this post was submitted on 13 Jun 2026
53 points (83.5% liked)

Programming

27246 readers
217 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 3 years ago
MODERATORS
snowe@programming.dev
Ategon@programming.dev
UlrikHD@programming.dev
bugsmith@programming.dev
Spyro@programming.dev
53
We made 75 private repos public on a timer. The internet noticed in 6 minutes. (codatus.com)
submitted 8 hours ago by peternovakdev@programming.dev to c/programming@programming.dev
13 comments fedilink hide all child comments
 

Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they're in.

The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it.

This came out of building a monitor for exactly these repo-setting changes.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] RamenJunkie@midwest.social 7 points 2 hours ago (1 children)

The real question.

Are people watching private repos go public? Or are people watching for exposed credentials?

Like if I make a Snake game in Python, then make it randomly go public, would anyone notice or care?

[โ€“] peternovakdev@programming.dev 1 points 5 minutes ago

This is what I struggled with myself, whether basing the research on people using the key is even relevant. But to get the key, they first have to be watching repos go public. So the watching is the common step, whatever the motive behind it. That's where the 6 minutes comes from.