Code locker has figured out it's a giant honeypot for miscreants planning supply chain attacks
GitHub has announced that it will require two factor authentication for users who contribute code on its service.
"The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog. "Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain."
Readers will doubtless recall that attacks on development supply chains have recently proven extremely nasty. Exhibit A: the Russian operatives that slipped malware into SolarWinds' Orion monitoring tool and used it to gain access to over 18,000 companies. GitHub has also had its own problems, such as when access to npm was compromised.
Hence its decision to require 2FA "by the end of 2023" for users who commit code, open or merge pull requests, use Actions, or publish packages. GitHub already offers 2FA, requires contributors of popular packages (including npm) to employ it, and states that 16.5 per cent of active users already employ the technique.
(Score: 2, Interesting) by Anonymous Coward on Friday May 06 2022, @10:23PM (1 child)
I lost 2 github accounts because I made them with temporary emails. I used them for more than 2 years and then one day out of the blue it wanted a "verification" code.
It's hard getting an email these days if you don't want it tied to a phone # and thus your real identity. No matter, I did it. Now it asks for the verification code all the time but at least I can provide it.
2FA maybe has apps you can run without providing a phone number. If they make it so it doesn't, I will say goodbye to github permanently.
Locking people out and de-anonymizing them is just a method to stifle open source. Who is going to file bug reports or answer them now? Only people comfortable being identified. And what happens to all of those projects that aren't exactly illegal but frowned upon by corporate interests? Who indeed wants to get sued by google for contributing to yt-downloader?
Embrace, extend, extinguish.
(Score: 0) by Anonymous Coward on Saturday May 07 2022, @05:16AM
You can always write your own program to generate codes. It can be a great way to learn how to use the mathematical operators of your programming language of choice. I've had enterprising students write programs without using any libraries at all by implementing HMAC and the other algorithm dependencies themselves.
https://datatracker.ietf.org/doc/html/rfc6238 [ietf.org]
https://datatracker.ietf.org/doc/html/rfc6030 [ietf.org]
https://en.wikipedia.org/wiki/HMAC-based_one-time_password#Algorithm [wikipedia.org]