We made 75 private repos public on a timer. The internet noticed in 6 minutes.

submitted by peternovakdev to programming 31 points | 7 comments https://codatus.com/blog/we-leaked-75-aws-keys-to-see-who-watches-public-repos/ Live AWS keys in 75 throwaway repos, each made public for one of five windows from 60 seconds to 12 hours, every use logged. The keys were tripwires; the real question was who notices a private repo going public, and what they do once they’re in. The most useful finding is the dull one: re-hiding the repo does nothing. One busy harvester kept re-validating the captured keys for a day after the repos went private again. Only rotating the key stops it. This came out of building a monitor for exactly these repo-setting changes.