How do they differentiate bogus keys from real keys? In my projects I deliberately include keys that are valid, but won't get you into anything but 'local' applications running with no sensitive data. There are plenty of valid reasons (integration tests, clone-and-run dev applications, etc) to have 'valid' but practically useless keys in github.

Except that Amazon is a terible example, as SSL is used for many security intensive purposes. For example, how would there not be a frenzy in the banking and securities industries? My bank, for example, displays account numbers in full on the screen. Seems like they would be forced to shut down accesses indefinitely, and since my bank is online-only, it means huge loss of business if not going out of business.