Hopefully Helpful

To one of us, anyway

Sharing Environment Between Machines

To facilitate setup of new machines, I keep configuration on GitHub at kristjan/.dotfiles and kristjan/.vim. This way, all I have to do to set up my environment is install Git and clone those repos. .dotfiles comes with an install script that just symlinks each dotfile from ~/.dotfiles/$FILE to ~/$FILE.

A problem, though, is that some tools—like things that talk to GitHub—need a private token or other data to exist somewhere in my configuration. I can’t go putting those in a public repo, so until now I’ve had to either look them up or copy them from an old machine. This time, the old machine is my old laptop sitting at home and available via SSH thanks to Back to my Mac. Rather than remember the ID BTMM assigns me as part of its lengthy hostname, I have another environment variable that also doesn’t belong in a repo. These things were sitting in my configs where I had to git patch around them and ran the risk of at some point accidentally pushing them out.

The solution I’ve landed on is to store these in Dropbox and load them before the rest of my configs and helpers. The top of my .bashrc looks like this:

HELPERS="
  Dropbox/.env
  .aliases
  .functions
  .nvm/nvm.sh
"

# $HELPERS stays unquoted so the list splits into one path per iteration
for helper in $HELPERS; do
  if [ -f "$HOME/$helper" ]; then
    . "$HOME/$helper"
  fi
done

And Dropbox/.env contains:

export GITHUB_TOKEN=<token>
export BOBBLE_HOST=bobble.<id>.members.btmm.icloud.com

Now my configs are public and easy to trade with people (which I do regularly to learn new tricks), but private or irrelevant data is safely where only I can see it (assuming the integrity of Dropbox). During setup, I just install Dropbox before I clone my dotfiles, and everything is slightly more magical.
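
A permissions check for the secrets file, as an added example that is not part of the original .bashrc: it sources Dropbox/.env only when the file is owned by the current user and carries no group or other permission bits, because "where only I can see it" also depends on the file mode on each machine. The names PRIVATE_HELPERS, PUBLIC_HELPERS, is_private_file and load_helpers are assumptions made for this example.

```shell
# Added example, not the author's code. All names below are hypothetical.
PRIVATE_HELPERS="Dropbox/.env"                  # files that hold tokens
PUBLIC_HELPERS=".aliases .functions .nvm/nvm.sh"

# Return 0 only if $1 is a regular file, owned by the current user,
# with no permission bits set for group or others.
is_private_file() {
  [ -f "$1" ] && [ -O "$1" ] || return 1
  # Characters 5-10 of the `ls -l` mode string are the group and other bits;
  # -L resolves a symlink so the target's mode is what gets checked.
  [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Source every helper found under base directory $1 (normally $HOME).
load_helpers() {
  local base="$1" helper
  for helper in $PRIVATE_HELPERS; do
    [ -e "$base/$helper" ] || continue          # not synced yet: skip quietly
    if is_private_file "$base/$helper"; then
      . "$base/$helper"
    else
      echo "skipping $base/$helper: not private, run chmod 600 on it" >&2
    fi
  done
  for helper in $PUBLIC_HELPERS; do
    if [ -f "$base/$helper" ]; then
      . "$base/$helper"
    fi
  done
}

# In .bashrc, replacing the loop above:
#   load_helpers "$HOME"
```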

How to Disassociate Your Google Account From Someone Else’s

I frequently get emailed new account information by people who are some subset of [confused, foreign, children] and believe that my email address is their email address. What I didn’t realize, or perhaps noticed but promptly forgot, is that 10 solid people had used my GMail address as the backup address when they created their Google account. This is the address to which you can send a password reset should you ever lose access to your main account.

There is a rather large security flaw in this system, though granted one only brought on by user error: None of these 10 accounts were verified by me as being validly attached to their primary account. That is, when the confused user listed my address as secondary, I either did not receive a confirmation email before the two could be linked, or I certainly ignored it. The result is that by virtue of a simple typo, a stranger can get full access to your GMail account, and by extension probably everything you do online.

Not only that, but you can find out which accounts list yours as the secondary, so even in the absence of verification notifications, a complete set of exploitable accounts is readily available.

Happily for these 10 hapless internet users, I was not in a playful/evil mood when I discovered this, so I spent the past 15 minutes severing the connections. Which, by the way, is somewhat roundabout unless I missed a page.

  1. Enter your email address at https://www.google.com/accounts/ForgotPasswd?service=mail&fuOnly=1
  2. For each address sent to you, request a password reset from GMail, or some other Google login
  3. At the bottom of each password reset email is a link to disavow the account

I also sent these folks a nice email describing what had happened and recommending that they be more careful in the future. I only hope they speak English / read it properly, because otherwise I’m sure to get a good set of interesting, upset replies.