digitalmars.D - D Github contributors - enable 2 factor authentification
- Walter Bright (2/2) Aug 09 2016 https://news.ycombinator.com/item?id=12259176
- Kagamin (2/2) Aug 10 2016 They probably wanted his private code, otherwise the attack is
- Walter Bright (3/4) Aug 10 2016 Perhaps, but I don't want a malicious actor being able to hose the dlang...
- Steven Schveighoffer (6/8) Aug 10 2016 Done. Didn't realize about this issue, of course, probably shouldn't use...
- Walter Bright (4/6) Aug 10 2016 Like a castle with its defenses in depth, security should always have mu...
- Seb (4/12) Aug 10 2016 FYI: You (as org admin) can check whether everyone of the
- Walter Bright (2/5) Aug 10 2016 Thanks! OMG, looks like only about a fifth have 2FA.
- Jonathan M Davis via Digitalmars-d (8/15) Aug 10 2016 I just enabled it because of this thread, but in general, I'm paranoid a...
- qznc (7/13) Aug 11 2016 This thread pushed me to enable it for Google and Github. The
- Jonathan M Davis via Digitalmars-d (26/39) Aug 11 2016 I would expect the lockout issue to come from issues with your phone. I
- qznc (5/10) Aug 11 2016 I use Authy. They provide desktop apps and sync in addition. So
- Jesse Phillips (8/13) Aug 11 2016 Google and Steam do this well by marking specific machines as
- Walter Bright (9/19) Aug 11 2016 Yeah, I worry about being locked out as well. There's also nothing priva...
- Chris (4/15) Aug 11 2016 You could also set up an "unsuspicious" dummy repo on Github
- ketmar (13/16) Aug 11 2016 only PRs. would be a refreshing change and autoclearing of PR
- Jesse Phillips (5/11) Aug 11 2016 Don't use your phone, I don't. Use the App and/or hardware, no
- ketmar (8/10) Aug 11 2016 i'm not using smartphones at all, so no "apps". besides, without
- Jesse Phillips (7/12) Aug 11 2016 Simple your github account manages the SSH keys used to
- Steven Schveighoffer (10/37) Aug 11 2016 I don't have much concern on this. I stored the github backup codes in
- Jonathan M Davis via Digitalmars-d (9/11) Aug 11 2016 It probably depends on who you're dealing with. In my case, it was godad...
- qznc (5/14) Aug 11 2016 The code is pretty safe thanks to git. The comments get lost.
- Kagamin (5/7) Aug 11 2016 If github doesn't restore from backup, maybe mirror github repo
- Kagamin (3/4) Aug 11 2016 Irony. Is git still a DVCS? If you lose the central repo, you
- Nick Sabalausky (5/8) Aug 26 2016 The one big thing that always annoyed me about github is that nearly all...
- sldkf (3/4) Aug 11 2016 Somone can rewrite the entire history (i.e patch the commiters
- ketmar (6/10) Aug 11 2016 so what? next "git pull" from any developer (not only core dev,
- H. S. Teoh via Digitalmars-d (10/15) Aug 11 2016 This is not a problem. Rewritten history will have different commit
- sldkf (3/18) Aug 11 2016 Not wrong, one aspect of git is that there's no "central"
- H. S. Teoh via Digitalmars-d (16/19) Aug 11 2016 [...]
- Walter Bright (5/6) Aug 11 2016 Github dlang is our critical infrastructure, we should treat it accordin...
- Nick Sabalausky (7/14) Aug 26 2016 That right there is why gitlab is better. I realize it's too late now,
- Jacob Carlborg (4/10) Aug 26 2016 How is GitLab any different?
- Jesse Phillips (9/11) Aug 10 2016 2 Factor Auth is pretty accessible now days. Definitely enable
- Walter Bright (1/1) Aug 12 2016 Currently 11/35 have enabled 2FA
- mùsdl (2/3) Aug 12 2016 Have you 5 hidden members ?
- Steven Schveighoffer (3/6) Aug 12 2016 Members have the option of publicly exposing their membership.
- Seb (5/6) Aug 23 2016 FWIW GitHub added a nice feature to track down members without
- Kagamin (6/8) Aug 23 2016 BTW what about this
https://news.ycombinator.com/item?id=12259176 Apparently github users are increasingly being targeted.
Aug 09 2016
They probably wanted his private code, otherwise the attack is futile.
Aug 10 2016
On 8/10/2016 3:40 AM, Kagamin wrote:
> They probably wanted his private code, otherwise the attack is futile.

Perhaps, but I don't want a malicious actor being able to hose the dlang repository. Too many people depend on it to risk that sort of thing.
Aug 10 2016
On 8/10/16 12:20 AM, Walter Bright wrote:
> https://news.ycombinator.com/item?id=12259176
> Apparently github users are increasingly being targeted.

Done. Didn't realize about this issue, of course, probably shouldn't use a crappy password on your DNS server...

In any case, should be 0 impact, since all my github traffic goes via ssh key.

-Steve
Aug 10 2016
On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
> Done.

Thanks!

> In any case, should be 0 impact, since all my github traffic goes via ssh key.

Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.
Aug 10 2016
On Wednesday, 10 August 2016 at 23:22:24 UTC, Walter Bright wrote:
> On 8/10/2016 9:15 AM, Steven Schveighoffer wrote:
>> Done.
>
> Thanks!
>
>> In any case, should be 0 impact, since all my github traffic goes via ssh key.
>
> Like a castle with its defenses in depth, security should always have multiple levels to it to guard against a single point of failure.

FYI: You (as org admin) can check whether everyone of the organization has 2FA enabled:
https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/
Aug 10 2016
On 8/10/2016 4:41 PM, Seb wrote:
> FYI: You (as org admin) can check whether everyone of the organization has 2FA enabled:
> https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/

Thanks! OMG, looks like only about a fifth have 2FA.
Aug 10 2016
On Wednesday, August 10, 2016 18:34:56 Walter Bright via Digitalmars-d wrote:
> On 8/10/2016 4:41 PM, Seb wrote:
>> FYI: You (as org admin) can check whether everyone of the organization has 2FA enabled:
>> https://help.github.com/articles/ensuring-that-organization-members-have-enabled-two-factor-authentication/
>
> Thanks! OMG, looks like only about a fifth have 2FA.

I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out. :(

- Jonathan M Davis
Aug 10 2016
On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
> I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.

This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
Aug 11 2016
On Thursday, August 11, 2016 07:33:45 qznc via Digitalmars-d wrote:
> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
>> I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.
>
> This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.

I would expect the lockout issue to come from issues with your phone. I almost got locked out by my domain registrar previously, because I changed phone providers, and stupidly, that meant that I couldn't get the SMS messages anymore - even though my phone number hadn't changed. Fortunately, I was finally able to get it fixed with them, but it took a while.

But I'd be even more worried about depending on an app on your phone (like is sometimes the case with two-factor auth), since that won't necessarily then work with another phone with the same number, in which case, changing phones could lose you access - and while you might be able to plan for that by doing something like turning off two-factor temporarily when switching phones, if your phone died, you won't have been able to do that.

As long as nothing goes wrong with your second factor, you'll probably be fine and won't get locked out of anything, but as soon as something _does_ go wrong with your second factor, you risk being locked out with no recourse. And if the company that you're dealing with for two-factor actually lets you get around the two-factor when you have a problem, then that opens the door for someone else to talk them into letting _them_ in (which is of course what the second factor is supposed to prevent). So, you either end up with a situation where you're fine as long as your second factor doesn't have problems but are screwed when it does, or you're still at risk of someone else getting into your account in spite of having the second factor.

So, while in principle, two-factor auth is a great idea, there's definite risk involved with it that makes me very leery of using it. And all it takes to really screw you over is getting locked out once.

- Jonathan M Davis
Aug 11 2016
On Thursday, 11 August 2016 at 07:54:48 UTC, Jonathan M Davis wrote:
> But I'd be even more worried about depending on an app on your phone (like is sometimes the case with two-factor auth), since that won't necessarily then work with another phone with the same number, in which case, changing phones could lose you access

I use Authy. They provide desktop apps and sync in addition. So if my phone fails, I can use my laptop and vice versa.

https://www.authy.com/
Aug 11 2016
On Thursday, 11 August 2016 at 07:54:48 UTC, Jonathan M Davis wrote:
> I would expect the lockout issue to come from issues with your phone. I almost got locked out by my domain registrar previously, because I changed phone providers, and stupidly, that meant that I couldn't get the SMS messages anymore - even though my phone number hadn't changed.

Google and Steam do this well by marking specific machines as "private." This removes the need for two factor auth for that machine, but ultimately you want 2FA required for those who don't have physical access anyway.

Github has been a little annoying since I can't do that, and Fido U2F is only supported by Chrome and I prefer firefox.
Aug 11 2016
On 8/11/2016 12:33 AM, qznc wrote:
> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
>> I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.
>
> This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.

Yeah, I worry about being locked out as well. There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.

They do provide an option for a second phone (which I enabled) and sent a set of recovery codes. This you can put into your safety deposit box as a last resort. I keep a rolling set of backups, with one set in the safety deposit box.

2FA is going to become increasingly common, and I expect we'll all have to get used to it.
Aug 11 2016
On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:
> Yeah, I worry about being locked out as well. There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.
>
> They do provide an option for a second phone (which I enabled) and sent a set of recovery codes. This you can put into your safety deposit box as a last resort. I keep a rolling set of backups, with one set in the safety deposit box.
>
> 2FA is going to become increasingly common, and I expect we'll all have to get used to it.

You could also set up an "unsuspicious" dummy repo on Github which is an identical twin of the official D repo, under a different user and repo name ("Balter Wright", Digital Neptune :)
Aug 11 2016
On Thursday, 11 August 2016 at 07:59:11 UTC, Walter Bright wrote:
> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.

only PRs. would be a refreshing change and autoclearing of PR queue. besides, authors will just resubmit 'em.

there is no reason to mess with 2fa, i believe. the only thing someone can do is pushing some malicious commit, which will be found almost immediately by compromised dev (next git pull will raise an alarm with error). yet in exchange for very weak protection, one have to give his phone number to the 3rd party, and that 3rd party is known by security faults and overall low level of tech and security. if i'll be asked to give my phone number to such organisation (to *any* organisation, but well, this case even worther), i will deny the request immediately.
Aug 11 2016
On Thursday, 11 August 2016 at 11:48:32 UTC, ketmar wrote:
> yet in exchange for very weak protection, one have to give his phone number to the 3rd party, and that 3rd party is known by security faults and overall low level of tech and security. if i'll be asked to give my phone number to such organisation (to *any* organisation, but well, this case even worther), i will deny the request immediately.

Don't use your phone, I don't. Use the App and/or hardware, no need to give out personal information.

I forgot Google supports U2F also and I have it enabled, but since I don't use Chrome generally I don't get that option.
Aug 11 2016
On Thursday, 11 August 2016 at 18:34:30 UTC, Jesse Phillips wrote:
> Don't use your phone, I don't. Use the App and/or hardware, no need to give out personal information.

i'm not using smartphones at all, so no "apps". besides, without sending auth request by some other channel than internet i can't see any value in 2fa at all: how is that different from simply using my ssh key and encrypted internet channel?

tbh, i never seen any sense in all that "password" stuff at all. we have asymmetric cryptography, why we still using passwords and "email password resets"?
Aug 11 2016
On Thursday, 11 August 2016 at 18:44:11 UTC, ketmar wrote:
> i'm not using smartphones at all, so no "apps". besides, without sending auth request by some other channel than internet i can't see any value in 2fa at all: how is that different from simply using my ssh key and encrypted internet channel?

Simple: your github account manages the SSH keys used to contribute code, it also is what creates pull requests for the contributions to other repos.

GitHub and some others support Fido U2F and that doesn't use an internet channel for auth. Check out Yubico's Yubikey for some good hardware.
Aug 11 2016
On 8/11/16 3:59 AM, Walter Bright wrote:
> On 8/11/2016 12:33 AM, qznc wrote:
>> On Thursday, 11 August 2016 at 06:21:35 UTC, Jonathan M Davis wrote:
>>> I just enabled it because of this thread, but in general, I'm paranoid about two-factor auth and don't use it for much. My domain registrar (and thus DNS) is one of the few places that I have it enabled. I'm just too worried about getting locked out. The very thing that makes it more secure significantly increases the risk of you having a problem that locks you out.
>>
>> This thread pushed me to enable it for Google and Github. The fear of lock out plagues me as well. However, I asked a few friends and so far I have found nobody who was actually locked out. The fact that they all give you a few backup codes for login helps.
>
> Yeah, I worry about being locked out as well.

I don't have much concern on this. I stored the github backup codes in my password/secure note manager, so I will never lose them. I did not know that if you port your number to a new provider, you would be locked out. That's surprising, but makes sense at the same time.

> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.

Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork. But it would be a pain to restore.

> 2FA is going to become increasingly common, and I expect we'll all have to get used to it.

Yeah, definitely.

-Steve
Aug 11 2016
On Thursday, August 11, 2016 09:05:49 Steven Schveighoffer via Digitalmars-d wrote:
> I did not know that if you port your number to a new provider, you would be locked out. That's surprising, but makes sense at the same time.

It probably depends on who you're dealing with. In my case, it was godaddy, and it definitely mattered with them. It may not matter with github. But the fact that it _can_ happen makes me that much more nervous about having my access to something connected to a specific device. At this point, I think that I now have two-factor enabled on all of two sites, and I'm not going to be in a hurry to enable it on more.

- Jonathan M Davis
Aug 11 2016
On Thursday, 11 August 2016 at 13:05:49 UTC, Steven Schveighoffer wrote:
>> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.
>
> Well, the code will all be on everyone's system. The PRs should be pretty safe too, since they are all branches on everyone's private fork.

The code is pretty safe thanks to git. The comments get lost. Likewise, deleting bugzilla would be ugly.

We could start signing git commits/tags for additional safety.
Aug 11 2016
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
> The code is pretty safe thanks to git. The comments get lost.

If github doesn't restore from backup, maybe mirror github repo into a gitlab repo?
http://docs.gitlab.com/ce/workflow/importing/import_projects_from_github.html

> Likewise, deleting bugzilla would be ugly.

Bugzilla is backed up.
Aug 11 2016
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
> The code is pretty safe thanks to git. The comments get lost.

Irony. Is git still a DVCS? If you lose the central repo, you just lose.
Aug 11 2016
On 08/11/2016 10:56 AM, Kagamin wrote:
> On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
>> The code is pretty safe thanks to git. The comments get lost.
>
> Irony. Is git still a DVCS? If you lose the central repo, you just lose.

The one big thing that always annoyed me about github is that nearly all the features it adds on top of git *lack* all the benefit of using git in the first place (ex: decentralization and ability to self-host, git's famed speed, etc.)
Aug 26 2016
On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
> The code is pretty safe thanks to git. The comments get lost.

Someone can rewrite the entire history (i.e. patch the committers' mails). This would be a major problem.
Aug 11 2016
On Thursday, 11 August 2016 at 18:36:11 UTC, sldkf wrote:
> On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
>> The code is pretty safe thanks to git. The comments get lost.
>
> Someone can rewrite the entire history (i.e. patch the committers' mails). This would be a major problem.

so what? next "git pull" from any developer (not only core dev, many other people has repo clones too) will fail, that will raise an alarm --> security breach detected. besides, git allows to cryptographically sign each commit. introduce that, and good luck rewriting history, lol.
Aug 11 2016
On Thu, Aug 11, 2016 at 06:36:11PM +0000, sldkf via Digitalmars-d wrote:
> On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
>> The code is pretty safe thanks to git. The comments get lost.
>
> Someone can rewrite the entire history (i.e. patch the committers' mails). This would be a major problem.

This is not a problem. Rewritten history will have different commit hashes, and once a trusted copy of the repo is uploaded, e.g., from Walter's local copy, it will become very obvious which commits have been tampered with. In fact, just replace the repo with Walter's (or some other trusted person's) version, and the tampered commits can be simply discarded.

T

--
MASM = Mana Ada Sistem, Man!
Aug 11 2016
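The point made in the two replies above (a rewritten commit gets a new hash, every descendant inherits the change, and an existing clone's pull then refuses to fast-forward) can be shown with a small model of git's own object hashing. This is an added example, not code from the thread; the commits, tree ids and names are constructed.

```python
import hashlib


def git_object_hash(obj_type: str, body: bytes) -> str:
    """SHA-1 of a git object exactly as git computes it: "<type> <size>\\0<body>"."""
    header = f"{obj_type} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()


def commit_object(tree: str, parents: list, author: str, committer: str, message: str) -> bytes:
    """Serialise a commit the way git stores it: tree, parent lines, author, committer, message."""
    lines = [f"tree {tree}"] + [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}"]
    return ("\n".join(lines) + "\n\n" + message + "\n").encode()


def build_history(commits):
    """Hash a linear history; each commit's parent line is the previous commit's hash,
    so a change anywhere propagates into every later hash."""
    hashes = []
    for tree, author, committer, message in commits:
        body = commit_object(tree, hashes[-1:], author, committer, message)
        hashes.append(git_object_hash("commit", body))
    return hashes


def first_divergence(local, remote):
    """Index of the first commit whose hash differs between two histories (None if identical)."""
    for i, (a, b) in enumerate(zip(local, remote)):
        if a != b:
            return i
    return None if len(local) == len(remote) else min(len(local), len(remote))


def pull_is_fast_forward(local_tip, remote_history):
    """git pull only fast-forwards when the local tip is an ancestor of the remote tip;
    otherwise it stops with a non-fast-forward error, which is the alarm described above."""
    return local_tip in remote_history


# Constructed sample history; real tree ids are hashes of tree objects, these are placeholders.
TREE_A, TREE_B, TREE_C = "a" * 40, "b" * 40, "c" * 40
ALICE = "Alice <alice@example.com> 1470816000 +0000"
BOB = "Bob <bob@example.com> 1470902400 +0000"
ORIGINAL = [
    (TREE_A, ALICE, ALICE, "Initial import"),
    (TREE_B, BOB, BOB, "Fix parser bug"),
    (TREE_C, ALICE, ALICE, "Add tests"),
]


def rewrite_committer(history, index, new_committer):
    """Simulate the history rewrite discussed above: change one commit's committer line only."""
    rewritten = list(history)
    tree, author, _, message = rewritten[index]
    rewritten[index] = (tree, author, new_committer, message)
    return rewritten


def demo():
    """Compare an existing clone's history against a rewritten copy of it."""
    local = build_history(ORIGINAL)
    tampered = build_history(
        rewrite_committer(ORIGINAL, 1, "Mallory <mallory@example.com> 1470902400 +0000"))
    return {
        "diverges_at": first_divergence(local, tampered),      # commit 1 and everything after
        "fast_forward": pull_is_fast_forward(local[-1], tampered),  # False: pull raises an error
        "untouched_prefix_identical": local[0] == tampered[0],   # commit 0 is unchanged
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same property is why signing commits or tags (qznc's suggestion below) works: the signature covers the serialised object, so a rewritten commit cannot carry the original signature.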
On Thursday, 11 August 2016 at 18:50:41 UTC, H. S. Teoh wrote:
> On Thu, Aug 11, 2016 at 06:36:11PM +0000, sldkf via Digitalmars-d wrote:
>> On Thursday, 11 August 2016 at 13:35:08 UTC, qznc wrote:
>>> The code is pretty safe thanks to git. The comments get lost.
>>
>> Someone can rewrite the entire history (i.e. patch the committers' mails). This would be a major problem.
>
> This is not a problem. Rewritten history will have different commit hashes, and once a trusted copy of the repo is uploaded, e.g., from Walter's local copy, it will become very obvious which commits have been tampered with. In fact, just replace the repo with Walter's (or some other trusted person's) version, and the tampered commits can be simply discarded.
>
> T

Not wrong, one aspect of git is that there's no "central" repository
Aug 11 2016
On Thu, Aug 11, 2016 at 12:59:11AM -0700, Walter Bright via Digitalmars-d wrote:
[...]
> There's also nothing private in the dlang repository, but a malicious person could just delete everything and it would be a major problem for us to recover from that.
[...]

Thankfully, it's not that bad thanks to git. Everyone who has a local clone of the dlang repo would have a copy of the code (complete with the history too!). It would be troublesome to recover from it, but not impossible, and definitely easier than other revision control systems where you may potentially have to reconstruct the repo from scratch.

We *would* lose PRs and the discussions attached to them, though. That would be unfortunate, though not fatal. It might even give us a clean slate in the PR queue, which could be construed to be a good thing! ;-) The PR submitters would still have their code intact in their local repo, so no actual code would be lost.

T

--
My program has no bugs! Only undocumented features...
Aug 11 2016
On 8/11/2016 7:34 AM, H. S. Teoh via Digitalmars-d wrote:
> so no actual code would be lost.

Github dlang is our critical infrastructure, we should treat it accordingly. I agree we wouldn't lose the code history, but would lose just about everything else. It would take us days, maybe weeks, to get things set up again. Why risk it?
Aug 11 2016
On 08/11/2016 05:25 PM, Walter Bright wrote:
> On 8/11/2016 7:34 AM, H. S. Teoh via Digitalmars-d wrote:
>> so no actual code would be lost.
>
> Github dlang is our critical infrastructure, we should treat it accordingly. I agree we wouldn't lose the code history, but would lose just about everything else. It would take us days, maybe weeks, to get things set up again. Why risk it?

That right there is why gitlab is better. I realize it's too late now, but I kinda wish we had standardized on that instead of github. Unlike gitlab, github takes all the philosophy, purpose, goals and values of git (the very tool it's built for) and throws them straight out the window, replacing them with a traditional, very non-git-like MS/Facebook-style single-point-of-failure walled garden.
Aug 26 2016
On 2016-08-26 17:11, Nick Sabalausky wrote:
> That right there is why gitlab is better. I realize it's too late now, but I kinda wish we had standardized on that instead of github. Unlike gitlab, github takes all the philosophy, purpose, goals and values of git (the very tool it's built for) and throws them straight out the window, replacing them with a traditional, very non-git-like MS/Facebook-style single-point-of-failure walled garden.

How is GitLab any different?

--
/Jacob Carlborg
Aug 26 2016
On Friday, 26 August 2016 at 16:54:14 UTC, Jacob Carlborg wrote:
> How is GitLab any different?

at least it's engine is opensourced, and it's employers doesn't make public racists and chauvinist statements.
Aug 26 2016
On Friday, 26 August 2016 at 23:51:50 UTC, ketmar wrote:
> employees, lol.

and "its" 2 times and "don't" and "racist"
Aug 27 2016
On Wednesday, 10 August 2016 at 04:20:51 UTC, Walter Bright wrote:
> https://news.ycombinator.com/item?id=12259176
> Apparently github users are increasingly being targeted.

2 Factor Auth is pretty accessible nowadays. Definitely enable for Gmail too if you're using that service.

I'd recommend using Yubikey, but the two places I've been able to make use of it is a paid for LastPass account and Github. If you do go for a key, choose one with U2F. These keys don't get firmware updates so as they develop new technology on the key it requires buying a new key.

https://www.yubico.com/
Aug 10 2016
On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
> Currently 11/35 have enabled 2FA

Have you 5 hidden members?
Aug 12 2016
On 8/12/16 10:53 AM, mùsdl wrote:
> On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
>> Currently 11/35 have enabled 2FA
>
> Have you 5 hidden members?

Members have the option of publicly exposing their membership.

-Steve
Aug 12 2016
On Friday, 12 August 2016 at 08:10:15 UTC, Walter Bright wrote:
> Currently 11/35 have enabled 2FA

FWIW GitHub added a nice feature to track down members without 2FA more easily. One can now filter members with `two-factor:disabled` (or select this via the new UI Filter).
Aug 23 2016
On Wednesday, 10 August 2016 at 04:20:51 UTC, Walter Bright wrote:
> https://news.ycombinator.com/item?id=12259176
> Apparently github users are increasingly being targeted.

BTW what about this
https://www.reddit.com/r/programming/comments/4z2nue/dear_programmer_dont_shorten_your_fingerprint/

I'm not familiar with pgp, but was surprised to see short identifiers in dlang keyring. Anything 32 bit can't possibly have anything secure about it?
Aug 23 2016
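To make the question above concrete: an OpenPGP "short" key ID is not a separate identifier but the last 32 bits of the key's SHA-1 fingerprint, so its collision resistance is the birthday bound on 32 bits. The following added example (not code from the thread or the dlang keyring) derives a v4 fingerprint, long ID and short ID from a constructed, far too small RSA public-key packet, estimates collision odds, and audits a list of fingerprints for short-ID clashes; the demo key material and timestamp are made up.

```python
import hashlib
import math
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-octet bit count, then the big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body (160 bits)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 16 hex digits of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit 'short' key ID is the last 8 hex digits: a truncation, not a separate hash."""
    return fingerprint[-8:]


def birthday_collision_probability(n_keys: int, id_bits: int) -> float:
    """Probability that at least two of n_keys uniformly random id_bits-bit IDs coincide."""
    return 1.0 - math.exp(-n_keys * (n_keys - 1) / (2.0 * 2 ** id_bits))


def keys_for_even_odds(id_bits: int) -> float:
    """Number of keys at which a collision among them becomes a coin flip (about 77,000 for 32 bits)."""
    return math.sqrt(2 * math.log(2) * 2 ** id_bits)


def find_short_id_collisions(fingerprints):
    """Keyring audit: group full fingerprints that share a short ID, i.e. entries that a
    short-ID lookup could not tell apart. Empty result means the ring is currently unambiguous."""
    groups = {}
    for fpr in fingerprints:
        groups.setdefault(short_key_id(fpr), []).append(fpr)
    return {sid: fprs for sid, fprs in groups.items() if len(fprs) > 1}


# Constructed demo key: a 128-bit modulus is useless as a real key, but the packet layout
# and the fingerprint derivation are identical to those for a real 4096-bit key.
DEMO_N = 0xC0FFEE1234567890ABCDEF1122334455
DEMO_E = 65537
DEMO_CREATED = 1470816000  # constructed creation time (a Unix timestamp in August 2016)


def demo():
    """Derive fingerprint, long ID and short ID for the constructed key."""
    fpr = v4_fingerprint(v4_rsa_public_key_body(DEMO_CREATED, DEMO_N, DEMO_E))
    return {"fingerprint": fpr, "long_id": long_key_id(fpr), "short_id": short_key_id(fpr)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"P(collision among 100000 short IDs) = {birthday_collision_probability(100_000, 32):.2f}")
    print(f"P(collision among 100000 long IDs)  = {birthday_collision_probability(100_000, 64):.2e}")
```

The practical consequence for a keyring is to publish and compare full 40-digit fingerprints; even the 64-bit long ID is only a convenience for lookups, not something to verify a key by.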