foone , English
@foone@digipres.club avatar

FUN FACT:
if you build electronic devices which contain a raspberry pi in them, consider what will happen if one of them gets thrown out.
someone might open them up, stick the microSD card in them into a reader, and open up that tantalizing "apps.json" file which has YOUR GOD DAMN AWS KEYS? IN UNENCRYPTED PLAIN TEXT?

lucasmz ,
@lucasmz@hachyderm.io avatar

@foone I wonder if TPM helps here

mark ,
@mark@mastodon.fixermark.com avatar

@foone But SD cards are that form factor specifically so you can smash them to powder so easily!

griibor ,
@griibor@mas.to avatar

@foone damn, where do you keep finding this cool e-junk?

foone OP ,
@foone@digipres.club avatar

@griibor A local e-waste place that my roommate has access to

scruss ,
@scruss@xoxo.zone avatar

@foone sure beats the collection of mediocre MP3s and two full-res DVD movie rips I found on a Raspberry Pi-based advertising interactive I used to maintain

adorfer ,
@adorfer@chaos.social avatar

@foone the RPI platform was never meant to be in a remote location. there is no TPM and providing USB based tokens is really hard to carry over remote dist-upgrades... speaking of dist-upgrades on RPI....

robert ,
@robert@irrelevant.me.uk avatar

@foone
Things are getting better.. I used to find database dumps featuring md5('123456') all over the place. https://blog.irrelevant.com/2011/07/data-breach.html?m=1
Only one result in Google today..

cdamian ,
@cdamian@rls.social avatar

@foone "someone"

waldi ,
@waldi@chaos.social avatar

@foone Can you get AWS to revoke published keys, similar to the way CA are supposed to do it?

stormy ,
@stormy@furry.engineer avatar

@foone I'm pretty sure Google is starting to take a more proactive stance on leaked keys but you can probably still find newly minted ones in GitHub every five minutes. Same is true for the other cloud providers.

StarkRG ,
@StarkRG@myside-yourside.net avatar

@foone Email them back to the company with the subject line "I think you dropped your keys"

schrockwell ,
@schrockwell@mastodon.social avatar

@foone Funner fact: I accidentally did this with an Electron app. It packaged up my local .env file in the release. Imagine my surprise finding a .txt on my S3 instance from a well-meaning user.

foone OP ,
@foone@digipres.club avatar

it has been zero days since foone has opened up some old tech and accidentally gotten information she was not supposed to have.

foone OP ,
@foone@digipres.club avatar

It was literally the first file I opened

momo ,
@momo@social.linux.pizza avatar

@foone
Wait, wait, let me grab a bucket of popcorn first! This gonna be good!

Serene117 ,
@Serene117@mastodon.world avatar

@foone what was in it?

foone OP ,
@foone@digipres.club avatar

I did a little more searching. This raspi was running balenaOS which is a docker-containers-on-raspi thing.

Fun fact: If you pass environment options to a docker image you're building, they get stored in the config.v2.json file for that container!

So there's ANOTHER COPY OF THE AWS KEYS HERE!
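As an added, defender-side example that is not part of this thread: a small Python scanner over the two file types mentioned above, docker's config.v2.json (whose Config.Env list stores a container's environment as NAME=VALUE strings) and an application config such as apps.json, flagging AWS access key ids and secret-named fields so a device image can be checked before it leaves the building. The file contents and the AKIA value are constructed placeholders, not data from the device.

```python
import json
import re

# Long-term AWS access key ids start with AKIA, temporary (STS) ones with ASIA;
# both are 20 upper-case alphanumeric characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Names that suggest a value is a secret, checked against JSON keys and NAME=VALUE env entries.
SECRET_NAME_RE = re.compile(r"SECRET|PRIVATE|TOKEN|PASSWORD", re.IGNORECASE)


def _walk_strings(obj, path=""):
    """Yield (json_path, value) for every string leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from _walk_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def _mask(value):
    """Keep only enough of a value to identify it in a report, never the whole secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def find_credentials(text):
    """Scan one JSON document and return [(json_path, description), ...]."""
    findings = []
    for path, value in _walk_strings(json.loads(text)):
        for match in AWS_ACCESS_KEY_RE.finditer(value):
            findings.append((path, "AWS access key id " + _mask(match.group())))
        # Docker's config.v2.json keeps the env as "NAME=VALUE" strings under Config.Env,
        # so the variable name lives inside the string rather than in the JSON key.
        name, sep, val = value.partition("=")
        if sep and val and SECRET_NAME_RE.search(name):
            findings.append((path, f"secret-like env var {name}={_mask(val)}"))
        json_key = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
        if SECRET_NAME_RE.search(json_key):
            findings.append((path, f"secret-like key {json_key}: {_mask(value)}"))
    return findings


# Constructed samples; the AKIA id is a placeholder, not a real key.
CONFIG_V2_JSON = json.dumps({"ID": "constructed-container-id", "Config": {"Env": [
    "PATH=/usr/local/sbin:/usr/bin", "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000",
    "AWS_SECRET_ACCESS_KEY=constructed/secret/value/0000000000000"]}})
APPS_JSON = json.dumps({"app": {"name": "constructed-app", "aws": {
    "accessKey": "AKIAEXAMPLE000000000", "secretKey": "constructedSecretValue000000"}}})

if __name__ == "__main__":
    for label, doc in (("config.v2.json", CONFIG_V2_JSON), ("apps.json", APPS_JSON)):
        for path, desc in find_credentials(doc):
            print(f"{label}: {path}: {desc}")
```

Run it against every JSON file under a mounted SD card image (or a container's /var/lib/docker/containers directory) to inventory what a discarded device would hand to whoever picks it up.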

eaton ,
@eaton@phire.place avatar

@foone i'm imagining planning meetings in which engineers ask, "Realistically, what are the odds any of us will work here when that bill comes due?"

foone OP ,
@foone@digipres.club avatar

anyway this is what I have:
https://www.linkedin.com/pulse/ari-introduces-wellness-detector-jonathan-burke/

Good news: That company/product doesn't seem to be active anymore. So these keys have almost certainly expired and been invalidated. I'm just gonna assume that and not check because I don't want to get in trouble for "hacking"

eaton ,
@eaton@phire.place avatar

@foone "wellness status: 403"

kastor ,
@kastor@shelter.moe avatar

iDave ,
@iDave@mastodon.me.uk avatar

@foone for a brief, glorious moment, I thought they were some kind of Next Gen Dreamcast Visual Memory Units.

jleedev ,
@jleedev@mastodon.sdf.org avatar

@foone just pipe them into github, it'll automatically cast remove curse on them

montar ,
@montar@mastodon.social avatar

@foone publish those keys.

gothodile ,
@gothodile@furs.social avatar

@foone reminded of the time I did infosec for [worldwide retail store] and how we would find AWS keys stored in plaintext on NETWORK SHARES every damn week.

llewelly ,
@llewelly@sauropods.win avatar

@foone a whale of a leak?

JLab8 ,

@foone counterpoint - if you have the device legitimately, you're supposed to have all the information within.
