72

Dear outsourced developers. Don't send me your private SSH key by email. I don't need it, it allows me to access anything else you can access pretending I'm you, and it shows a misunderstanding of how SSH keys work. 🤦🏻‍♂️

Comments
  • 2
    A nice one.

    We once had to take part in a system where someone signed data with the public key and gave the private key out to the world to check the signature.
    They didn't even know what they did until we told them.

    And sadly there where already other companies who checked the signature and also hadn't noticed that they held the private key.
  • 0
    Wow.
    Never got why you'd just not generate a new one in 3 seconds.
  • 4
    i dont know how ssh keys work, but ffs its called private
  • 1
    @Tommy314 that means you only send it to people you trust, right? 🤔
  • 0
    @endor The guy in question may trust me, but do all the other clients he works with trust me?

    (Unless they use different keys for each client, that is. And it's probably a simple mistake. But I still needed to call it out just in case.)
  • 0
    @d4ng3r0u5 lol, I was joking :P
  • 0
    Wasn't it adobe security team that posted their private key to Twitter not too long ago?
  • 0
    @mbj047 That was the GPG key, not even remotely as important as an SSH key.
  • 0
    @filthyranter ah I don't pay much attention. Meh that depends on the server and the user.
  • 3
    @filthyranter I have to disagree with that one. With GPG you can publish signed software with viruses in it. In our case you need VPN and SSH key to gain access. So a GPG leak is much worse in our case.
  • 0
    @d4ng3r0u5 Holy fuck that is bad and sad. Don't know why they didn't heed your username 🤣
  • 1
    @hjk101 Yes. I didn't say GPG wasn't important, but I'm sure you could do more damage with that SSH key
  • 1
    @filthyranter If there is no firewalling you are right on the money! (so the first thing you would do once you're in, is find the GPG key and sign some crap and let it be hosted by the official server 😈)
  • 1
    Dear outsourced developers.

    DO send me your private SSH keys. In plaintext. From a McDonald's free wifi.

    LOL
Add Comment