GitHub will also require QR-code or SMS verification: with 2FA off you won't be able to push code, enforced from the end of next year

Mengchen, reporting from Aofei Temple

Qubits | Official account QbitAI

GitHub is worried right now because of the growing number of attacks targeting open source software.

After auditing the security settings of all accounts, it found that only 16.5% of users have two-factor authentication enabled.

Now GitHub has officially announced:

All code contributors must enable two-factor authentication by the end of 2023.

In other words, without this feature enabled you will no longer be able to push code to repositories on GitHub.

Two-factor authentication (2FA) means that, in addition to the account password, a second method of confirming the user's identity is required.

This practice is already very common in China, for example scanning a QR code with a mobile app or receiving an SMS verification code.

On GitHub specifically, third-party authenticator tools such as 1Password or Microsoft Authenticator are also supported.

As for SMS verification codes, not every phone number can receive them; our country code, +86, for example, is not supported...

Users' reactions to GitHub's move have been mixed.

Some argue that GitHub's statistic should really be read as: a whopping 83.5% of users don't want two-factor authentication.

Doing this is shooting themselves in the foot; once they require it, I'll switch to another platform.

Others are reluctant to give GitHub their mobile phone number for privacy reasons.

But many developers still agree with the move, because software supply chain attacks have caused them plenty of pain.

What attacks does two-factor authentication prevent?

According to security firm Aqua Security, attacks targeting the software supply chain increased by more than 300 percent in 2021.

Methods such as injecting malicious code directly into widely used dependency repositories, or uploading look-alike packages with confusingly similar names, keep emerging.

As the largest open source software platform, GitHub is hit particularly hard.

A better-known case: GitHub's servers were hijacked by attackers to mine cryptocurrency.

In that incident, attackers abused GitHub Actions by opening malicious pull requests, helping themselves to server resources for free.

Although GitHub can ban the offending accounts once they are discovered, the attackers played "guerrilla tactics", constantly switching to fresh throwaway accounts to evade the "pursuit".

The mining attackers managed to commit code on GitHub more than 23,300 times in just 3 days, and the abuse took a long time to stamp out.

Enforcing two-factor authentication for code submissions raises the cost of such attacks.

Besides the GitHub platform itself, its well-known package manager npm is also a frequent target.

And statistics show that npm developers' security awareness is even lower: only 6.44% of them have enabled two-factor authentication.

At the end of March, a hacking group code-named "RED-LILI" launched a massive attack on npm, publishing more than 800 malicious packages.

A study by North Carolina State University found that many npm maintainers' accounts are tied to email addresses whose domains have expired but are still used to log in.

Without two-factor authentication, an attacker can buy up such a domain, take over the account, and inject malicious code into open source projects.

In response, GitHub required the maintainers of the 100 most-downloaded npm packages to turn on two-factor authentication, which produced good results, and it intends to apply that experience to GitHub itself.

Although two-factor authentication does improve security, many developers still oppose it because the user experience really isn't great.

If the login method is bound to a mobile phone, then a broken, lost or replaced phone can easily disrupt development work.

GitHub has set the deadline at the end of 2023 and plans to use that time to polish the experience.

Does your GitHub account have two-factor authentication enabled? Which authentication tool do you find easy to use? Feel free to share~

Reference links:

[1] https://github.blog/2022-05-04-software-security-starts-with-the-developer-securing-developer-accounts-with-2fa/

[2] https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

[3] https://github.blog/2022-02-01-top-100-npm-package-maintainers-require-2fa-additional-security/

[4] https://it.slashdot.org/story/22/05/04/2028211/github-will-require-all-code-contributors-to-use-2fa