Writing

Software, technology, sysadmin war stories, and more. Feed
Sunday, April 7, 2013

Cooking up a half-baked bad idea involving ssh keys

I had another really bad idea earlier this week. Bear with me here, since it's not exactly the most direct path to evil. It's definitely half-baked.

First, start crawling the web for Github usernames. Dig through all of their profile and activity pages and look for links to other users. Keep a note of every single username. Also go to sites like Hacker News and reddit's programming-oriented areas, then try those same usernames on Github if they weren't discovered already. If they turn up more connections, follow them.

Eventually, there should be a giant list of usernames. Now it's time for phase two, which is where the distributed botnet starts hitting https://github.com/(username).keys for every username it already found. github will happily spit out every public key which is currently associated with an account. Did you know that? Before a couple of days ago, I didn't.

I'm pretty sure this is by design. I never wanted my SSH keys, "public" notwithstanding, to be available to the world. There is no reason for it, and of course I see no way to turn it off, so I just removed all of them from the account. It's not like I push anything out there anyway.

Phase three is to set up some kind of honeypot which attracts a bunch of people who are likely to use Github. Invite them to ssh in to your machine to solve your challenge or something like this. Such things have been on HN in recent times. Set up the account to use public key authentication and preload it with all of the keys you collected from phase two.

Phase four involves taking the logs of connections and associating IP addresses with keys, and thus with accounts. Now you have a pretty good idea where that person is or has some kind of account. Further analysis like geolocation is left as an exercise for the creeper who actually tries this.

I'm not a particular fan of their always-visible activity log, either. If I poke around on the site and start following something, there might be a reason I'd rather not have it shared with the world. Maybe I don't want to leak any data about the future directions of my projects.

I find the whole thing rather annoying.