back to article US giant NBC 'leaks' PRIVATE Amazon keys in Github Glenn gaffe

A London-based developer claims he was accidentally given the keys to US broadcaster NBC Universal’s websites – thanks to a username mix up on GitHub. Glenn Shoosmith was an early adopter of Github, and thus bagged the short-and-sweet user ID Glenn in July 2008. Repositories can be public and viewable by all, or private and …

COMMENTS

This topic is closed for new posts.
  1. K Silver badge

    Umm

    "Cloud-based tools are a fantastic way for an organisation of any size to reduce the cost and admin of all kinds of internal and external software platforms,"

    Is this a story? Or a promo?

    1. Anonymous Coward
      Anonymous Coward

      Re: Umm

      No, its a portent of doom!!

      1. Destroy All Monsters Silver badge

        Re: Umm

        Pegged at Ron Paul Doom Level 3, no less!

    2. Robert Helpmann?? Silver badge
      Childcatcher

      Re: Umm

      "Cloud-based tools are a fantastic way ...to reduce the cost and admin..."

      Note the use of the adjective "fantastic." In this case, I would go with the following definition:

      Imaginary or groundless in not being based on reality; foolish or irrational

      It would seem that the maxim "you get what you pay for" applies.

  2. John H Woods

    Umm (2)

    "... some poor project or IT guy just sent all of the keys to NBC’s servers to the wrong guy in one mistyped username"

    Err, no. Those keys should never have been uploaded, unencrypted, in the first place, even if you know who all your GitHub users are; the mistake is a LOT bigger than mistyping a username.

    1. Janir

      Re: Umm (2)

      I second that comment! What in God's Green EARTH were they thinking to put the AWS Access secrets and keys on Git Hub in the FIRST PLACE?!?! Make some local Github server local in your environment and keep them there. If someone else needs those keys then your not using AWS right. Set up some IAM credentials, make a few secondary keys that you can throw away, something other than storing and accessing your primary keys outside of your network domain.

      1. Destroy All Monsters Silver badge

        Re: Umm (2)

        What in God's Green EARTH were they thinking to put the AWS Access secrets and keys on Git Hub in the FIRST PLACE?!?!

        "Mwahahahaha!!! Mwahaha! CURSED! YOU ARE ALL CURSED!! I SAY!!!"

        We see a crooked finger resolutly ress "enter" to confirm "git push" under the otherworldy green glare of a phosporescent glass TTY.

        An immense thunderbolt rents the night, illuminating the baleful scene. The subsequent thunder blows the control room to smithereens.

    2. Anonymous Coward
      Anonymous Coward

      Re: Umm (2)

      Can I upvote that a hundred times please ??

      Putting stuff like that anywhere near GitHub is incompetence beyond belief.

      Baaaaa. Cloud. Baaaaa. Answer to all my problems. Baaaaaa.

      Silly sheep.

  3. ecofeco Silver badge

    Compared to losing your house keys?

    Oh hell NO!

    This is like losing the keys to the multi-million bank account that isn't yours. It doesn't take "tech" of any kind to see this as a Dilbert's boss moment.

    1. Mad Chaz

      Re: Compared to losing your house keys?

      And we all know how that ends.

      http://www.dilbert.com/strips/comic/2014-05-20/

    2. dan1980

      Re: Compared to losing your house keys?

      @ecofreco

      Actually, It's more like lending your car to the wrong person. Except that, for some reason, you keep the swipe card and alarm code for your corporate office in the centre console.

      Yes, you really should have double checked about the car, but what the hell are you doing storing the card and codes in there?

  4. psychonaut

    I sell stuff like this..its crap but buy it

    "As a vendor of cloud software-as-a-service, I’m obviously a big fan and supporter of correctly managed cloud services but, like any tool, cutting costs and reducing security creates risk."

    Bingo.SaaS....so like err not giving the keys to the kingdom out to the rest of the world by simply clicking on someones name?

    Also...

    "Programmers must assume the worse and properly design around a threat model"

    The worse? Think your cloud syntax may be slightly wrong there

  5. WonkoTheSane Silver badge
    Pirate

    Delays..

    "We've asked NBC Universal and GitHub for comment on this reported incident, but we haven't heard back from them."

    Because NBC are already prodding their lawyers into (un)life.

  6. Anonymous Coward
    Anonymous Coward

    Comcast is NBC ! Enough Said.

    Even their TV/Movie division is f*@cking up the Internet.

  7. Crazy Operations Guy Silver badge

    Why the crap are they using GitHub in the first place?

    NBC Universal is part of #46 on the Fortune 500 which pulled in 6.2 Billion dollars in profit last year, so why in the holy hell are they using some 3rd party service to store their most sensitive pieces of data. A company that size must have at least 1 internal document management system like SharePoint. Anything internal at all would be so much safer than any 3rd party service, at the very least you;d be able to have a definitive list of whoever has access.

    1. chris lively

      Re: Why the crap are they using GitHub in the first place?

      Simple. It's cheap and easy.

      The programmer didn't have to call IT and ask them to setup a special location for this type of info. If they had, it likely would have taken between 2 weeks and 2 years to get it pushed through.

      I'm sure IT would have found a hundred reasons why it just couldn't be done with a few clicks. You know, like saying that they'd have to setup a new "secure" server for it (and therefore it needs to be budgeted for), because they wouldn't want an accident to occur where the wrong person got access. They'd also need to make sure it was part of the backup strategy - likely necessitating additional software licenses for the backup program. Also, they'd have to perform PEN testing on it and add it to the list of servers they have to monitor for problems...

      There's a long list here of things any IT admin would likely bring up just to make sure that they don't have to do any more work.

      My favorite real world example that I personally witnessed was seeing a developer be hired a week after a new head of IT was brought in. This developer was issued a new computer that he couldn't even START his development tools on because those required local admin access and the new head of IT refused to grant it. That developer sat in his cube for 6 months before the head of IT was fired. Then he had to wait another month while a new one was hired and got settled in before the absurdity was fixed. Idiocy in action.

  8. theblackhand Silver badge
    Devil

    The moral is...

    Setup as many server instances as possible and mine bitcoin/litecoin/whatever....

    http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html

  9. Stretch

    "Cloud-based tools are a fantastic way to lose all technical competence and fail your PCI audit"

    Fixed.

  10. Destroy All Monsters Silver badge
    Mushroom

    We need a "Cloudwatch" icon here

    Please!

  11. Anonymous Coward
    Anonymous Coward

    @Janir You're on the right lines but really, what on earth were production keys doing in the hands of developers in the first place? Any large company that wants to do business in the USA was forced into SOD compliance by Sarbanes Oxley in 2002. This looks like a big compliance fail to me.

    1. Destroy All Monsters Silver badge
      Trollface

      > 2014

      > 20 years of unceasing regulation resulting in serial failures across the board (It keeps raining Federal Register; 1772 pages this week.)

      > Believing that regulation brings the goods except for bureaucrats

      It's like the Cargo Cult of the Bureaucratic Witch Doctors. The hoi polloi wants to believe, the regulated ones are going crazy, the potlatch goods comes to the ceremony leaders.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019