when i wore a younger fool's cap
A few grumpy remarks about the amazing tale of Slack bot tokens on GitHub. Auth tokens used for business accounts get committed into Jurassic Park quote bots saved on GitHub, allowing random passersby to eavesdrop on your paradigm-shifting startup’s latest pivot? That didn’t happen back in my day! Of course, since then, multiple changes have combined to change the world. A perfect storm of convergence and disruption.
First off, let’s start with the centralized Slack service. Even if somebody stole your chat server credentials, they wouldn’t be of much use if your chat server wasn’t in the cloud. We used to run an IRC server with no credentials at all because it was only on the internal network. Not terribly secure, but we got by. If I built an IRC bot one weekend, it wouldn’t come with credentials for a critical service because it wasn’t developed with credentials for a critical service.
People have been doing weekend hacks for as long as there have been weekends, but you did it to see what was possible. Maybe to look cool in front of your friends. But you didn’t go to a hackathon to build a widget for some product’s API to look good for a panel of judges. If I spent my weekend building a fun hack, it would make some blinklights boop and bop, not some company’s logo zip and zoom.
GitHub isn’t just your resume, it’s your life. Without a profile bursting with activity, your work doesn’t exist and neither do you. Consequently, everything you do, whether of consequence or not, needs to be published for the world to see. If I chose to publish my weekend hack, credentials and all, it would not be on a globally consolidated searchable site, but on a personal site where a friend would perhaps be more likely to discover my mistake.
And finally, even if I were to build a chat bot, upload it complete with my silc credentials, and announce it for all the world, the creds would be for nothing more than my personal lolchat account. Not my serious business account integrated with all the production servers. But these days we achieve work-life balance by making them synonymous.
In isolation, these four (to cut myself off before I ramble) changes aren’t necessarily bad, though the combination leads to the potential for widespread mayhem that didn’t exist before. Sometimes the right question is, wouldn’t it be cool? Other times the right question is, what could go wrong? Ah ah ah... you didn’t say the magic word.