
Interesting: https://github.com/search?p=4&q=gmail_password&ref=s...

https://github.com/search?p=4&q=secret_token&ref=sea...




Or SSH private keys.

https://github.com/search?q=path%3A.ssh%2Fid_rsa&type=Co...

-----


That is not the only disturbing part. An SSH private key by itself is not much of a threat, but bundled together with known_hosts it is a recipe for disaster.

-----


https://github.com/gomachan/dotfiles/tree/master/.ssh

-----


At least now someone can push to his GitHub account to remove it for him. :-)

-----


Not if he has a passphrase, right?

-----


Correct.

-----


Why would people put dotfiles like ssh keys up on public github?

This kind of thing is best suited for a private repo (GitHub is still OK, just make it private), because it's most likely of no use to anyone but that single user.

-----


I would not suggest that it's okay even for a private repo. Never let your private keys leave your machine or its dedicated, encrypted backup.

-----


Although I would never do this myself, if the keys themselves are encrypted with a password and then uploaded, it's not nearly as bad.

-----
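The two comments above (a leaked key is much less useful if it is passphrase-protected; a leaked known_hosts tells the attacker where the key works) can be checked mechanically. The following is an added example, not code from the thread or from GitHub: it parses the private-key formats OpenSSH writes (the `openssh-key-v1` container, PKCS#8, and legacy PEM) to decide whether a key is encrypted, and lists the hosts a known_hosts file reveals. The sample `.ssh` directory is constructed test data: the OpenSSH blobs contain only the header fields, not real key material, and the host names are made up.

```python
"""Triage a leaked ~/.ssh directory: which keys are passphrase-protected, and
which hosts does known_hosts hand to an attacker?  (Added example; sample data
below is constructed and contains no real key material.)"""
import base64
import re
import struct

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\s*(.*?)-----END \1-----", re.S)


def _ssh_string(buf: bytes, off: int):
    """Read one length-prefixed 'string' (RFC 4251 wire format) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def openssh_key_header(blob: bytes):
    """Return (cipher, kdf) from an 'openssh-key-v1' private key blob.
    Unencrypted keys carry 'none'/'none'; passphrase-protected keys carry
    e.g. 'aes256-ctr'/'bcrypt'.  Only the header is parsed, never the key."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(magic)
    cipher, off = _ssh_string(blob, off)
    kdf, off = _ssh_string(blob, off)
    _kdfopts, off = _ssh_string(blob, off)   # bcrypt salt + rounds when encrypted
    return cipher.decode(), kdf.decode()


def classify_private_key(text: str):
    """Return {'format', 'encrypted', ...} for the first PEM block in text, or None."""
    m = PEM_BLOCK.search(text)
    if not m:
        return None
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        cipher, kdf = openssh_key_header(base64.b64decode("".join(body.split())))
        return {"format": "openssh", "encrypted": cipher != "none", "cipher": cipher, "kdf": kdf}
    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "pkcs8", "encrypted": True}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8", "encrypted": False}
    if label.endswith(" PRIVATE KEY"):        # legacy RSA/DSA/EC PEM with optional headers
        headers = [ln.strip() for ln in body.splitlines() if ":" in ln]
        return {"format": "pem",
                "encrypted": any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)}
    return None


def hosts_from_known_hosts(text: str):
    """Return (plaintext host names, count of hashed entries).  Entries written
    with 'HashKnownHosts yes' look like '|1|salt|hash' and name no host."""
    hosts, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):         # @cert-authority / @revoked marker
            fields = fields[1:]
        if fields[0].startswith("|1|"):
            hashed += 1
        else:
            hosts.extend(fields[0].split(","))
    return hosts, hashed


def _fake_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed test data: header-only openssh-key-v1 blob, no key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_SSH_DIR = {   # constructed stand-in for a committed dotfiles/.ssh tree
    "id_ed25519": _fake_openssh_key("none", "none"),
    "id_rsa": _fake_openssh_key("aes256-ctr", "bcrypt"),
    "id_rsa.old": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   "QUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n"),
    "known_hosts": ("github.com ssh-rsa AAAAB3Nza...\n"
                    "[bastion.example.com]:2222,10.0.0.5 ecdsa-sha2-nistp256 AAAAE2Vj...\n"
                    "|1|c2FsdA==|aGFzaA== ssh-ed25519 AAAAC3Nz...\n"),
}


def report(files: dict) -> dict:
    """Summarise a leaked .ssh directory given {filename: contents}."""
    out = {"unprotected_keys": [], "protected_keys": [], "hosts": [], "hashed_hosts": 0}
    for name, content in files.items():
        info = classify_private_key(content)
        if info:
            (out["protected_keys"] if info["encrypted"] else out["unprotected_keys"]).append(name)
        elif name == "known_hosts":
            out["hosts"], out["hashed_hosts"] = hosts_from_known_hosts(content)
    return out


if __name__ == "__main__":
    print(report(SAMPLE_SSH_DIR))
```

On the sample directory this reports `id_ed25519` as unprotected and `id_rsa` and `id_rsa.old` as passphrase-protected, and shows that `github.com`, `[bastion.example.com]:2222` and `10.0.0.5` are readable from known_hosts while the hashed entry gives nothing away. Setting `HashKnownHosts yes` in ssh_config is what turns the second case into the third; an unencrypted key plus a plaintext known_hosts is the combination the comment above calls a recipe for disaster.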


In the case of ssh keys, you usually should use a different key per device/home directory and let your server accept all the keys.

-----


And that was just the one on the first page of results I got.

-----


Nothing new about that, you didn't need github's improved search to do it.

https://www.google.com/search?q=site%3Agithub.com+inurl%3A.s...

-----


Or Bitcoin RPC password!

-----


A hacker-with-a-heart-of-gold will write a script to harvest these emails and send them a warning message with a link to this thread.

-----


The one time those spammy GitHub bots could be put to good use.

-----


Most of those are examples or dummy data. Most of the messages this bot sends will be annoying and unwanted.

-----


That is terrifying, I just logged in with three separate accounts and they worked. Obviously I logged out without fucking around with anything; why mess with somebody's professional work.

This is dangerous. But then again, is it Github's responsibility to keep these people from shooting themselves in the foot?

-----


is it Github's responsibility to keep these people from shooting themselves in the foot?

No.

-----


http://en.wikipedia.org/wiki/Rhetorical_question

-----


Actually I'd like the presence of a "Report fool user" button just after "Report user"

-----


Out of the ones I tried fb_secret seemed to have the most real results.

https://github.com/search?q=fb_secret&type=Code&ref=...

-----


Or variations of AWS Secret https://github.com/search?q=aws+secret&type=Code&ref...

-----


Someone is interested in what you and I have to say: https://github.com/ruggeri/hn-local-copy

Found via Github search

-----


I'm one of the students of App Academy (which Ned Ruggeri is co-founder of). The reason for that is that today one of the tasks was to create a version of HN in our terminals. HN was blocking people due to repeated requests and thus Ned made a local version of HN for students to use.

-----


Creepy...

That's Ned Ruggeri, co-founder of App Academy (http://www.appacademy.io/). His HN account: http://news.ycombinator.com/user?id=ruggeri

-----


I think github should keep an active list of filters that they apply to all code submitted to their service.

Such as when it is a key file, or is a known credential file -- "amazon_s3.yml" for example, they should send a warning to the committer.

And then show a big red flag on the website if the repo is public.

And of course, remove the results from search.

I know it's not github's responsibility, but it would help make the web a bit safer.

-----
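The filters the comment above asks GitHub for can be applied on the committer's side today, before anything reaches a public repo. The following is an added example, not GitHub's code and not from the thread: a git pre-commit hook that refuses staged files whose names are classic credential files (`.ssh/id_*`, `amazon_s3.yml`, `.aws/credentials`, `*.pem`), whose contents carry a private key block, or which assign a literal value to one of the names searched for in this thread (`gmail_password`, `secret_token`, `fb_secret`, `aws_secret*`, `crypto_key`, `rpcpassword`). Because most search hits are dummy data, values that look like placeholders or environment lookups are skipped. The file name patterns and placeholder heuristics are this example's own choices; the sample inputs are constructed (the AWS pair is the documented example key pair, not a live credential).

```python
#!/usr/bin/env python3
"""Pre-commit hook: block private keys, credential files and hard-coded secrets
before they are committed.  Install as .git/hooks/pre-commit (chmod +x).
Added example; the patterns below are heuristics chosen for this example."""
import re
import subprocess
import sys

# File names that are almost never legitimately committed.
CREDENTIAL_PATHS = re.compile(
    r"(^|/)(\.ssh/(id_[a-z0-9]+|known_hosts)|\.aws/credentials|amazon_s3\.ya?ml|"
    r"\.netrc|\.pgpass|[^/]*\.(pem|p12|pfx|key))$"
)
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----")
# Names from the thread's searches, assigned with ':' or '='; the value is captured.
SECRET_ASSIGN = re.compile(
    r"(?i)\b(gmail_password|secret_token|fb_secret|aws_secret(?:_access)?(?:_key)?|"
    r"crypto_key|rpcpassword)\s*[:=]\s*['\"]?([^'\"\s,;]+)"
)
AWS_SECRET_SHAPE = re.compile(r"^[A-Za-z0-9/+]{40}$")          # AWS secret access keys are 40 chars
PLACEHOLDER = re.compile(
    r"(?i)^(x+$|\*+$|<|\$|your[_-]|changeme|example|dummy|todo|none$|null$|"
    r"os\.environ|env\[|getenv|process\.env)"
)


def looks_like_placeholder(value: str) -> bool:
    """Dummy values and environment lookups make up most search hits; skip them."""
    return bool(PLACEHOLDER.match(value)) or len(value) < 8


def scan_blob(path: str, content: str) -> list:
    """Return human-readable findings for one file; empty list means clean."""
    findings = []
    if CREDENTIAL_PATHS.search(path):
        findings.append(f"{path}: credential file name")
    if PRIVATE_KEY.search(content):
        findings.append(f"{path}: contains a private key block")
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in SECRET_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            if looks_like_placeholder(value):
                continue
            tag = " (AWS secret key shape)" if AWS_SECRET_SHAPE.match(value) else ""
            findings.append(f"{path}:{lineno}: {name} assigned a literal value{tag}")
    return findings


def scan_all(files: dict) -> list:
    """Scan {path: content} pairs; used both by the hook and for offline runs."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_blob(path, content))
    return findings


def staged_files() -> list:
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def staged_content(path: str) -> str:
    # ':path' addresses the index (what will be committed), not the working tree.
    raw = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return raw.decode("utf-8", "replace")


SAMPLES = {   # constructed inputs for an offline run; none are real credentials
    "dotfiles/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEA...\n"
                            "-----END OPENSSH PRIVATE KEY-----\n",
    "config/amazon_s3.yml": "production:\n  access_key_id: AKIAIOSFODNN7EXAMPLE\n"
                            "  aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
    "config/example.yml": "fb_secret: xxxxxxxxxxxxxxxx\nsecret_token: <your token here>\n",
    "app.rb": "gmail_password = ENV['GMAIL_PASSWORD']\n",
}


def main(argv: list) -> int:
    if "--selftest" in argv:
        findings = scan_all(SAMPLES)
    else:
        findings = scan_all({p: staged_content(p) for p in staged_files()})
    for f in findings:
        print("pre-commit: " + f, file=sys.stderr)
    if findings:
        print("pre-commit: refusing to commit; use --no-verify only if every hit is dummy data",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--selftest` to see it on the constructed samples: the `.ssh/id_rsa` file is flagged twice (name and key block), `amazon_s3.yml` is flagged for its name and for the 40-character secret, and the `xxxxxxxx` / `<your token here>` / `ENV[...]` cases are ignored, which is the distinction the "most of those are examples or dummy data" comment is worried about. A hook like this only protects the committer who installs it; the server-side warning the comment asks for would need the same checks on push.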


It took me all of two seconds to think of the same thing, too. Here's hoping this is a big net win for parameterized security tokens.

-----


I found out about that a short time ago while crawling GitHub with Nuuton. A lot of people don't seem to be security aware. This is one of those things that search allows you to have fun with (by fun I mean be surprised, and by with I mean to only look and not use). You should see the stuff to be found on Facebook.

-----


real "crypto_key" is pretty widespread as well :(

-----



