back to article Compromised SSH keys used to access Spotify, UK Govt GitHub repos

CloudFlare engineer Ben Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys. Cox says the keys revoked this month are subject to a compromised Debian OpenSSL random number generator seed discovered and fixed in early 2008. The security bod …

  1. Guus Leeuw

    Why ?

    Dear Sirs,

    why should github do more to stop users hurting themselves?

    Github is code repository service, not a security service. How the repos are accessed is entirely up to the users.

    It's like saying that Chris Boardman should make saver bikes so that users are saver on them.

    Nannystatism, that. If you yourself are not clever enough to use github in a secure manner, maybe you shouldn't be accessing it to begin with... Why always state that problems are somebody else's fault? Is this what society is coming too? Is this what happened with society and why we ended up in these nannystates? Because nobody is man enough to put there balls on the table any more? What about standing tall and admitting that you made a mistake, that the fault is all yours... Your balls will be busted, but you can leave the room with integrity and be proud and respected for your actions!

    Just my 0.02,


    1. This post has been deleted by its author

    2. Paul Crawford Silver badge

      Re: Why ?

      "If you yourself are not clever enough to use github in a secure manner"

      So Sir, were you clever enough to notice the bad random number generator in Debian's OpenSSL? Did you in fact report it and help fix things?

      If not then STFU and get on with something more useful. The call is not for GitHub to hand-hold users at any point, but to notice said compromised keys and warn users about them. Those keys, most likely, were generated years ago and then kept even when the user's OS was updated to something that has that bug fixed and they probably forgot which version of number generator was used to generate them originally.

      1. John Robson Silver badge

        Re: Why ?

        I took all of my existing keys out of use, and reissued the lot, because I couldn't remmeber exactly when each had been generated (or necessarily on which machine).

        But to expect that level of action from everyone with a github account?

        In the same way I expect browsers to flag up bad certs I'd expect SSH banners to warn about these compromised keys - or simply ignore them (with error in the server log at least, preferably in the banner)

        1. Anonymous Coward
          Anonymous Coward

          Re: Why ?

          If comparing browsers to SSH, surely the end users SSH client needs to flag the compromised key to the user, not GitHub?

      2. Anonymous Coward
        Anonymous Coward

        @Paul Crawford - Re: Why ?

        You're right but you are still wrong.

        If you have important data you want to protect, you will also have specific policies for periodically renewing the encryption keys (like erm... rotating passwords ?). Remember, lad, security is an on-going process not a one-shot deal.

  2. phuzz Silver badge


    Just think, soon Windows users will be able to be compromised via ssh! It's a brave new world.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Soon...

      Joke icon?

      This is the IT equivalent of a fart joke.

  3. PassiveSmoking

    So basically a weakened encryption key put UK government data at risk.

    You paying attention Dave? Got a dictionary handy? Could you do us a favour and look Irony up?

    1. Anonymous Coward

      C'mon, he will say that "If it wasn't encrypted, then the keys wouldn't have be compromised, in turn putting people at risk. So we need to remove encryption to stop these issues happening"

      See, I too could become a bolikician.

    2. Irongut Silver badge

      Irony? That's what nanny does to my shirts to make them all spick and span for meeting my chums.


    3. Flywheel Silver badge

      Wot!? You mean there's no filter in place for that?

  4. Charlie Clark Silver badge

    Fact checking

    Python hosts its own Mercurial repository so there could only be a mirror on Github.

    Oh, it's a Darren Pauli article, so fact-checking by readers is required.

    1. Michael Wojcik Silver badge

      Re: Fact checking

      Python hosts its own Mercurial repository so there could only be a mirror on Github.

      Good point (assuming you're correct - I haven't checked). But if there's a mirror on Github, then probably there are some folks building Python and the Python crypto libraries from that mirror; and if that mirror's been compromised, then those binaries are compromised. So it's worth mentioning.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022