[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Luca Boccassi luca.boccassi at gmail.com
Wed Apr 12 13:55:15 CEST 2017


2 more admins have enabled 2FA (thanks!), that leaves 6 admins without.

As discussed previously I've proceeded to demote those 6 admins to
users, and contacted them again via email, asking to ping me when they
enable 2FA to get promoted again. All ZeroMQ admins now have 2FA
enabled.

Now onto the remaining non-admin members. There are 50 users without
2FA who have an admin role in one or more individual repositories
(through teams) but not on the overall org.

Later this weekend I'll compile the list and send the first individual
emails asking to enable 2FA, and after that first wave we'll see how
many are left and decide what to do.

If you are a member of the Github ZeroMQ organisation and do not have
2FA enabled and you are reading this, please enable it! Thank you!

On Tue, 2017-04-04 at 16:44 +0300, Doron Somech wrote:
> Sounds good
> 
> On Apr 4, 2017 15:27, "Luca Boccassi" <luca.boccassi at gmail.com> wrote:
> 
> > 8 of the admins have now enabled 2FA (thanks!), but 7 still have not.
> > 
> > I would like to propose the following:
> > 
> > - sending a second reminder
> > - if no answer is received or 2FA is not enabled by Monday evening GMT,
> >   _temporarily_ demote admins to members (and state this in the reminder)
> > - once 2FA is enabled, promote again to admin
> > 
> > Does this approach sound reasonable?
> > 
> > If the admins have missed the email because they are offline or on
> > holiday, then they will not need admin access anyway in the meanwhile,
> > so it should not cause any major disruption I think.
> > 
> > If there are no objections I will send the email later today.
> > 
> > Unfortunately there is no way to send a communication to the
> > organization via Github, so I had to rely on the email used by each
> > user for their commits. I hope I haven't missed anybody.
> > 
> > On Thu, 2017-03-30 at 13:26 +0100, Luca Boccassi wrote:
> > > I've sent an email to all admins who do not have 2FA enabled. Hopefully
> > > we can get a good response rate, and in a week's time we can decide
> > > what to do if there are still some without 2FA.
> > > 
> > > On Thu, 2017-03-30 at 14:41 +0300, Doron Somech wrote:
> > > > Sounds good, can we start with admins only?
> > > > 
> > > > On Thu, Mar 30, 2017 at 2:14 PM, Harald Achitz <harald.achitz at gmail.com>
> > > > wrote:
> > > > 
> > > > > As a user: please make it a requirement for write access to have
> > > > > 2-factor auth.
> > > > > 
> > > > > Thanks for having this idea and doing this initiative!
> > > > > 
> > > > > Regards
> > > > > Harald
> > > > > send from my fairphone
> > > > > 
> > > > > On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com>
> > > > > wrote:
> > > > > 
> > > > > > Hello all,
> > > > > > 
> > > > > > There has been news recently of attacks targeting developers
> > > > > > using Github whose accounts are part of organizations [1].
> > > > > > 
> > > > > > Github has been offering 2 factor authentication [2] for quite
> > > > > > some time now, with options including a free TOTP phone app like
> > > > > > the Google Authenticator or inexpensive U2F hardware tokens.
> > > > > > 
> > > > > > It is well known that having 2FA enabled greatly reduces the
> > > > > > chance of having an account compromised, and the damage in case it
> > > > > > happens. Dragnet-style attacks become much less effective, and
> > > > > > directly targeted attacks to compromise both a machine and a token
> > > > > > have to be deployed in order to be effective. It is, simply put,
> > > > > > a really good idea to use 2FA.
> > > > > > 
> > > > > > In the Github ZeroMQ Org we have 114 members, of which 35 have
> > > > > > admin permissions.
> > > > > > Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners,
> > > > > > 15 do NOT have 2FA enabled.
> > > > > > 
> > > > > > In case one of the members (especially an admin) had the account
> > > > > > compromised, real damage could be caused.
> > > > > > 
> > > > > > So I would like to propose to enforce the use of 2FA, starting
> > > > > > with the admin accounts [3]. I can email the individual accounts
> > > > > > asking to do so, in case they do not monitor the mailing list.
> > > > > > 
> > > > > > What do you think? Any objections?
> > > > > > 
> > > > > > Kind regards,
> > > > > > Luca Boccassi
> > > > > > 
> > > > > > [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> > > > > > [2] https://help.github.com/articles/about-two-factor-authentication/
> > > > > > [3] Github has a setting to make it mandatory for an
> > > > > > organization, but I'm not proposing to use that just now, as it
> > > > > > will automatically kick anyone who does not have 2FA, which is
> > > > > > too extreme and not necessary at the moment.
> > > > > > _______________________________________________
> > > > > > zeromq-dev mailing list
> > > > > > zeromq-dev at lists.zeromq.org
> > > > > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> > > > > > 
> > > > > 
> > > > > 
> > > > 
> > 
> > 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: This is a digitally signed message part
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20170412/efab641d/attachment.sig>
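The thread above works through a 2FA roll-out in two waves: first the org owners, then the members who hold an admin role on individual repositories through a team but are not owners. The audit that produces those two lists can be done offline against the data GitHub's REST API returns. The following is an added example written for this page, not code from the ZeroMQ project or from anyone in the thread; the endpoint paths in the docstring are assumptions to be checked against the current GitHub API documentation, and the member, owner and team data at the bottom is constructed sample input, not the real ZeroMQ org.

```python
"""
Offline 2FA audit modelled on GitHub org/team data (added example, not ZeroMQ code).

Assumed data sources (assumptions; verify against the GitHub REST API docs):
  GET /orgs/{org}/members?filter=2fa_disabled  -> logins of members without 2FA
  GET /orgs/{org}/members?role=admin           -> logins of org owners
  GET /orgs/{org}/teams/{team_slug}/members    -> logins in a team
  GET /orgs/{org}/teams/{team_slug}/repos      -> repos with a "permissions" dict
The functions below take that data as plain Python values so they run offline.
"""
from dataclasses import dataclass


@dataclass
class Team:
    slug: str
    members: list   # member logins, as returned by the team members endpoint
    repos: dict     # repo name -> {"admin": bool, "push": bool, "pull": bool}


def repo_admins_via_teams(teams):
    """Map each login to the set of repos where some team grants it admin."""
    admins = {}
    for team in teams:
        admin_repos = {name for name, perms in team.repos.items() if perms.get("admin")}
        if not admin_repos:
            continue   # team only grants push/pull; not in scope for the second wave
        for login in team.members:
            admins.setdefault(login, set()).update(admin_repos)
    return admins


def audit(no_2fa_logins, owner_logins, teams):
    """
    Split members without 2FA into the two waves described in the thread:
      - org owners without 2FA (first wave, candidates for temporary demotion)
      - non-owners without 2FA who are admin on at least one repo via a team
        (second wave), mapped to the sorted list of those repos
    """
    no_2fa = set(no_2fa_logins)
    owners = set(owner_logins)
    owners_without_2fa = sorted(owners & no_2fa)
    via_teams = repo_admins_via_teams(teams)
    second_wave = {
        login: sorted(repos)
        for login, repos in via_teams.items()
        if login in no_2fa and login not in owners
    }
    return owners_without_2fa, second_wave


def reminder_lines(owners_without_2fa, second_wave):
    """One line per affected login, suitable for driving individual emails."""
    lines = [f"{login}: org owner without 2FA" for login in owners_without_2fa]
    for login, repos in sorted(second_wave.items()):
        lines.append(f"{login}: repo admin without 2FA on {', '.join(repos)}")
    return lines


# Constructed sample data (not the real ZeroMQ org membership).
SAMPLE_NO_2FA = ["alice", "bob", "carol"]
SAMPLE_OWNERS = ["alice", "dave"]
SAMPLE_TEAMS = [
    Team("core", ["bob", "dave"],
         {"libzmq": {"admin": True, "push": True, "pull": True}}),
    Team("docs", ["carol", "erin"],
         {"zeromq.org": {"admin": False, "push": True, "pull": True}}),
]


def run_sample():
    """Run the audit on the constructed data and return both waves."""
    return audit(SAMPLE_NO_2FA, SAMPLE_OWNERS, SAMPLE_TEAMS)


if __name__ == "__main__":
    owners, wave2 = run_sample()
    for line in reminder_lines(owners, wave2):
        print(line)
```

On the sample data, alice is the only owner without 2FA, bob lands in the second wave because the core team gives him admin on libzmq, and carol is skipped because the docs team only grants push. Feeding the real API responses in place of the constructed lists is the only change needed to reproduce the counts quoted in the thread for an org you own.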

