undefined | Better HN

0 pointshangonhn1y ago0 comments

I imagine it might be easier to just compromise a weakly protected account than to actual put in a 2 years long effort with real contributions. If we mandated MFA for all contributors who contribute to these really important projects then we can know with greater certainty if it was really a long con vs. a recently compromised account.

0 comments

tw041y ago

For some random server, sure. For a state sponsored attack? Having an embedded exploit you can use when convenient, or better yet an unknown exploit affecting every linux-based system connected to the internet that you can use when war breaks out - that's invaluable.

eru1y ago

Yes, but even states have only finite resources, so even for them compromising an account would be cheaper.

(But you are right that a sleeper would be affordable for them.)

treflop1y ago

Having one or two people on payroll to occasionally add commits to a project isn't exactly that expensive if it pays off. There are ~29,000,000 US government employees (federal, state and local). Other countries like China and India have tens of millions of government employees.

2 more replies

dgellow1y ago

It’s a very cheap investment given the blast radius

guinea-unicorn1y ago

I find it funny how MFA is treated as if it would make account takeover suddenly impossible. It's just a bit more work, isn't it? And a big loss in convenience.

I'd much rather see passwords entirely replaced by key-based authentication. That would improve security. Adding 2FA to my password is just patching a fundamentally broken system.

ryukoposting1y ago

Customer service at one of my banks has an official policy of sending me a verification code via email that I then read to them over the phone, and that's not even close to the most "wrong" 2FA implementation I've ever seen. Somehow that institution knows what a YubiKey is, but several major banks don't.

eairy1y ago

I'm security consultant in the financial industry. I've literally been involved in the decision making on this at a bank. Banks are very conservative, and behave like insecure teenagers. They won't do anything bold, they all just copy each other.

I pushed YubiKey as a solution and explained in detail why SMS was an awful choice, but they went with SMS anyway.

It mostly came down to cost. SMS was the cheapest option. YubiKey would involve buying and sending the keys to customers, and they having the pain/cost of supporting them. There was also the feeling that YubiKeys were too confusing for customers. The nail in the coffin was "SMS is the standard solution in the industry" plus "If it's good enough for VISA it's good enough for us".

3 more replies

Liquix1y ago

Financial institutions are very slow to adopt new tech. Especially tech that will inevitably cost $$$ in support hours when users start locking themselves out of their accounts. There is little to no advantage to being the first bank to implement YubiKey 2FA. To a risk-averse org, the non-zero chance of a botched rollout or displeased customers outweighs any potential benefit.

4 more replies

gonzo411y ago

Banks are in a tough spot. Remember, banks have you as a customer, they also have a 100 year old person who still wants to come to the branch in person as a customer. Not everyone can grapple with the idea of a Yubikey, or why their bank shouldn't be protecting their money like it did in the past.

1 more reply

krinchan1y ago

Just say BofA.

1 more reply

hangonhnOP1y ago

yeah someone replied to one of my comments about adding MFA that an attacker can get around all that simply by buying the account from the author. I was way too narrowly focused on the technical aspects and was completely blind to other avenues like social engineering, etc.

All very fair points.

1 more reply

fsckboy1y ago

>I'd much rather see passwords entirely replaced by key-based authentication

I've never understood how key-based systems are considered better. I understand the encryption angle, nobody is compromising that. But now I have a key I need to personally shepherd? where do I keep it, and my backups, and what is the protection on those places? how many local copies, how many offsite? And I still need a password to access/use it, but with no recourse should I lose or forget. how am I supposed to remember that? It's all just kicking the same cans down the same roads.

AgentME1y ago

Passkeys are being introduced right now in browsers and popular sites like a MFA option, but I think the intention is that they will grow and become the main factor in the future.

riddley1y ago

From what I've seen they're all controlled by huge tech companies. Hard pass.

5 more replies

apitman1y ago

https://xkcd.com/538/

gamer1911y ago

This PR from July 8 2023 is suspicious, so it was very likely a long con: https://github.com/google/oss-fuzz/pull/10667

bobba271y ago

This is a state sponsored event. Pretty poorly executed though as they were tweaking and modifying things in their and other tools after the fact though.

As a state sponsored project. What makes you think this is their only project and that this is a big setback? I am paranoid myself to think yesterdays meeting went like : "team #25 has failed/been found out. Reallocate resources to the other 49 teams."

LtWorf1y ago

As I said recently in a talk I gave, 2FA as implemented by pypy or github is meaningless, when in fact all actions are performed via tokens that never expire, that are saved inside a .txt file on the disk.

heyoni1y ago

Passwords have full scope of permission while session tokens can be limited.

LtWorf1y ago

In pypi to obtain a token that is limited in scope you must first generate an unlimited token.

True story.

In gh you can generate a limited one, but it's not really clear on what the permissions actually mean, so it's trial and error… which means most people will get tired and grant random stuff to have them working.

1 more reply

CapstanRoller1y ago

Doesn't GH explicitly warn against using non-expiring tokens?

yrro1y ago

I wonder what the point is, I don't remember GitHub warning me that I've used the se SSH key for years...

LtWorf1y ago

And?

EasyMark1y ago

they might not have been playing the long con. maybe approached by actors willing to pay them a lot of money to try and slip in a back door. I'm sure a deep dive into code contributions would clear that up for anyone familiar with the code base and some free time.

bobba271y ago

They did fuck up quite a bit though. They injected their payload before they checked if oss-fuzz or valgrind or ... would notice something wrong. That is sloppy and should have been anticipated and addressed BEFORE activating the code.

