This is really silly. The end-game is a coarse geolocation? Most people use real names on Github, or freely discuss their locality on Reddit... You don't even need the ssh keys (or the honeypot!) to tie a username to a specific area.<p>Seriously, if you can design a honeypot that can convince programmers to log in with SSH, maybe you should just launch a Start-up.
Ridiculous. You might as well "honeypot" the Internet by encouraging people to mail a letter to you. Now you have their mailing address because it's the return address on the envelope!!!
A lot of the comments here are along the lines of "My identity is public anyway."<p>That response is ridiculous. Should you have been operating under a pseudonym, this would be a way to tie that pseudonym to your real name.<p>I should be told that my public keys are made available by Github. Had I been, I wouldn't have had a public key on my account.
Better idea: check which of those keys are in the Debian Weak SSH Keys list and own their GitHub accounts (or find if they have any servers and start SSHing into them).<p>Less nefariously: send them an email asking to regenerate the key.
This made me think - It would be kind of awesome to have contest or show of extremely convoluted Rube Goldberg style systems to obtain run of the mill targeting data.<p>My entry would be to mass import everyones commit logs and use a machine learning alg to find gaps that correspond to popular broadcast television shows.
All users' public ssh keys are also available through the API:<p><a href="http://developer.github.com/v3/users/keys/" rel="nofollow">http://developer.github.com/v3/users/keys/</a><p>It seems mostly harmless, but I'm not sure I see the point of making this information available.
Half-baked is right. If I can't trust my public key to be safely available to the public, I might as well just give up and go home.<p>There's perhaps a meta-hack here on how to get to HN front page (albeit on a sunday) with a fairly silly "hack" idea.
If the idea is to demonstrate leaky personally identifying material I'm surprised that your scraping of usernames results in only a list of usernames, and not a big database of different usernames, and fora, and projects, and interconnections.<p>That kind of data mining would probably be reasonably scary.<p>I'm not sure I understood the rest of it. The site rachelbythebay.com would have a public key for Bob from github, and try to get Bob to log in using his private key?
Is it trivially possible to <i>determine</i> the public key based on an SSH authentication attempt (without knowing the private key)? If not, then does it not make it <i>less</i> secure to broadcast it?<p>While maybe this is "okay" for github to publish, they run a security-sensitive service and hidden API surprises like this could give some folks the impression that they don't take security seriously enough.
So, half-baked ideas are the topic, right?<p>Turn the idea on its head: Find a way to use SSH based authentication for services and allow people to connect with their GitHub account, find a clever way to map AuthorizedKeysFile (via fuse or something) to <a href="https://github.com/%u.key" rel="nofollow">https://github.com/%u.key</a> (yeah, won't directly work that way of course).
I'm pretty sure you can find my location from any number of other things, such as geotagged photos I post, so this doesn't seem like such a terrible intrusion. Not to mention that "log in to this server, we already have your public key set up and ready" isn't exactly inviting.
A simpler method and probably just as effective is to ask ... I'm in Boalsburg, PA. The reality is that you can't do much with my public key <i>other</i> than giving me permissions, which I'm free to use or ignore. If I lose my private keys, I'm going to be scrambling!
I went digging to figure out how I came up with this loopy notion, and it brought me right back to HN. It looks like the seed was planted back on the 4th when I saw this post:<p><a href="https://news.ycombinator.com/item?id=5495982" rel="nofollow">https://news.ycombinator.com/item?id=5495982</a><p>Basically, I saw that and went "wait, how does it get the key?", went digging, and found the keys endpoint. The rest evolved from there.
This doesn't make any sense. You could just mail out links to each person and get the same data (IP, geolocation). Usernames themselves leak much more info.
This post has received quite a lot of negativity but I think there's an interesting idea behind it. Whilst it may not be a privacy or security risk, imagine how creepy it would be to connect to a server to see a project or whatever, only to be greeted by your name, job, location, etc. Until you figured out how it was done, it would be quite concerning.
There are people who re-use their github key?<p>I don't think there are that many anonymous githubs accounts out there. Feel free to prove me wrong though.