I am using a Raspberry Pi device for experimentation purposes, and I had to temporarily enable SSH on it via the public Internet, which can be a monumentally bad idea if the machine where the service is enabled is not properly secured. The problem is less related to SSH itself, and more to the default configuration which is used by some folks. That is, they use passwords to authenticate.
When building tools that authenticate against other APIs, more often than not I need to manage private keys and secrets. The challenge is that sometimes it’s very easy to forget the fact that the key is sitting somewhere in a configuration file, and it will be accidentally checked in to the repository. With the proliferation of tools like trufflehog, that’s generally not a position you want to be in. A lot of services are being proactive about it, and when a leaked key is detected, it will be automatically revoked (notice how someone attempted to use it within minutes of the leak).
This weekend I spent some time reworking foggycam, the open-source tool to record Nest camera footage locally and to the cloud.