A RESEARCH HAS PUBLISHED TruffleHog, a tool that will enable administrators, and hackers, to uncover high-entropy encryption keys, to Github.
The "module will go through the entire commit history of each branch, and check each diff from each commit, and evaluate the Shannon Entropy for both the base64 char set and hexidecimal char set for every blob of text greater than 20 characters comprised of those character sets in each diff," according to the project's home page on Github
"If at any point a high entropy string greater than 20 characters is detected, it will print to the screen."
The aim is to save administrators from inadvertently exposing their networks, but will no doubt also be used by hackers to scan existing open-source apps for potential zero-day security backdoors that can be exploited.
Amazon Web Services (AWS) already uses a similar tool to preemptively search GitHub for AWS keys that may have been connected to public repositories by accident, preventing miscreants from making use of them to spin-up AWS instances (to, for example, mine for bitcoin), with users picking up the tab.
According to Reddit users responding to news of the tool, which was released last week, AWS does this precisely to prevent exploits against its users and services.
"I have accidentally committed my AWS secret keys before to a public repository. Amazon actually found them and shut down my account until I created new ones. Kinda neat amazon," wrote one. µ
C3-PO, R2-D2, BB-8 and other Androids
Helpful cyber vigilante gets short changed by customer services
...you know, now it's less confusing...
Firm will no longer provide updates for its first Android mobe