Code locker has figured out it's a giant honeypot for miscreants planning supply chain attacks
GitHub has announced that it will require two factor authentication for users who contribute code on its service.
"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."
Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.
Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages. GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.
(Score: 1, Informative) by Anonymous Coward on Friday May 06 2022, @02:01PM (6 children)
First they go and break compatibility with Pale Moon, now they're tryin' to get me to press more buttons than `git push` requires?
It's not like a self-hosted Gitea doesn't do everything I wanted from GitHub and more. Which is mostly just a git-lfs implementation.
(Score: 2, Informative) by Anonymous Coward on Friday May 06 2022, @02:06PM (4 children)
It's owned by Microsoft, the solution will never be actual security when they can grab credentials under false pretense for a Microsoft owned single sign-on service.
(Score: 2, Informative) by Anonymous Coward on Friday May 06 2022, @02:22PM (3 children)
It's a joint project with Google and Apple. When those three agree on something, you know it's going to be bad for the users.
https://arstechnica.com/gadgets/2022/05/apple-google-and-microsoft-want-bluetooth-proximity-to-replace-the-password/ [arstechnica.com]
(Score: 0) by Anonymous Coward on Friday May 06 2022, @05:58PM (2 children)
Am I the only person who insists bluetooth is disabled on all my devices, at all times?
(Score: 0) by Anonymous Coward on Friday May 06 2022, @06:47PM
No. Complete waste of power if you aren't using it.
(Score: 2) by FatPhil on Saturday May 07 2022, @12:28PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Friday May 06 2022, @10:21PM
You're misunderstanding the purpose of github. It's a social network, and like every social network for the hip and trendy its goal is to milk the tasty luserbase data and sell it to the highest bidder. 2FA is just another way to milk data, which is why it's typically only all the usual suspects in such matters who insist on requiring it.
(Score: 2) by cockroach on Friday May 06 2022, @02:32PM (5 children)
It's been a while since I last sent patches by e-mail. Guess that's coming back.
(Score: 2) by lentilla on Friday May 06 2022, @11:24PM (2 children)
No, patches via email will not be coming back.
Newly minted developers wouldn't know what to do with them, patch isn't natively available on MS Windows (assuming they knew of its existence), and whatever fancy IDE-de-jour won't include that facility.
Not to mention; if you send a patch via email; you are asking the lead developer to do extra work: pull a clean branch that matches your patch, apply the patch, commit the patch, and then fiddle the attribution to match your credentials.
You could send patches by email, but they will likely be ignored unless they fix something the lead developer thinks is really important (and they read their emails).
(Score: 3, Touché) by FatPhil on Saturday May 07 2022, @12:31PM (1 child)
No patch required, no fiddling required.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by lentilla on Sunday May 08 2022, @10:23PM
I had forgotten about that - thanks!
I went and read the manpage and this would fit easily into my workflow: sync mail using OfflineIMAP, bind a key in mutt (my mail client) to pipe the email to git-am, and we are off to the races. Ironically; and currently sitting in my too-hard basket; is that a number of my "corporate" email accounts require some kind of multi-factor magic to access, so I'm stuck using the web-client. Ironic because github wants 2FA, so the workaround is "use email", which requires 2FA. Why can't they just leave us alone? (Yes - I know why - doesn't mean I'm happy about it.)
Thanks again for the pointer. git is truly an awesome tool.
(Score: 2) by jb on Saturday May 07 2022, @06:33AM (1 child)
Sounds like a good thing to me. When patches are contributed by email:
1. Everyone subscribed to the list who wants to gets to review & comment on them.
and
2. They don't get committed *until* they've been reviewed.
That's always struck me as a much more suitable workflow for projects which care about code quality (and to a certain extent also transparency) than the big messy tangle of transient forks that git tends to encourage.
That's also how projects who use version control systems *other* than git still tend to do things.
(Score: 0) by Anonymous Coward on Saturday May 07 2022, @04:24PM
https://git-send-email.io/ [git-send-email.io]
(Score: 3, Interesting) by looorg on Friday May 06 2022, @02:48PM (9 children)
How are the alternatives (and what are they?)? Besides having your own at home etc. Anyone with some recommendations?
