back to article Hacker publishes GitHub secret key hunter

A researcher has published a tool to help administrators delve into GitHub commits to find high-entropy secret keys. The tool, dubbed TruffleHog, is able to locate high-entropy keys with Github potentially saving admins from exposing their networks and sensitive data. TruffleHog developer Dylan Ayrey, who warned of the …

  1. Anonymous Coward
    Anonymous Coward

    sesnitive

    If only there were a tool that could search if a word was in a dictionary...

    1. Halfmad

      Re: sesnitive

      Has to be more than 20 characters long for them to check.

  2. Lee D Silver badge

    I'd be much more worried about code that hard-codes an API key or password as a variable rather than, say, reads it from an external file (which is outside the commit zone). Accidental commits of files, I could probably "forgive", especially if there are in a separate .h file or similar that contains just the things that should never be committed.

    But finding them just stray in your code?

    There's a reason, for example, that /etc/ssl is heavily locked down, /etc/ssl/private is even heavier, and if you want to use those keys you include them from your config, not just copy and paste them into your website path.

  3. Anonymous Coward
    Anonymous Coward

    Hmm, this worries me.

    If you find GitHub slow today, it may be because of multiple people running this tools to find zero days - code with hard coded keys that can now be exploited. If a dev isn't 100% on the ball on this, you may have problems..

  4. Anonymous Coward
    Anonymous Coward

    Why are all The Register articles about encryption failures illustrated with a picture of an Abloy Protec key - one of the most secure mechanical locks available?

  5. uqrxur

    How does it counterbalance...

    Looks very nice academically but I wonder how it counterbalances with simple string based searches on variable names for "known" patterns? (i.e.: 'key', 'pwd', 'secret', 'token', etc.) that get improved on time. Who wants to run a comparative analysis? :)

  6. This post has been deleted by its author

  7. Al Brown

    See earlier Reg story

    See earlier Reg story:

    http://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots/

  8. Pliny the Whiner

    Has anyone else noticed that El Reg now uses encryption? Sure, it's 40-bit DES, but still.

    No, really. Give it a try:

    https://www.theregister.co.uk/

    And remember that Jesus hates encryption. Loves the encryptor, but hates the encryption.

    1. Valeyard

      Hello! The TLS version of the site isn't quite ready for prime time, please bear with us...

      I'm glad they're finally almost catching up with those they criticise, but i wonder why i wasn't already seeing this with https everywhere enabled

    2. Justin Clift

      > Has anyone else noticed that El Reg now uses encryption? Sure, it's 40-bit DES, but still.

      Excellent.

      For me, Opera says my connection is using:

      TLS 1.2 AES_128_GCM ECDHE_ECDSA

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like