Bugs aside, I think the guy is an idiot. There is absolutely no excuse to store private credentials in a git repository in a server you don't control, even storing the configuration in the repository is bad enough.
The basis of the bug is that
1) you explicitly create a private repository
2) software tells you that you have a private repo (yay!)
3) software actually creates a public repo (woops!)
One problem I saw was that he fixed the problem pretty quickly. He changed his password, deleted the exposed keys. Problem solved, right? Amazon spun up a bunch of other instances with his compromised and now changed credentials.
While he did flub, he did damage control. Amazon allowed new EC2 instances to get spun up anyway. I think that's a bigger problem than him letting his keys leak.
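The thread's first point is that credentials should never land in a git repository, private or not, because "private" can silently turn out to be public. The check a defender would put in place is a pre-commit scan for credential-shaped tokens. The script below is an added example, not code from the original thread or from any tool mentioned in it. The access key ID shape (a prefix such as AKIA or ASIA followed by 16 uppercase alphanumerics) is the documented AWS format; the secret key rule is a heuristic (a 40-character base64-style value assigned to a name containing "secret"). The sample files, key values and file names are constructed for the demonstration and are not real credentials.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Credential-shaped patterns. The access key ID format is AWS's documented
# shape; the secret key pattern is a heuristic keyed on the variable name.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}

Finding = Tuple[int, str, str]  # (line number, finding type, matched token)


def scan_text(text: str) -> List[Finding]:
    """Return every credential-like token found in a blob of file content."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group report the captured value,
                # patterns without one report the whole match.
                findings.append((lineno, name, m.group(m.lastindex or 0)))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of path -> content; every path gets an entry, empty if clean."""
    return {path: scan_text(content) for path, content in files.items()}


def should_block_commit(files: Dict[str, str]) -> bool:
    """True if any file carries a credential-shaped token (the hook's exit decision)."""
    return any(scan_files(files).values())


def staged_files() -> Dict[str, str]:
    """Read the contents of files staged in git (for use as a pre-commit hook)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout.split()
    out: Dict[str, str] = {}
    for name in names:
        # ":path" reads the staged blob, not the working-tree copy.
        out[name] = subprocess.run(
            ["git", "show", f":{name}"], capture_output=True, text=True, check=True,
        ).stdout
    return out


# Constructed sample input: one settings file with hard-coded keys (fake,
# constructed values) and one that reads the same settings from the environment.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY000001'\n"
        "AWS_SECRET_ACCESS_KEY = '" + "EXAMPLEsecret" + "0" * 27 + "'\n"
    ),
    "config/settings_safe.py": (
        "import os\n"
        "AWS_ACCESS_KEY_ID = os.environ['AWS_ACCESS_KEY_ID']\n"
        "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']\n"
    ),
}


if __name__ == "__main__":
    import sys
    # Use staged files when run inside a repo as a hook; otherwise the sample.
    try:
        files = staged_files() or SAMPLE_FILES
    except (OSError, subprocess.CalledProcessError):
        files = SAMPLE_FILES
    for path, hits in scan_files(files).items():
        for lineno, kind, token in hits:
            # Print only a prefix so the hook output itself does not leak the value.
            print(f"{path}:{lineno}: {kind} ({token[:4]}...)")
    sys.exit(1 if should_block_commit(files) else 0)
```

Wired in as `.git/hooks/pre-commit`, a non-zero exit refuses the commit before the credential ever reaches a remote, which sidesteps the private/public repository question entirely. The scan only catches recognisable shapes, so it complements, rather than replaces, keeping credentials out of config files in the first place (environment variables or an instance role).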