Bloke clicks GitHub 'commit' button in Visual Studio, gets slapped with $6,500 AWS bill

A web developer from South Africa said a bug in a tool for using Microsoft's Visual Studio IDE with code-sharing site GitHub inadvertently exposed his sensitive data – and the error cost him more than $6,500 (£4,250) in just a few hours. Carlo van Wyk of Cape Town–based Humankode said he used the GitHub Extension for Visual …

Anonymous Coward

almost makes you miss VS6

But but but the cloud and SaaS is where it's at. Especially with what is often a software company's crown jewels, the source code. Bonus is also getting developers to have to sign into their accounts on the internet to do anything (data sharing (selling) is caring).

18
5

How about...

...writing an extension that scans user code for AWS keys *before* it uploads, & alerts you if it would be publicly exposed?

28
1

Re: How about...

In this case it may not have flagged it up, as the repository it was supposed to go into was private.

But yes, if the plugin scans for AWS keys (full stop) then simply says 'don't do it' upon finding any, it would be a good idea.

On another note, the article doesn't mention who now foots the bill for this. Will GitHub be paying AWS for this cockup?

6
1
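The pre-upload key scan proposed in the "How about..." comment and its reply, as an added example; this is not code from the article, the GitHub extension or any commenter. It is a client-side pre-commit hook that runs on every commit, so it fires whether the remote is public or private, which is the case the reply raises. The regexes are an assumption made for this illustration; the key id and secret in the constructed sample text are AWS's documented placeholder values, not live credentials.

```python
"""Added example: a git pre-commit hook that refuses a commit when the lines
being added look like AWS credentials.  Regexes are an assumption for this
illustration; sample values are AWS's documented placeholders."""
import re
import subprocess
import sys

# Long-term access key ids start with "AKIA", temporary (STS) ones with "ASIA",
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 base64-style characters.  On its own that pattern
# also matches hashes, so it is only reported on lines that mention "secret".
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"secret", re.IGNORECASE)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def classify_line(line):
    """Return the kind of credential a single line appears to contain, or None."""
    if ACCESS_KEY_RE.search(line):
        return "aws-access-key-id"
    if SECRET_HINT_RE.search(line) and SECRET_RE.search(line):
        return "aws-secret-access-key"
    return None


def scan_text(text, filename="<text>"):
    """Scan a whole file body; returns [(filename, line_number, kind), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kind = classify_line(line)
        if kind:
            findings.append((filename, lineno, kind))
    return findings


def scan_diff(diff_text):
    """Scan only the added lines of a unified diff, reporting the line
    numbers they will have in the new file."""
    findings = []
    current_file, new_lineno = None, 0
    for line in diff_text.splitlines():
        hunk = HUNK_RE.match(line)
        if line.startswith("+++ b/"):
            current_file = line[len("+++ b/"):]
        elif hunk:
            new_lineno = int(hunk.group(1))
        elif line.startswith("+") and not line.startswith("+++"):
            kind = classify_line(line[1:])
            if kind:
                findings.append((current_file, new_lineno, kind))
            new_lineno += 1
        elif line.startswith(" "):   # context line (present when -U0 is not used)
            new_lineno += 1
    return findings


def scan_staged_changes():
    """What the hook runs: the diff of what `git commit` is about to record."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_diff(diff)


# Constructed inputs for the self-test; the key and secret are AWS's
# documented example values.
SAMPLE_TEXT = """# constructed sample settings file
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
commit = 3b1d2f4e5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c
secret_hash = 3b1d2f4e5a6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c
"""
SAMPLE_DIFF = """diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -10,0 +11,2 @@ class Settings:
+    AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+    REGION = "eu-west-1"
"""


def main():
    findings = scan_staged_changes()
    for filename, lineno, kind in findings:
        print(f"{filename}:{lineno}: looks like an {kind}; refusing to commit",
              file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` (executable, with a `python3` shebang) it blocks the commit before anything leaves the machine. The two 48-character hashes in the sample show why the 40-character secret pattern is gated on the word "secret": hashes and random ids would otherwise drown the hook in false positives. A client-side hook can be bypassed with `--no-verify`, so it is a guardrail for the developer, not a substitute for scanning on the server.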
Anonymous Coward

Re: How about...

On another note, the article doesn't mention who now foots the bill for this. Will GitHub be paying AWS for this cockup?

In the past Amazon has waived the charges, I'd expect them to do the same here (especially since the charge is so trivial).

1
1
Silver badge
Mushroom

Re: How about...

In the past Amazon has waived the charges, I'd expect them to do the same here (especially since the charge is so trivial).

Must be nice up in that ivory tower you 1%'ers live in, but down here on earth, $6500 is real money and is hardly considered a "trivial" charge.

5
2
Silver badge

Re: How about...

Amazon lives in your aforementioned Ivory Towers, and it is trivial for them. It is also trivial compared to what most of their customers spend, who tend to be companies rather than individuals.

3
0
Anonymous Coward

Re: How about...

Usernames and passwords are another thing which people frequently feel it is OK to put in source code -- this is the only way they will learn

1
1
Silver badge

Re: How about...

...using .gitignore before you commit anything?

0
0
Happy

Real men use command line

Here I semi-guiltily felt like a bit of a curmudgeon and dinosaur for always switching back to a Cygwin command line session to do all Git SCM from there instead of the VS built-ins.

That icon is intended to be a "smug face".

19
5
Trollface

Re: Real men use command line

>> That icon is intended to be a "smug face".

You mean this one?

It is the one I got when I RFA, and I thought the same as you.

0
1
Silver badge

Re: Real men use command line

I do everything I can from the command line. I only fire up Venomous Studio when I have to debug managed code (WinDbg still isn't great at that, and mdbg is OK for some purposes but not great with complex systems that have lots of interacting processes), or investigate a customer issue that's specific to the IDE.

But then I've never liked GUI clients for change-management systems. Or for most other things.

0
0

Re: Real men use command line

I thought that was troll face, not smug face. You kids and your memes...

0
0
Silver badge

this sounds like deja vu.........wasn't there a similar incident around 12 months ago?

2
0
Silver badge
Coat

The voice from the bathtub

"This happened before ... and it will happen again"

11
0
Silver badge

as we push the big, red "Publish" button on this story

Can we have a picture of that?

8
0
Pint

Re: as we push the big, red "Publish" button on this story

Even better would be to have one made with bluetooth so everyone could have an Official El Reg Publish button.

5
0
Silver badge

Re: as we push the big, red "Publish" button on this story

Picture? How about this...

http://www.thinkgeek.com/product/15a5/?pfm=Search&t=big%20red%20button

Sounds like it fits the bill. Sorry it isn't official Reg material.

0
0
Silver badge
Mushroom

Re: as we push the big, red "Publish" button on this story

How about a video?

https://www.youtube.com/watch?v=NITBfc1EOBo

What happens in Vulture Central before an AO article is published.

0
1
Vic

Re: as we push the big, red "Publish" button on this story

Can we have a picture of that?

Here you go.

Vic.

4
0

Re: as we push the big, red "Publish" button on this story

Surely this is more apt?

The Emergency Party Button

0
0
Silver badge

The missing moral...

Don't trust the cloud or SaaS. Period.

11
8
Anonymous Coward

Re: The missing moral...

You are looking at the cloud.

You publish your stuff to world & dog, however inadvertently, on the cloud.

The cloud is looking at you.

...but it's not the cloud's fault.

3
1
Silver badge

Re: The missing moral...

Man, that is deep.

5
0
Anonymous Coward

Re: The missing moral...

>You publish your stuff to world & dog

Unless you care about things like privacy or, I don't know, not exposing your employer's code that you don't own.

0
1
Anonymous Coward

Free account monitoring service for the next year...

I guess since GitHub (and MS?) are responsible for the disclosure of his information, they'll be offering him free credit account monitoring for a year...

Oh what, they're not even doing that?

5
5
Anonymous Coward

Re: Free account monitoring service for the next year...

"I guess since GitHub (and MS?) are responsible for the disclosure of his information"

He is also responsible. Anybody who posts anything with commercially sensitive data to a remote location without encryption is to say the least somewhat careless. I wouldn't wish that kind of attack on anybody, but, wtf was he doing? You always have to consider the possibility of fat finger leakage.

Having said that, if the guy at my former company (who didn't want separate configuration files because it was "too complicated" and so wanted embedded credentials baked in) is reading this - now do you believe me?

4
2
JDX
Gold badge

Re: Free account monitoring service for the next year...

But if they got _hacked_ and his key stolen, wouldn't they be liable?

1
1
Silver badge

Re: Free account monitoring service for the next year...

"I wouldn't wish that kind of attack on anybody, but, wtf was he doing?"

Probably just another idiot millennial who thinks The Cloud is a magic place in the sky running on fairydust and unicorn tears where nothing bad ever happens, rather than just someone else's computer with all the attendant risks.

Any private code our company has goes nowhere near a public computer of any form. It's on our private servers and is backed up to tape every 48 hours. End.

3
1
Anonymous Coward

Re: Free account monitoring service for the next year...

>Probably just another idiot millennial

Can't resist. What do you mean, dude, they didn't teach your computer classes in Ruby on Rails? They even made us go bare metal with C# and Java for one class.

1
0
Silver badge
WTF?

@AC -- Re: Free account monitoring service for the next year...

They even made us go bare metal with C# and Java for one class

Thanks AC...I needed a good guffaw for the middle of the week.

1
0
Anonymous Coward

Re: Free account monitoring service for the next year...

> posts anything with commercially sensitive data to a remote location without encryption ...

Don't put any keys or passwords in source code -- even encrypted -- there just shouldn't be a need, ever.

1
0
JDX
Gold badge

Re: Free account monitoring service for the next year...

Really? Where do you want to put them - in a config file or a DB? But then the config file is in plain text and you can access the DB unless it requires authentication. Oh, but where are you going to put the password to access the DB?

0
1

Re: Free account monitoring service for the next year...

Config files should NOT be synced with Git. They should be local to the server in question and, if they contain passwords, should have their rights restricted. That is basic security practice.

0
0
JDX
Gold badge

Re: Free account monitoring service for the next year...

So you don't back up your config files? If they're not in Git they're going to be somewhere...

0
0

Re: Free account monitoring service for the next year...

Not in Git, git is a source code management system and not a backup. If anything, I have an example config with a different name (config.distrib), otherwise you pollute git with a ton of changes to config files, and it gets worse when you have multiple conflicting changes (dev vs live, server 1 vs server 2, etc).

Passwords, keys or any other private info should not be stored in Git, instead, they should be in a proper backup system.

0
0
Silver badge

Trawling

Has this word now been lost?

Do we now call fishing boats "trollers"?

14
0

Re: Trawling

Do we now call fishing boats "trollers"?

It might depend on whether said fishing boat is trawling or trolling.

10
0
Silver badge

Re: Trawling

That would be thrauhlerz in phreakspeak... (apparently a derivative of Lovcraphtianesque)

0
0
Gold badge
Coat

Re: Trawling

Depends whether or not the crew have internet access and nude pics of you....

0
0

Re: Trawling

Or better yet, it depends on whether it is a fishing boat or a phishing boat. Are phishing boats crewed by trolls?

8
0

This is the kind of thing that keeps me up at night

If 'I'm' buying over a thousand dollars worth of instances, then I want Amazon to confirm it was actually ME before I'm billed. I also want to set limits on what and how much an AWS key can be used for. I can already do both with credit card numbers, so what's the deal here? This kind of theft seems ridiculously easy otherwise.

23
0

This post has been deleted by its author

Re: This is the kind of thing that keeps me up at night

You can set limits on what an AWS IAM key does, it sounds like he has put in a root IAM key into his code which basically gives full control over things like this when all he possibly wanted was to be able to access an S3 bucket.

There are also perfectly valid use cases where one might want to spin up a huge memory instance and then shut it down after a job completes; that is one of the benefits of AWS, it can respond to changing conditions. Having a confirmation required in each of these cases simply wouldn't be possible, hence why you can create different keys with different permissions.

IAM is extremely flexible, unfortunately it can't protect from stupidity.

13
0
Silver badge

Re: This is the kind of thing that keeps me up at night

I also want to set limits on what and how much an AWS key can be used for.

1) Use a specific credit card

2) Amazon tells you often to use three-factor auth for the root account

3) Use separate IAM users with specific permissions for specific tasks (this takes some getting into and also queries on stackoverflow, but the interface is really nicely done)

4) ???

5) Protect!

4
0
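The scoping that the two comments above describe (a key that can only reach one S3 bucket instead of a root key, and separate IAM users with specific permissions) as an added example; this is not code from the article, AWS or any commenter. It is a small checker for IAM policy documents that reports the grants which would let a leaked key run up compute charges or take over the account. The bucket ARN, the two policies and the list of high-impact actions are constructed for this illustration, and the list is not exhaustive.

```python
"""Added example: flag IAM policy statements broader than a single-purpose
application key should carry.  Bucket name, policies and the action list
are constructed for this illustration."""
import fnmatch
import json

BUCKET_ARN = "arn:aws:s3:::example-app-bucket"   # placeholder bucket name

# What an app that reads and writes one bucket should be given: listing on
# the bucket itself, object access on its contents, nothing else.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}

# The blanket grant: in effect the same as embedding the account's root key.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed, not exhaustive: actions a stolen key is typically used for
# (billable compute, new identities and keys, moving into other roles).
HIGH_IMPACT_ACTIONS = [
    "ec2:RunInstances", "ec2:RequestSpotInstances", "lambda:CreateFunction",
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachUserPolicy",
    "sts:AssumeRole",
]


def _as_list(value):
    # IAM allows a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def _grants(action_pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())


def policy_findings(policy):
    """Return a human-readable finding for every Allow statement that is
    wider than a single-purpose application key should be."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for pattern in actions:
            if pattern == "*" or pattern.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {pattern!r}")
        reachable = sorted({a for a in HIGH_IMPACT_ACTIONS
                            for p in actions if _grants(p, a)})
        if reachable:
            findings.append(f"statement {index}: grants high-impact actions {reachable}")
        if "*" in resources:
            findings.append(f"statement {index}: resource '*' (not limited to "
                            f"one bucket/instance/role)")
    return findings


def is_single_purpose(policy):
    """True when the checker has nothing to report."""
    return not policy_findings(policy)


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("admin", ADMIN_POLICY)):
        print(f"{name}: {json.dumps(policy_findings(policy), indent=2)}")
```

Run against the two policies the scoped one comes back clean and the admin one is reported three times: wildcard action, reachable high-impact actions, and an unrestricted resource. A key attached to the scoped policy can still leak, but what it can do when it does is read and write one bucket, not start instances.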

Re: This is the kind of thing that keeps me up at night

Absolutely AWS is the main fault here, it is open for abuse. The worst thing is this guy phoned AWS support and told them what happened, but they still let all these services be created overnight. Surely you have a big red button that support can hit that says this account has been compromised, don't allow anything else which costs to run. But no, support tell him to clean up the system himself and their "block" didn't actually work.

I'd refuse to pay Amazon saying they were negligent.

4
10

Re: This is the kind of thing that keeps me up at night

Did you miss the bit where they did contact him? Extremely quickly?

And did you miss the IAM section which lets you specify very fine grained controls over your access keys?

So....everything is fine then? You can sleep now.

1
0
Silver badge
Windows

This is like, your programming man.

Dude, you are getting some advice:

1) Credentials always in config files in a separate project not under version control. Config file reading is easy and can be done in 5 lines or less. Use XML, attribute = value, whatever.

2) When needed, slurp the credential files

6
0
Silver badge

Re: This is like, your programming man.

Yes, and live deploy the config file with the credentials in plain text in the same folder as your app binaries.

1
0
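The arrangement the config-file comments describe (a committed `config.distrib` template, the real file kept out of Git with its rights restricted) together with the objection just above about plain-text credentials sitting next to the deployed binaries, as an added example; this is not code from the article or any commenter. The loader reads credentials from the environment or from a file in the user's home directory, and refuses a file that other accounts on the host can read. The paths, the `MYAPP_` environment prefix and the key names are assumptions made for this illustration.

```python
"""Added example: load application credentials from outside the repository,
with a committed placeholder template and a permission check on the real
file.  Paths, env prefix and key names are hypothetical."""
import os
import shutil
import stat
import tempfile

REQUIRED = ("aws_access_key_id", "aws_secret_access_key")
ENV_PREFIX = "MYAPP_"   # hypothetical: MYAPP_AWS_ACCESS_KEY_ID overrides the file
DEFAULT_PATH = os.path.expanduser("~/.config/myapp/credentials")   # hypothetical

# This is the only credentials-shaped file that belongs in the repository.
TEMPLATE = """# config.distrib: commit this file, never the filled-in one.
# Copy it to ~/.config/myapp/credentials, fill it in and chmod 600 it.
aws_access_key_id = <your key id here>
aws_secret_access_key = <your secret here>
"""


def write_template(repo_dir):
    """Write the committed placeholder file into the repository directory."""
    path = os.path.join(repo_dir, "config.distrib")
    with open(path, "w") as fh:
        fh.write(TEMPLATE)
    return path


def parse_config(text):
    """Parse simple `key = value` lines; lines starting with '#' are comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        values[key.strip().lower()] = value.strip()
    return values


def load_credentials(path=DEFAULT_PATH):
    """Environment first; otherwise a file outside the repo that only the
    owning account can read.  Placeholder values are treated as unset."""
    creds = {}
    for key in REQUIRED:
        env_value = os.environ.get(ENV_PREFIX + key.upper())
        if env_value:
            creds[key] = env_value
    missing = [k for k in REQUIRED if k not in creds]
    if not missing:
        return creds
    mode = os.stat(path).st_mode
    # POSIX check: any group/other bit means another account could read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others; chmod 600 it")
    with open(path) as fh:
        file_values = parse_config(fh.read())
    for key in missing:
        value = file_values.get(key, "")
        if not value or value.startswith("<"):
            raise KeyError(f"{key} not set in {path} (still the placeholder?)")
        creds[key] = value
    return creds


def self_check():
    """Exercise the loader on constructed files in a temporary directory.
    Returns (loaded key id, loose file rejected, template holds placeholder)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "credentials")
        with open(good, "w") as fh:
            fh.write("# constructed sample\naws_access_key_id = constructed-key-id\n"
                     "aws_secret_access_key = constructed-secret\n")
        os.chmod(good, 0o600)
        loaded = load_credentials(good)
        loose = os.path.join(tmp, "loose")
        shutil.copyfile(good, loose)
        os.chmod(loose, 0o644)          # the mistake the objection above describes
        try:
            load_credentials(loose)
            rejected = False
        except PermissionError:
            rejected = True
        template_values = parse_config(TEMPLATE)
        return (loaded["aws_access_key_id"], rejected,
                template_values["aws_access_key_id"].startswith("<"))


if __name__ == "__main__":
    print(self_check())
```

With this layout the repository's `.gitignore` lists the real file name and `config.distrib` is the only thing committed, so a commit of the whole project directory carries no secret. The permission check is what answers the plain-text objection: the secret is still plain text, but it lives in the owner's home directory with mode 0600 rather than in the application folder where every account that can run the binaries can also read it.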

Biting the hand that feeds IT © 1998–2018