Bloke clicks GitHub 'commit' button in Visual Studio, gets slapped with $6,500 AWS bill

A web developer from South Africa said a bug in a tool for using Microsoft's Visual Studio IDE with code-sharing site GitHub inadvertently exposed his sensitive data – and the error cost him more than $6,500 (£4,250) in just a few hours. Carlo van Wyk of Cape Town–based Humankode said he used the GitHub Extension for Visual …

  1. Anonymous Coward
    Anonymous Coward

    almost makes you miss VS6

    But but but the cloud and SaS is where it's at. Especially with what is often a software company's crown jewels, the source code. Bonus is also getting developers to have to sign into their accounts on the internet to do anything (data sharing (selling) is caring).

  2. YetAnotherLocksmith

    How about...

    ...writing an extension that scans user code for AWS keys *before* it uploads, & alerts you if it would be publicly exposed?

  3. Goldmember

    Re: How about...

    In this case it may not have flagged it up, as the repository it was supposed to go into was private.

    But yes, if the plugin scans for AWS keys (full stop) then simply says 'don't do it' upon finding any, it would be a good idea.

    On another note, the article doesn't mention who now foots the bill for this. Will GitHub be paying AWS for this cockup?
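A pre-commit hook in the spirit of YetAnotherLocksmith's and Goldmember's suggestions: it scans the staged diff for AWS access key IDs and secret keys and refuses the commit whatever the remote's visibility. This is an added example, not code from the thread or from the GitHub extension; the keys in the constructed sample are the placeholder values from AWS's own documentation, and the secret-key pattern is a heuristic that only fires next to a telltale variable name.

```python
"""Pre-commit hook: refuse a commit whose staged changes contain AWS keys."""
import re
import subprocess
import sys

# Access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret keys are 40 chars of base64-like text; only flag them next to a telltale
# name so that hashes and unrelated tokens do not trip the hook.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample using the placeholder credentials from AWS documentation.
SAMPLE_CONFIG = (
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
)


def find_aws_keys(text):
    """Return (kind, added-line index, value) for every AWS credential in `text`."""
    hits = []
    for idx, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append(("access_key_id", idx, m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append(("secret_access_key", idx, m.group(1)))
    return hits


def staged_added_lines():
    """Text that 'git commit' is about to record: the '+' lines of the cached diff."""
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return "\n".join(l[1:] for l in diff.splitlines()
                     if l.startswith("+") and not l.startswith("+++"))


def main():
    hits = find_aws_keys(staged_added_lines())
    for kind, idx, value in hits:
        # Print only a prefix so the hook itself never echoes the whole secret.
        print(f"refusing commit: {kind} {value[:4]}... found in added line {idx}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (executable); a non-zero exit from `main()` is what makes git abort the commit.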

  4. Anonymous Coward
    Anonymous Coward

    Re: How about...

    On another note, the article doesn't mention who now foots the bill for this. Will GitHub be paying AWS for this cockup?

    In the past Amazon has waived the charges, I'd expect them to do the same here (especially since the charge is so trivial).

  5. Someone Else Silver badge
    Mushroom

    Re: How about...

    In the past Amazon has waived the charges, I'd expect them to do the same here (especially since the charge is so trivial).

    Must be nice up in that ivory tower you 1%'ers live in, but down here on earth, $6500 is real money and is hardly considered a "trivial" charge.

  6. jonathanb Silver badge

    Re: How about...

    Amazon lives in your aforementioned Ivory Towers, and it is trivial for them. It is also trivial compared to what most of their customers spend, who tend to be companies rather than individuals.

  7. Anonymous Coward
    Anonymous Coward

    Re: How about...

    Usernames and passwords are another thing which people frequently feel it is OK to put in source code -- this is the only way they will learn

  8. Mark 65 Silver badge

    Re: How about...

    ...using .gitignore before you commit anything?

  9. Michael Hoffmann
    Happy

    Real men use command line

    Here I semi-guiltily felt like a bit of a curmudgeon and dinosaur for always switching back to a Cygwin command line session to do all Git SCM from there instead of the VS built-ins.

    That icon is intended to be a "smug face".

  10. John Sanders
    Trollface

    Re: Real men use command line

    >> That icon is intended to be a "smug face".

    You mean this one?

    It is the one I got when I RFA, and I thought the same as you.

  11. Michael Wojcik Silver badge

    Re: Real men use command line

    I do everything I can from the command line. I only fire up Venomous Studio when I have to debug managed code (WinDbg still isn't great at that, and mdbg is OK for some purposes but not great with complex systems that have lots of interacting processes), or investigate a customer issue that's specific to the IDE.

    But then I've never liked GUI clients for change-management systems. Or for most other things.

  12. Michael Hoffmann

    Re: Real men use command line

    I thought that was troll face, not smug face. You kids and your memes...

  13. x 7 Silver badge

    this sounds like deja vu.........wasn't there a similar incident around 12 months ago?

  14. Haku Silver badge
  15. Destroy All Monsters Silver badge
    Coat

    The voice from the bathtub

    "This happened before ... and it will happen again"

  16. Ole Juul Silver badge

    as we push the big, red "Publish" button on this story

    Can we have a picture of that?

  17. Anonymous Coward
    Pint

    Re: as we push the big, red "Publish" button on this story

    Even better would be to have one made with bluetooth so everyone could have an Official El Reg Publish button.

  18. Herby Silver badge

    Re: as we push the big, red "Publish" button on this story

    Picture? How about this...

    http://www.thinkgeek.com/product/15a5/?pfm=Search&t=big%20red%20button

    Sounds like it fits the bill. Sorry it isn't official Reg material.

  19. Dan 55 Silver badge
    Mushroom

    Re: as we push the big, red "Publish" button on this story

    How about a video?

    https://www.youtube.com/watch?v=NITBfc1EOBo

    What happens in Vulture Central before an AO article is published.

  20. Vic

    Re: as we push the big, red "Publish" button on this story

    Can we have a picture of that?

    Here you go.

    Vic.

  21. Steven Raith

    Re: as we push the big, red "Publish" button on this story

    Surely this is more apt?

    The Emergency Party Button

  22. Mark 85 Silver badge

    The missing moral...

    Don't trust the cloud or SaS. Period.

  23. Anonymous Coward
    Anonymous Coward

    Re: The missing moral...

    You are looking at the cloud.

    You publish your stuff to world & dog, however inadvertently, on the cloud.

    The cloud is looking at you.

    ...but it's not the cloud's fault.

  24. Androgynous Cupboard Silver badge

    Re: The missing moral...

    Man, that is deep.

  25. Anonymous Coward
    Anonymous Coward

    Re: The missing moral...

    >You publish your stuff to world & dog

    Unless you care about things like privacy or, I don't know, not exposing your employer's code that you don't own.

  26. Anonymous Coward
    Anonymous Coward

    Free account monitoring service for the next year...

    I guess since GitHub (and MS?) are responsible for the disclosure of his information, they'll be offering him free credit account monitoring for a year...

    Oh what, they're not even doing that?

  27. Anonymous Coward
    Anonymous Coward

    Re: Free account monitoring service for the next year...

    "I guess since GitHub (and MS?) are responsible for the disclosure of his information"

    He is also responsible. Anybody who posts anything with commercially sensitive data to a remote location without encryption is to say the least somewhat careless. I wouldn't wish that kind of attack on anybody, but, wtf was he doing? You always have to consider the possibility of fat finger leakage.

    Having said that, if the guy at my former company (who didn't want separate configuration files because it was "too complicated" and so wanted embedded credentials baked in) is reading this - now do you believe me?

  28. JDX Gold badge

    Re: Free account monitoring service for the next year...

    But if they got _hacked_ and his key stolen, wouldn't they be liable?

  29. boltar Silver badge

    Re: Free account monitoring service for the next year...

    "I wouldn't wish that kind of attack on anybody, but, wtf was he doing?"

    Probably just another idiot millennial who thinks The Cloud is a magic place in the sky running on fairy dust and unicorns' tears where nothing bad ever happens, rather than just someone else's computer with all the attendant risks.

    Any private code our company has goes nowhere near a public computer of any form. It's on our private servers and is backed up to tape every 48 hours. End.

  30. Anonymous Coward
    Anonymous Coward

    Re: Free account monitoring service for the next year...

    >Probably just another idiot millennial

    Can't resist. What do you mean, dude, they didn't teach your computer classes in Ruby on Rails? They even made us go bare metal with C# and Java for one class.

  31. Someone Else Silver badge
    WTF?

    @AC -- Re: Free account monitoring service for the next year...

    They even made us go bare metal with C# and Java for one class

    Thanks AC...I needed a good guffaw for the middle of the week.

  32. Anonymous Coward
    Anonymous Coward

    Re: Free account monitoring service for the next year...

    > posts anything with commercially sensitive data to a remote location without encryption ...

    Don't put any keys or passwords in source code -- even encrypted -- there just shouldn't be a need, ever.

  33. JDX Gold badge

    Re: Free account monitoring service for the next year...

    Really? Where do you want to put them - in a config file or a DB? But then the config file is in plain text and you can access the DB unless it requires authentication. Oh, but where are you going to put the password to access the DB?

  34. Gerhard Mack

    Re: Free account monitoring service for the next year...

    Config files should NOT be synced with Git. They should be local to the server in question and if they contain passwords should have their rights restricted. That is basic security practice.

  35. JDX Gold badge

    Re: Free account monitoring service for the next year...

    So you don't back up your config files? If they're not in Git they're going to be somewhere...

  36. Gerhard Mack

    Re: Free account monitoring service for the next year...

    Not in Git, Git is a source code management system and not a backup. If anything, I have an example config with a different name (config.distrib), otherwise you pollute Git with a ton of changes to config files, and it gets worse when you have multiple conflicting changes (dev vs live / server 1 vs server 2 etc).

    Passwords, keys or any other private info should not be stored in Git, instead, they should be in a proper backup system.

  37. Phil Endecott Silver badge

    Trawling

    Has this word now been lost?

    Do we now call fishing boats "trollers"?

  38. maffski

    Re: Trawling

    Do we now call fishing boats "trollers"?

    It might depend on whether said fishing boat is trawling or trolling.

  39. Destroy All Monsters Silver badge

    Re: Trawling

    That would be thrauhlerz in phreakspeak... (apparently a derivative of Lovcraphtianesque)

  40. TeeCee Gold badge
    Coat

    Re: Trawling

    Depends whether or not the crew have internet access and nude pics of you....

  41. BitDr

    Re: Trawling

    Or better yet, it depends on whether it is a fishing boat or a phishing boat. Are phishing boats crewed by trolls?

  42. Anon Adderlan

    This is the kind of thing that keeps me up at night

    If 'I'm' buying over a thousand dollars worth of instances, then I want Amazon to confirm it was actually ME before I'm billed. I also want to set limits on what and how much an AWS key can be used for. I can already do both with credit card numbers, so what's the deal here? This kind of theft seems ridiculously easy otherwise.

  43. This post has been deleted by its author

  44. Daniel Voyce

    Re: This is the kind of thing that keeps me up at night

    You can set limits on what an AWS IAM key does, it sounds like he has put a root IAM key into his code, which basically gives full control over things like this, when all he possibly wanted was to be able to access an S3 bucket.

    There are also perfectly valid use cases where one might want to spin up a huge memory instance and then shut it down after a job completes; that is one of the benefits of AWS, that it can respond to changing conditions. Having a confirmation required in each of these cases simply wouldn't be possible, hence why you can create different keys with different permissions.

    IAM is extremely flexible, unfortunately it can't protect from stupidity.
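To make Daniel Voyce's point concrete, an added example (not from the thread or from AWS) of the policy such a key should carry when all it needs is one S3 bucket, alongside a lint that flags the root-like grants the leaked key evidently had. The bucket name is constructed; the lint is a heuristic over policy JSON, not a full IAM evaluator.

```python
"""Least-privilege IAM policy for one bucket, plus a lint for root-like grants."""
import json


def bucket_only_policy(bucket):
    """Policy for an access key that may only list, read and write one bucket.

    Nothing here lets the key touch EC2, so a leak cannot spin up instances."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{arn}/*"},
        ],
    }


def _as_list(value):
    """IAM allows a bare string where a list is meant; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return Allow statements granting a whole service (or everything) on every resource.

    A key carrying such a statement behaves like a root key for that service,
    which is the failure mode the thread is discussing."""
    flagged = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            flagged.append(st)
    return flagged


if __name__ == "__main__":
    # Constructed bucket name; print the policy document ready to attach to an IAM user.
    print(json.dumps(bucket_only_policy("example-app-uploads"), indent=2))
```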

  45. Destroy All Monsters Silver badge

    Re: This is the kind of thing that keeps me up at night

    I also want to set limits on what and how much an AWS key can be used for.

    1) Use a specific credit card

    2) Amazon tells you often to use three-factor auth for the root account

    3) Use separate IAM users with specific permissions for specific tasks (this takes some getting into and also queries on stackoverflow, but the interface is really nicely done)

    4) ???

    5) Protect!

  46. Peter 26

    Re: This is the kind of thing that keeps me up at night

    Absolutely AWS is the main fault here, it is open for abuse. The worst thing is this guy phoned AWS support and told them what happened, but they still let all these services be created overnight. Surely you have a big red button that support can hit that says this account has been compromised, don't allow anything else which costs to run. But no, support tell him to clean up the system himself and their "block" didn't actually work.

    I'd refuse to pay Amazon saying they were negligent.

  47. Nick Stallman

    Re: This is the kind of thing that keeps me up at night

    Did you miss the bit where they did contact him? Extremely quickly?

    And did you miss the IAM section which lets you specify very fine grained controls over your access keys?

    So....everything is fine then? You can sleep now.

  48. Destroy All Monsters Silver badge
    Windows

    This is like, your programming man.

    Dude, you are getting some advice:

    1) Credentials always in config files in a separate project not under version control. Config file reading is easy and can be done in 5 lines or less. Use XML, attribute = value, whatever.

    2) When needed, slurp the credential files
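An added example (not code from the thread) that applies Destroy All Monsters' and Gerhard Mack's advice on the reading side: credentials live in a private 'attribute = value' file, and the loader refuses files that other users can read or that git reports as tracked. The path and values used are constructed; it assumes a POSIX filesystem and treats a missing git binary as "not tracked".

```python
"""Keep credentials in a private file outside the repository; refuse unsafe files."""
import configparser
import os
import stat
import subprocess
from pathlib import Path


def write_private_credentials(path, creds, mode=0o600):
    """Create `path` with `mode` regardless of umask and write creds as key = value."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    os.fchmod(fd, mode)  # O_CREAT's mode is umask-filtered and ignored for existing files
    with os.fdopen(fd, "w") as f:
        f.write("[creds]\n")
        for key, value in creds.items():
            f.write(f"{key} = {value}\n")


def tracked_by_git(path):
    """True if git knows this file, i.e. it was committed despite the advice."""
    try:
        r = subprocess.run(
            ["git", "-C", str(path.parent), "ls-files", "--error-unmatch", path.name],
            capture_output=True)
    except FileNotFoundError:  # no git installed, so nothing can be tracked by it
        return False
    return r.returncode == 0


def load_credentials(path):
    """Return the key/value pairs, or raise if others can read the file or git tracks it."""
    p = Path(path)
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p}: mode {mode:04o} is readable by other users; use 0600")
    if tracked_by_git(p):
        raise RuntimeError(f"{p} is tracked by git; keep it outside the repository")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(p.read_text())
    return dict(cp["creds"])
```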

  49. werdsmith Silver badge

    Re: This is like, your programming man.

    Yes, and live deploy the config file with the credentials in plain text in the same folder as your app binaries.


Biting the hand that feeds IT © 1998–2018