> > I do see one other possible option:
> It may have been someone who knew about the vulnerability and, fearing
> that something might go wrong in the future, decided to take action now.
>
> In that case, however, I believe that it would have been ethical and
> appropriate for them to reach out to me.
>
Actually, the date that the account was created (March 9th) is highly correlated with the most recent identity attack on a major project on GitHub (March 6th).

I could see another possibility - that GitHub did the quickest possible hack to disable re-registration of accounts with repos with more than 100 stars - insert a dummy user into the database - but didn't go through the effort of coding up redirects for dummy users to the real ones yet.

I notice that my new redirects are still intact, just my old redirects (which was one of the ways I was alerted to the problem) are broken.

If it's an attacker they could create a repository with the same name as one of my old repos at any time and take it over. However, if it's just a quick duct tape fix from GitHub, that also makes sense and would mostly bring me peace.

I would like to be able to slap a "now @solderjs" on there, but if the redirects stay in place and it's not actually an attacker account, that would ease my mind quite a bit.

AJ ONeal
https://git.coolaj86.com

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
