May 5, 2019

Proof of concept: Snotify

Hi IH,

I came up with an idea during my day job and took a week to build it out.
The emailing functionality doesn't work yet at the moment (I'm still messing with DNS a bit and that takes time to propagate) but I would already like to ask you for feedback.

In particular,

  • Is it clear what Snotify is for?
  • Would you use it? (why/why not?)

This is the link: https://snotify.cs-syd.eu

#landing-page-feedback

  1. 3

    I'd recommend the same suggestions @duliba mentioned.

    However, I'm on the fence about using it myself. Idea is cool and I'd want to use it at my full-time job and side projects. However, how/why should I trust you with access to read all my source code? Also, in the event that you did find a secret, I would now be worried that your tool saw the secret itself. Might be worth showcasing some of your security practices (e.g. what data you store, how you send notifications, what you do when reading my code, where will encryption be used, etc.). Could look to GitHub or BitBucket for inspiration on this as people already trust them with their code.

    1. 1

      Hi! Thank you for your response.

      At the moment snotify only works for public repositories, so all data that snotify can see is already publicly available.

      But I will keep this in mind if snotify ever supports private repositories.

    2. 1

      Good suggestion, maybe develop at first as a Bitbucket plugin? Will also get you early exposure.

  2. 2

    Hi Tom!

    The name, as mentioned by others, made me kind of wonder what to expect (the "snot" aspect raised my eyebrows).

    Initially I did not know what you meant with secrets but then when I saw "SSH and Stripe secrets" I understood you are talking about sensitive content such as passwords that are open to the public.

    I'd personally go with a different name like, I don't know, Gitlock or something, and mention "sensitive content" such as passwords and keys instead of going with "secrets".

    Neat idea though, although I wonder that once you are aware of such problems (having passwords or sensitive data open to the public), which you have to be when you want to use your product, if you still actually need it. Do you understand? Once I am aware this might be an issue in my projects, just being aware of this might already allow me to simply take out the sensitive data.

    Hope that helps a bit. All the best!

    Valentijn

    1. 1

      Neat idea though, although I wonder that once you are aware of such problems (having passwords or sensitive data open to the public), which you have to be when you want to use your product, if you still actually need it. Do you understand? Once I am aware this might be an issue in my projects, just being aware of this might already allow me to simply take out the sensitive data.

      I do have this exact concern, and I'm not sure how to deal with it yet.

      But as suggested by @brendan0powers, maybe it would work for a team.

      1. 1

        Good point. The value will be in the streamlining of finding and hiding all this sensitive data. I think especially for people that work with that at scale (maybe in teams) a simple tool that eliminates the risk of exposing the data should be helpful.

  3. 2

    I read the name as rhyming with "Spotify" (sounds like the word snot) which I'm pretty sure isn't the intent. Just something to think about.

    1. 1

      Actually this was a happy accident. I find it quite funny.

    2. 1

      Ditto, read it as Snot-ify. Was struggling to imagine what it'd do.

  4. 2

    Yep, I understood what you mean by secrets but that's because I'm a developer. I think you should add a section there explaining what "secrets" are (passwords, API keys, etc.), and perhaps show some code examples (connection to server via SSH with a password, implementation of Google authentication with an API key)?

  5. 1

    Thank you for the great response, everyone!

  6. 1

    Clever idea that would be very useful to some organizations. It's similar to an uptime or SSL monitor, you don't need it until you do. Many organizations can never open source older projects because the history is riddled with sensitive data.

    1. 1

      It's similar to an uptime or SSL monitor, you don't need it until you do.

      This is a great piece of feedback, thank you!

  7. 1

    @Norfair I could see this being useful for a small co that runs a few WordPress sites, or other CMS - If it were a plugin that called out "secrety" stuff, like commented out usernames/passwords in code snippets etc...
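The kind of "secrety" patterns discussed in the thread (the request above for code examples of what a secret looks like, such as an SSH password or an API key, and the commented-out username/password case in the comment just above) can be made concrete with a small scanner. The following is an added example, not Snotify's code and not written by anyone in this thread; the rule patterns, the sample file and every credential-looking value in it are constructed for illustration. It also only keeps a masked form of each match, which is one answer to the earlier worry that the tool itself would see and hold the secret.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    mask: bool = True  # False when the matched text itself is not sensitive (a key header)


# Illustrative rules (an assumption for this example, not Snotify's detection logic).
# Each pattern captures the sensitive value in the "secret" group so it can be masked.
RULES = [
    Rule("private-key-header",
         re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----)"),
         mask=False),
    Rule("stripe-live-key", re.compile(r"\b(?P<secret>sk_live_[A-Za-z0-9]{8,})\b")),
    Rule("hardcoded-password",
         re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"](?P<secret>[^'\"]{4,})['\"]")),
    # No leading \b here so GOOGLE_API_KEY, MY_TOKEN, etc. still match.
    Rule("generic-api-key",
         re.compile(r"(?i)(?:api[_-]?key|secret[_-]?key|token)\s*[:=]\s*['\"](?P<secret>[A-Za-z0-9_\-]{16,})['\"]")),
]

# Lines that start like a comment in common languages. A credential left in a
# commented-out line is just as exposed in a public repository as one in live code.
COMMENT_PREFIX = re.compile(r"^\s*(?:#|//|/\*|\*|--|<!--|;)")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    commented_out: bool
    redacted: str  # what would be stored or sent in a notification: never the full secret


def mask(secret: str) -> str:
    """Keep a short prefix so the owner can recognise the credential, hide the rest."""
    keep = min(4, len(secret) // 2)
    return secret[:keep] + "*" * (len(secret) - keep)


def scan_text(text: str) -> List[Finding]:
    """Run every rule over every line; report commented-out lines too."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        commented = COMMENT_PREFIX.match(line) is not None
        for rule in RULES:
            for m in rule.pattern.finditer(line):
                secret = m.group("secret")
                shown = mask(secret) if rule.mask else secret
                findings.append(Finding(line_no, rule.name, commented, shown))
    return findings


# Constructed sample file; every value below is made up for this example.
SAMPLE = """\
# deploy.sh (constructed)
# ssh deploy@host  # password="Hunter2-2019"  -- left here "temporarily"
export GOOGLE_API_KEY="EXAMPLE-google-auth-key-0123456789abcdef"
export STRIPE_KEY="sk_live_CONSTRUCTEDEXAMPLE1234"
cat > id_rsa <<EOF
-----BEGIN RSA PRIVATE KEY-----
EOF
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        flag = " (commented out)" if f.commented_out else ""
        print(f"line {f.line_no}: {f.rule}{flag}: {f.redacted}")
```

Running it on the constructed sample reports four findings (the commented-out password, the API key, the Stripe key and the private key header); the notification payload carries only the masked value, so a leak report does not itself become a second copy of the secret.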

  8. 1

    Who's the target audience for the page? Targeting software developers who already understand the problem of leaking credentials may not be that profitable. As such a developer, I'm pretty careful about not committing credentials, and wouldn't be likely to purchase this service for my own repositories.

    It might make sense to target larger teams who may have developers that might accidentally commit credentials without understanding the consequences. Perhaps it might make sense to target the page at non-technical managers in that organization? Heading off the potential damage caused by leaked credentials might be an appealing message.

    1. 1

      Hi! Thanks for commenting!

      Perhaps it might make sense to target the page at non-technical managers in that organization?

      This is great feedback, thank you.

  9. 1

    I understood what "secrets" are but I didn't get what notifications are (even if I'm a dev). Is it about changes? setting up? removing? adding?