GitHub publishes RSA SSH host keys by mistake, issues update:
GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
A post on GitHub's security blog reveals that the company has changed its RSA SSH host keys. This is going to cause connection errors, and some frightening warning messages, for a lot of developers, but it's all right: it's not scary cracker activity, just plain old human error.
Microsoft subsidiary GitHub is the largest source code shack in the world, with an estimated 100 million active users. So this is going to inconvenience a lot of people. It's not the end of the world: if you normally push and pull to GitHub via SSH – which most people do – then you will have to delete GitHub's old host key from your local known_hosts file and fetch the new one.
As the blog post describes, the first symptom is an alarming warning message[.]
For almost everyone, this warning is spurious. It's not that you're being attacked – although that is always a remote (ha ha, only serious) possibility – it's that GitHub revoked its old keys and published new ones. Hanlon's Razor applies, as it most often does:
Never attribute to malice that which can be adequately explained by stupidity. (The word stupidity is often replaced with incompetence, but then, one does tend to lead to the other.)
This time, the reason was – as usual – plain old human error. Someone published GitHub's private RSA keys in a repository on GitHub itself. If you're unclear how SSH encryption works, about public versus private keys, or the different cryptographic algorithms SSH uses, there are many good explanations out there.
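As an added illustration (not code from the article or from GitHub), here is the cleanup the summary describes, done the way a defender would: drop only the stale github.com RSA entries from known_hosts, hashed-hostname entries included, and accept the replacement key only if its SHA256 fingerprint matches the one GitHub published out of band. The known_hosts lines and key blobs are constructed, not GitHub's real keys, and the published fingerprint is a parameter because it is not on this page.

```python
import base64
import hashlib
import hmac

# Constructed sample key blobs (NOT GitHub's real keys); any bytes serve for the demo.
OLD_BLOB = base64.b64encode(b"constructed-old-rsa-blob").decode()
NEW_BLOB = base64.b64encode(b"constructed-new-rsa-blob").decode()
OTHER_BLOB = base64.b64encode(b"constructed-other-blob").decode()

def hashed_host_entry(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed hostname field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

# Constructed known_hosts: plain, host+IP and hashed RSA entries for github.com that
# must go, plus an ed25519 key and an unrelated host that must survive the cleanup.
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"github.com ssh-rsa {OLD_BLOB}",
    f"github.com,140.82.112.3 ssh-rsa {OLD_BLOB}",
    f"{hashed_host_entry('github.com', b'0123456789abcdefghij')} ssh-rsa {OLD_BLOB}",
    f"github.com ssh-ed25519 {OTHER_BLOB}",
    f"gitlab.example ssh-rsa {OTHER_BLOB}",
]) + "\n"

def field_names_host(field: str, host: str) -> bool:
    """True if a hostname field (plain, comma-separated list, or hashed) covers host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")

def drop_host_key(known_hosts: str, host: str, key_type: str):
    """Remove entries for host with the given key type only; return (new_text, removed)."""
    kept, removed = [], 0
    for line in known_hosts.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("@"):  # skip @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and parts[1] == key_type and field_names_host(parts[0], host):
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed

def fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def new_key_is_trustworthy(key_line: str, published_fp: str) -> bool:
    """Trust a freshly fetched host key line only if it matches the out-of-band fingerprint."""
    return fingerprint(key_line.split()[-1]) == published_fp
```

On a real machine `ssh-keygen -R github.com` performs the removal step, and `ssh-keygen -lf` on the fetched key prints the fingerprint to compare against the one in GitHub's announcement.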
(Score: 5, Insightful) by captain normal on Tuesday March 28 2023, @05:40PM (4 children)
"Microsoft subsidiary GitHub..." GitHub jumped the shark about 5 years ago and was eaten by it.
Over 100,000 software engineers with no clear organization or direction, what can possibly go wrong? Same with Google and several other large Corps.
"Everyone is entitled to his own opinion, but not to his own facts." -- Daniel Patrick Moynihan
(Score: 0) by Anonymous Coward on Tuesday March 28 2023, @06:29PM (3 children)
Microsoft employs 100k+ people, but only a small number of those are engineers. Most of them are non-engineers, as evidenced by the shite they've been putting out under the flimsy cover of "our products".
(Score: 2) by guest reader on Tuesday March 28 2023, @07:27PM (1 child)
It could also be called "sacrificed quality for time to market". It is possible that they just did not receive enough hours for the agile tasks. And they were told that only underperformers would need more time for that. "Underperformers" do not receive a bonus salary or a promotion at the yearly evaluation.
(Score: 4, Funny) by JoeMerchant on Tuesday March 28 2023, @08:05PM
Like renaming the NSA key before publishing the source?
https://en.wikipedia.org/wiki/NSAKEY [wikipedia.org]
(Score: 2) by captain normal on Wednesday March 29 2023, @12:32AM
This was a couple of years ago...still,
https://devblogs.microsoft.com/engineering-at-microsoft/welcome-to-the-engineering-at-microsoft-blog/#:~:text=Microsoft%20has%20over%20100%2C000%20software,software%20projects%20of%20all%20sizes. [microsoft.com]
"Everyone is entitled to his own opinion, but not to his own facts." -- Daniel Patrick Moynihan
(Score: 2) by bmimatt on Tuesday March 28 2023, @09:24PM
Things like https://github.com/thoughtworks/talisman [github.com] would've likely prevented this "human error", if people cared just a little more.
(Score: 2) by ElizabethGreene on Wednesday March 29 2023, @02:35PM
(Be gentle, I'm asking in ignorance.)
Shouldn't high-value keys like that be generated by and stored in a Hardware Security module where this can't happen? Like just not possible because the private key is in the HSM and never leaves?