Anyway. This team got caught. What are the odds that this state-actor that did this, that this was the only project / team / library that they decided to attack?

account421y ago

Using sockpuppets to pressure the original maintainer into granting commit access in the first place backs the long con theory.

the84721y ago

github already mandates MFA for members of important projects

rvense1y ago

Doesn't it mandate it for everyone? I don't use it anymore and haven't logged in since forever, but I think I got a series of e-mails that it was being made mandatory.

ryukoposting1y ago

It will soon. I think I have to sort it out before April 4. My passwords are already >20 random characters, so I wasn't going to do it until they told me to.

1 more reply

loeg1y ago

It mandates it for everyone. I'm locked out of Github because fuck that.

1 more reply

rst1y ago

Which helps with some kinds of threats, but not all. It keeps someone from pretending to be the maintainer -- but if an actual maintainer is compromised, coerced, or just bad from the start and biding their time, they can still do whatever they want with full access rights.

the84721y ago

You probably should have replied that to the GP, not me. I only clarified that what they were suggesting already is the case.

beginner_1y ago

Not MFA but git commit signing. I don't get why such core low-level projects don't mandate it. MFA doesn0t help if a github access token is stolen and I bet most of use such a token for pushing from an IDE.

Even if an access token to github is stolen, the sudden lack of signed commit should raise red flags. github should allow projects to force commit signing (if not already possible).

Then the access token plus the singing key would need to be stolen.

But of course all that doesn't help in the here more likley scenario of a long con by a state-sponsored hacker or in case of duress (which in certain countries seems pretty likley to happen)

account421y ago

Git signing would not have helped here. In fact, the tags and release archives were signed.

__s1y ago

This seems like a great way to invest in supporting open source projects in meantime if these projects are being used by these actors. Just have to maintain an internal fork without the backdoors

Maybe someone can disrupt the open source funding problem by brokering exploit bounties /s

j / k navigate · click thread line to collapse

0 comments

tw041y ago

eru1y ago

Yes, but even states have only finite resources, so even for them compromising an account would be cheaper.

(But you are right that a sleeper would be affordable for them.)

treflop1y ago

2 more replies

dgellow1y ago

It’s a very cheap investment given the blast radius

guinea-unicorn1y ago

I find it funny how MFA is treated as if it would make account takeover suddenly impossible. It's just a bit more work, isn't it? And a big loss in convenience.

I'd much rather see passwords entirely replaced by key-based authentication. That would improve security. Adding 2FA to my password is just patching a fundamentally broken system.

ryukoposting1y ago

eairy1y ago

I pushed YubiKey as a solution and explained in detail why SMS was an awful choice, but they went with SMS anyway.

3 more replies

Liquix1y ago

4 more replies

gonzo411y ago

1 more reply

krinchan1y ago

Just say BofA.

1 more reply

hangonhnOP1y ago

All very fair points.

1 more reply

fsckboy1y ago

>I'd much rather see passwords entirely replaced by key-based authentication

AgentME1y ago

Passkeys are being introduced right now in browsers and popular sites like a MFA option, but I think the intention is that they will grow and become the main factor in the future.

riddley1y ago

From what I've seen they're all controlled by huge tech companies. Hard pass.

5 more replies

apitman1y ago

https://xkcd.com/538/

gamer1911y ago

This PR from July 8 2023 is suspicious, so it was very likely a long con: https://github.com/google/oss-fuzz/pull/10667

bobba271y ago

This is a state sponsored event. Pretty poorly executed though as they were tweaking and modifying things in their and other tools after the fact though.

LtWorf1y ago

heyoni1y ago

Passwords have full scope of permission while session tokens can be limited.

LtWorf1y ago

In pypi to obtain a token that is limited in scope you must first generate an unlimited token.

True story.

1 more reply

CapstanRoller1y ago

Doesn't GH explicitly warn against using non-expiring tokens?

yrro1y ago

I wonder what the point is, I don't remember GitHub warning me that I've used the se SSH key for years...

LtWorf1y ago

And?

EasyMark1y ago

bobba271y ago

Anyway. This team got caught. What are the odds that this state-actor that did this, that this was the only project / team / library that they decided to attack?

account421y ago

Using sockpuppets to pressure the original maintainer into granting commit access in the first place backs the long con theory.

the84721y ago

github already mandates MFA for members of important projects

rvense1y ago

Doesn't it mandate it for everyone? I don't use it anymore and haven't logged in since forever, but I think I got a series of e-mails that it was being made mandatory.

ryukoposting1y ago

It will soon. I think I have to sort it out before April 4. My passwords are already >20 random characters, so I wasn't going to do it until they told me to.

1 more reply

loeg1y ago

It mandates it for everyone. I'm locked out of Github because fuck that.

1 more reply

rst1y ago

the84721y ago

You probably should have replied that to the GP, not me. I only clarified that what they were suggesting already is the case.

beginner_1y ago

Even if an access token to github is stolen, the sudden lack of signed commit should raise red flags. github should allow projects to force commit signing (if not already possible).

Then the access token plus the singing key would need to be stolen.

But of course all that doesn't help in the here more likley scenario of a long con by a state-sponsored hacker or in case of duress (which in certain countries seems pretty likley to happen)

account421y ago

Git signing would not have helped here. In fact, the tags and release archives were signed.

__s1y ago

This seems like a great way to invest in supporting open source projects in meantime if these projects are being used by these actors. Just have to maintain an internal fork without the backdoors

Maybe someone can disrupt the open source funding problem by brokering exploit bounties /s

j / k navigate · click thread line to collapse