




That is not the only disturbing part. SSH private key by itself is not much of a threat, but bundled together with known_hosts is a recipe for disaster.



At least now someone can push to his GitHub account to remove it for him. :-)


Not if he has a passphrase, right?


Correct.


Why would people put dotfiles like ssh keys up on public github?

This kind of thing is best suited for a private repo (github is still ok, just make it private) - cause it's most likely of no use to anyone but that single user.


I would not suggest that it's okay even for a private repo. Never let your private keys leave your machine or its dedicated, encrypted backup.


Although I would never do this myself, if the keys themselves are encrypted with a password and then uploaded, it's not nearly as bad.


In the case of ssh keys, you usually should use a different key per device/home directory and let your server accept all the keys.


And that was just the one on the first page of results I got.


Nothing new about that, you didn't need github's improved search to do it.

https://www.google.com/search?q=site%3Agithub.com+inurl%3A.s...


Or Bitcoin RPC password!


A hacker-with-a-heart-of-gold will write a script to harvest these emails and send them a warning message with a link to this thread.


The one time those spammy GitHub bots could be put to good use.


Most of those are examples or dummy data. Most of the messages this bot sends will be annoying and unwanted.


That is terrifying, I just logged in with three separate accounts and they worked. Obviously I logged out without fucking around with anything; why mess with somebody's professional work.

This is dangerous. But then again, is it Github's responsibility to keep these people from shooting themselves in the foot?


is it Github's responsibility to keep these people from shooting themselves in the foot?

No.



Actually I'd like the presence of a "Report fool user" button just after "Report user".


Out of the ones I tried fb_secret seemed to have the most real results.

https://github.com/search?q=fb_secret&type=Code&ref=...



Someone is interested in what you and I have to say: https://github.com/ruggeri/hn-local-copy

Found via Github search


I'm one of the students of App Academy (which Ned Ruggeri is co-founder of). The reason for that is because today one of the tasks was to create a version of HN in our terminals. HN was blocking people due to repeated requests and thus Ned made a local version of HN for students to use.


Creepy...

That's Ned Ruggeri, co-founder of App Academy (http://www.appacademy.io/). His HN account: http://news.ycombinator.com/user?id=ruggeri


I think github should keep an active list of filters that they apply to all code submitted to their service.

Such as when it is a key file, or is a known credential file -- "amazon_s3.yml" for example, they should send a warning to the committer.

And then show a big red flag on the website if the repo is public.

And of course, remove the results from search.

I know it's not github's responsibility, but it would help make the web a bit safer.
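The filter this comment proposes is easy to run on your own side before anything reaches a public repo. The following is an added example, not code from GitHub or from anyone in this thread: it scans files about to be committed for the key filenames and credential identifiers mentioned above (id_rsa, amazon_s3.yml, fb_secret, crypto_key, the Bitcoin rpcpassword), checks whether a detected private key actually has a passphrase (the point raised earlier in the thread), and flags the private-key-plus-known_hosts combination called out at the top. The filename and identifier lists are my own assumptions, and the sample OpenSSH envelope is constructed for demonstration.

```python
import base64
import re
import struct

# Filenames the thread names as dangerous to publish (this list is an assumption, extend it).
SUSPECT_NAMES = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|amazon_s3\.yml|known_hosts)$")
# Identifiers from the thread (fb_secret, crypto_key, Bitcoin rpcpassword) assigned a literal value.
SECRET_ASSIGN = re.compile(r"\b(fb_secret|crypto_key|rpcpassword)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]*?)PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def openssh_cipher(b64_body: str) -> str:
    """Cipher name stored in an 'openssh-key-v1' blob; 'none' means no passphrase was set."""
    raw = base64.b64decode("".join(b64_body.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])  # length-prefixed cipher name follows the magic
    return raw[off + 4:off + 4 + n].decode()

def scan_file(path: str, text: str) -> list[str]:
    """Findings for one file: suspect name, private key (and whether encrypted), secret literal."""
    findings = []
    if SUSPECT_NAMES.search(path):
        findings.append(f"{path}: filename matches a key or credential file")
    m = PEM_HEADER.search(text)
    if m:
        if m.group(1) == "OPENSSH ":
            body = text.split(m.group(0), 1)[1].split("-----END", 1)[0]
            encrypted = openssh_cipher(body) != "none"
        else:  # legacy PEM ("Proc-Type: 4,ENCRYPTED") or PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
            encrypted = "ENCRYPTED" in text
        findings.append(f"{path}: {'passphrase-protected' if encrypted else 'UNENCRYPTED'} private key")
    for s in SECRET_ASSIGN.finditer(text):
        findings.append(f"{path}: literal value assigned to {s.group(1)}")
    return findings

def scan_tree(files: dict[str, str]) -> list[str]:
    """Scan a whole tree and flag the key + known_hosts combination the thread warns about."""
    findings = [f for p, t in files.items() for f in scan_file(p, t)]
    if any("UNENCRYPTED" in f for f in findings) and any(p.endswith("known_hosts") for p in files):
        findings.append("repo: unencrypted private key committed next to known_hosts")
    return findings

def sample_openssh_key(cipher: str = "none") -> str:
    """Constructed header-only 'openssh-key-v1' envelope for demonstration (not a real key)."""
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Wire `scan_tree` into a pre-commit hook over the staged files and refuse the commit on any finding; a key that passes as passphrase-protected is still better kept out of the repo entirely.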


It took me all of two seconds to think of the same thing, too. Here's hoping this is a big net win for parameterized security tokens.


I found out about that a short time ago while crawling github with Nuuton. A lot of people don't seem to be security aware. This is one of those things that search allows you to have fun with (by fun I mean be surprised, and by with I mean to only look and not use). You should see the stuff to be found on facebook.


Real "crypto_key" is pretty widespread as well :(



