
AWS Urges Devs To Scrub Secret Keys From GitHub

Posted by timothy
from the key-is-under-the-mat dept.
An anonymous reader writes "GitHub contains thousands of 'secret keys', which are stored in plain text and can be used by miscreants to access AWS accounts and either run up huge bills or even delete/damage the users' files. Amazon is urging users of the coding community site to clean up their act."
  • by QuasiSteve (2042606) on Monday March 24, 2014 @05:55AM (#46562137)

    Wouldn't the Streisand Effect in this context imply that more developers are going to be placing their AWS/API keys in plain view?

    I think you're more referring to the effect of full disclosure, where by making it public you end up not just notifying the potential victims (if they're even awake) but also a not statistically insignificant number of script kiddies - thus instead of having the effect of fewer exploited victims, you end up getting more. At least initially - in the long run it should be the other way around.

    I seem to remember this having been a story before, though, so they should have been warned in the past... or known better regardless.
    Ah, yes: http://it.slashdot.org/story/1... [slashdot.org]

  • by Richard_at_work (517087) <richardprice@@@gmail...com> on Monday March 24, 2014 @08:03AM (#46562439)

    That's not a problem for the developer of the application, that's a problem for whoever is providing the hosted instance of their code. If a "normal non-technical user" is deploying the code, then they should equally be able to solve the problem of third-party web service keys etc. where they are required.
