
Thursday, September 25, 2014

My 37k dollar mistake: ilikerobot.com

If you listened to my interview on the Code Newbie podcast, I mentioned briefly that I had a slight debacle with my AWS key, to the tune of 37k dollars. I feel like I should write a public service announcement about it to help others, so here it is:

It has been almost a year since I started my journey in November of last year. I began a few tutorials and online resources, but the first complete tutorial that I finished was One Month Rails, and it was an awesome experience. In only two weekends I followed the instructions step by step to create the site ilikerobot.com. I was so excited about it that I even convinced others to use it.

At that time I did not use GitHub at all and barely knew how to use git, but fast forward to the beginning of January and I had mastered the process of pushing to GitHub, so much so that I pushed all my projects to public repositories. Little did I remember the warnings from the OMR videos not to publicly post any files with sensitive information.

You see, the sample application is a Pinterest clone which requires users to sign in and post a picture of a robot. In order to save these uploaded pictures, you need a tool like AWS's S3 service to store them. AWS provides an access key (an ID plus a secret), bucket names, and one year of free access. After the year you need to pay, but at the rate I was using it, it might have been pennies.

When I pushed the repo to GitHub I neglected to hide all the sensitive information, and I did not realize it until I received a phone call from Amazon out of the blue letting me know my keys had been published on GitHub. This was back in May, when I was interviewing for jobs, so my focus was not on this project I had created months ago. I had the key deactivated, deleted the specific file on GitHub (this is not enough: the key is still in the repository's commit history, and anyone who already scraped it has it), and moved on with my day. Little did I know that there were actual charges made to the account by an attacker who scrapes GitHub for sensitive information, which is actually clever and, I am sure, very easy given the number of new programmers.

I only found out about the charge because I have been making an effort to update all my old apps and bring them up to speed with Rails 4, in addition to writing previously non-existent test suites. I lost access to the photos on the site and could not log into my AWS dashboard. After getting my login access back I noticed the large bill and had a phone call with Amazon the next day.

I am very pleased with their understanding and the effort they put in to having the charges reversed. They also protected my account, even though the root of the problem was actually my ignorance. I would highly recommend them to others looking for simple cloud hosting, but I do recommend a few things below.

My recommendations to protect your projects:

I am still all for making code public in repos on GitHub, but I recommend everyone learn about `.gitignore`. This is something I learned about after OMR but did not put into practice with my first app. You simply create the file in the root folder of your app and list the paths of your private files there. Git will then never track those files, and you are responsible for keeping your login info outside the repo in a secure location. One caveat: `.gitignore` only stops a file from being added in the first place. If the file was already committed, you have to remove it from tracking (`git rm --cached`), and since the old commits still contain it, you must treat the key as compromised and rotate it anyway.

I also recommend the figaro gem for Rails projects on Heroku. Its GitHub README is more than enough to get started, and it keeps sensitive information like API keys out of the repo by loading them from a git-ignored `config/application.yml` into environment variables.

*Update: I also suggest this GoRails video on Environment Variables
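To make the `.gitignore` and environment-variable advice concrete, here is an added Ruby example that is not from the original post, One Month Rails, or the figaro gem. It does three things: copies a git-ignored YAML file into the environment the way figaro does with `config/application.yml` (a stand-in for the gem, not its code), fails loudly at boot when a required variable is missing, and scans a file for an AWS access key ID or a hard-coded secret before it can be committed. The variable names, the `S3_CONFIG` initializer, the `ilikerobot-uploads` bucket, and the key values are all constructed for this example; the key ID uses AWS's documented dummy prefix and the secret is a 40-character placeholder.

```ruby
require "yaml"
require "tmpdir"

# Settings the app needs at boot. These names are this example's own assumption.
REQUIRED_KEYS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY S3_BUCKET].freeze

# Copy key/value pairs from a YAML file into the environment without clobbering
# anything already set (Heroku config vars win). This is the pattern figaro
# implements for config/application.yml; it is a stand-in, not figaro itself.
def load_env_file(path, env = ENV)
  return {} unless File.exist?(path)
  data = YAML.safe_load(File.read(path)) || {}
  data.each { |k, v| env[k.to_s] ||= v.to_s }
  data
end

# Fail at boot if a secret is missing, rather than later with an opaque S3 error.
def aws_credentials(env = ENV)
  missing = REQUIRED_KEYS.reject { |k| env[k] && !env[k].empty? }
  raise KeyError, "missing environment variables: #{missing.join(', ')}" unless missing.empty?
  { access_key_id:     env["AWS_ACCESS_KEY_ID"],
    secret_access_key: env["AWS_SECRET_ACCESS_KEY"],
    bucket:            env["S3_BUCKET"] }
end

# Pre-commit check. AWS access key IDs are AKIA/ASIA plus 16 uppercase
# alphanumerics; secrets are 40 base64-style characters. The second pattern only
# fires on a literal assigned to secret_access_key, so an ENV lookup passes.
AWS_ACCESS_KEY_RE    = /\b(AKIA|ASIA)[0-9A-Z]{16}\b/
AWS_SECRET_ASSIGN_RE = /secret_access_key\s*[:=]\s*["']?[A-Za-z0-9\/+=]{40}\b/i

# Returns [[line_number, :access_key_id | :secret_access_key], ...] for every hit.
def find_leaked_keys(text)
  text.each_line.with_index(1).flat_map do |line, n|
    hits = []
    hits << [n, :access_key_id]     if line.match?(AWS_ACCESS_KEY_RE)
    hits << [n, :secret_access_key] if line.match?(AWS_SECRET_ASSIGN_RE)
    hits
  end
end

# Constructed sample: the initializer as it would have been pushed to GitHub.
BAD_INITIALIZER = <<~RUBY
  S3_CONFIG = {
    bucket:            "ilikerobot-uploads",
    access_key_id:     "AKIAIOSFODNN7EXAMPLE",
    secret_access_key: "EXAMPLE0123456789abcdefghijklmnopqrstuvw"
  }
RUBY

# Constructed sample: the same initializer reading from the environment instead.
GOOD_INITIALIZER = <<~RUBY
  S3_CONFIG = {
    bucket:            ENV.fetch("S3_BUCKET"),
    access_key_id:     ENV.fetch("AWS_ACCESS_KEY_ID"),
    secret_access_key: ENV.fetch("AWS_SECRET_ACCESS_KEY")
  }
RUBY

# Round trip: write a git-ignored application.yml into a temp dir, load it into
# an environment hash, and build the credentials from that hash.
def demo(env = {})
  Dir.mktmpdir do |dir|
    path = File.join(dir, "application.yml")
    File.write(path, <<~YAML)
      AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
      AWS_SECRET_ACCESS_KEY: EXAMPLE0123456789abcdefghijklmnopqrstuvw
      S3_BUCKET: ilikerobot-uploads
    YAML
    load_env_file(path, env)
  end
  aws_credentials(env)
end

if __FILE__ == $PROGRAM_NAME
  puts "bad initializer hits:  #{find_leaked_keys(BAD_INITIALIZER).inspect}"
  puts "good initializer hits: #{find_leaked_keys(GOOD_INITIALIZER).inspect}"
  puts "credentials loaded for bucket: #{demo[:bucket]}"
end
```

Run `find_leaked_keys` over a file before `git add`, not after: once a commit with the key has been pushed, deleting the file does not remove it from history, and the only real fix is to deactivate that key in AWS and issue a new one.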


1 comment:

  1. Holy... this story was suspenseful. I'm so glad it all turned out ok.
