
Woah, too many negative comments here. We wanted to model it like Shodan where we would provide a searchable interface for secrets on the web, starting with GitHub.

We are removing the search functionality and account upgrades right now until we can come up with a better solution to inform people about secret leaks. For now, you can simply use the existing Check my GitHub button to scan your public repos.




The data is public, there is absolutely nothing wrong with this and you should put it back online.


I absolutely agree. Most of the negative comments on here are nothing more than apologists for incompetence. Like with all security research the solution is to expose the defect to the world. If people didn't want their passwords and keys exposed to the world then they shouldn't put them on public github for all the world to see.

It would be more helpful though if such a search engine could auto create an issue on github when exposed secrets come up in a search result.


Most of the data on there is not meant to be public. It's just a tool to abuse people's ignorance, disguised as a "research tool".


Yet public it is.


Folks who actually exploit GitHub secrets have scrapers hooked onto GH API (so that if you notice you just pushed a password, quickly reverting it won't help you). IMHO you should re-enable the search functionality as it will ultimately make the developer community better at what it does.


Why not use this info to assign a "leak" score to repos that have such info? Don't give anyone the details via a search interface but do rank the various public repos by the number of such leaks. That way the repo owners get a fair warning and a reputation hit without exposing the details of what is being leaked.


HN can be an echo chamber. Keep it online. The world is bigger than HN.


I don't have a problem with it. The only reason you are getting negative comments is that there will be a few HN members biting their nails.


Of course, that's because you did something morally wrong.

This is different than what people label as 'echo chamber'. In there you'd have either 100% love or hate.

Having mixed responses verging toward hate says you screwed up and the general public doesn't approve of it.


They didn't do anything morally wrong. The data is already public and easily searchable with a few regex tricks. They just made it a tiny bit more convenient but anyone that's thought of this as a source of credentials can easily scrape it themselves.

If anything what they're doing might help shine a light on how big of an issue this actually is and provide a helpful corpus of data to train algorithms on to detect this better.

The issue at this point is far too big to be able to go around and notify everyone about this. There's also plenty of repositories that are abandoned or maintainers that are MIA so you'll never be able to properly resolve all of it.
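The "few regex tricks" mentioned in the comment above, combined with the "leak score" ranking proposed earlier in the thread, as an added illustration. This is not the tool under discussion and not code from any commenter; the pattern set is a small illustrative subset (real scanners carry hundreds of rules plus entropy checks), the repository contents are constructed sample data, and the AWS value is the placeholder key ID that AWS's own documentation uses.

```python
"""Toy secret scanner: regex detection over file contents plus a per-repo
"leak score". Added example, not the tool discussed in the thread."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Assumption: a few well-known secret formats, enough to show the technique.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"
    ),
    # No leading \b so DB_PASSWORD / ADMIN_PASSWORD still match.
    "hardcoded_password": re.compile(r"(?i)password\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

# Cheap false-positive filter for password-looking strings that are clearly placeholders.
PLACEHOLDERS = re.compile(r"(?i)(example|changeme|your_|xxx|<.*>)")


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, rule_name, matched_text) for every finding in `text`."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if rule == "hardcoded_password" and PLACEHOLDERS.search(match.group(0)):
                    continue  # skip obvious dummy values
                hits.append((lineno, rule, match.group(0)))
    return hits


def leak_scores(repos: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Rank repos (name -> {path: content}) by number of findings, highest first.

    This is the 'leak score' idea: a count per repo, with no secret values exposed.
    """
    counts: Counter = Counter()
    for repo, files in repos.items():
        counts[repo] = sum(len(scan_text(content)) for content in files.values())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample data standing in for cloned public repositories.
SAMPLE_REPOS: Dict[str, Dict[str, str]] = {
    "alice/webapp": {
        "config/settings.py": (
            "DEBUG = True\n"
            "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"  # AWS docs placeholder
            "DB_PASSWORD = 'hunter2-but-longer'\n"
        ),
        "deploy/id_rsa": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEexampleNotARealKey\n"
            "-----END RSA PRIVATE KEY-----\n"
        ),
    },
    "bob/cli-tool": {
        "README.md": "Set password = 'changeme-please' before running.\n",
    },
    "carol/dotfiles": {
        ".env": "GITHUB_TOKEN=ghp_" + "A1b2C3d4" * 4 + "Z9y8" + "\n",
    },
}


if __name__ == "__main__":
    for repo, score in leak_scores(SAMPLE_REPOS):
        print(f"{score:3d}  {repo}")
```

Running the block prints only repo names and counts, which is the point of the ranking proposal: the owner and the public learn that a repo leaks, without the search interface handing out the values. The findings from `scan_text` (line numbers and matched strings) are what a private notification to the owner would carry. Note that scanning the working tree alone misses secrets that were committed and then reverted; a real scanner walks every commit, which is exactly why the "quickly reverting it won't help you" comment above holds.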


Morality depends on current life views, upbringing, societal norms etc. You may disagree and that is fully in your right.

However, account for the fact that not all HN readers are from the US. In other countries what they did is in some cases against the law (promoting/enabling criminal behaviour and activities/etc).


I'm not from the US so that's already accounted for.


This is part of the disclosure debate that's been going on in the security industry for decades now. Some people take an aggressive full-disclosure stance and believe every flaw should be publicized immediately and some take a non-disclosure stance and say flaws should never be published until they've become entirely irrelevant.

Most have come to the middle and settled on a "responsible disclosure" paradigm, where researchers notify the maintainers and work with them to set a reasonable timeline for the correction of the issue. The issue is publicly disclosed somewhere between 30-90 days after the private disclosure to maintainers; this gives them time to correct the issue and push out updates, and it also incentivizes them to fix the issue instead of sitting on it forever and allowing it to be exploited as a zero-day.

It would've been good to see this paradigm applied here; the search could've sent a message to the repository owner with a note that the result would become public in 60 days, and to ensure all keys had been rotated and that secrets were no longer stored in git after that point.

In any case, none of these people are operating from a morally dubious perspective. I would suggest you refrain from impugning their motives. Virtually everyone in the security community has the end goal of promoting secure software. Aggressive full disclosure advocates believe that their methods will work most effectively not only at getting issues that exist fixed ASAP, but also at ensuring companies adopt strong and safe practices moving forward, since there won't be second chances.



