FUN FACT:
if you build electronic devices which contain a raspberry pi in them, consider what will happen if one of them gets thrown out.
someone might open them up, pull out the microSD card, stick it into a reader, and open up that tantalizing "apps.json" file which has YOUR GOD DAMN AWS KEYS? IN UNENCRYPTED PLAIN TEXT?
@foone sure beats the collection of mediocre MP3s and two full-res DVD movie rips I found on a Raspberry Pi-based advertising interactive I used to maintain
@foone the RPI platform was never meant to be in a remote location. there is no TPM and providing USB based tokens is really hard to carry over remote dist-upgrades... speaking of dist-upgrades on RPI....
@foone I'm pretty sure Google is starting to take a more proactive stance on leaked keys but you can probably still find newly minted ones in GitHub every five minutes. Same is true for the other cloud providers.
@foone Funner fact: I accidentally did this with an Electron app. It packaged up my local .env file in the release. Imagine my surprise finding a .txt on my S3 instance from a well-meaning user.
Good news: That company/product doesn't seem to be active anymore. So these keys have almost certainly expired and been invalidated. I'm just gonna assume that and not check because I don't want to get in trouble for "hacking"
@foone reminded of the time I did infosec for [worldwide retail store] and how we would find AWS keys stored in plaintext on NETWORK SHARES every damn week.