<div class="csl-bib-body">
<div class="csl-entry">Jungwirth, G., Saha, A., Schröder, M., Fiebig, T., Lindorfer, M., & Cito, J. (2023). Connecting the .dotfiles: Checked-In Secret Exposure with Extra (Lateral Movement) Steps. In <i>IEEE/ACM 20th International Conference on Mining Software Repositories (MSR)</i> (pp. 322–333). https://doi.org/10.1109/MSR59073.2023.00051</div>
</div>
-
dc.identifier.uri
http://hdl.handle.net/20.500.12708/193214
-
dc.description.abstract
Personal software configurations, known as dotfiles, are increasingly being shared in public repositories. To understand the security and privacy implications of this phenomenon, we conducted a large-scale analysis of dotfiles repositories on GitHub. Furthermore, we surveyed repository owners to understand their motivations for sharing dotfiles and their awareness of the security implications. Our mixed-method approach consisted of two parts: (1) We mined 124,230 public dotfiles repositories and inductively searched them for security and privacy flaws. (2) We then conducted a survey of repository owners (n=1,650) to disclose our findings and learn more about the problems and implications. We found that 73.6% of repositories leak potentially sensitive information, most commonly email addresses (of which we found 1.2 million), but also RSA private keys, API keys, installed software versions, browsing history, and even mail client inboxes. We also found that sharing is mainly ideological (an end in itself) and to show off ("ricing"), in addition to easing machine setup. Most users are confident about the contents of their files and claim to understand the security implications. In response to our disclosures, a small minority (2.2%) will make their repositories private or delete them, but the majority of respondents will continue sharing their dotfiles after taking appropriate actions. Dotfiles repositories are a great tool for developers to share knowledge and communicate, if done correctly. We provide recommendations for users and platforms to make them more secure. Specifically, tools should be used to manage dotfiles. In addition, platforms should work on more sophisticated tests to find weaknesses automatically and inform the users or control the damage.
en
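The abstract recommends that dotfiles be managed with tooling and that platforms run automated tests for the leak classes it found (private keys, API keys, credential files, shell histories, mail stores, email addresses). The following is an added example of such a check, written for this record; it is not code from the paper or its authors. The rule set, the severity levels, the `SAMPLE_REPO` tree and its owner "jane" are all constructed for illustration, and the key and token values are placeholders (AKIAIOSFODNN7EXAMPLE is AWS's documented example access key ID).

```python
"""Secret and sensitive-file scanner for a dotfiles repository.

Added example, not code from the paper or its authors. It shows the kind of
automated check the abstract recommends: before dotfiles are pushed to a
public host, walk the tree and flag private keys, API tokens, credential
files, shell histories and e-mail addresses. The rules and the sample tree
are constructed for illustration; production scanners (gitleaks, trufflehog,
detect-secrets) carry far larger rule sets plus entropy heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str       # repo-relative POSIX path
    rule: str       # rule name
    severity: str   # "high" | "medium" | "low"
    line: int       # 1-based line of the match; 0 for path-based findings


# Content rules: (name, severity, regex), applied to file text.
CONTENT_RULES = [
    ("private_key", "high",
     re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----")),
    ("aws_access_key_id", "high", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", "high", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    # .netrc stores cleartext passwords as "password <value>" lines
    ("netrc_password", "high",
     re.compile(r"^[ \t]*password[ \t]+\S+", re.MULTILINE)),
    # E-mail addresses were the most common leak in the study: low severity,
    # but they let an attacker tie the repo to the owner's other accounts.
    ("email_address", "low", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
]

# Path rules: files that are sensitive by nature regardless of content.
PATH_RULES = [
    ("ssh_private_key_path", "high",
     re.compile(r"(^|/)\.ssh/id_(rsa|dsa|ecdsa|ed25519)$")),
    ("netrc_file", "high", re.compile(r"(^|/)\.netrc$")),
    ("cloud_credentials", "high", re.compile(r"(^|/)\.aws/credentials$")),
    # ssh config / known_hosts hand an attacker a host map for lateral movement
    ("ssh_client_config", "medium", re.compile(r"(^|/)\.ssh/(config|known_hosts)$")),
    ("shell_history", "medium",
     re.compile(r"(^|/)\.(bash|zsh|sh|python|mysql|psql)_history$")),
    ("mail_store", "medium", re.compile(r"(^|/)(Maildir|mbox)(/|$)")),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: text} tree and return every rule hit (path hits use line 0)."""
    findings: list[Finding] = []
    for path, text in files.items():
        for name, sev, rx in PATH_RULES:
            if rx.search(path):
                findings.append(Finding(path, name, sev, 0))
        for name, sev, rx in CONTENT_RULES:
            for m in rx.finditer(text):
                line = text.count("\n", 0, m.start()) + 1
                findings.append(Finding(path, name, sev, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def should_block(findings: list[Finding], threshold: str = "medium") -> bool:
    """Pre-push policy: refuse the push if any finding is at or above threshold."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] for f in findings)


# Constructed sample tree for hypothetical owner "jane"; all secrets are placeholders.
SAMPLE_REPO = {
    ".gitconfig": "[user]\n\tname = Jane Doe\n\temail = jane.doe@example.org\n",
    ".zshrc": "export PATH=$HOME/bin:$PATH\n"
              "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyzAB\n",
    ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                   "b3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    ".ssh/config": "Host bastion\n  HostName bastion.corp.example\n  User jane\n"
                   "  IdentityFile ~/.ssh/id_rsa\n",
    ".netrc": "machine api.example.com\nlogin jane\npassword hunter2\n",
    ".aws/credentials": "[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    ".bash_history": "ssh bastion\ncurl -H 'Authorization: Bearer ghp_...' https://api.github.com\n",
    ".vimrc": "set number\nsyntax on\n",
}

if __name__ == "__main__":
    found = scan_repo(SAMPLE_REPO)
    for f in sorted(found, key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line)):
        print(f"{f.severity:6} {f.path}:{f.line} {f.rule}")
    print("summary:", summarize(found), "block push:", should_block(found))
```

Two caveats a practitioner should keep in mind: the `.aws/credentials` file is caught only by its path, because the secret access key has no recognisable prefix and needs an entropy heuristic rather than a regex; and a scan at push time is too late for secrets already in history, so anything the scanner flags should be treated as compromised and rotated, not merely removed from the working tree.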
dc.description.sponsorship
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds (Vienna Science and Technology Fund)
-
dc.language.iso
en
-
dc.subject
Personal software configurations
en
dc.subject
Secret exposure
en
dc.subject
Github
en
dc.subject
Dotfiles
en
dc.subject
Developer Survey
en
dc.subject
Information Leakage
en
dc.title
Connecting the .dotfiles: Checked-In Secret Exposure with Extra (Lateral Movement) Steps
en
dc.type
Inproceedings
en
dc.type
Conference paper (Konferenzbeitrag)
de
dc.contributor.affiliation
Max Planck Institute for Informatics, Germany
-
dc.relation.isbn
979-8-3503-1184-6
-
dc.relation.doi
10.1109/MSR59073.2023
-
dc.relation.issn
2574-3848
-
dc.description.startpage
322
-
dc.description.endpage
333
-
dc.relation.grantno
ICT19-056
-
dc.type.category
Full-Paper Contribution
-
dc.relation.eissn
2574-3864
-
tuw.booktitle
IEEE/ACM 20th International Conference on Mining Software Repositories (MSR)
-
tuw.container.volume
Piscataway
-
tuw.relation.publisherplace
IEEE
-
tuw.project.title
IoTIO: Analysis of the Internet of Insecure Things
-
tuw.researchTopic.id
I4
-
tuw.researchTopic.name
Information Systems Engineering
-
tuw.researchTopic.value
100
-
tuw.publication.orgunit
E194-01 - Research Unit Software Engineering
-
tuw.publication.orgunit
E192-06 - Research Unit Security and Privacy
-
tuw.publication.orgunit
E194-03 - Research Unit Business Informatics
-
tuw.publisher.doi
10.1109/MSR59073.2023.00051
-
dc.description.numberOfPages
12
-
tuw.author.orcid
0000-0003-1496-0531
-
tuw.author.orcid
0000-0001-7001-4481
-
tuw.event.name
2023 IEEE/ACM 20th International Conference on Mining Software Repositories
en
tuw.event.startdate
15-05-2023
-
tuw.event.enddate
16-05-2023
-
tuw.event.online
On Site
-
tuw.event.type
Event for scientific audience
-
tuw.event.place
Melbourne
-
tuw.event.country
AU
-
tuw.event.presenter
Cito, Jürgen
-
tuw.event.track
Multi Track
-
wb.sciencebranch
Computer Science
-
wb.sciencebranch.oefos
1020
-
wb.sciencebranch.value
100
-
item.languageiso639-1
en
-
item.openairetype
conference paper
-
item.grantfulltext
restricted
-
item.fulltext
no Fulltext
-
item.cerifentitytype
Publications
-
item.openairecristype
http://purl.org/coar/resource_type/c_5794
-
crisitem.author.dept
E194-03 - Research Unit Business Informatics
-
crisitem.author.dept
E192-06 - Research Unit Security and Privacy
-
crisitem.author.dept
E194-01 - Research Unit Software Engineering
-
crisitem.author.dept
Max Planck Institute for Informatics
-
crisitem.author.dept
E192-06 - Research Unit Security and Privacy
-
crisitem.author.dept
E194-01 - Research Unit Software Engineering
-
crisitem.author.orcid
0000-0003-1496-0531
-
crisitem.author.orcid
0000-0001-7001-4481
-
crisitem.author.parentorg
E194 - Institute of Information Systems Engineering
-
crisitem.author.parentorg
E192 - Institute of Logic and Computation
-
crisitem.author.parentorg
E194 - Institute of Information Systems Engineering
-
crisitem.author.parentorg
E192 - Institute of Logic and Computation
-
crisitem.author.parentorg
E194 - Institute of Information Systems Engineering
-
crisitem.project.funder
WWTF Wiener Wissenschafts-, Forschungs- und Technologiefonds (Vienna Science and Technology Fund)