back to article Python Package Index found stuffed with AWS keys and malware

The Python Package Index, or PyPI, continues to surprise and not in a good way. Ideally a source of Python libraries that developers can include in their projects to save time, PyPI has again been caught hosting packages with live Amazon Web Services (AWS) keys and data-stealing malware. Malicious packages are, sadly, nothing …

  1. ecofeco Silver badge

    Security?

    We've heard of that. But it's expensive and we don't have the budget for it this year.

    - manglement as usual.

    1. Version 1.0 Silver badge
      Devil

      Re: Security?

      Security can improve if you hire a hacker to work on everything you do, to try and hack it, but then since they are your employee they can reveal how it's done and everyone can work to stop it ... but keep trying in future - that's hopefully security. Security may exist if your hacker fails to hack items but keep trying.

    2. Dimmer Silver badge

      Re: Security?

      Had a FDIC auditor ask me one time “ Did anyone do a penetration test this year?”

      “Yes, we paid for one but the rest were for free”

  2. Lorribot

    "I believe a fair bit of the blame can be laid at the feet of developers, but this sort of thing may not be part of their core competency"

    never was truer word said.

    Security needs to be a core competency, but interviews for high skill jobs are just a self fulfilling prophecy in that you get you developer to interview the next developer and so on, and if that skill set or you SecOps/InfoSec dude is not on the interview panel it is unlikely any security competency questions will be asked, but then how many Info sec people understand programming enough to be able to ask relevant questions? "this sort of thing may not be part of their core competency"

    1. AndrueC Silver badge
      Boffin

      I don't think it's reasonable to expect all software developers to understand everything they use. That would be like demanding that electricians build their own soldering irons and power supplies.

      For software development to thrive we have to have tools that can just be grabbed off the shelf and slotted into place. The fact those tools can't be trusted is a serious concern but I don't think that expecting every software developer to understand what those libraries do is the answer. The answer is to come up with a system that ensures we can trust those libraries.

      1. wi94e&*L2Xm?

        Electricians don’t typically use soldering irons or power supplies. Electrical engineers and electronic technicians do, and I would expect a competent one to be able easily to design and/or construct both of those items.

        1. AndrueC Silver badge

          I would expect a competent one to be able easily to design and/or construct both of those items.

          I'd have thought someone as pedantic as you would have read my post more carefully. What I actually wrote was:

          That would be like demanding that electricians build their own soldering irons and power supplies.

          Electricians buy the tools and equipment they need without (by and large) wasting their time worrying about how they are constructed. Software developers should be able to do the same with libraries.

          Human innovation has always been about wrapping complicated things up in ways such that other people can use them without need to expend the effort gaining the same knowledge. I don't know enough about the internal combustion engine to repair one but that doesn't stop me driving a car. Although I know a lot about telecommunications most people do not and it doesn't stop them using a telephone.

          The whole point of a software library is to allow a software developer to leverage some other developer's skill and knowledge. Requiring a user of a library to validate the contents of that library is a poor use of their time.

          1. Anonymous Coward
            Anonymous Coward

            Based on what we're seeing, I'd say it was nearly a required use of their time. To use a car analogy, if you outsource your rims, and the come back square, you know something's wrong. But if you outsource, e.g. download a library, it would seem to me that you'd verify that it does what it says on the tin. If it makes an unexpected gethostbyname query using base64($key).miscreant.tld, you have a problem.

  3. Anonymous Coward
    Anonymous Coward

    Githuib...best place to find free AWS keys!

    One of the best sec courses I went on the tutor said on the first day.

    If you ever want to play with some interesting tech and you can't afford it then just poke about Github for around 30-45 mins and you'll find no end of logins, passwords for all sorts of access to services for free, code repos are the best places to find free logins! I'm joking of course, don't do that however....I'm just telling you the honest truth. If you want to litrerally set fire to the company's money by letting people with fewer morales than you have a fun time playing in your cloudy services backyard, then go ahead use public repos like Github to store your company code 'cos I can garantee that within 3 months one of your devs will put keys and logins into code and your cloud costs will literally go up by 10, 20 or 50 times over a couple of days and the company will have to pay for it if the provider finds you let your keys loose in the wild.

  4. trevorde Silver badge

    Free money

    Worked for a company where a contractor committed our private AWS keys to a public GitHub repo. Over the weekend, someone ran up a bill of £150k mining bitcoins. Oops!

    1. yoganmahew

      Re: Free money

      OMG same, but with GCP! Wild!

      Seriously, though, my company runs its own repos and everything is supposed to be committed only to those private repos. Even there, we're not supposed to commit keys.

      Developers! Professional yourselves!

  5. Anonymous Coward
    Anonymous Coward

    Clever

    Publishing to Github to let their doodad take care of notifying the vendors is a great idea, why waste time telling the user or PyPi when you can just let GitHub do it.

    I love little shortcuts like that.

    1. Claptrap314 Silver badge

      Re: Clever

      It's getting GitHub to tell AWS so that the keys can be quarantined that is the real magic, my friend...

    2. anothercynic Silver badge

      Re: Clever

      Well, that's the most straight-forward way, IMO - go directly to the platform, and then let them deal with it, given that it'd be the platform that's exploited.

      Kudos to the man for cooking up this great little scanner. I hope he's not sued or... disappeared.

  6. Phones Sheridan Silver badge
    Trollface

    I haef the solution

    Ban Python! I mean it, ban it, and all other languages while you're at it. No-one should be able to run code of their choosing on their machine. Code should be uploaded to the operating system manufacturer for approval, who in turn could say upload it to an official app repository. Only official app repositories should be allowed. "But" you say "this will put a strain of the OS manufacturers resources!". I hear you, so the manufacturer should be able to charge a small amount for his services, say $99 per year. Ongoing charges could be a reasonable 30% of the apps turnover. They could also provide a single service for credit card processing too with all the security benefits that provides. Everyone's a winner!

    1. TimMaher Silver badge
      Happy

      Re: I haef the solution

      Is that why “app” takes up most of the word “Apple”?

      1. Yet Another Anonymous coward Silver badge

        Re: I haef the solution

        'Their machine'? This machine contains our proprietors technology, you may be able to rent it from us for an unreasonable monthly fee plus support plus OS licencing plus

  7. captain veg Silver badge

    PyTorch

    Does it have a companion library named PytchForK?

    -A.

  8. Cliffwilliams44 Silver badge

    Security ain't that hard

    "I believe a fair bit of the blame can be laid at the feet of developers, but this sort of thing may not be part of their core competency – security is hard to get right at the best of times,"

    BS!

    It ain't hard to store your access keys in Secrets Manager and retrieve the keys when you need them programatically, then rotate those keys on a regular basis and make sure the keys you are using ONLY have access to the resources you need.

    This is just lazyness and/or blatent incompetance!

    1. captain veg Silver badge

      Re: Security ain't that hard

      Even easier to keep your own source code on your own hard drives.

      -A.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like