Update: They got & reported him.
Most of you will have seen the news about various private files
being hosted on github as this little has taken the Internet by
storm yesterday. Obviously most of those files can be found via
Google and other means as well, but this exposure is a bit worse
inasmuch as people will keep on updating their secret information
automagically and continuously.
Personal favourites that used to work until yesterday
known_hosts (not hashed and in combination with
And various other config and history files for AWS, RT, whatnot.
Plus, it was really easy to search for certain actions
. Another fun thing to look for were
variables setting passwords, hosts, etc.
Ironically, having the SSH identity files means anyone is able
to change pretty much anything about a person's repositories on
github. This includes files like
basically allows complete takeover of any account and often the machine
that file is sourced from.
Which reminds me that I still need to add a way for vcsh
to only merge commits
that have a tag signed with a trusted key and warn for everything
else, but I digress.
None of this is a problem with github specifically; it's a
problem with users who don't think their actions through. And this
is non-trivial for github or anyone else to fix as there are
potentially endless sources of otherwise secret information.
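One user-side mitigation for the problem just described, as an added example that is not part of the original post or of vcsh: a git pre-commit hook that refuses to stage the kinds of files mentioned above (SSH identities, known_hosts, shell history, AWS credentials) or any file whose content looks like a private key. The path list and the PEM pattern are my own assumptions, not a complete catalogue.

```bash
#!/bin/sh
# Added example (not from the original post): pre-commit hook that blocks
# secret-bearing files from ever entering a dotfiles repository.
# The denylist below is an assumption; extend it for your own setup.

# Return 0 if the path is one we never want in a (potentially public) repo.
is_denied_path() {
    case "$1" in
        .ssh/id_*|*/.ssh/id_*) [ "${1%.pub}" = "$1" ] && return 0 ;;  # private half only
    esac
    case "$1" in
        .ssh/known_hosts|*/.ssh/known_hosts) return 0 ;;
        .bash_history|.zsh_history|*/.bash_history|*/.zsh_history) return 0 ;;
        .aws/credentials|*/.aws/credentials|.aws/config|*/.aws/config) return 0 ;;
        .netrc|*/.netrc) return 0 ;;
    esac
    return 1
}

# Return 0 if the file content carries a PEM private-key header.
looks_like_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null
}

# Read staged paths (one per line on stdin); report each offender on stderr.
# Returns 1 if anything was refused, 0 if the commit may proceed.
check_staged() {
    bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if is_denied_path "$path"; then
            echo "refusing to commit secret-bearing path: $path" >&2
            bad=1
        elif [ -f "$path" ] && looks_like_private_key "$path"; then
            echo "refusing to commit private key material in: $path" >&2
            bad=1
        fi
    done
    return "$bad"
}

# When installed as .git/hooks/pre-commit, git runs this with no arguments;
# feed it the list of added/copied/modified staged files.
if [ "${0##*/}" = "pre-commit" ]; then
    git diff --cached --name-only --diff-filter=ACM | check_staged || exit 1
fi
```

Install it as `.git/hooks/pre-commit` (executable) in each dotfiles repository; it is a local safety net only and does nothing for secrets already pushed, which is what the help article linked below addresses.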
Initially, I sent email to github's quite responsive security
team asking them to forbid certain queries and to email users who
checked in their private data by accident and left it at that. They
got back to me extremely fast, promising to do their best (as of
right now, no queries I tried work any more) and after some
conversation asked me to link to their help
article on removing sensitive data
if I were to blog about
The topic itself has been covered extensively, github did their
best to keep user data private, and so the above could have been
done without, but...
...I have gotten word of 4chan's
sleuthing their way through various files and at least one
incident of people finding direct evidence of child pornography in
a Zsh history file. Sadly, this story found its way to me without a
link and the person who saw the thread read it on a tablet,
preserving neither the URL nor local cache. They saw it on
2013-01-24 at around 2200 UTC.
If you, or someone you know, saw anything plainly illegal,
immoral, and simply wrong... please report it to the relevant
authorities or at least github. As I suspect that there's some
overlap between the subscribers of the various planets I am
aggregated on and /g/, this may reach the right eyes. Between the
account name, a verified email address, access logs with IPs, and
possibly a real name, it should be comparatively easy to find
anyone you report.