Hello all,

There have been news recently of attacks targeting developers using Github, and whose account is part of organizations [1].

Github has been offering 2 factor authentication [2] for quite some time now, with options including a free TOTP phone app like the Google Authenticator or inexpensive U2F hardware tokens. It is well known that having 2FA enabled greatly reduces the chance of having an account compromised, and the damage in case it happens. Dragnet-style attacks become much less effective, and directly targeted attacks to compromise both a machine and a token have to be deployed in order to be effective. It is, simply put, a really good idea to use 2FA.

In the Github ZeroMQ Org we have 114 members, of which 35 have admin permissions. Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do NOT have 2FA enabled. In case one of the members (especially an admin) had the account compromised, real damage could be caused.

So I would like to propose to enforce the use of 2FA, starting with the admin accounts [3]. I can email the individual accounts asking to do so, in case they do not monitor the mailing list.

What do you think? Any objections?

Kind regards,
Luca Boccassi

[1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
[2] https://help.github.com/articles/about-two-factor-authentication/
[3] Github has a setting to make it mandatory for an organization, but I'm not proposing to use that just now, as it will automatically kick anyone who does not have 2FA, which is too extreme and not necessary at the moment.
_______________________________________________ zeromq-dev mailing list [email protected] https://lists.zeromq.org/mailman/listinfo/zeromq-dev
