used to prevent uploading them. :P
It's an interesting approach either way. -
I did the same mistake, fortunately AWS was quickly to notice and they didn't charge us.
My 2cts: do not initialize the AWS sdk with anything, just leave the constructor empty. Let the sdk figure the credentials of the environment. It will use ~/.aws/credentials (the file used by the cli), env vars, iam roles etc.
Having ~/.aws/credentials available for everything you run in your computer might be dangerous, use `aws-vault` which is a great tool. -
Everyone should use something like this as part of their git work flow
https://github.com/awslabs/... -
susan22-488dA fake bitcoin investor I met on facebook hacked my Binance wallet and took away my $563,200 worth of bitcoin. I almost killed myself until my elder sister in San Diego told me about Reclaim Wizard.๐ ณ๐ ผ(โ๐ทโโ๐ชโโ๐จโโ๐ดโโ๐ปโโ๐ชโโ๐ทโโ๐พโโ๐ฆโโ๐จโโ๐จโโ๐ชโโ๐ธโโ๐ธโโ๐จโโ๐ดโโ๐ฉโโ๐ชโ11 @ โ๐ฌโโ๐ฒโโ๐ฆโโ๐ฎโโ๐ฑ โ, โ๐จโโ๐ดโโ๐ฒโ ) or ( reclaimwizardrecovery @ consultant . com) they saved my life and helped me recover back my hacked wallet and track down the scammer. ๐๐ ท๐ ฐ๐-๐-๐ ฐ-๐ ฟ๐ ฟ(+ ๐ (๐๐๐ ) ๐๐๐ ๐ ๐๐๐)๐ฒ๐จ๐ฎ ๐ฐ๐ข๐ฅ๐ฅ ๐๐ฅ๐ฌ๐จ ๐ฌ๐ก๐๐ซ๐ ๐ฒ๐จ๐ฎ๐ซ ๐ญ๐๐ฌ๐ญ๐ข๐ฆ๐จ๐ง๐ฒ
Related Rants
So I accidentally published my AWS keys to GitHub, stupid me. I realize this the next day.
$ git reset
$ git push
Reset keys in AWS
I was too late. Bot already stole the keys and started up 53 EC2 instances. Racked up $4000+ of compute time (probably Bitcoin mining, I'd assume)
4 weeks later, I finally have this shit disputed and settled.
Don't test with hardcoded keys. You WILL forget about them. Env vars always. That is all.
rant
#hacked
fml
keys
bitcoin
fuck jeff bezos
aws