(Score: 2) by PiMuNu on Friday May 06 2022, @02:51PM (2 children)
https://about.gitlab.com/ [gitlab.com]
No "free" tier.
(Score: 3, Informative) by JoeMerchant on Friday May 06 2022, @03:22PM
There is a free tier if you're small enough:
https://about.gitlab.com/pricing/ [gitlab.com]
Most little / individually developed projects are small enough.
If you're getting serious about your project, maybe you should get serious enough to cough up ~$50/yr for hosting... (not at gitlab, but with generic hosting tools on a generic cloud server instance...)
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Friday May 06 2022, @05:55PM
The gitlab web interface doesn't work without javascript, sourcehut [sourcehut.org] seems to work fine and is free for contributors but not maintainers.
(Score: 2) by PiMuNu on Friday May 06 2022, @02:52PM
https://launchpad.net/ [launchpad.net]
Based around ubuntu's "bzr" DVCS. I really dislike git due to unusability issues, so was thinking about moving anyway.
(Score: 4, Informative) by rigrig on Friday May 06 2022, @03:18PM
Codeberg [codeberg.org] looks promising, or SourceHut [sourcehut.org] if you like like email.
No one remembers the singer.
(Score: 5, Informative) by JoeMerchant on Friday May 06 2022, @03:18PM
Muck Ficrosoft.
Anyone can host a git repo anywhere, it's just about the simplest thing possible to do.
Combine your git repo with a project management tool like trac [edgewall.org] and you're on-par with or better than over 99% of projects hosted on Microsoft's github. Couple it with a continuous integration tool like Jenkins [jenkins.io] and you're now world-class for the cost of hosting and bandwidth.
Not really.
🌻🌻 [google.com]
(Score: 2) by bmimatt on Friday May 06 2022, @07:17PM
Bitbucket.org, owned by Atlassian, offers a number of private repos for free.
(Score: 2) by Thexalon on Saturday May 07 2022, @03:40AM (1 child)
I'll freely admit that for solo projects that I don't anticipate distributing beyond my own boxes, I don't even have a repo, I just use git on my local source directory tree and get most of the benefits for a 1-person project without the (relatively minimal) bother of setting up a server.
Because while I can code, I don't feel like my code is so amazingly awesome the entire world would necessarily benefit from seeing it. I'm happy with it, if I'm doing it under contract my clients are happy with it, if I'm doing it for an employer my bosses are happy enough with it but have their own repos and systems they like, but I've never seen a benefit to putting it up on a public repo.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by maxwell demon on Saturday May 07 2022, @05:42AM
If you use git, you do have a repo. It sits in your source directory tree. As soon as you set up a server, you have two repos. One on the server and one in your source tree.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Friday May 06 2022, @05:23PM (1 child)
wait waht? did i get this right: in the future, you will have to resister and login to get access (push and/or pull) to free source code?
it's sad that monkey companies that manufacture nothing, now want to require and set a hardware to access their services?
holy sh1t, google/apple/microsoft goes "down" and the people cannot login to the chip manufacturing machine or the bank cannot process requests?
(Score: 1, Insightful) by Anonymous Coward on Friday May 06 2022, @06:51PM
Or if they decide to unperson you. Centralization of power is bad because it makes abuse easier to commit.
(Score: 1, Informative) by Anonymous Coward on Friday May 06 2022, @06:45PM
It was Israel
https://www.thelastamericanvagabond.com/another-mega-group-spy-scandal-samanage-sabotage-and-the-solarwinds-hack/ [thelastamericanvagabond.com]
(Score: 1, Insightful) by Anonymous Coward on Friday May 06 2022, @08:56PM (2 children)
If they support 2FA options based on strong cryptography with open specifications, multiple providers, and hardware token options (like FIDO2, WebAuthn, etc), it's possible that their stated reasons are the actual reasons. But even then, beware of pushes to use FIDO2 instead of a password... it should be in addition to a password, you want both "something you have" and "something you know" - swapping "something you know" for "something you have" just means an attacker will have to steal something, better to make them have to steal something and also capture a password like before.
