The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:
It’s a forcing function so maintainers of packages don’t get easily phished at which point we get a brand new release laden with malware. PyPI and npm had to do the same thing, and it’s a good way of reducing supply chain risk. It also only impacts GitHub users who upload code, and thus this ultimately reduces the risk of account takeovers and supply chain risk as a whole. It’s a fantastic change, more services should mandate MFA, and I’d love to see it as a requirement for every service provider out there.

Considering that forcing MFA will disincentivize short sighted and ignorant users like yourself from accessing the service, it’s kinda insane you think this is a profit seeking activity. I guess it’s good for their stock because a more secure community promotes a more stable, valuable, and productive technology sector as a whole, which ultimately benefits Microsoft? How dare they!

The Iron Rose fucked around with this message at 00:35 on Sep 2, 2023


Volguus
Mar 3, 2009

The Iron Rose posted:

It’s a forcing function so maintainers of packages don’t get easily phished at which point we get a brand new release laden with malware. PyPI and npm had to do the same thing, and it’s a good way of reducing supply chain risk.

Considering that forcing MFA will disincentivize short sighted and ignorant users like yourself from accessing the service, it’s kinda insane you think this is a profit seeking activity. I guess it’s good for their stock because a more secure community promotes a more stable, valuable, and productive technology sector as a whole, which ultimately benefits Microsoft? How dare they!

As I said: "more secure community". A blatant lie. Smoke and mirrors.

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Volguus posted:

As I said: "more secure community". A blatant lie. Smoke and mirrors.

Take your meds

The Fool
Oct 16, 2003


Volguus posted:

As I said: "more secure community". A blatant lie. Smoke and mirrors.

mfa is smoke and mirrors?

Volguus
Mar 3, 2009

The Iron Rose posted:

Take your meds

You can be as sarcastic and dismissive as you want, fact is that while the accounts will be better protected from phishing, the code will not be safer, regardless of what they will tell you. Case in point: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/. And there are probably thousands more that did not make the news. Pulling from master/latest/develop instead of a commit SHA will always be fraught with danger and that should be discouraged in any organization.

Have 2FA as a feature? It's an awesome feature indeed, everyone should provide it if possible. Mandating it: no.
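The "pull from a commit SHA, not master/latest" point in the post above, as an added example that is not code from the thread: a small Python checker that walks a dependency manifest and flags references that float on a branch instead of naming an immutable object id. The manifest, the organisation name example-org and the repository names are all constructed for the example.

```python
"""Flag dependency references that float on a branch instead of a commit SHA.
Added example; not code from the thread. All repository names are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Branch-style names that move on every push. Constructed list; extend as needed.
FLOATING_NAMES = {"master", "main", "latest", "develop", "dev", "trunk", "HEAD"}
# A full git object id (SHA-1 or SHA-256) names exactly one commit, forever.
SHA_RE = re.compile(r"[0-9a-f]{40}|[0-9a-f]{64}")

PATTERNS = {
    # pip:  pkg @ git+https://github.com/org/repo@<ref>#egg=pkg   (ref optional)
    "pip-git": re.compile(r"(git\+(?:https?|ssh)://(?:[\w.-]+@)?[^\s@#]+)(?:@([^\s#]+))?"),
    # GitHub Actions:  uses: org/action@<ref>
    "gha-uses": re.compile(r"uses:\s*([\w.-]+/[\w./-]+)@(\S+)"),
    # npm shorthand:  "dep": "github:org/repo#<ref>"   (ref optional)
    "npm-github": re.compile(r'"github:([\w.-]+/[\w.-]+)(?:#([^"\s]+))?"'),
}


@dataclass
class Finding:
    line_no: int
    syntax: str   # which of PATTERNS matched
    target: str   # repository URL or owner/name
    ref: str      # ref as written ("" when absent)
    kind: str     # "pinned", "floating" or "unverified"


def classify_ref(ref: Optional[str]) -> str:
    """A missing ref or a branch name resolves to whatever was pushed last;
    only a full object id is immutable. Anything else (tag, release branch,
    short SHA) cannot be judged without asking the remote, so it is flagged
    for review rather than silently trusted."""
    if not ref or ref in FLOATING_NAMES:
        return "floating"
    if SHA_RE.fullmatch(ref):
        return "pinned"
    return "unverified"


def scan(text: str) -> list:
    """Walk a manifest line by line and classify every git-style reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for syntax, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                target, ref = m.group(1), m.group(2) or ""
                findings.append(Finding(line_no, syntax, target, ref, classify_ref(ref)))
    return findings


def floating_findings(text: str) -> list:
    """The ones that matter most: references that silently track new pushes."""
    return [f for f in scan(text) if f.kind == "floating"]


# Constructed sample mixing three manifest syntaxes; none of these repos are real.
SAMPLE = """\
# requirements.txt (constructed sample)
somelib==1.2.3
libfoo @ git+https://github.com/example-org/libfoo@master
libbar @ git+https://github.com/example-org/libbar@0123456789abcdef0123456789abcdef01234567#egg=libbar
tool @ git+ssh://git@github.com/example-org/tool
# .github/workflows/ci.yml (constructed sample)
    - uses: example-org/setup-tool@v4
    - uses: example-org/release-action@89abcdef89abcdef89abcdef89abcdef89abcdef
# package.json (constructed sample)
    "left-pad": "github:example-org/left-pad#latest"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no:2d} {f.kind:10s} {f.target}@{f.ref or '<none>'}")
```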

The Fool
Oct 16, 2003


that's an insane take dude

mfa is a net good, a service like github mandating it is nothing but positive

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Volguus posted:

You can be as sarcastic and dismissive as you want, fact is that while the accounts will be better protected from phishing

I’m glad we agree this is a change that will make for a safer community!


Also whether it’s good or not, people will pull from latest anyways, and we should make sure that those people and organizations are safer too.


ps: it is good that the authors of malicious code like you cited are held accountable, and also your link has three more examples of account takeovers leading to malware lol

The Iron Rose fucked around with this message at 00:47 on Sep 2, 2023

Volguus
Mar 3, 2009

The Iron Rose posted:

I’m glad we agree this is a change that will make for a safer community!

Safer accounts do not mean safer community. Jesus. There are and will be bad actors on github, treating that as anything else is insane.

The Iron Rose posted:

Also whether it’s good or not, people will pull from latest anyways, and we should make sure that those people and organizations are safer too.

Except that the code itself will not necessarily be safer. And the code is what matters. It will lead to a false sense of security where someone, somewhere, will argue against library validation, since hey, now GitHub is mandating 2FA, obviously that code is OK since the account most likely has not been compromised.

All code pulled from GitHub (or anywhere, for that matter: SourceForge/GitLab/etc.) as a library into an organization should be vetted before being allowed in, and should be treated as hostile until proven otherwise. 2FA or not, that should not be a factor. Instead of the focus being on educating on the importance of validating software that is used in an organization's projects, we're slapping a band-aid. As effective as thoughts and prayers.

They could have (and it would be just as effective) added a label to those accounts that do use 2FA. Is that something that matters to you? Awesome, here it is.

edit: At the end of the day, poo poo that's pissing me off is that I have to care about other people's code. I want to continue not giving a poo poo, thank you very much. False sense of security notwithstanding, and while organizations really should validate the code they pull in, it's a personal matter. I did not care before and I would like to not care going forward.

Volguus fucked around with this message at 01:12 on Sep 2, 2023

The Iron Rose
May 12, 2012

:minnie: Cat Army :minnie:

Volguus posted:

Safer accounts do not mean safer community

It objectively does. We should strive to make the lives of malicious hackers harder when it will not unduly compromise user accessibility, and forcing authors of code to use 2FA is a good way to do that.

quote:

Except that the code itself will not necessarily be safer. And the code is what matters. It will lead to a false sense of security where someone, somewhere, will argue against library validation, since hey, now GitHub is mandating 2FA, obviously that code is OK since the account most likely has not been compromised.

All code pulled from GitHub (or anywhere, for that matter: SourceForge/GitLab/etc.) as a library into an organization should be vetted before being allowed in, being treated as hostile until proven otherwise. 2FA or not, that should not be a factor. Instead of the focus being on educating on the importance of validating software that is used in an organization's projects, we're slapping a band-aid. As effective as thoughts and prayers.

They could have (and it would be just as effective) added a label to those accounts that do use 2FA. Is that something that matters to you? Awesome, here it is.

Band-aids are good! Fixing part of the problem is better than not fixing anything! Nobody is saying you must stop educating users not to pull latest into production environments, but education will never catch everyone. Accordingly, we should focus on raising the bar universally to ensure that people and organizations without good security teams (i.e. almost all of them) have a greater net security posture.

Nobody is arguing against reviewing libraries, but let’s be honest, that doesn’t happen most of the time either, and you’re delusional if you think security teams are sufficiently staffed to review every update to every library that exists. This won’t magically stop people from uploading or downloading bad code, but it will make it harder for malicious hackers to turn good code bad. That’s a good thing for GitHub, good thing for software consumers, and a good thing for the community as a whole.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

Volguus posted:

There are and will be bad actors on github the internet, treating that as anything else is insane.

Pack it in, goons. MFA cannot 100% protect us from deliberate vandalism, therefore it's useless in all scenarios.

xzzy
Mar 5, 2009

I feel like 2fa should be optional for small scale users. Like if Jimmy McCertSchool has a single repo with a README.md and it says nothing but "hello world" it's not a big deal if it gets owned.

If they contribute to a dozen large projects' repos and are active every day, yeah, it's a red alert if they get phished. Hit them with that 2FA barrier.

All hacks are bad but I just can't force myself to give a poo poo if a tinkerer loses work.

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady
Large scale projects aren't necessarily the problem. Remember what happened with left-pad on NPM. When you pull out the comments that's a 30-line file, and all it does is provide a single function that lets you pad a string you pass it with an arbitrary number of characters ahead of it.

Volguus
Mar 3, 2009
Then name and shame. Nothing wrong with that. Repos that are owned by accounts without 2FA get a big banner with "The account is not safe. This code will shard your purplez". Or, to be positive, give a label/icon/whatever to those accounts and repos protected by 2FA. Just don't blanket mandate it. However, it is true, it is both easier and good for GitHub the organization. It is not necessarily easier and better for the users (pushers and pullers). Some people (itt even) do seem to conflate the two, all while they cannot be more separate in both goals and needs.

The Fool
Oct 16, 2003


no one is saying that it is easier, but it is definitely better

Blue Moonlight
Apr 28, 2005
Bitter and Sarcastic

Volguus posted:

As I said: "more secure community". A blatant lie. Smoke and mirrors.

I feel like this is a lead-up to one of those “STOP DOING MATH” “They have played us for absolute fools” memes.

Internet Explorer
Jun 1, 2005

... name and shame? Ain't nobody got time for that. If you can pull and push code, you can use MFA. It's time to get with the program.

rndmnmbr
Jul 3, 2012

If I have to use 2FA to check my bank balance, you can use 2FA to check in and out code. It's not that hard.

Thanks Ants
May 21, 2004

#essereFerrari


Enforced MFA is good, except when it’s enforced SMS MFA with no option to use TOTP

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Even Office 365 enforces MFA on administrative roles, and it's free if you have fewer than twenty-five users or some such thing. It's way too easy to brute-force passwords or guess someone's password based on their social media profile. You can find their date of birth, parents', siblings' or kids' names, etc.

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Thanks Ants posted:

Enforced MFA is good, except when it’s enforced SMS MFA with no option to use TOTP

SMS MFA is still fundamentally better than nothing and cell providers have done a lot to try and stop spoofing. It's not perfect but it's way better than it was a decade ago but SMS is still wildly popular in Asia, Latin America, Africa and Eastern Europe.

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


Volguus posted:



I surely have seen it all - I did not think, in 2023, someone would post without irony (angrily, in fact) that MFA should be optional.

Get this: MFA should be mandatory everywhere for everything. In an era where network delineation no longer applies because no reasonable company is limiting access to its cloud resources to one set of specific locations (much less hosting those resources internally at those locations), the security posture HAS TO put a huge amount of weight on verifying the user login is being used only by the person it's assigned to. There can be no variance on that if you want to have the smallest bit of confidence in your user security.

And yes obviously anyone can be a bad actor, an employee at a company can blithely login with their MFA protected account and download a bunch of documents to sell to a competitor or whatever scenario you want to construct, but as always that is not a technical problem at that point, it's a management one (and an HR failure).

And also this:

Thanks Ants posted:

Enforced MFA is good, except when it’s enforced SMS MFA with no option to use TOTP

edit: and one final note, if you are truly so put out by the 2 seconds it takes to look at a code and type it in, or hit a push notification on your phone, then add the TOTP secret to 1Password and let it fill those for you. They have a post about how that's actually not a security problem because of their security measures, which is patently bullshit since the WHOLE POINT OF MFA is that you can't easily access both factors in the same place at the same time, but whatever, it's still better than no MFA at all.

edit2:https://blog.1password.com/1password-2fa-passwords-codes-together/ I guess at least they acknowledge it's not true 2FA, but their weasel words on it are basically assuming that you live your life entirely on your phone and thus if someone's accessed your 1Password account they must have compromised your phone and thus have access to your other TOTP app anyway. Which may be correct for zoomers, but some of us don't see the point of using a tiny screen when we could use (3) 32-inch monitors instead.

SyNack Sassimov fucked around with this message at 18:50 on Sep 2, 2023

Thanks Ants
May 21, 2004

#essereFerrari


The true way to live is a FIDO2 key and a managed endpoint with everything using SSO, and a company position that nothing is purchased unless it can do SSO with your existing IdP. Maybe even be passwordless.

Volguus
Mar 3, 2009

SyNack Sassimov posted:

I surely have seen it all - I did not think, in 2023, someone would post without irony (angrily, in fact) that MFA should be optional.

To a free git backup service with an inflated ego? It totally should be optional. No question about it.

Oh, you're paying for it? Are you an employee? You make your living off of it? Sure, by all means, MFA the poo poo out of it.

Diqnol
May 10, 2010

MFA is cool and good but I do wish number matching wasn't the m365 default. I'm quite tired of listening to boomers bitch about it.

Wizard of the Deep
Sep 25, 2005

Another productive workday

Diqnol posted:

MFA is cool and good but I do wish number matching wasn't the m365 default. I'm quite tired of listening to boomers bitch about it.

If they're struggling with the numerical equivalent of a shapes bench for toddlers, it's probably a sign they should retire.

tango alpha delta
Sep 9, 2011

Ask me about my wealthy lifestyle and passive income! I love bragging about my wealth to my lessers! My opinions are more valid because I have more money than you! Stealing the fruits of the labor of the working class is okay, so long as you don't do it using crypto. More money = better than!
I had the opportunity, no, the honor, to listen to an IdeaGuy (tm) excitedly tell me over and over and over about how he has discovered ChatGPT and now he doesn't need any developers to build his apps.

LOL

The Fool
Oct 16, 2003


Volguus posted:

To a free git backup service with an inflated ego? It totally should be optional. No question about it.


if you think this is all github is, your mfa opinions aren't the only bad ones you have

SyNack Sassimov
May 4, 2006

Let the robot win.
            --Captain James T. Vader


Thanks Ants posted:

The true way to live is a FIDO2 key and a managed endpoint with everything using SSO, and a company position that nothing is purchased unless it can do SSO with your existing IdP. Maybe even be passwordless.

:hmmyes:

Volguus
Mar 3, 2009

The Fool posted:

if you think this is all github is, your mfa opinions aren't the only bad ones you have

You are 100% correct that there are plenty of more bad opinions where those came from. You do, however, seem to be confused about a couple of things:

1. I do not think, and never said, that MFA in general is a bad thing. I am using it for PayPal, DigitalOcean, Backblaze, Google, (ignoring the lol-sms from the banks), work. You know, important poo poo. Stuff that matters.
2. Mandated MFA is a bad thing for a git backup service (yes, you've read that correctly). Why did I use GitHub? For convenience. Impede that in any way, shape or form and I'm taking my toys and moving to another git backup service. "But GitHub cures cancer". I don't care. Never did, never will.

Now, they are free to demand whatever poo poo they want, those are, after all, their computers. I am also free to complain about it on a dead gay comedy forum. And you are free to disagree all you want.

EpicCodeMonkey
Feb 19, 2011

Volguus posted:

You are 100% correct that there are plenty of more bad opinions where those came from. You do, however, seem to be confused about a couple of things:

1. I do not think, and never said, that MFA in general is a bad thing. I am using it for PayPal, DigitalOcean, Backblaze, Google, (ignoring the lol-sms from the banks), work. You know, important poo poo. Stuff that matters.
2. Mandated MFA is a bad thing for a git backup service (yes, you've read that correctly). Why did I use GitHub? For convenience. Impede that in any way, shape or form and I'm taking my toys and moving to another git backup service. "But GitHub cures cancer". I don't care. Never did, never will.

Now, they are free to demand whatever poo poo they want, those are, after all, their computers. I am also free to complain about it on a dead gay comedy forum. And you are free to disagree all you want.

So if you had a throwaway email address you used to avoid spam, you'd be against MFA on all email accounts across the entire service because of the specific way you're using that specific account in that one case?

jaegerx
Sep 10, 2012

Maybe this post will get me on your ignore list!


Volguus posted:

You are 100% correct that there are plenty of more bad opinions where those came from. You do, however, seem to be confused about a couple of things:

1. I do not think, and never said, that MFA in general is a bad thing. I am using it for PayPal, DigitalOcean, Backblaze, Google, (ignoring the lol-sms from the banks), work. You know, important poo poo. Stuff that matters.
2. Mandated MFA is a bad thing for a git backup service (yes, you've read that correctly). Why did I use GitHub? For convenience. Impede that in any way, shape or form and I'm taking my toys and moving to another git backup service. "But GitHub cures cancer". I don't care. Never did, never will.

Now, they are free to demand whatever poo poo they want, those are, after all, their computers. I am also free to complain about it on a dead gay comedy forum. And you are free to disagree all you want.

You know you can use tokens with GitHub right?

guppy
Sep 21, 2004

sting like a byob
I think MFA is good everywhere but I also think we prompt for new authentication too often, based on the stringent security metric of "how much it annoys me." What is best practice for how often you should need to re-enter your second factor?

The Fool
Oct 16, 2003


Volguus posted:

You are 100% correct that there are plenty of more bad opinions where those came from. You do, however, seem to be confused about a couple of things:

1. I do not think, and never said, that MFA in general is a bad thing. I am using it for PayPal, DigitalOcean, Backblaze, Google, (ignoring the lol-sms from the banks), work. You know, important poo poo. Stuff that matters.
2. Mandated MFA is a bad thing for a git backup service (yes, you've read that correctly). Why did I use GitHub? For convenience. Impede that in any way, shape or form and I'm taking my toys and moving to another git backup service. "But GitHub cures cancer". I don't care. Never did, never will.

Now, they are free to demand whatever poo poo they want, those are, after all, their computers. I am also free to complain about it on a dead gay comedy forum. And you are free to disagree all you want.

if you're going to be this mad about a net good for the community you should just self host your garbage

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

guppy posted:

I think MFA is good everywhere but I also think we prompt for new authentication too often, based on the stringent security metric of "how much it annoys me." What is best practice for how often you should need to re-enter your second factor?
Whatever your session duration is. I'm trusting you to have defined that sensibly.

NFX
Jun 2, 2008

Fun Shoe

Volguus posted:

You are 100% correct that there are plenty of more bad opinions where those came from. You do, however, seem to be confused about a couple of things:

1. I do not think, and never said, that MFA in general is a bad thing. I am using it for PayPal, DigitalOcean, Backblaze, Google, (ignoring the lol-sms from the banks), work. You know, important poo poo. Stuff that matters.
2. Mandated MFA is a bad thing for a git backup service (yes, you've read that correctly). Why did I use GitHub? For convenience. Impede that in any way, shape or form and I'm taking my toys and moving to another git backup service. "But GitHub cures cancer". I don't care. Never did, never will.

Now, they are free to demand whatever poo poo they want, those are, after all, their computers. I am also free to complain about it on a dead gay comedy forum. And you are free to disagree all you want.

If you just use it to do "git push -f" why does mfa matter in the first place - is mfa required for ssh too? And at what level does mfa for a backup service matter? Being aware that someone is trying to overwrite your backups sounds useful.

Second, you remind me of those people who complain about https everywhere. "But data on my site doesn't matter that much and acme is hard :mad:"

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


Thanks Ants posted:

The true way to live is a FIDO2 key and a managed endpoint with everything using SSO, and a company position that nothing is purchased unless it can do SSO with your existing IdP. Maybe even be passwordless.

Maybe one day LiveID/Passport/Hotmail/etc. and even Gmail will support FIDO2 Keys and simply disable passwords.

SlowBloke
Aug 14, 2017

Crosby B. Alfred posted:

Maybe one day LiveID/Passport/Hotmail/etc. and even Gmail will support FIDO2 Keys and simply disable passwords.

Google and Microsoft consumer options do support passwordless, with the option to disable password support. You need to do so in the advanced security options.

tactlessbastard
Feb 4, 2001

Godspeed, post
Fun Shoe

tango alpha delta posted:

I had the opportunity, no, the honor, to listen to an IdeaGuy (tm) excitedly tell me over and over and over about how he has discovered ChatGPT and now he doesn't need any developers to build his apps.

LOL

I hope you really egged him on

Arquinsiel
Jun 1, 2006

"There is no such thing as society. There are individual men and women, and there are families. And no government can do anything except through people, and people must look to themselves first."

God Bless Margaret Thatcher
God Bless England
RIP My Iron Lady

Arquinsiel posted:

Today it is CompTIA's recertification requirements. Pentest+ does not recertify Cybersecurity Analyst+. Why? gently caress me, personally, that's why.
Turns out it does, but their documentation says it doesn't, I guess just to make me feel slightly pissed off and then make me feel better again? Am I being gaslighted by CompTIA? Is this an abusive relationship?


Wibla
Feb 16, 2011

A fiber break came in.

Project cut the wrong G96 :negative:
