On March 13, we will officially begin rolling out our initiative to require all developers who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA) by the end of 2023. Read on to learn about what the process entails and how you can help secure the software supply chain with 2FA.
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2 years weeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.
Though people that have authority over important projects should have proper security, considering how large the internet is, with how many individual parts, the chance of someone being in charge of a large and important project - may it be a browser, compiler/interpreter, utility, library etc. is not even close to zero.
So if a (co-)maintainer of a project included as standard utility in Linux Servers, let’s say bash for example, is somehow breached, the attacker could push and force merge a malicious obfuscated commit, maybe even with normal content included. As it’s from a reputable source, it’s not going to be checked as thoroughly as commits from other people. One hour later, every Arch system, desktop and server, has a trojan. Four hours later also all Gentoo systems (got to compile it first). 2
yearsweeks later regularly updated debian servers now contain malware. A chain of events, fragile to being detected by people monitoring their own activity, other maintainers activity and people reading the source - eg. for security reasons -, but yet, not that unlikely considering the amount of packages present even in a standard install, and needed as dependencies for typical server packages.Organizations can already require 2FA for members of the org. We already had the tools.