undefined | Better HN

0 pointsKronisLV2mo ago0 comments

> During development you don't use prod data, though.

I’ve seen projects where testing is done in prod and also projects where API keys for some external services (e.g. Mapbox) are shared across prod and dev. Or cases where credentials end up in Git repos (edit: wrote GitHub originally, but meant typically non-public repos on any platform) due to ease of use and how inadequate secret management solutions can be.

Luckily that’s not the majority of projects, but I bet it happens a lot more elsewhere. Definitely a bunch for your average outsourced/freelance/scrappy/non-funded project.

Whether anyone will actually use your secrets or even code that’s sent to these large AI shops, though, that’s another question. You might as well question using GitHub cause it’s owned by M$.

0 comments

fragmede2mo ago

honey pot that shit. attackers, security companies, GitHub themselves, are all crawling GitHub for leaked credentials and will tell you that they've been leaked. GitHub very much knows what a GitHub API key looks like. So you stick a GitHub API key with the least useful permission you can think of into your secrets file. If that file ever gets uploaded to GitHub, they'll cancel the key and email you about it, so then you know the rest of the keys in that file have been leaked as well.

j / k navigate · click thread line to collapse

0 pointsKronisLV2mo ago0 comments

> During development you don't use prod data, though.

Luckily that’s not the majority of projects, but I bet it happens a lot more elsewhere. Definitely a bunch for your average outsourced/freelance/scrappy/non-funded project.

Whether anyone will actually use your secrets or even code that’s sent to these large AI shops, though, that’s another question. You might as well question using GitHub cause it’s owned by M$.

0 comments

fragmede2mo ago

j / k navigate · click thread line to collapse