logo

blog

My little blog can’t be this cute!
commit: 1988df04bfcd2821505a814f6e42bb1ec9495574
parent: 811dabe746e30cb16310b5ba0272a15c085b814d
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun, 21 Oct 2018 02:23:20 +0200

articles/My issue with Github (and Microsoft buying it): Update about the anti-tokens

Diffstat:

Marticles/My issue with Github (and Microsoft buying it).xhtml8++++++++
Mfeed.atom5+++--
Aimages/github_confirm_recovery.png0
Aimages/github_confirm_recovery_expanded.png0
4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/articles/My issue with Github (and Microsoft buying it).xhtml b/articles/My issue with Github (and Microsoft buying it).xhtml @@ -29,4 +29,12 @@ Pull Requests also puts more burden on the contributor than on the maintainer, i <p>Also GitHub is very inpopular with designers and others non-coders, and for a good reason, git is meant for versioning code/text files and it does that well. But for other stuff? No, it’s basically a hack and every contributor shouldn’t have to learn git. (note: coders don’t all know git and not having PRs would just mean knowing how to use <code>diff(1)</code>).<br/> And one of my favorite thing from coders is <q>but GitHub allows you to edit with a web browser</q>. Yeah, but where is rebase, ammending commits, …? There is just only one commit and a broken push. Could be acceptable for a patch, not really acceptable in most cases for something that is made to be directly merged in a branch.</p> <p>GitHub is a registered trademark of Github Inc. ; Microsoft is a registered trademark of Microsoft Corporation.</p> +<h2>False Security</h2> +<p>I posted about this on the fediverse before, probably on social.hacktivis.me (RIP). So here github with their dark pattern (Update is highlighted, so not enough privacy given?) is randomly asking me to confirm my account recovery settings. And it is actually bad for security because here it means that Facebook could gain access to Github Accounts. What could go wrong? (Note: I do have a bit of write access to few projects on github).</p> +<p>Also I use the <abbr title="Time-based One-time Password Algorithm">TOTP</abbr> token regularly and I have recovery codes in case I would lose it (actually all stored and encrypted with <a href="https://password-store.org/">pass</a>, maybe I should change that).</p> +<figure> + <img src="images/github_confirm_recovery.png" alt="Github asking me to confirm my account recovery settings, I could risk getting locked out of my account"/> + <img src="images/github_confirm_recovery_expanded.png" alt="Same but tooltips extended to see that “Recovery Tokens” is actually a sign-in with facebook in disguise"/> +</figure> +<p>One thing I wonder is: <a href="https://queer.hacktivis.me/objects/aeb38dc5-61c9-47c9-b2c6-2827dc80dcb9">Is github putting a similar thing to people not using token?</a>. 2FA is quite useless in my case so I could remove tokens, and I could quite imagine other people doing that but on which 2FA actually increases security. Woops, less people being secure because of a bad design. (Also security ≠ usability is bullshit, but that will be for a later time)</p> </article> diff --git a/feed.atom b/feed.atom @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8"?> <feed xmlns="http://www.w3.org/2005/Atom"> <title>Home feed — Cyber-Home of Lanodan</title> - <updated>2018-09-24T05:48:13Z</updated> + <updated>2018-10-21T00:22:30Z</updated> <id>https://hacktivis.me/feed</id> <link href="https://hacktivis.me/feed" rel="self" /> <link href="https://hacktivis.me/home" rel="alternate" /> @@ -13,7 +13,8 @@ <title>My issue with Github (and Microsoft buying it)</title> <link rel="alternate" type="text/html" href="/articles/My%20issue%20with%20Github%20(and%20Microsoft%20buying%20it)"/> <id>https://hacktivis.me/articles/My%20issue%20with%20Github%20(and%20Microsoft%20buying%20it)</id> - <updated>2018-09-24T05:23:13Z</updated> + <published>2018-09-24T05:23:13Z</published> + <updated>2018-10-21T00:22:30Z</updated> <content type="xhtml"><div> <!--#include file="/articles/My issue with Github (and Microsoft buying it).xhtml"--> </div></content> diff --git a/images/github_confirm_recovery.png b/images/github_confirm_recovery.png Binary files differ. diff --git a/images/github_confirm_recovery_expanded.png b/images/github_confirm_recovery_expanded.png Binary files differ.