Who's watching private repos turn public? We leaked 75 AWS keys to find out - Codatus
codatus.com
We made 75 GitHub repos public on a timer and logged who came. The internet finds a public repo in 6 minutes, and without enterprise tools, you'd never know it flipped.

Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they’re in.

The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it.

This came out of building a monitor for exactly these repo-setting changes.

  • squaresinger
    97·
    5 days ago

    Info for anyone reading, while the read was quite interesting, the whole article turned out to be an ad.

    • FrostyPolicy@suppo.fi
      17·
      5 days ago

      From the post description this made it obvious it’s an ad for something. Otherwise it sounded like someone actually made reasearch on the subject.

      This came out of building a monitor for exactly these repo-setting changes.

    • peternovakdev@programming.devOP
      4·
      4 days ago

      Fair to call out. This did come out of me building a product in the space, and I’d rather disclose that than bury it. The method and numbers are real, happy to get into either.

      • squaresinger
        3·
        4 days ago

        Yeah, the article was a good read, nothing wrong with that. But I think it’s important to make it clear what the intent is.