Now that github is mandating that I add 2FA to "secure the supply chain", is there a standard way to say "I am not part of your supply chain"?
-
Seriously, the code I write is barely fit for purpose. I use github to make available things like Elevation of Privilege, have a place where the Four Question Framework for threat modeling can evolve in a constrained way, and to report bugs.
I've also posted some code that Claude wrote, with an explicit security warning.
(https://gist.github.com/adamshostack/ca17e69e3145f11d20c871a4a186be51) No one should use any of that code.
-
Erik van Straten replied to Adam Shostack:
@adamshostack : demanding stronger authentication usually has nothing to do with code that *you* publish(ed).
It is intended to make it harder for criminals to publish malicious code (or other information) *in your name*.
The better your reputation, the more interesting you are as a target for impersonation.
-
@ErikvanStraten @adamshostack thing I learned (that could have been linked to):
The Four Question Framework: https://shostack.org/resources/threat-modeling
-
@risottobias : I prefer threat modeling over risk management, but in the end we (security people) often overlook simple things.
Like users not looking at domain names in the address bar of their web browser at all, not knowing how to interpret domain names, not knowing about IDNs, and (last but not least) not knowing how to figure out that a given domain name does NOT belong to the organization that the webpage (and preceding message) suggests it belongs to: https://infosec.exchange/@ErikvanStraten/113459213340803062
Phishing is one of the (if not THE) biggest problems on the internet (and MFA using TOTP does not fix that problem).
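-

The reply above lists three things users get wrong about domain names: reading the address bar, IDNs, and working out which organization actually registered a name. The following is an added example (not part of the thread, and not code by any of its participants) that does those checks mechanically: it reduces a URL to its registrable domain (eTLD+1), converts any IDN label to the punycode form DNS and TLS actually see, and flags labels that mix scripts. The public-suffix set is a constructed stub standing in for the real Public Suffix List, and the sample URLs are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stub of the Public Suffix List (the real one at publicsuffix.org
# has thousands of entries). Assumption for this example only.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1): the unit a registrar hands out.

    Everything left of it is chosen freely by whoever owns that unit, so
    'paypal.com.account-verify.net' belongs to account-verify.net, not PayPal.
    """
    labels = host.lower().rstrip(".").split(".")
    # Scanning from the left, the first hit is the longest public suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {host!r}")


def scripts_in(label: str) -> set:
    """Approximate the Unicode scripts used in a label via character names.

    unicodedata exposes no Script property, so the first word of each
    character's name ('LATIN', 'CYRILLIC', ...) is used as a stand-in;
    ASCII digits and '-' are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split(" ", 1)[0])
    return scripts


def analyse(url: str) -> dict:
    """Reduce a URL to what matters: who registered the domain, and is it an IDN."""
    host = urlsplit(url).hostname or ""
    # DNS and certificates see the punycode (ASCII) form, not the glyphs.
    ascii_host = host.encode("idna").decode("ascii")
    labels = ascii_host.split(".")
    unicode_labels = [lbl.encode("ascii").decode("idna") for lbl in labels]
    return {
        "host": host,
        "ascii_host": ascii_host,
        "registrable": registrable_domain(ascii_host),
        "is_idn": any(lbl.startswith("xn--") for lbl in labels),
        "mixed_script_labels": [lbl for lbl in unicode_labels if len(scripts_in(lbl)) > 1],
    }


def belongs_to(url: str, org_domains: set) -> bool:
    """True only if the registrable domain is one the organization actually owns."""
    return analyse(url)["registrable"] in org_domains


if __name__ == "__main__":
    # Constructed sample URLs; the third uses Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for u in ("https://www.paypal.com/signin",
              "https://paypal.com.account-verify.net/signin",
              "https://p\u0430ypal.com/signin",
              "https://adamshostack.github.io/"):
        print(analyse(u))
```

The point of the `github.io` entry in the stub is that a suffix can be "public" without being a TLD: two `*.github.io` sites are registered by two unrelated people, so `registrable_domain` keeps the user's label and treats each as its own organization.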
-
yeah, you can use evilginx to MITM TOTPs to get session tokens, but webauthn / yubikey based auth is resistant to that,
etc etc
it's a damn rabbit hole
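-

The last two posts make the same point from opposite sides: a TOTP code relayed through a proxy still verifies, while a WebAuthn assertion does not, because the browser writes the page's real origin into clientDataJSON and the authenticator signs over it. The following is an added example (not from the thread, and not code by evilginx or any participant) that plays both relays against a mock relying party. Every origin, key and secret is constructed, and the credential's ECDSA signature is replaced by an HMAC stand-in (assumption) so the example runs on the standard library alone; the TOTP function is a real RFC 6238 implementation.

```python
import base64
import hashlib
import hmac
import json
import struct

# All names, keys and origins below are constructed for this example.
REAL_ORIGIN = "https://accounts.example"
PROXY_ORIGIN = "https://accounts-example.com"   # the reverse-proxy phishing site
RP_ID = "accounts.example"
TOTP_SECRET = b"0123456789abcdef0123"           # 20-byte shared TOTP secret
CRED_KEY = b"per-credential-key-known-to-authenticator-and-rp"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# ---- TOTP (RFC 6238: HOTP over a 30-second counter, 6 digits) ----------------
def totp(secret: bytes, unix_time: int) -> str:
    counter = struct.pack(">Q", unix_time // 30)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"


def site_verifies_totp(submitted: str, unix_time: int) -> bool:
    # Nothing in a TOTP code says where the user typed it, so a code captured
    # by a proxy and replayed inside the same 30 s window verifies.
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, unix_time))


# ---- WebAuthn assertion, origin-bound ---------------------------------------
def authenticator_get(challenge: bytes, browser_origin: str):
    """Return what the browser hands back: clientDataJSON, authenticatorData, signature.

    clientDataJSON.origin is written by the browser from the page it is really
    on; neither the user nor page JavaScript can change it. The signature here
    is an HMAC stand-in for the credential's ECDSA signature (assumption).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": browser_origin},
        separators=(",", ":"),
    ).encode()
    # rpIdHash(32) || flags(1, user-present bit set) || signCount(4)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes):
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, "origin mismatch"          # this is what defeats the proxy
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def phish_demo(unix_time: int = 1_700_000_000) -> dict:
    """Relay both factors through a proxy and report what the real site accepts."""
    # 1. TOTP: victim types the code into the proxy page, proxy forwards it.
    captured_code = totp(TOTP_SECRET, unix_time)
    totp_relay = site_verifies_totp(captured_code, unix_time)

    # 2. WebAuthn: proxy forwards the real site's challenge to the victim's browser,
    #    but that browser is on PROXY_ORIGIN, so that is the origin that gets signed.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    cd, ad, sig = authenticator_get(challenge, PROXY_ORIGIN)
    webauthn_relay = rp_verify(challenge, cd, ad, sig)

    # 3. Proxy patches the origin before forwarding: the signature no longer matches.
    patched = cd.replace(PROXY_ORIGIN.encode(), REAL_ORIGIN.encode())
    webauthn_patched = rp_verify(challenge, patched, ad, sig)

    return {"totp_relay": totp_relay, "webauthn_relay": webauthn_relay,
            "webauthn_patched": webauthn_patched}


if __name__ == "__main__":
    print(phish_demo())
```

In a real browser step 2 would not even get that far: the browser refuses a `rpId` that is not the current origin's domain or a registrable suffix of it, so a page on `accounts-example.com` cannot ask for an assertion for `accounts.example` at all. The mock lets the assertion through so the relying-party side of the check is visible too.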