If they only support 2FA options based on SMS or phone calls, all they want is to harvest some phone numbers. Phone company tech support staff do not in any way get paid enough to care about things like simjacking, and in some cases are actively encouraged to help attackers social-engineer your phone number away from you. Depending on the implementation, SMS-based 2FA can be worse than no 2FA at all, in particular if it is any way possible to request a password reset with the second factor without the original password. (If the original password is still required with all uses of the second factor, it's at least not worse than not having the second factor, ignoring the bit about phone number harvesting.) Not sure what the state of SMS eavesdropping is these days.
There are other options in between. eg. if email is an option, yeah that's not great either, and would perhaps indicate that they've been told to do 2FA but don't want to put much effort into it. But at least github already has email addresses of its users so there'd be no harvesting going on... plus there's at least a chance they'll use TLS to transmit the emails so that only you and your email provider would be likely to be able to read the 2FA code, and at least some email providers let you set up more proper 2FA.
(I don't know enough about TOTP to know how it ranks with the above; I assume it's better than SMS, phone calls, and emails; I know there are fully open implementations like oathtool+gpg but also phone apps like Google Authenticator and Authy for people who want something easier. But the lazy option is to run the TOTP client on the same device as you're trying to use to access the service, making it not really a second factor - a single keylogger will likely enable access to both your password and your supposed second factor, though there are also non-lazy options.)
(Score: 0) by Anonymous Coward on Saturday May 07 2022, @12:57AM (1 child)
Apparently a problem with TOTP and authenticator apps that FIDO2 solves to at least some degree is spoofing. If you get a temporary code, and enter it into the wrong site, that wrong site could go and enter it into the right site and impersonate you. But with FIDO2 that won't work at all, a change in origin changes the digital signatures used. Of course, all bets are off if an attacker takes over the origin, but this is harder than sending someone a bad link.
(Score: 0) by Anonymous Coward on Saturday May 07 2022, @04:59AM
There have been suggestions on ways to improve TOTP security against phishing. Like FIDO2 and newer authentication proposals, there are suggestions of having the user agent do more work in the background and entering the code into the user agent to create a response for the site instead of the site itself. Another favorite is adding the option to type an OTP provided by the user agent based on the authenticating domain into the authentication app, which then generates codes dependent on both the one-time, site-dependent PIN and the shared secret. There are others but there are also serious doubts of any of the proposals to make TOTP stronger will get very far since the industry seems convinced that hardware tokens, TPM-based (e.g. Hello), and phone-based authentication is the future.
(Score: 2, Interesting) by Anonymous Coward on Friday May 06 2022, @10:23PM (1 child)
I lost 2 github accounts because I made them with temporary emails. I used them for more than 2 years and then one day out of the blue it wanted a "verification" code.
It's hard getting an email these days if you don't want it tied to a phone # and thus your real identity. No matter, I did it. Now it asks for the verification code all the time but at least I can provide it.
2FA maybe has apps you can run without providing a phone number. If they make it so it doesn't, I will say goodbye to github permanently.
Locking people out and de-anonymizing them is just a method to stifle open source. Who is going to file bug reports or answer them now? Only people comfortable being identified. And what happens to all of those projects that aren't exactly illegal but frowned upon by corporate interests? Who indeed wants to get sued by google for contributing to yt-downloader?
Embrace, extend, extinguish.
(Score: 0) by Anonymous Coward on Saturday May 07 2022, @05:16AM
You can always write your own program to generate codes. It can be a great way to learn how to use the mathematical operators of your programming language of choice. I've had enterprising students write programs without using any libraries at all by implementing HMAC and the other algorithm dependencies themselves.
https://datatracker.ietf.org/doc/html/rfc6238 [ietf.org]
https://datatracker.ietf.org/doc/html/rfc6030 [ietf.org]
https://en.wikipedia.org/wiki/HMAC-based_one-time_password#Algorithm [wikipedia.org]