That is not the only disturbing part. An SSH private key by itself is not much of a threat, but bundled together with known_hosts it is a recipe for disaster.
That is terrifying, I just logged in with three separate accounts and they worked. Obviously I logged out without fucking around with anything; why mess with somebody's professional work.
This is dangerous. But then again, is it Github's responsibility to keep these people from shooting themselves in the foot?
I'm one of the students of App Academy ( which Ned Ruggeri is co-founder of ).
The reason for that is that today one of the tasks was to create a version of HN in our terminals. HN was blocking people due to repeated requests and thus Ned made a local version of HN for students to use.
I found out about that a short time ago while crawling github with Nuuton. A lot of people don't seem to be security aware. This is one of those things that search allows you to have fun with (by fun I mean be surprised, and by with I mean to only look and not use). You should see the stuff to be found on facebook.
Thank goodness. This is the part of GitHub that has been driving me up the wall for months. Google is pretty useless in this area when you're looking for something buried within a repo.
Fantastic job, it works beautifully. Congratulations (to GitHub and to Elastic Search - I'm sure it's a big win for them too!)
It still exists at https://code.google.com/codesearch though it no longer searches everything, only those repositories hosted on googlecode.com itself.
Excellent feature. Thanks for making life a little better for a lot of us.
On a side note, I wonder how long before it'll be used to find security flaws in code (that results in an exploit) - I bet there are hundreds of hard-coded passwords, insecure defaults etc. all over the place.
Is anyone else impressed by how quickly and successfully* GitHub has been rolling out new features over the past few months? I think almost every one of their new features has in some way made my life a little easier.
https://github.com/search?p=4&q=secret_token&ref=sea...
https://github.com/search?q=path%3A.ssh%2Fid_rsa&type=Co...
https://www.google.com/search?q=site%3Agithub.com+inurl%3A.s...
No.
https://github.com/search?q=fb_secret&type=Code&ref=...
Found via Github search
That's Ned Ruggeri, co-founder of App Academy (http://www.appacademy.io/). His HN account: http://news.ycombinator.com/user?id=ruggeri
Such as when it is a key file, or is a known credential file -- "amazon_s3.yml" for example, they should send a warning to the committer.
And then show a big red flag on the website if the repo is public.
And of course, remove the results from search.
I know it's not github's responsibility, but it would help make the web a bit safer.
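The commit-time warning suggested above, plus the earlier point that a private key paired with known_hosts is what makes a leak dangerous, as an added example that is not part of the original thread: a Python pre-commit hook that blocks a commit when a staged file's name, path or contents look like a credential. The file-name and directory lists are assumptions, not anything GitHub does.

```python
"""Pre-commit hook that refuses private keys and well-known credential files (added example)."""
import re
import subprocess
import sys
from pathlib import PurePosixPath
# Assumed file names that commonly hold credentials. known_hosts is included
# because, paired with a leaked private key, it says where that key logs in.
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ed25519", "known_hosts", "amazon_s3.yml", ".htpasswd"}
SENSITIVE_DIRS = {".ssh", ".aws"}
KEY_HEADER = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")

def classify(path, data):
    """Return the reasons a file looks like a credential (empty list if clean)."""
    p = PurePosixPath(path)
    reasons = []
    if p.name in SENSITIVE_NAMES:
        reasons.append("well-known credential file name '%s'" % p.name)
    if any(part in SENSITIVE_DIRS for part in p.parts[:-1]):
        reasons.append("stored under sensitive directory '%s'" % p.parent)
    if KEY_HEADER.search(data):
        reasons.append("contains a PEM private-key header")
    return reasons

def scan(files):
    """files: {path: bytes}. Returns only the entries that should be blocked."""
    hits = {}
    for path, data in files.items():
        reasons = classify(path, data)
        if reasons:
            hits[path] = reasons
    return hits

def staged_files():
    """{path: bytes} for files staged as added/modified, read from the git index."""
    cmd = ["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"]
    names = [n.decode() for n in subprocess.check_output(cmd).split(b"\0") if n]
    return {n: subprocess.check_output(["git", "show", ":" + n]) for n in names}

# Constructed sample of what a careless commit might stage (not real keys).
SAMPLE_FILES = {
    ".ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    ".ssh/known_hosts": b"host.example ssh-rsa AAAA...\n",
    "config/amazon_s3.yml": b"access_key_id: EXAMPLE\nsecret_access_key: EXAMPLE\n",
    "README.md": b"# my project\n",
}

if __name__ == "__main__":  # run with --demo to scan SAMPLE_FILES instead of git
    blocked = scan(SAMPLE_FILES if "--demo" in sys.argv else staged_files())
    for path, reasons in blocked.items():
        print("BLOCKED %s: %s" % (path, "; ".join(reasons)), file=sys.stderr)
    sys.exit(1 if blocked else 0)
```

Install it as `.git/hooks/pre-commit` to have git refuse the commit; a non-zero exit is what aborts it.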
Here's an interesting article describing how it worked: http://swtch.com/~rsc/regexp/regexp4.html
Kudos to the whole team.
* Granted, uptime might have been a casualty.
Bravo, Github!