[zeromq-dev] ZeroMQ Github Org and 2-factor authentication

Luca Boccassi luca.boccassi at gmail.com
Thu Mar 30 14:26:29 CEST 2017


I've sent an email to all admins who do not have 2FA enabled. Hopefully
we can get a good response rate, and in a week's time we can decide
what to do if there are still some without 2FA.

On Thu, 2017-03-30 at 14:41 +0300, Doron Somech wrote:
> Sounds good, can we start with admins only?
> 
> On Thu, Mar 30, 2017 at 2:14 PM, Harald Achitz <harald.achitz at gmail.com>
> wrote:
> 
> > As a user: please make it a requirement for write access to have 2-factor
> > auth.
> > 
> > Thanks for having this idea and doing this initiative!
> > 
> > Regards
> > Harald
> > Sent from my fairphone
> > 
> > On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi at gmail.com>
> > wrote:
> > 
> > > Hello all,
> > > 
> > > There has been news recently of attacks targeting developers using
> > > Github, and whose account is part of organizations [1].
> > > 
> > > Github has been offering 2 factor authentication [2] for quite some
> > > time now, with options including a free TOTP phone app like the Google
> > > Authenticator or inexpensive U2F hardware tokens.
> > > 
> > > It is well known that having 2FA enabled greatly reduces the chance of
> > > having an account compromised, and the damage in case it happens.
> > > Dragnet-style attacks become much less effective, and directly targeted
> > > attacks to compromise both a machine and a token have to be deployed in
> > > order to be effective. It is, simply put, a really good idea to use 2FA.
> > > 
> > > In the Github ZeroMQ Org we have 114 members, of which 35 have admin
> > > permissions.
> > > Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
> > > NOT have 2FA enabled.
> > > 
> > > In case one of the members (especially an admin) had the account
> > > compromised, real damage could be caused.
> > > 
> > > So I would like to propose to enforce the use of 2FA, starting with the
> > > admin accounts [3]. I can email the individual accounts asking to do
> > > so, in case they do not monitor the mailing list.
> > > 
> > > What do you think? Any objections?
> > > 
> > > Kind regards,
> > > Luca Boccassi
> > > 
> > > [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> > > [2] https://help.github.com/articles/about-two-factor-authentication/
> > > [3] Github has a setting to make it mandatory for an organization, but
> > > I'm not proposing to use that just now, as it will automatically kick
> > > anyone who does not have 2FA, which is too extreme and not necessary at
> > > the moment.
> > > _______________________________________________
> > > zeromq-dev mailing list
> > > zeromq-dev at lists.zeromq.org
> > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
> > > 