trash
43
@aeroplain
link
fedilink
3
edit-2
3 meses

deleted by creator

@southerntofu
link
fedilink
09 meses

I don’t agree:

  1. Encouraging hardware tokens and multi-factor auth paves the way for less pseudonymity across the network: this is the dream of all governments and secret services, and does not help protect users from abuse (nicknames are a useful feature when you’re targeted by harassment campaigns)
  2. Most people don’t have decent security: if you force everyone you use MFA or PGP signatures, the scheme becomes meaningless. It’s supposed to be a marker of additional security measures, but if everyone and their bad practices uses it, malicious code will slip through anyway but we may be desensitized from that idea
  3. As @Ghast@lemmy.ml pointed out, pushing code from scripts is a common pattern. Of course it could be hacked and become a problem for security, but that’s still a more-than-valid usecase.
@jokeyrhyme
link
fedilink
1
edit-2
9 meses

1:

You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

And security keys can be independently manufactured (even by ourselves) and disposed of when desired: https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing

I don’t disagree that many governments aim to increase surveillance, but non-SMS 2FA can be used to thwart government access to our accounts, so I don’t think you can accurately state that 2FA is a pro-government mechanism

Anonymity (which I am generally in favour of) can protect victims of abuse, yes, but it can also protect online abusers, so I don’t think absolute statements about it are helpful

2:

It has always been possible (and likely) to misuse encryption technology in ways that jeopardise security

So, I don’t think it’s true that the presence of alleged mechanisms are intended to be marker of quality/security/etc

Independent security audits and reviews are a better marker, as this is the only way you can know if a service is correctly hashing+salting your password in a database instead of storing it in plain text

You’re argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

3:

I agree, this is a huge current use case

We don’t have the details yet, but, I will speculate that GitHub will leave SSH authentication alone, but you’ll need MFA to use the website/app, so you’ll need MFA to e.g. add a new SSH key to an account/repository

@southerntofu
link
fedilink
19 meses

You don’t need to add a phone number at all: https://lemmy.ml/post/257191/comment/176967

At least they support TOTP. I heard lately a lot of service providers (including banks) are dropping TOTP in favor of hardware tokens and phone apps. That’s a worrying trend.

And security keys can be independently manufactured (even by ourselves) and disposed of when desired

I think that’s part of the problem: we don’t need or want junk electronics for every single person/identity that goes online. It brings little benefits (a hardware token is much easier to steal than a private TOTP key on an encrypted system) and is bound to help destroy the environment ever more.

Anonymity (…) can protect victims of abuse, yes, but it can also protect online abusers

For sure, but there is a power imbalance that pseudonymity helps address. Harassers/stalkers/rapists are often empowered by their local legal system and law enforcement agencies: Facebook introduced a “real name” policy about 10 years ago pretending it would magically stopped harassment… has it?

You’re argument here is like saying HTTPS is meaningless now that almost everyone is using it, when the security uplift is such a huge net positive for everyone

I agree HTTPS is good (although it would be better with encrypted SNI and such). But 2FA for a centralized capitalist platform has nothing to do with security. If you want more-secure code distribution, use PGP git signatures and a distribution mechanism like guix channel introductions.

you’ll need MFA to use the website/app

That’s already the case to some extent, and i hate it. I hate that Github forces me to open my mail client every time i want to login (because my Tor browser doesn’t keep cookies across sessions).

Of course, it depends on your usecase. I use Github for minor contributions to volunteer projects. In this specific case, anything that gets in the way of user contribution is in my view a problem.

Thanks for sharing your thoughts. I hope you understand the nuance i’m trying to bring and that i’m not opposed to security practices in general. Hell, i would love if i could use PGP/SSH auth everywhere… :D

@jokeyrhyme
link
fedilink
19 meses

2FA for a centralized capitalist platform has nothing to do with security.

Really, nothing? Nothing at all? Not even a teensy bit?

Absolute statements like this are almost always inaccurate, because it’s incredibly difficult to know the heart/mind of someone else and what truly motivates them

@southerntofu
link
fedilink
1
edit-2
9 meses

Nope, nothing at all. It’s just a masquerade. I don’t like absolutist statements in general, but in that specific case, multi-factor auth does not provide code signature to other users, it’s just a gatekeeping mechanism for Github to authenticate you. This means whether they have a security breach or someone at Github wants to harm you, they definitely can push out malicious updates in your name, and therefore such measures have nothing to do with security in the context of “who wrote the code i’m downloading?”.

It’s a little bit like banks: they may require all the security measures they like, at the end of the day they can run away with all our money like they did in Greece and there’s absolutely nothing we can do about it.

To be fair, multi-factor authentication can help reduce the most obvious cases of password theft (eg. via a virus on a single device). But it does very little to stop phishing (unless using TOTP precisely, which is slowly becoming unsupported), bit/typo-squatting, etc.

@jokeyrhyme
link
fedilink
1
edit-2
9 meses

It sounds like your use case requires more assurances than can be provided by any external hosting provider

So, your best bet is to self-host, in which case you aren’t using GitHub, and these 2FA changes aren’t impacting you at all, and you don’t have to feel disturbed by them

@southerntofu
link
fedilink
29 meses

For my personal usecase i don’t care too much about code signatures or 2FA. I’m just pointing out that code signature (PGP-signed commits/refs) would do so much more for security than whatever SMS charade they’re gonna setup ;)

@jokeyrhyme
link
fedilink
29 meses

Of course, it depends on your usecase.

This is probably the most important thing anyone has said on this whole page

@angarabebesi
link
fedilink
-19 meses

not really

@Ghast
link
fedilink
59 meses

I’d find this a niussance. I use automatic git merges and pushes through ssh keys.

Perhaps the article is trying to talk about removing ‘password-only’ authentication, but what it says is that it requires ‘one or more forms of two-factor authentication’, which suggests a second or third form of authentication, so ssh-keys-only seems like it’s out.

Privacy
!privacy
Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 9 users / day
  • 20 users / week
  • 94 users / month
  • 298 users / 6 months
  • 5.57K subscribers
  • 2.06K Posts
  • 7.65K Comments
  • Modlog