[zeromq-dev] ZeroMQ Github Org and 2-factor authentication
Brian Knox
bknox at digitalocean.com
Wed Apr 12 14:44:00 CEST 2017
Thanks Luca!
On Wed, Apr 12, 2017 at 7:56 AM Luca Boccassi <luca.boccassi at gmail.com>
wrote:
> 2 more admins have enabled 2FA (thanks!), that leaves 6 admins without.
>
> As discussed previously I've proceeded to demote those 6 admins to
> users, and contacted them again via email, asking to ping me when they
> enable 2FA to get promoted again. All ZeroMQ admins now have 2FA
> enabled.
>
> Now onto the remaining non-admin members. There are 50 users without
> 2FA who have an admin role in one or more individual repository
> (through teams) but not on the overall org.
>
> Later this weekend I'll compile the list and send the first individual
> emails asking to enable 2FA, and after that first wave we'll see how
> many are left and decide what to do.
>
> If you are a member of the Github ZeroMQ organisation and do not have
> 2FA enabled and you are reading this, please enable it! Thank you!
>
> On Tue, 2017-04-04 at 16:44 +0300, Doron Somech wrote:
> > Sounds good
> >
> > On Apr 4, 2017 15:27, "Luca Boccassi" <luca.boccassi at gmail.com>
> > wrote:
> >
> > > 8 of the admins have now enabled 2FA (thanks!), but 7 still have
> > > not.
> > >
> > > I would like to propose the following:
> > >
> > > - sending a second reminder
> > > - if no answer is received or 2FA is not enabled by Monday evening
> > > GMT, _temporarily_ demote admins to members (and state this in the
> > > reminder)
> > > - once 2FA is enabled, promote again to admin
> > >
> > > Does this approach sound reasonable?
> > >
> > > If the admins have missed the email because they are offline or on
> > > holiday, then they will not need admin access anyway in the meanwhile,
> > > so it should not cause any major disruption I think.
> > >
> > > If there are no objections I will send the email later today.
> > >
> > > Unfortunately there is no way to send a communication to the
> > > organization via Github, so I had to rely on the email used by each
> > > user for their commits. I hope I haven't missed anybody.
> > >
> > > On Thu, 2017-03-30 at 13:26 +0100, Luca Boccassi wrote:
> > > > I've sent an email to all admins who do not have 2FA enabled.
> > > > Hopefully we can get a good response rate, and in a week's time we
> > > > can decide what to do if there are still some without 2FA.
> > > >
> > > > On Thu, 2017-03-30 at 14:41 +0300, Doron Somech wrote:
> > > > > Sounds good, can we start with admins only?
> > > > >
> > > > > On Thu, Mar 30, 2017 at 2:14 PM, Harald Achitz <harald.achitz at gmail.com>
> > > > > wrote:
> > > > >
> > > > > > As a user: please make it a requirement for write access to
> > > > > > have 2-factor auth.
> > > > > >
> > > > > > Thanks for having this idea and doing this initiative!
> > > > > >
> > > > > > Regards
> > > > > > Harald
> > > > > > send from my fairphone
> > > > > >
> > > > > > On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Hello all,
> > > > > > >
> > > > > > > There has been news recently of attacks targeting developers
> > > > > > > using Github, and whose account is part of organizations [1].
> > > > > > >
> > > > > > > Github has been offering 2 factor authentication [2] for quite
> > > > > > > some time now, with options including a free TOTP phone app like
> > > > > > > the Google Authenticator or inexpensive U2F hardware tokens.
> > > > > > >
> > > > > > > It is well known that having 2FA enabled greatly reduces the
> > > > > > > chance of having an account compromised, and the damage in case
> > > > > > > it happens. Dragnet-style attacks become much less effective, and
> > > > > > > directly targeted attacks to compromise both a machine and a
> > > > > > > token have to be deployed in order to be effective. It is,
> > > > > > > simply put, a really good idea to use 2FA.
> > > > > > >
> > > > > > > In the Github ZeroMQ Org we have 114 members, of which 35 have
> > > > > > > admin permissions.
> > > > > > > Of the 114 members, 59 do NOT have 2FA enabled. Of the 35
> > > > > > > owners, 15 do NOT have 2FA enabled.
> > > > > > >
> > > > > > > In case one of the members (especially an admin) had the
> > > > > > > account compromised, real damage could be caused.
> > > > > > >
> > > > > > > So I would like to propose to enforce the use of 2FA, starting
> > > > > > > with the admin accounts [3]. I can email the individual accounts
> > > > > > > asking to do so, in case they do not monitor the mailing list.
> > > > > > >
> > > > > > > What do you think? Any objections?
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Luca Boccassi
> > > > > > >
> > > > > > > [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> > > > > > > [2] https://help.github.com/articles/about-two-factor-authentication/
> > > > > > > [3] Github has a setting to make it mandatory for an
> > > > > > > organization, but I'm not proposing to use that just now, as it
> > > > > > > will automatically kick anyone who does not have 2FA, which is
> > > > > > > too extreme and not necessary at the moment.
> > > > > > > _______________________________________________
> > > > > > > zeromq-dev mailing list
> > > > > > > zeromq-dev at lists.zeromq.org
> > > > > > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > >
> > >
> >
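The two audits Luca runs in the thread (org-level admins without 2FA, who get temporarily demoted, and members without 2FA who hold admin on at least one repository through a team but are not org admins) can be reproduced as a small script. The code below is an added example and is not part of the mailing-list thread or of any ZeroMQ tooling. It works on constructed sample data shaped like GitHub's REST responses (members with a `login`, teams with a per-repository `permissions` level); the organisation name, team names and logins are made up. GitHub's list-members endpoint accepts `filter=2fa_disabled` for the first query, and the team-repository listing exposes the permission level used for the second; both are assumed here only in comments, the script itself runs offline.

```python
"""Audit an organisation's members for missing 2FA (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Member:
    login: str
    org_role: str        # "admin" (org owner) or "member"
    two_factor: bool     # True if 2FA is enabled on the account


@dataclass
class Team:
    name: str
    members: list[str]                   # logins
    repo_permissions: dict[str, str]     # repo name -> "admin" | "push" | "pull"


# Constructed sample data. In practice the member list would come from
# GET /orgs/{org}/members (use filter=2fa_disabled to get only accounts
# lacking 2FA; requires an org owner token) and the team data from the
# teams API, which reports the permission each team holds on each repo.
MEMBERS = [
    Member("alice", "admin", True),
    Member("bob", "admin", False),
    Member("carol", "member", False),
    Member("dave", "member", True),
    Member("erin", "member", False),
    Member("frank", "admin", False),
]
TEAMS = [
    Team("core", ["alice", "bob", "carol"], {"libzmq": "admin", "czmq": "push"}),
    Team("docs", ["dave", "erin"], {"zeromq.org": "push"}),
    Team("bindings", ["erin", "frank"], {"pyzmq": "admin"}),
]


def admins_without_2fa(members: list[Member]) -> list[str]:
    """Org-level admins who have not enabled 2FA (the first wave in the thread)."""
    return sorted(m.login for m in members if m.org_role == "admin" and not m.two_factor)


def repo_admins_without_2fa(members: list[Member], teams: list[Team]) -> dict[str, list[str]]:
    """Non-admin members lacking 2FA who hold admin on one or more repos via a team.

    Returns login -> sorted list of repos on which that login is admin.
    """
    org_admins = {m.login for m in members if m.org_role == "admin"}
    no_2fa = {m.login for m in members if not m.two_factor}
    found: dict[str, set[str]] = {}
    for team in teams:
        admin_repos = {repo for repo, perm in team.repo_permissions.items() if perm == "admin"}
        if not admin_repos:
            continue
        for login in team.members:
            if login in no_2fa and login not in org_admins:
                found.setdefault(login, set()).update(admin_repos)
    return {login: sorted(repos) for login, repos in sorted(found.items())}


def demotion_plan(members: list[Member]) -> list[Member]:
    """Members as they would look after temporarily demoting admins lacking 2FA.

    Only the role changes; 2FA state is untouched, so re-promotion is a matter
    of re-running the audit once the account reports two_factor=True.
    """
    return [
        Member(m.login, "member" if (m.org_role == "admin" and not m.two_factor) else m.org_role, m.two_factor)
        for m in members
    ]


def summary(members: list[Member]) -> dict[str, int]:
    """Headline counts in the form the original announcement used."""
    admins = [m for m in members if m.org_role == "admin"]
    return {
        "members": len(members),
        "admins": len(admins),
        "members_without_2fa": sum(1 for m in members if not m.two_factor),
        "admins_without_2fa": sum(1 for m in admins if not m.two_factor),
    }


if __name__ == "__main__":
    print("summary:", summary(MEMBERS))
    print("org admins without 2FA:", admins_without_2fa(MEMBERS))
    print("repo admins (via teams) without 2FA:", repo_admins_without_2fa(MEMBERS, TEAMS))
    print("admins still without 2FA after demotion:", admins_without_2fa(demotion_plan(MEMBERS)))
```

The second query is the one worth automating: an account that is only a plain org member can still hold admin on a repository through a team, so an org-wide "who is admin" check misses it, which is why the thread's count of 50 such users came from a separate pass.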