Edit: when I try to go back to the homepage from the "Install GitHub Integration" page, I'm redirected back. Probably just paranoia... but still. I want to learn more about the people behind this before clicking this button.
Edit 2: no Twitter, no incorporated entity, no names of the people behind this, nothing to reassure. No account management screen I can see, no way to revoke GitMonkey's access. Is this just a massively dodgy idea?
Otherwise, GH would still have the approval on file (there's no way for them to know you deauthorized on the GitMonkey side) so they'd instantly be able to get a token again.
Posted here a few months ago.
Calling attention to detect-private-key and detect-aws-credentials (disclaimer-ish: I was the original contributor on the latter hook, but it has been expanded a lot since then).
edit: obviously each dev needs to have this set up, not a catch-all third party tool.
I originally made a bunch of commits that included my config.py file. I realized later that I didn't want that public, so I added it to the ignore and had git remove it. However, if you look through my commit history, you can still see the config.py changes in earlier commits and the keys are buried in there. Since I was/am a git noob, I didn't create branches for those commits. They all went to master, so they're in the commit history of the master branch.
I'm guessing this tool is scanning the branches themselves, but you may want to scan the commit history within those branches if GitHub will let you. Idiots like me that don't know how to use Git properly are probably the ones more likely to make this mistake!
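The gap described in the comment above (a secret removed from the working tree but still present in earlier commits) is why a scan should walk the full history rather than just the branch tips. The following is an added example, not GitMonkey's code or the commenter's: a small Python scanner over `git log -p --all` output, with constructed detection patterns and a constructed sample log; `scan_repo` assumes `git` is on PATH.

```python
import re
import subprocess

# Credential shapes of the kind pre-commit hooks such as detect-aws-credentials
# and detect-private-key look for (patterns constructed for this example).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_history(patch_text):
    """Map each secret found in `git log -p --all` output to the commits that added it."""
    findings = {}
    commit = None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        # Only inspect added lines ('+', but not the '+++' file header), so the
        # commit that introduced the secret is flagged even if a later one removed it.
        elif line.startswith("+") and not line.startswith("+++"):
            for name, pat in SECRET_PATTERNS.items():
                for m in pat.finditer(line):
                    findings.setdefault(f"{name}:{m.group(0)}", set()).add(commit)
    return findings

def scan_repo(path="."):
    """Scan every reachable commit on every branch and tag of a local repo, not just HEAD."""
    log = subprocess.run(["git", "-C", path, "log", "-p", "--all"], capture_output=True, text=True, check=True).stdout
    return scan_history(log)

# Constructed sample: config.py with a key committed first, then deleted one commit later.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
diff --git a/config.py b/config.py
--- a/config.py
+++ /dev/null
@@ -1 +0,0 @@
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
commit 1111111111111111111111111111111111111111
diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
"""

if __name__ == "__main__":
    for secret, commits in scan_history(SAMPLE_LOG).items():
        print(secret, "introduced in", sorted(commits))
```

The sample key is AWS's documented placeholder; on the sample log the scanner reports it only against the commit that added it, which is exactly the commit a tip-only scan of master would miss.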
Whether you realize it or not, you're advocating for increasing surface area and risk. You're offering a service to people with bad opsec while simultaneously asking them to trust your opsec; none of which is a good solution to the actual problem.
>(also as a 2nd security layer)
Except when it's not. That means it gives careless folks a false sense of security, which I think conveys more risk than no security at all.
Of course, you'd need to collect all the secrets beforehand, but if you are willing to do that, it would seem to be a better solution.
I was thinking this and later I fell asleep and had this dream, where my girlfriend kept saying, "Hey... Hey... Hey..." over and over again. I woke up and it turns out there was a bird chirping every few seconds at the same interval.
Time is strange, though. I saw a Star Trek episode recently where there was time dilation on this particular planet. They were trying to beam out the occupants. It got me thinking, if I could beam out to a spaceship where, say, every second on the spaceship was a year on planet Earth, would I do it? I have this vague feeling of regret, like I'm missing all those moments in between on Earth while I'm there. I suppose I'd experience the same number of moments, spread out as they were, though.
For example, if a dozen EC2 instances are launched with credentials poached from GitHub to mine bitcoins, I know AWS used to remove the rogue extra charge from the customer bill, as a token of gratitude (to avoid losing the customer by a sense of defenselessness).
"Scan 58f90084fa38b600114b33ea succerssfully started."
Also the "Profile" and "settings" links don't go anywhere.
Pro-tip: use `git add -p`
- No imprint or any other kind of information about who is behind this service on their website
- Testimonials which talk about leaked credentials and not about how GitMonkey saved them