
View leaked secrets in Git live - smaslennikov
https://shhgit.darkport.co.uk/
======
thepoet
We created a static version of this (almost similar to shodan but for keys)
using publicly accessible Github dump hosted on Google Cloud in 2017. We then
hosted the processed data, website and our search infra on AWS. AWS security
team reached out to us for a potential “collaboration” and asked us to send
all AWS keys that we discovered and we sent them the whole list. As a tiny
startup, we were elated. A few days later they called us and threatened us with a cease
and desist notice if we do not take down the website. Remember we are not
targeting AWS keys, neither are we in violation of any licensing agreements
with respect to the data. We refused to shut it down. They then ask us to stop
hosting it on AWS or “anywhere” else since we were using AWS credits to host
the product or they would shut down our account. When this strategy did not
work out, they contacted someone at Stripe who had given us the AWS credits,
who then asked us to take it down or face consequences. We eventually had to
shut it down since we did not have a lot of money to fight these people.

It was a stressful week for us, during which we learnt that corporates can lie and
bully you to get whatever they want and then shut you down, unless you have the
means to fight back. It does not matter where you live.

~~~
verroq
I know this sounds a bit mean but what did you expect to happen when you host
a page of leaked aws keys?

~~~
thepoet
It included high entropy strings including keys from 30+ API and service
providers, one of which was AWS. We did not target AWS specifically. None of
the other services complained. In fact, a customer service widget company even
took our help and thanked us. AWS tricked us into giving them our findings and then
changed their tone.

------
darkport
Author here. I released the tool a few weeks back and since downsized the EC2
instance. So this post pretty much killed the box. I've just up-sized it again
but it's still running fairly slowly due to high load. It typically finds
around 5 secrets a second. Corresponding blog post here:
[https://darkport.co.uk/blog/ahh-shhgit!/](https://darkport.co.uk/blog/ahh-shhgit!/)
and you can run your own instance here:
[https://github.com/eth0izzle/shhgit](https://github.com/eth0izzle/shhgit)

------
dancek
Blog post about shhgit: [https://darkport.co.uk/blog/ahh-shhgit!/](https://darkport.co.uk/blog/ahh-shhgit!/)

------
adamparsons
This is highly amusing.

One of the first things it found was a publicly accessible oracle db. Second
thing it found was someone attempting to make an authoritative repo on
standards for django, which included this all-too-familiar line in settings.py

    # SECURITY WARNING: keep the secret key used in production secret!
    SECRET_KEY = '(d5%@h=u0m2a5-$4f^n(d%4mkt-@f1%h#3n64%+wmhf(kmx)ga'

~~~
cbkeller
Leaving the tab open for a half hour turned up about five of those, a Google
OAuth key, and what seemed to be an SSL certificate private key, among others.

~~~
tialaramex
If you find "real" SSL private keys (from the Web PKI, i.e. they would be
trusted by something like a web browser out of the box) you should be able to
get a CA to revoke any certificates issued for that key by proving you know
the key.

The usual format of private keys makes it mechanically trivial to get the
corresponding public key back and then you can ask a public monitor like
crt.sh to determine if that key is seen in any certificates.

Once you identify one or more certificates, you can ask the issuer to revoke
them, offering proof you know the private key as the reason. For Let's Encrypt
or any CA offering the ACME protocol you can use the ACME protocol to do this
without involving any humans (the Certbot software for example has a "revoke"
keyword that can do this).

Other CAs should have at least an email address manned 24/7 to respond to
problems, which can explain how they'd prefer you prove you know the key. Or
if you're just bored of this and want them to shut up and fix it, you could
just email them the private key, whereupon now _they_ know the key for someone
else's certificate they issued and that's prohibited by the rules they're
working under so it's now their problem.

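The two mechanical steps described in the comment above (pull the public key back out of a found private key, then check whether a certificate was issued for it) as an added shell example; this is not code from the thread, from shhgit or from any CA. It assumes the openssl CLI is installed, and it constructs its own RSA key plus a self-signed certificate in a temporary directory as stand-ins for a key seen in a public repository and the certificate a CA issued for it.

```shell
#!/bin/sh
# Added example, not code from the thread or from shhgit.
# Assumes the openssl CLI. The key and certificate below are constructed
# stand-ins for a leaked private key and the certificate issued for it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the public half comes straight out of the private key file.
pubkey_from_privkey() {
  openssl pkey -in "$1" -pubout
}

# SPKI (SubjectPublicKeyInfo) SHA-256 fingerprint, lowercase hex. A CT monitor
# can be searched for this value, so the lookup never involves the private key.
spki_fp_from_privkey() {
  pubkey_from_privkey "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint taken from a certificate's embedded public key.
spki_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 2: was this certificate issued for this key? 0 (true) if so, 1 otherwise.
cert_matches_key() {
  [ "$(spki_fp_from_cert "$1")" = "$(spki_fp_from_privkey "$2")" ]
}

# --- constructed fixtures -------------------------------------------------
# Minimal req config so "openssl req -subj" works on older OpenSSL releases too.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"
# leaked.pem: the key we pretend was committed to a public repository.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/leaked.pem" 2>/dev/null
# unrelated.pem: some other key that must not match.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/unrelated.pem" 2>/dev/null
# cert.pem: self-signed, standing in for a CA-issued certificate for leaked.pem.
openssl req -new -x509 -config "$WORK/req.cnf" -key "$WORK/leaked.pem" \
  -subj "/CN=example.test" -days 1 -out "$WORK/cert.pem" 2>/dev/null

echo "SPKI SHA-256 of the leaked key: $(spki_fp_from_privkey "$WORK/leaked.pem")"
if cert_matches_key "$WORK/cert.pem" "$WORK/leaked.pem"; then
  echo "cert.pem was issued for leaked.pem: ask the issuer to revoke it"
fi
if ! cert_matches_key "$WORK/cert.pem" "$WORK/unrelated.pem"; then
  echo "cert.pem has nothing to do with unrelated.pem"
fi
```

The fingerprint printed is the value to search a CT monitor for (crt.sh accepts an SPKI SHA-256 as a search parameter, to my knowledge), which keeps the private key out of the lookup entirely. Once a real certificate matches, the documented Certbot invocation for proving possession of the key to an ACME CA is `certbot revoke --cert-path cert.pem --key-path leaked.pem`.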
~~~
souterrain
Sounds like a value-add for a CA. “We’ve seen your private key in public,
we’re revoking your certificate for you. You’re most welcome.”

~~~
usr1106
And we sell you a new one :)

------
wczekalski
This tool should create issues in relevant repos unless the repo whitelists
itself explicitly. Or alternatively just create one master issue per repo
(should there be more violations in the future).

~~~
ryannevius
The tool has a flag icon which will open a new issue in the repo. I've seen a
few false positives while watching, so auto-opening issues would be an issue.

~~~
wczekalski
I feel like it's better to err on the safe side.

~~~
dwild
You don't want to flood GitHub with wrong issues; that's a good way to lose the
right to open issues altogether.

------
jsilence
What are recommended tools for team wide secret management?

~~~
endymi0n
We're using gopass ( [https://www.gopass.pw](https://www.gopass.pw) )

~~~
janikvonrotz
Btw, this is a Go implementation of pass:
[https://www.passwordstore.org/](https://www.passwordstore.org/)

~~~
rapnie
The git repo [0] says "All Rights Reverse Engineered" at the bottom. Is that
just a joke, or does it have actual meaning?

[0] [https://git.zx2c4.com/password-store/](https://git.zx2c4.com/password-store/)

------
slawwwc
Nice tool. Is there a similar tool that you can use privately to notify you
before you commit sensitive data to git?

~~~
spydum
Like git-secrets? It’s mentioned on the site.

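For the pre-commit use case raised in this thread, the core of such a check as an added shell example; it is not code from the thread, from git-secrets or from shhgit. It assumes a POSIX shell with grep, cut and awk, scans only the lines a commit would add, and the two diffs at the bottom are constructed (the Django key is the one quoted earlier in the thread; the AWS values are the placeholder credentials from AWS's own documentation).

```shell
#!/bin/sh
# Added example, not code from the thread, git-secrets or shhgit.
# Assumes POSIX sh, grep, cut and awk. Sample diffs are constructed.
set -eu

# Reads a unified diff on stdin, prints one "<reason>: <line>" per suspicious
# added line, and returns 1 if anything was found (0 when the diff is clean).
scan_diff_for_secrets() {
  findings=$(grep '^+' | grep -v '^+++' | cut -c2- | awk -v q="'" -v threshold=4.2 '
    # Shannon entropy of s in bits per character.
    function entropy(s,    i, c, n, freq, h, p) {
      n = length(s)
      for (i = 1; i <= n; i++) { c = substr(s, i, 1); freq[c]++ }
      h = 0
      for (c in freq) { p = freq[c] / n; h -= p * log(p) / log(2) }
      return h
    }
    BEGIN {
      # A credential-looking name assigned a non-empty quoted literal, e.g.
      # SECRET_KEY = "..." or "password": "...". Built as a string so the
      # single quote can be spliced in from the shell.
      assign_re = "(secret|password|passwd|token|api_key|apikey)[a-z_]*[\"" q "]?[ \t]*[=:][ \t]*[\"" q "][^\"" q "]+[\"" q "]"
      # Runs of base64 / URL-safe characters are the candidates for rule 3.
      tok_re = "[A-Za-z0-9+/=_-]+"
    }
    {
      line = $0
      # 1. AWS access key IDs: the public AKIA prefix plus exactly 16 upper-case
      #    alphanumerics (20 characters in total).
      if (match(line, /AKIA[0-9A-Z]+/) && RLENGTH == 20) {
        print "aws-access-key-id: " line; next
      }
      # 2. Hard-coded credential assignment (name matched case-insensitively).
      if (tolower(line) ~ assign_re) {
        print "hardcoded-credential: " line; next
      }
      # 3. Any token of 20+ characters whose entropy is above the threshold.
      #    4.2 bits/char sits above the 4.0 ceiling a hex digest can reach, so
      #    commit ids and checksums do not trip it.
      rest = line
      while (match(rest, tok_re)) {
        tok = substr(rest, RSTART, RLENGTH)
        if (length(tok) >= 20 && entropy(tok) >= threshold) {
          print "high-entropy-string: " line; next
        }
        rest = substr(rest, RSTART + RLENGTH)
      }
    }')
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# --- constructed sample input ---------------------------------------------
SAMPLE_DIFF=$(cat <<'EOF'
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,7 @@
 import os
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '(d5%@h=u0m2a5-$4f^n(d%4mkt-@f1%h#3n64%+wmhf(kmx)ga'
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+aws_secret = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+DEBUG = False
 ALLOWED_HOSTS = []
EOF
)

CLEAN_DIFF=$(cat <<'EOF'
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,2 +1,5 @@
 import logging
+logger = logging.getLogger(__name__)
+PINNED_COMMIT = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12"
+class ApplicationConfigurationManager: pass
EOF
)

echo "== constructed diff with secrets =="
printf '%s\n' "$SAMPLE_DIFF" | scan_diff_for_secrets || echo "-> commit would be rejected"
echo "== constructed clean diff =="
printf '%s\n' "$CLEAN_DIFF" | scan_diff_for_secrets && echo "-> commit allowed"
```

Wired into `.git/hooks/pre-commit` as `git diff --cached --unified=0 | scan_diff_for_secrets`, the function's exit status blocks the commit. The false positives mentioned elsewhere in the thread apply here as well (a long random-looking test fixture or a `password = 'changeme'` placeholder will trip it), so a real hook needs an allowlist of paths or literals and a way to override it deliberately.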
------
djvdorp
Rather link: [https://darkport.co.uk/blog/ahh-shhgit!/](https://darkport.co.uk/blog/ahh-shhgit!/)

The service is currently overloaded.

------
happppy
Got this message in an alert:

Failed to retrieve signatures! Reloading...

~~~
sleavey
Me too. I lock down Firefox pretty hard so it's probably some cookie or
JavaScript being blocked.

------
alacombe
I can't run this in the background more than 5 minutes without getting high
CPU usage and an unresponsive tab :-(

------
solidasparagus
I have to say I'm not a huge fan of making secret theft more convenient. I
don't see many positive uses for this website...

~~~
oarsinsync
There is nothing quite like seeing your password in plain text published
somewhere for the world (or some subset of the world) to see.

Seeing an obscured version doesn’t have quite the same effect as the raw plain
text.

Nothing quite like seeing a failed login attempt for username ‘yourpassword’
emailed to the entire IT team to make you think about changing your password
from your ex’s name to something distinctly less personally identifiable.

~~~
solidasparagus
The chances of you watching this website while _your_ credentials
unintentionally show up are essentially zero. This website is a tool for
watching other peoples' secrets.

~~~
oarsinsync
This website takes a raw firehose and puts a nice human-friendly UI around it.
The live data already exists in a much more machine-friendly format.

If I was going to be watching other peoples' secrets for fun and profit (and
not just for fun), I wouldn't be using the human-friendly version.

