Thanks Luca! On Wed, Apr 12, 2017 at 7:56 AM Luca Boccassi <[email protected]> wrote:
> 2 more admins have enabled 2FA (thanks!), that leaves 6 admins without.
>
> As discussed previously I've proceeded to demote those 6 admins to
> users, and contacted them again via email, asking to ping me when they
> enable 2FA to get promoted again. All ZeroMQ admins now have 2FA
> enabled.
>
> Now onto the remaining non-admin members. There are 50 users without
> 2FA who have an admin role in one or more individual repository
> (through teams) but not on the overall org.
>
> Later this weekend I'll compile the list and send the first individual
> emails asking to enable 2FA, and after that first wave we'll see how
> many are left and decide what to do.
>
> If you are a member of the Github ZeroMQ organisation and do not have
> 2FA enabled and you are reading this, please enable it! Thank you!
>
> On Tue, 2017-04-04 at 16:44 +0300, Doron Somech wrote:
> > Sounds good
> >
> > On Apr 4, 2017 15:27, "Luca Boccassi" <[email protected]> wrote:
> >
> > > 8 of the admins have now enabled 2FA (thanks!), but 7 still have not.
> > >
> > > I would like to propose the following:
> > >
> > > - sending a second reminder
> > > - if no answer is received or 2FA is not enabled by Monday evening GMT,
> > >   _temporarily_ demote admins to members (and state this in the reminder)
> > > - once 2FA is enabled, promote again to admin
> > >
> > > Does this approach sound reasonable?
> > >
> > > If the admins have missed the email because they are offline or on
> > > holiday, then they will not need admin access anyway in the meanwhile,
> > > so it should not cause any major disruption I think.
> > >
> > > If there are no objections I will send the email later today.
> > >
> > > Unfortunately there is no way to send a communication to the
> > > organization via Github, so I had to rely on the email used by each
> > > user for their commits. I hope I haven't missed anybody.
> > >
> > > On Thu, 2017-03-30 at 13:26 +0100, Luca Boccassi wrote:
> > > > I've sent an email to all admins who do not have 2FA enabled. Hopefully
> > > > we can get a good response rate, and in a week's time we can decide
> > > > what to do if there are still some without 2FA.
> > > >
> > > > On Thu, 2017-03-30 at 14:41 +0300, Doron Somech wrote:
> > > > > Sounds good, can we start with admins only?
> > > > >
> > > > > On Thu, Mar 30, 2017 at 2:14 PM, Harald Achitz <harald.achitz@gmail.com> wrote:
> > > > >
> > > > > > As a user: please make it a requirement for write access to have
> > > > > > 2 factor auth.
> > > > > >
> > > > > > Thanks for having this idea and doing this initiative!
> > > > > >
> > > > > > Regards
> > > > > > Harald
> > > > > > sent from my fairphone
> > > > > >
> > > > > > On Mar 30, 2017 12:37 PM, "Luca Boccassi" <luca.boccassi@gmail.com> wrote:
> > > > > >
> > > > > > > Hello all,
> > > > > > >
> > > > > > > There has been news recently of attacks targeting developers using
> > > > > > > Github, and whose account is part of organizations [1].
> > > > > > >
> > > > > > > Github has been offering 2 factor authentication [2] for quite some
> > > > > > > time now, with options including a free TOTP phone app like the Google
> > > > > > > Authenticator or inexpensive U2F hardware tokens.
> > > > > > >
> > > > > > > It is well known that having 2FA enabled greatly reduces the chance of
> > > > > > > having an account compromised, and the damage in case it happens.
> > > > > > > Dragnet-style attacks become much less effective, and directly targeted
> > > > > > > attacks to compromise both a machine and a token have to be deployed in
> > > > > > > order to be effective. It is, simply put, a really good idea to use 2FA.
> > > > > > >
> > > > > > > In the Github ZeroMQ Org we have 114 members, of which 35 have admin
> > > > > > > permissions.
> > > > > > > Of the 114 members, 59 do NOT have 2FA enabled. Of the 35 owners, 15 do
> > > > > > > NOT have 2FA enabled.
> > > > > > >
> > > > > > > In case one of the members (especially an admin) had the account
> > > > > > > compromised, real damage could be caused.
> > > > > > >
> > > > > > > So I would like to propose to enforce the use of 2FA, starting with the
> > > > > > > admin accounts [3]. I can email the individual accounts asking to do
> > > > > > > so, in case they do not monitor the mailing list.
> > > > > > >
> > > > > > > What do you think? Any objections?
> > > > > > >
> > > > > > > Kind regards,
> > > > > > > Luca Boccassi
> > > > > > >
> > > > > > > [1] https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
> > > > > > > [2] https://help.github.com/articles/about-two-factor-authentication/
> > > > > > > [3] Github has a setting to make it mandatory for an organization, but
> > > > > > > I'm not proposing to use that just now, as it will automatically kick
> > > > > > > anyone who does not have 2FA, which is too extreme and not necessary at
> > > > > > > the moment.
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > zeromq-dev mailing list
> > > > > > > [email protected]
> > > > > > > https://lists.zeromq.org/mailman/listinfo/zeromq-dev
