
digitalmars.D - D Github contributors - enable 2 factor authentication

reply Walter Bright <newshound2 digitalmars.com> writes:
https://news.ycombinator.com/item?id=12259176

Apparently github users are increasingly being targeted.
Aug 09 2016
next sibling parent reply Kagamin <spam here.lot> writes:
They probably wanted his private code, otherwise the attack is futile.
Aug 10 2016
parent Walter Bright <newshound2 digitalmars.com> writes:
On 8/10/2016 3:40 AM, Kagamin wrote:
 They probably wanted his private code, otherwise the attack is futile.
Perhaps, but I don't want a malicious actor being able to hose the dlang repository. Too many people depend on it to risk that sort of thing.
Aug 10 2016
prev sibling next sibling parent reply Steven Schveighoffer <schveiguy yahoo.com> writes:
On 8/10/16 12:20 AM, Walter Bright wrote:
 https://news.ycombinator.com/item?id=12259176

 Apparently github users are increasingly being targeted.
Done. Didn't realize about this issue, of course, probably shouldn't use a crappy password on your DNS server... In any case, should be 0 impact, since all my github traffic goes via ssh key. -Steve
Aug 10 2016
parent reply Walter Bright <newshound2 digitalmars.com> writes:
On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
 Done.
Thanks!
 In any case, should be 0 impact, since all my github traffic goes via ssh key.
Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.
Aug 10 2016
parent reply Seb <seb wilzba.ch> writes:
On Wednesday, 10 August 2016 at 23:22:24 UTC, Walter Bright wrote:
 On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
 Done.
Thanks!
 In any case, should be 0 impact, since all my github traffic 
 goes via ssh key.
Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.
FYI: You (as org admin) can check whether everyone of the organization has 2FA enabled: https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/
Aug 10 2016
parent reply Walter Bright <newshound2 digitalmars.com> writes:
On 8/10/2016 4:41 PM, Seb wrote:
 FYI: You (as org admin) can check whether everyone of the organization has 2FA
 enabled:

 https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/
Thanks! OMG, looks like only about a fifth have 2FA.
Aug 10 2016
parent reply Jonathan M Davis via Digitalmars-d <digitalmars-d puremagic.com> writes:
On Wednesday, August 10, 2016 18:34:56 Walter Bright via Digitalmars-d wrote:
 On 8/10/2016 4:41 PM, Seb wrote:
 FYI: You (as org admin) can check whether everyone of the organization has
 2FA enabled:

 https://help.github.com/articles/ensuring-that-organization-members-have-e
 nabled-two-factor-authentication/
Thanks! OMG, looks like only about a fifth have 2FA.
I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out. :( - Jonathan M Davis
Aug 10 2016
parent reply qznc <qznc web.de> writes:
On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
 I just enabled it because of this thread, but in general, I'm 
 paranoid about two-factor auth and don't use it for much. My 
 domain registrar (and thus DNS) is one of the few places that I 
 have it enabled. I'm just too worried about getting locked out. 
 The very thing that makes it more secure significantly 
 increases the risk of you having a problem that locks you out.
This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
Aug 11 2016
next sibling parent reply Jonathan M Davis via Digitalmars-d <digitalmars-d puremagic.com> writes:
On Thursday, August 11, 2016 07:33:45 qznc via Digitalmars-d wrote:
 On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis

 wrote:
 I just enabled it because of this thread, but in general, I'm
 paranoid about two-factor auth and don't use it for much. My
 domain registrar (and thus DNS) is one of the few places that I
 have it enabled. I'm just too worried about getting locked out.
 The very thing that makes it more secure significantly
 increases the risk of you having a problem that locks you out.
This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
I would expect the lockout issue to come from issues with your phone. I almost got locked out by my domain registrar previously, because I changed phone providers, and stupidly, that meant that I couldn't get the SMS messages anymore - even though my phone number hadn't changed. Fortunately, I was finally able to get it fixed with them, but it took a while. But I'd be even more worried about depending on an app on your phone (like is sometimes the case with two-factor auth), since that won't necessarily then work with another phone with the same number, in which case, changing phones could lose you access - and while you might be able to plan for that by doing something like turning off two-factor temporarily when switching phones, if your phone died, you won't have been able to do that. As long as nothing goes wrong with your second factor, you'll probably be fine and won't get locked out of anything, but as soon as something _does_ go wrong with your second factor, you risk being locked out with no recourse. And if the company that you're dealing with for two-factor actually lets you get around the two-factor when you have a problem, then that opens the door for someone else to talk them into letting _them_ in (which is of course what the second factor is supposed to prevent). So, you either end up with a situation where you're fine as long as your second factor doesn't have problems but are screwed when it does, or you're still at risk of someone else getting into your account in spite of having the second factor. So, while in principle, two-factor auth is a great idea, there's definite risk involved with it that makes me very leery of using it. And all it takes to really screw you over is getting locked out once. - Jonathan M Davis
Aug 11 2016
next sibling parent qznc <qznc web.de> writes:
On Thursday, 11 August 2016 at 07:54:48 UTC, Jonathan M Davis wrote:
 But I'd be even more worried about depending on an app on your 
 phone (like is sometimes the case with two-factor auth), since 
 that won't necessarily then work with another phone with the 
 same number, in which case, changing phones could lose you 
 access
I use Authy. They provide desktop apps and sync in addition. So if my phone fails, I can use my laptop and vice versa. https://www.authy.com/
Aug 11 2016
prev sibling parent Jesse Phillips <Jesse.K.Phillips+D gmail.com> writes:
On Thursday, 11 August 2016 at 07:54:48 UTC, Jonathan M Davis wrote:
 I would expect the lockout issue to come from issues with your 
 phone. I almost got locked out by my domain registrar 
 previously, because I changed phone providers, and stupidly, 
 that meant that I couldn't get the SMS messages anymore - even 
 though my phone number hadn't changed.
Google and Steam do this well by marking specific machines as "private." This removes the need for two factor auth for that machine, but ultimately you want 2FA required for those who don't have physical access anyway. Github has been a little annoying since I can't do that, and Fido U2F is only supported by Chrome and I prefer firefox.
Aug 11 2016
prev sibling parent reply Walter Bright <newshound2 digitalmars.com> writes:
On 8/11/2016 12:33 AM, qznc wrote:
 On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
 I just enabled it because of this thread, but in general, I'm paranoid about
 two-factor auth and don't use it for much. My domain registrar (and thus DNS)
 is one of the few places that I have it enabled. I'm just too worried about
 getting locked out. The very thing that makes it more secure significantly
 increases the risk of you having a problem that locks you out.
This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
Yeah, I worry about being locked out as well. There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that. They do provide an option for a second phone (which I enabled) and sent a set of recovery codes. This you can put into your safety deposit box as a last resort. I keep a rolling set of backups, with one set in the safety deposit box. 2FA is going to become increasingly common, and I expect we'll all have to get used to it.
Aug 11 2016
next sibling parent Chris <wendlec tcd.ie> writes:
On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:

 Yeah, I worry about being locked out as well. There's also 
 nothing private in the dlang repository, but a malicious person 
 could just delete everything and it would be a major problem 
 for us to recover from that.

 They do provide an option for a second phone (which I enabled) 
 and sent a set of recovery codes. This you can put into your 
 safety deposit box as a last resort.

 I keep a rolling set of backups, with one set in the safety 
 deposit box.

 2FA is going to become increasingly common, and I expect we'll 
 all have to get used to it.
You could also set up an "unsuspicious" dummy repo on Github which is an identical twin of the official D repo, under a different user and repo name ("Balter Wright", Digital Neptune :)
Aug 11 2016
prev sibling next sibling parent reply ketmar <ketmar ketmar.no-ip.org> writes:
On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:
 There's also nothing private in the dlang repository, but a 
 malicious person could just delete everything and it would be a 
 major problem for us to recover from that.
only PRs. would be a refreshing change and autoclearing of PR queue. besides, authors will just resubmit 'em. there is no reason to mess with 2fa, i believe. the only thing someone can do is pushing some malicious commit, which will be found almost immediately by compromised dev (next git pull will raise an alarm with error). yet in exchange for very weak protection, one has to give his phone number to the 3rd party, and that 3rd party is known for security faults and overall low level of tech and security. if i'll be asked to give my phone number to such organisation (to *any* organisation, but well, this case is even worse), i will deny the request immediately.
Aug 11 2016
parent reply Jesse Phillips <Jesse.K.Phillips+D gmail.com> writes:
On Thursday, 11 August 2016 at 11:48:32 UTC, ketmar wrote:
 yet in exchange for very weak protection, one has to give his 
 phone number to the 3rd party, and that 3rd party is known for 
 security faults and overall low level of tech and security. if 
 i'll be asked to give my phone number to such organisation (to 
 *any* organisation, but well, this case is even worse), i will 
 deny the request immediately.
Don't use your phone, I don't. Use the App and/or hardware, no need to give out personal information. I forgot Google supports U2F also and I have it enabled, but since I don't use Chrome generally I don't get that option.
Aug 11 2016
parent reply ketmar <ketmar ketmar.no-ip.org> writes:
On Thursday, 11 August 2016 at 18:34:30 UTC, Jesse Phillips wrote:
 Don't use your phone, I don't. Use the App and/or hardware, no 
 need to give out personal information.
i'm not using smartphones at all, so no "apps". besides, without sending auth request by some other channel than internet i can't see any value in 2fa at all: how is that different from simply using my ssh key and encrypted internet channel? tbh, i have never seen any sense in all that "password" stuff at all. we have asymmetric cryptography, why are we still using passwords and "email password resets"?
Aug 11 2016
parent Jesse Phillips <Jesse.K.Phillips+D gmail.com> writes:
On Thursday, 11 August 2016 at 18:44:11 UTC, ketmar wrote:

 i'm not using smartphones at all, so no "apps". besides, 
 without sending auth request by some other channel than 
 internet i can't see any value in 2fa at all: how is that 
 different from simply using my ssh key and encrypted internet 
 channel?
Simple: your github account manages the SSH keys used to contribute code; it is also what creates pull requests for the contributions to other repos. GitHub and some others support Fido U2F and that doesn't use an internet channel for auth. Check out Yubico's Yubikey for some good hardware.
Aug 11 2016
prev sibling next sibling parent reply Steven Schveighoffer <schveiguy yahoo.com> writes:
On 8/11/16 3:59 AM, Walter Bright wrote:
 On 8/11/2016 12:33 AM, qznc wrote:
 On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
 I just enabled it because of this thread, but in general, I'm
 paranoid about
 two-factor auth and don't use it for much. My domain registrar (and
 thus DNS)
 is one of the few places that I have it enabled. I'm just too worried
 about
 getting locked out. The very thing that makes it more secure
 significantly
 increases the risk of you having a problem that locks you out.
This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
Yeah, I worry about being locked out as well.
I don't have much concern on this. I stored the github backup codes in my password/secure note manager, so I will never lose them. I did not know that if you port your number to a new provider, you would be locked out. That's surprising, but makes sense at the same time.
 There's also nothing
 private in the dlang repository, but a malicious person could just
 delete everything and it would be a major problem for us to recover from
 that.
Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork. But it would be a pain to restore.
 2FA is going to become increasingly common, and I expect we'll all have
 to get used to it.
Yeah, definitely. -Steve
Aug 11 2016
next sibling parent Jonathan M Davis via Digitalmars-d <digitalmars-d puremagic.com> writes:
On Thursday, August 11, 2016 09:05:49 Steven Schveighoffer via Digitalmars-d wrote:
 I did not know that if you port your number to a new provider, you would
 be locked out. That's surprising, but makes sense at the same time.
It probably depends on who you're dealing with. In my case, it was godaddy, and it definitely mattered with them. It may not matter with github. But the fact that it _can_ happen makes me that much more nervous about having my access to something connected to a specific device. At this point, I think that I now have two-factor enabled on all of two sites, and I'm not going to be in a hurry to enable it on more. - Jonathan M Davis
Aug 11 2016
prev sibling parent reply qznc <qznc web.de> writes:
On Thursday, 11 August 2016 at 13:05:49 UTC, Steven Schveighoffer wrote:
 There's also nothing
 private in the dlang repository, but a malicious person could 
 just
 delete everything and it would be a major problem for us to 
 recover from
 that.
Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork.
The code is pretty safe thanks to git. The comments get lost. Likewise, deleting bugzilla would be ugly. We could start signing git commits/tags for additional safety.
Aug 11 2016
next sibling parent Kagamin <spam here.lot> writes:
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
If github doesn't restore from backup, maybe mirror github repo into a gitlab repo? http://docs.gitlab.com/ce/workflow/importing/import_projects_from_github.html
 Likewise, deleting bugzilla would be ugly.
Bugzilla is backed up.
Aug 11 2016
prev sibling next sibling parent reply Kagamin <spam here.lot> writes:
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Irony. Is git still a DVCS? If you lose the central repo, you just lose.
Aug 11 2016
parent Nick Sabalausky <SeeWebsiteToContactMe semitwist.com> writes:
On 08/11/2016 10:56 AM, Kagamin wrote:
 On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Irony. Is git still a DVCS? If you lose the central repo, you just lose.
The one big thing that always annoyed me about github is that nearly all the features it adds on top of git *lack* all the benefit of using git in the first place (ex: decentralization and ability to self-host, git's famed speed, etc.)
Aug 26 2016
prev sibling parent reply sldkf <sldkf sldkf.fr> writes:
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Someone can rewrite the entire history (i.e. patch the committers' emails). This would be a major problem.
Aug 11 2016
next sibling parent ketmar <ketmar ketmar.no-ip.org> writes:
On Thursday, 11 August 2016 at 18:36:11 UTC, sldkf wrote:
 On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Someone can rewrite the entire history (i.e. patch the committers' emails). This would be a major problem.
so what? next "git pull" from any developer (not only core devs, many other people have repo clones too) will fail, that will raise an alarm --> security breach detected. besides, git allows you to cryptographically sign each commit. introduce that, and good luck rewriting history, lol.
Aug 11 2016
prev sibling parent reply "H. S. Teoh via Digitalmars-d" <digitalmars-d puremagic.com> writes:
On Thu, Aug 11, 2016 at 06:36:11PM +0000, sldkf via Digitalmars-d wrote:
 On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Someone can rewrite the entire history (i.e. patch the committers' emails). This would be a major problem.
This is not a problem. Rewritten history will have different commit hashes, and once a trusted copy of the repo is uploaded, e.g., from Walter's local copy, it will become very obvious which commits have been tampered with. In fact, just replace the repo with Walter's (or some other trusted person's) version, and the tampered commits can be simply discarded. T -- MASM = Mana Ada Sistem, Man!
Aug 11 2016
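The point made by ketmar and H. S. Teoh above (a rewritten history gets different hashes, so a clone holder's next pull refuses to fast-forward and a trusted copy exposes exactly which commits changed) can be shown without a git binary. This is an added example, not code from the thread or the dlang project: it re-implements git's commit-object hashing (SHA-1 over `commit <size>\0<body>`) on constructed commits with made-up identities.

```python
"""Why rewriting one committer e-mail is detectable: each commit hash covers the
parent's hash, so the edited commit and every descendant change hash."""
import hashlib
from typing import List, Optional, Tuple

def git_object_hash(obj_type: str, body: bytes) -> str:
    """Hash a loose object exactly as git does: '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

def commit_hash(tree: str, parent: Optional[str], author: str, message: str) -> str:
    """Build a minimal commit object and hash it. Author and committer share one
    constructed identity and a fixed timestamp to keep the example short."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines.append(f"author {author} 1470873600 +0000")
    lines.append(f"committer {author} 1470873600 +0000")
    body = ("\n".join(lines) + "\n\n" + message + "\n").encode()
    return git_object_hash("commit", body)

def build_history(commits: List[Tuple[str, str, str]]) -> List[str]:
    """commits: (tree, author, message) oldest first; returns the hash chain."""
    hashes: List[str] = []
    parent: Optional[str] = None
    for tree, author, message in commits:
        parent = commit_hash(tree, parent, author, message)
        hashes.append(parent)
    return hashes

def first_divergence(trusted: List[str], hosted: List[str]) -> Optional[int]:
    """Index of the first commit whose hash differs between a trusted local
    clone and the hosted copy; None when the shared prefix is intact."""
    for i, (a, b) in enumerate(zip(trusted, hosted)):
        if a != b:
            return i
    return None

def is_fast_forward(local: List[str], remote: List[str]) -> bool:
    """A pull succeeds silently only when local history is a prefix of the
    remote's; a rewritten ancestor makes it non-fast-forward (the 'alarm')."""
    return remote[:len(local)] == local

# Constructed history; the tree is git's well-known empty tree, identities are fake.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"
HISTORY = [
    (EMPTY_TREE, "Maintainer <maintainer@example.invalid>", "initial"),
    (EMPTY_TREE, "Contributor <c@example.invalid>", "fix #2"),
    (EMPTY_TREE, "Contributor <c@example.invalid>", "fix #3"),
]
TRUSTED = build_history(HISTORY)

# The scenario from the thread: an attacker patches one committer e-mail.
_rewritten = list(HISTORY)
_rewritten[1] = (EMPTY_TREE, "Contributor <mallory@example.invalid>", "fix #2")
REWRITTEN = build_history(_rewritten)

if __name__ == "__main__":
    print("first tampered commit:", first_divergence(TRUSTED, REWRITTEN))
    print("pull from rewritten remote is fast-forward:", is_fast_forward(TRUSTED, REWRITTEN))
```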
parent sldkf <sldkf sldkf.fr> writes:
On Thursday, 11 August 2016 at 18:50:41 UTC, H. S. Teoh wrote:
 On Thu, Aug 11, 2016 at 06:36:11PM +0000, sldkf via 
 Digitalmars-d wrote:
 On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
 The code is pretty safe thanks to git. The comments get lost.
Someone can rewrite the entire history (i.e. patch the committers' emails). This would be a major problem.
This is not a problem. Rewritten history will have different commit hashes, and once a trusted copy of the repo is uploaded, e.g., from Walter's local copy, it will become very obvious which commits have been tampered with. In fact, just replace the repo with Walter's (or some other trusted person's) version, and the tampered commits can be simply discarded. T
Not wrong, one aspect of git is that there's no "central" repository
Aug 11 2016
prev sibling parent reply "H. S. Teoh via Digitalmars-d" <digitalmars-d puremagic.com> writes:
On Thu, Aug 11, 2016 at 12:59:11AM -0700, Walter Bright via Digitalmars-d wrote:
[...]
 There's also nothing private in the dlang repository, but a malicious
 person could just delete everything and it would be a major problem
 for us to recover from that.
[...] Thankfully, it's not that bad thanks to git. Everyone who has a local clone of the dlang repo would have a copy of the code (complete with the history too!). It would be troublesome to recover from it, but not impossible, and definitely easier than other revision control systems where you may potentially have to reconstruct the repo from scratch. We *would* lose PRs and the discussions attached to them, though. That would be unfortunate, though not fatal. It might even give us a clean slate in the PR queue, which could be construed to be a good thing! ;-) The PR submitters would still have their code intact in their local repo, so no actual code would be lost. T -- My program has no bugs! Only undocumented features...
Aug 11 2016
parent reply Walter Bright <newshound2 digitalmars.com> writes:
On 8/11/2016 7:34 AM, H. S. Teoh via Digitalmars-d wrote:
 so no actual code would be lost.
Github dlang is our critical infrastructure, we should treat it accordingly. I agree we wouldn't lose the code history, but would lose just about everything else. It would take us days, maybe weeks, to get things set up again. Why risk it?
Aug 11 2016
parent reply Nick Sabalausky <SeeWebsiteToContactMe semitwist.com> writes:
On 08/11/2016 05:25 PM, Walter Bright wrote:
 On 8/11/2016 7:34 AM, H. S. Teoh via Digitalmars-d wrote:
 so no actual code would be lost.
Github dlang is our critical infrastructure, we should treat it accordingly. I agree we wouldn't lose the code history, but would lose just about everything else. It would take us days, maybe weeks, to get things set up again. Why risk it?
That right there is why gitlab is better. I realize it's too late now, but I kinda wish we had standardized on that instead of github. Unlike gitlab, github takes all the philosophy, purpose, goals and values of git (the very tool it's built for) and throws them straight out the window, replacing them with a traditional, very non-git-like MS/Facebook-style single-point-of-failure walled garden.
Aug 26 2016
parent reply Jacob Carlborg <doob me.com> writes:
On 2016-08-26 17:11, Nick Sabalausky wrote:

 That right there is why gitlab is better. I realize it's too late now,
 but I kinda wish we had standardized on that instead of github. Unlike
 gitlab, github takes all the philosophy, purpose, goals and values of
 git (the very tool it's built for) and throws them straight out the
 window, replacing them with a traditional, very non-git-like
 MS/Facebook-style single-point-of-failure walled garden.
How is GitLab any different? -- /Jacob Carlborg
Aug 26 2016
parent reply ketmar <ketmar ketmar.no-ip.org> writes:
On Friday, 26 August 2016 at 16:54:14 UTC, Jacob Carlborg wrote:
 How is GitLab any different?
at least it's engine is opensourced, and it's employers doesn't make public racists and chauvinist statements.
Aug 26 2016
parent reply ketmar <ketmar ketmar.no-ip.org> writes:
employees, lol.
Aug 26 2016
parent Basile B. <b2.temp gmx.com> writes:
On Friday, 26 August 2016 at 23:51:50 UTC, ketmar wrote:
 employees, lol.
and "its" 2 times and "don't" and "racist"
Aug 27 2016
prev sibling next sibling parent Jesse Phillips <Jesse.K.Phillips+D gmail.com> writes:
On Wednesday, 10 August 2016 at 04:20:51 UTC, Walter Bright wrote:
 https://news.ycombinator.com/item?id=12259176

 Apparently github users are increasingly being targeted.
2 Factor Auth is pretty accessible nowadays. Definitely enable it for Gmail too if you're using that service. I'd recommend using Yubikey, but the two places I've been able to make use of it are a paid-for LastPass account and Github. If you do go for a key, choose one with U2F. These keys don't get firmware updates, so as they develop new technology on the key it requires buying a new key. https://www.yubico.com/
Aug 10 2016
prev sibling next sibling parent reply Walter Bright <newshound2 digitalmars.com> writes:
Currently 11/35 have enabled 2FA
Aug 12 2016
next sibling parent reply mùsdl <mdsdl msdl.fr> writes:
On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
 Currently 11/35 have enabled 2FA
Do you have 5 hidden members?
Aug 12 2016
parent Steven Schveighoffer <schveiguy yahoo.com> writes:
On 8/12/16 10:53 AM, mùsdl wrote:
 On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
 Currently 11/35 have enabled 2FA
Do you have 5 hidden members?
Members have the option of publicly exposing their membership. -Steve
Aug 12 2016
prev sibling parent Seb <seb wilzba.ch> writes:
On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
 Currently 11/35 have enabled 2FA
FWIW GitHub added a nice feature to track down members without 2FA more easily. One can now filter members with `two-factor:disabled` (or select this via the new UI Filter).
Aug 23 2016
prev sibling parent Kagamin <spam here.lot> writes:
On Wednesday, 10 August 2016 at 04:20:51 UTC, Walter Bright wrote:
 https://news.ycombinator.com/item?id=12259176

 Apparently github users are increasingly being targeted.
BTW, what about this: https://www.reddit.com/r/programming/comments/4z2nue/dear_programmer_dont_shorten_your_fingerprint/ I'm not familiar with pgp, but was surprised to see short identifiers in the dlang keyring. Anything 32 bit can't possibly have anything secure about it?
Aug 23 2016
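Kagamin's question above is answered by how gpg derives key IDs: the 32-bit "short" ID is just the last 8 hex digits of the 160-bit fingerprint, so unrelated keys can share it and a keyring that lists only short IDs is ambiguous. This added example (not from the thread or the dlang project) parses a constructed `gpg --list-keys --with-colons` listing, in which `fpr` records carry the fingerprint in field 10, and audits identifiers as a keyring document might quote them; the two sample keys are fake and deliberately share a short ID.

```python
"""Audit PGP key identifiers: flag anything shorter than the full fingerprint
and show how many keyring entries a short ID actually matches."""
import math
from typing import Dict, List

# Constructed gpg --with-colons output (fake keys; fingerprints chosen so both
# end in the same 8 hex digits and therefore the same 32-bit short key ID).
SAMPLE_LISTING = """\
pub:u:4096:1:89ABCDEF01234567:1470873600:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1470873600::HASH::Alice Example <alice@example.invalid>::::::::::0:
pub:-:2048:1:FEDCBA9801234567:1470873600:::-:::scESC::::::23::0:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFEDCBA9801234567:
uid:-::::1470873600::HASH::Mallory Example <mallory@example.invalid>::::::::::0:
"""

def parse_fingerprints(listing: str) -> List[str]:
    """Collect full fingerprints from 'fpr' records (field 10 of the colon format)."""
    fprs = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields and fields[0] == "fpr":
            fprs.append(fields[9].upper())
    return fprs

def _norm(identifier: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the hex."""
    h = identifier.replace(" ", "").upper()
    return h[2:] if h.startswith("0X") else h

def key_ids(fingerprint: str) -> Dict[str, str]:
    """gpg derives long (64-bit) and short (32-bit) key IDs by truncation."""
    fp = _norm(fingerprint)
    return {"fingerprint": fp, "long": fp[-16:], "short": fp[-8:]}

def classify(identifier: str) -> str:
    """Name the identifier kind by hex length: 40 = fingerprint, 16 = long, 8 = short."""
    return {40: "fingerprint", 16: "long", 8: "short"}.get(len(_norm(identifier)), "unknown")

def audit(identifiers: List[str], keyring_fprs: List[str]) -> List[Dict]:
    """For each quoted identifier, report its kind, every keyring key it could
    denote, and whether it is acceptable (a full fingerprint matching one key)."""
    report = []
    for ident in identifiers:
        kind, norm = classify(ident), _norm(ident)
        matches = [fp for fp in keyring_fprs if fp.endswith(norm)] if kind != "unknown" else []
        report.append({"id": ident, "kind": kind, "matches": matches,
                       "ok": kind == "fingerprint" and len(matches) == 1})
    return report

def collision_probability(n_keys: int, bits: int = 32) -> float:
    """Birthday bound: chance that at least two of n random `bits`-bit IDs coincide."""
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / 2 ** (bits + 1))

if __name__ == "__main__":
    fprs = parse_fingerprints(SAMPLE_LISTING)
    for entry in audit(["0x01234567", "89ABCDEF01234567", fprs[0]], fprs):
        print(entry["kind"], entry["id"], "matches", len(entry["matches"]), "ok" if entry["ok"] else "NOT OK")
```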