[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Luca Boccassi luca.boccassi at gmail.com
Tue Apr 4 14:20:51 CEST 2017


8 of the admins have now enabled 2FA (thanks!), but 7 still have not.

I would like to propose the following:

- sending a second reminder
- if no answer is received or 2FA is not enabled by Monday evening GMT,
_temporarily_ demote admins to members (and state this in the reminder)
- once 2FA is enabled, promote again to admin

Does this approach sound reasonable?

If the admins have missed the email because they are offline or on
holiday, then they will not need admin access anyway in the meanwhile,
so it should not cause any major disruption I think.

If there are no objections I will send the email later today.

Unfortunately there is no way to send a communication to the
organization via Github, so I had to rely on the email used by each
user for their commits. I hope I haven't missed anybody.

On Thu, 2017-03-30 at 13:26 +0100, Luca Boccassi wrote:
> I've sent an email to all admins who do not have 2FA enabled.
> Hopefully
> we can get a good response rate, and in a week's time we can decide
> what to do if there are still some without 2FA.
> 
> On Thu, 2017-03-30 at 14:41 +0300, Doron Somech wrote:
> > Sounds good, can we start with admins only?
> > 
> > On Thu, Mar 30, 2017 at 2:14 PM, Harald Achitz <harald.achitz at gmail.com>
> > wrote:
> > 
> > > As a user: please make it a requirement for write access to have
> > > 2-factor auth.
> > > 
> > > Thanks for having this idea and doing this initiative!
> > > 
> > > Regards
> > > Harald
> > > send from my fairphone
> > > 
> > > On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com>
> > > wrote:
> > > 
> > > > Hello all,
> > > > 
> > > > There have been news recently of attacks targeting developers
> > > > using
> > > > Github, and whose account is part of organizations [1].
> > > > 
> > > > Github has been offering 2 factor authentication [2] for quite
> > > > some
> > > > time now, with options including a free TOTP phone app like the
> > > > Google
> > > > Authenticator or inexpensive U2F hardware tokens.
> > > > 
> > > > It is well known that having 2FA enabled greatly reduces the
> > > > chance of having an account compromised, and the damage in case
> > > > it happens. Dragnet-style attacks become much less effective, and
> > > > directly targeted attacks that compromise both a machine and a
> > > > token have to be deployed in order to be effective. It is, simply
> > > > put, a really good idea to use 2FA.
> > > > 
> > > > In the Github ZeroMQ Org we have 114 members, of which 35 have
> > > > admin
> > > > permissions.
> > > > Of the 114 members, 59 do NOT have 2FA enabled. Of the 35
> > > > owners,
> > > > 15 do
> > > > NOT have 2FA enabled.
> > > > 
> > > > In case one of the members (especially an admin) had the
> > > > account
> > > > compromised, real damage could be caused.
> > > > 
> > > > So I would like to propose to enforce the use of 2FA, starting
> > > > with the
> > > > admin accounts [3]. I can email the individual accounts asking
> > > > to
> > > > do
> > > > so, in case they do not monitor the mailing list.
> > > > 
> > > > What do you think? Any objections?
> > > > 
> > > > Kind regards,
> > > > Luca Boccassi
> > > > 
> > > > [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> > > > [2] https://help.github.com/articles/about-two-factor-authentication/
> > > > [3] Github has a setting to make it mandatory for an
> > > > organization, but
> > > > I'm not proposing to use that just now, as it will
> > > > automatically
> > > > kick
> > > > anyone who does not have 2FA, which is too extreme and not
> > > > necessary at
> > > > the moment.
> > > > _______________________________________________
> > > > zeromq-dev mailing list
> > > > zeromq-dev at lists.zeromq.org
> > > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> > > > 
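As an added illustration (not part of the thread and not ZeroMQ project code), the audit Luca describes can be reproduced with GitHub's members endpoint, which accepts `role=admin` and `filter=2fa_disabled` when called with an organization owner's token; the script below computes the member/admin counts and the list of admin logins to remind, and ships with a constructed sample org so it runs offline. The org slug `zeromq`, the token handling and the sample membership are assumptions.

```python
"""Audit which organization members and admins lack 2FA, via GitHub's REST API."""
import json
import urllib.parse
import urllib.request

API = "https://api.github.com"


def github_get(path: str, token: str) -> list:
    """Fetch one page of a list endpoint; an org-owner token is needed for filter=2fa_disabled."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"token {token}",
                                                      "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_members(org: str, role: str, filter_: str, get, per_page: int = 100) -> set:
    """Collect logins from /orgs/{org}/members, walking pages until GitHub returns an empty one."""
    logins, page = set(), 1
    while True:
        batch = get(f"/orgs/{org}/members?role={role}&filter={filter_}&per_page={per_page}&page={page}")
        if not batch:
            return logins
        logins.update(user["login"] for user in batch)
        page += 1


def audit_2fa(org: str, get) -> dict:
    """Produce the counts from the proposal plus the admin logins that still need a reminder."""
    admins_no_2fa = list_members(org, "admin", "2fa_disabled", get)
    return {"members": len(list_members(org, "all", "all", get)),
            "members_without_2fa": len(list_members(org, "all", "2fa_disabled", get)),
            "admins": len(list_members(org, "admin", "all", get)),
            "admins_without_2fa": len(admins_no_2fa),
            "remind": sorted(admins_no_2fa)}


# Constructed sample org (not the real ZeroMQ membership) so the audit can run offline.
SAMPLE = {"admin": {"alice", "bob", "carol"},
          "all": {"alice", "bob", "carol", "dave", "erin"},
          "2fa_disabled": {"bob", "dave"}}


def sample_get(path: str) -> list:
    """Stand-in for github_get that serves SAMPLE and honours role, filter, per_page and page."""
    q = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(path).query))
    pool = SAMPLE[q["role"]]
    if q["filter"] == "2fa_disabled":
        pool = pool & SAMPLE["2fa_disabled"]
    per_page, page = int(q["per_page"]), int(q["page"])
    return [{"login": login} for login in sorted(pool)[(page - 1) * per_page:page * per_page]]
```

Against the live API, call `audit_2fa("zeromq", lambda p: github_get(p, token))` with an owner token; against the sample, `audit_2fa("zeromq", sample_get)` reports one admin (`bob`) to remind.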