We created a static version of this (somewhat similar to Shodan, but for keys) using a publicly accessible GitHub dump hosted on Google Cloud in 2017. We then hosted the processed data, website and our search infra on AWS. The AWS security team reached out to us for a potential "collaboration" and asked us to send all the AWS keys that we had discovered, and we sent them the whole list. As a tiny startup, we were elated. A few days later they called us and threatened a cease and desist notice if we did not take down the website. Remember, we were not targeting AWS keys, nor were we in violation of any licensing agreements with respect to the data. We refused to shut it down. They then asked us to stop hosting it on AWS or "anywhere" else, since we were using AWS credits to host the product, or they would shut down our account. When this strategy did not work out, they contacted someone at Stripe who had given us the AWS credits, who then asked us to take it down or face consequences. We eventually had to shut it down since we did not have a lot of money to fight these people.

It was a stressful week for us, during which we learnt that corporates can lie and bully you to get whatever they want and then shut you down, unless you have the means to fight back. It does not matter where you live.
Author here. I released the tool a few weeks back and have since downsized the EC2 instance, so this post pretty much killed the box. I've just up-sized it again, but it's still running fairly slowly due to high load. It typically finds around 5 secrets a second. Corresponding blog post here: https://darkport.co.uk/blog/ahh-shhgit!/ and you can run your own instance from here: https://github.com/eth0izzle/shhgit
Blog post about shhgit: https://darkport.co.uk/blog/ahh-shhgit!/
This is highly amusing.

One of the first things it found was a publicly accessible Oracle DB. The second thing it found was someone attempting to make an authoritative repo on standards for Django, which included this all-too-familiar line in settings.py:

    # SECURITY WARNING: keep the secret key used in production secret!
    SECRET_KEY = '(d5%@h=u0m2a5-$4f^n(d%4mkt-@f1%h#3n64%+wmhf(kmx)ga'
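The settings.py finding above is the kind of pattern a secrets scanner keys on. As an added example (not code from the thread or from shhgit), here is a minimal check that flags a Django SECRET_KEY committed as a string literal, run against two constructed settings files: the offending form and the hardened form that reads the key from an environment variable (the `DJANGO_SECRET_KEY` name and the sample key value are assumptions for the example).

```python
import re

# A string literal assigned directly to SECRET_KEY, single or double quoted,
# with an optional trailing comment. Values pulled from os.environ, a secrets
# manager or a file do not match, which is the behaviour we want.
HARDCODED_RE = re.compile(
    r"""^\s*SECRET_KEY\s*=\s*(['"])(?P<value>.+?)\1\s*(#.*)?$"""
)


def mask(value):
    """Keep only the ends of a secret so a report can be shared without leaking it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else value


def find_hardcoded_secret_keys(settings_text):
    """Return (line_number, masked_value) for each SECRET_KEY string literal."""
    findings = []
    for lineno, line in enumerate(settings_text.splitlines(), start=1):
        m = HARDCODED_RE.match(line)
        if m:
            findings.append((lineno, mask(m.group("value"))))
    return findings


# Constructed sample of the offending form; the key value is made up.
VULNERABLE_SETTINGS = """\
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'x7q#constructed-sample-key-not-real-9f2!k8v@z1w$4p'
DEBUG = True
"""

# Constructed sample of the hardened form: the key comes from the environment
# (variable name DJANGO_SECRET_KEY is an assumption) and startup fails fast with
# a KeyError if it is missing, so no secret ever lives in the repository.
HARDENED_SETTINGS = """\
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]  # KeyError if unset
DEBUG = False
"""

if __name__ == "__main__":
    print(find_hardcoded_secret_keys(VULNERABLE_SETTINGS))  # [(2, 'x7q#...w$4p')]
    print(find_hardcoded_secret_keys(HARDENED_SETTINGS))    # []
```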
This tool should create issues in the relevant repos unless the repo explicitly whitelists itself. Or, alternatively, just create one master issue per repo (should there be more violations in the future).
Rather link: https://darkport.co.uk/blog/ahh-shhgit!/

The service is currently overloaded.