The author of this article should consider following their own advice, since they have a woefully outdated RSA-1024 SSH key securing their GitHub account.
It would still take a long ass time to brute force a 1024 unless there is no brute force detection. Alternatively, capturing the traffic can allow brute forcing the applied algorithm itself.
I wasn't commenting on the strength of RSA-1024, per se, but on the assumed age of that key. OpenSSH's ssh-keygen hasn't defaulted to 1024-bit RSA keys since before version 4.2, in 2005. (I had to look it up: https://www.openssh.com/releasenotes.html)
You can still generate a 1024-bit RSA key, but someone would have to go out of their way to do so, and I can't imagine why they would have done that in the past .. decade?
> I can't imagine why they would have done that in the past .. decade?
Maybe they aren't using software keys, but rather a low quality/older/small-kb hardware token or following the default guide for one? The vast majority supported 2048 in 2010 though..
It's a public key, you can perform the "brute force" (factorisation) entirely offline, to derive the private key. Hypothetically. For now, RSA-1024 is too expensive to crack, for mere mortals.
$ curl -s https://github.com/apenwarr.keys > blah
$ ssh-keygen -l -f blah
1024 SHA256:1IWAUSXOcCKLcmOdAec8JbDt3T75udA4KSpRosEWUaU no comment (RSA)
(update: they have now replaced it with a 2048-bit RSA key. progress.)
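Added example, not part of any comment in this thread: a small auditor that reads OpenSSH public key lines (the format served at a `.keys` URL or stored in `authorized_keys`), reports the RSA modulus size and SHA256 fingerprint the way `ssh-keygen -l` does, and flags short RSA keys. The function names, the 2048-bit threshold and the sample keys are assumptions made for the example; the samples are constructed and are not real keys.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048  # assumed policy threshold, not stated in the thread


def _read_string(blob, offset):
    """Read one RFC 4251 length-prefixed field; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def audit_line(line):
    """Return (key_type, rsa_bits_or_None, fingerprint, weak) for one key line."""
    fields = line.split()
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type.decode() != fields[0]:
        raise ValueError("type label does not match key blob")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if key_type != b"ssh-rsa":
        return fields[0], None, fp, False      # size check applies to RSA only
    _e, off = _read_string(blob, off)          # public exponent
    n, off = _read_string(blob, off)           # modulus
    bits = int.from_bytes(n, "big").bit_length()
    return fields[0], bits, fp, bits < MIN_RSA_BITS


def _mpint(value):
    # Minimal big-endian encoding with room for the sign bit (RFC 4251 mpint).
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_rsa_line(bits):
    """Constructed sample: a well-formed ssh-rsa line with a dummy modulus."""
    n = (1 << (bits - 1)) | 1   # right size only, not a real RSA modulus
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    for sample in (make_rsa_line(1024), make_rsa_line(2048)):
        print(audit_line(sample))
```

Feeding it each line of a downloaded `.keys` file gives the same bit count and fingerprint columns as `ssh-keygen -l -f`, plus a boolean that can fail a CI or onboarding check.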