Posted to dev@httpd.apache.org by Arnaud Le Hors <le...@us.ibm.com> on 2021/12/14 19:25:02 UTC

Free MFA hardware tokens for your project

Hi!

I work with the Developer Best Practices Working Group of the
Linux Foundation's Open Source Security Foundation (OpenSSF)
<https://github.com/ossf/wg-best-practices-os-developers> "Great
Multi-Factor Authentication (MFA) Distribution Project"
<https://github.com/ossf/great-mfa-project>.

We'd like to give your project *free* MFA hardware tokens from Google
and GitHub, for use by your maintainers.  We'd especially like to give
them to any of your maintainers who aren't already using any.  Our
goal is to help improve the security of open source software
(OSS)/Free Software projects.  For example, these tokens can counter
attacks that release source code updates and/or packages using stolen
passwords.

By **2021-12-20** and preferably much sooner, please let me know
for HttpCore and HttpClient:

1. If you want any tokens, and if so...
2. How many Titan tokens from Google (up to 5 for each, 10 total)
3. How many Yubikey tokens from GitHub (up to 5 for each, 10 total)
4. The *private* email address to send codes to
   (this email must *not* go to the public, as these are use-once
   codes that can be used to get the tokens)
5. If you could use more, how many more.

We would send you coupon codes and validation codes to the private
email address.  You would then distribute those codes to the
maintainers you choose.  The recipients would use the coupon codes and
validation codes to "buy" the tokens from the Google Store and/or
GitHub Shop, who would ship the tokens directly to recipients.  These
codes are use-once, so make sure you can keep the codes private until
they're used by the intended person.

**Important**: The Google coupon codes **must be used by 2021-12-31**
on the Google Store or they expire.

How can you trust us? You don't need to. You would get the MFA tokens
from Google and GitHub; we're simply offering codes to make them
no-cost.  We'll provide some documentation on how to use them, but you
don't need to use our documents.

To qualify, each token recipient must:

1. Be a maintainer or contributor to this critical open source software (OSS)
   project, or to another OSS project that this project depends on
   (the dependency may be indirect).
2. Try to use an MFA token once they receive the token.
   We'd like recipients to use MFA tokens from then on, but at least try.
3. Not reuse the token between different people (the token must not be shared).
4. Consider providing feedback to us (so we can try to fix problems).

We also need each project that receives coupon codes and/or validation codes
to tell us these numbers (preferably within 30 days of getting the codes):

1. How many tokens did you distribute from just Google? From just GitHub?
2. How many people received tokens from just Google? From just GitHub?
   From both?
3. How many people didn’t have hardware tokens they used for OSS who
   received tokens from just Google? From just GitHub? From both?

We ask for this information so we can tell others some simple
measures of success. We don't need nor want the names of any
individuals participating. It's fine to ask the people who got the
codes for that information and provide a best-effort summary.

The MFA tokens are shipped from the US.  They can be shipped
internationally, but there are various limitations on where each
can be shipped.

In particular, we can't ship somewhere if that is forbidden
(sanctioned) under US law.  So at this time we are unable to ship
to individuals in China, Afghanistan, Russia, Ukraine, North Korea,
Iran, Sudan, and Syria.  Sorry about that.  See the Google and
GitHub sites for more shipping information.  More sanction information
is available at
<https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information>.

More information, including how-tos and other setup information,
can be found at the "Great Multi-Factor Authentication (MFA)
Distribution Project" site: <https://github.com/ossf/great-mfa-project>.

Please, let me know if you have any questions.
Thank you.
--
Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies, IBM


RE: Free MFA hardware tokens for your project

Posted by Arnaud Le Hors <le...@us.ibm.com>.
> > By **2021-12-20** and preferably much sooner, please let me know
> > for HttpCore and HttpClient:
> 
> Wrong mailing list or wrong projects?   The above are dev@hc.apache.org

This is really meant for Httpd. Please, ignore the reference to HttpCore 
and HttpClient in the text. Sorry about the confusion.
--
Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies: 
Blockchain, Edge Computing, Web - IBM



Re: Free MFA hardware tokens for your project

Posted by Eric Covener <co...@gmail.com>.
> By **2021-12-20** and preferably much sooner, please let me know
> for HttpCore and HttpClient:

Wrong mailing list or wrong projects? The above are dev@hc.apache.org

Re: Free MFA hardware tokens for your project

Posted by Benson Muite <be...@emailplus.org>.
On 12/18/21 5:15 PM, Arnaud Le Hors wrote:
>> From: "Christopher Schultz"  <ch...@christopherschultz.net>
>> 
>> Any particular reasons why TOTP won't work just as well and not generate
>> electronic waste?
>> 
> 
> In contrast, hardware tokens are single-use devices, so most of the 
> attacks that work against software TOTP do *not* work on hardware devices.
> 
> Software TOTP also tends to be less convenient, since you have to retype 
> the code, or allow copy/paste, or allow a camera to view it. For 
> security, it's important to be convenient where practical; things that 
> are a pain to do are often worked around.
Would you also expect to support Open TOTP hardware, for example:
https://github.com/rrozestw/TOTP-Arduino
This would allow for reduced shipping costs, development of technical 
ability in many regions, critical review of both hardware and software, 
some innovation in ease of use and hence increased security.
> 
> Of course no solution is perfect and all can be defeated under certain 
> circumstances but overall hardware tokens provide significant advantages.
> 
> I hope that helps.
> --
> Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies: 
> Blockchain, Edge Computing, Web, Security - IBM
> 


RE: Free MFA hardware tokens for your project

Posted by Arnaud Le Hors <le...@us.ibm.com>.
> From: "Christopher Schultz" <ch...@christopherschultz.net>
> 
> Any particular reasons why TOTP won't work just as well and not generate
> electronic waste?
> 
Security is on a continuum and TOTP is better than simple passwords. 
However, software TOTP is nowhere near as secure as a hardware token.
The fundamental problem is that software-based TOTP applications typically 
run on hardware that runs other software (other apps, JavaScript, etc.) 
and often that hardware has network connectivity (WiFi, cellular, wired 
Internet, etc.). That makes the software TOTP much easier to break into 
and steal the underlying secrets.

In contrast, hardware tokens are single-use devices, so most of the 
attacks that work against software TOTP do *not* work on hardware devices.

Software TOTP also tends to be less convenient, since you have to retype 
the code, or allow copy/paste, or allow a camera to view it. For security, 
it's important to be convenient where practical; things that are a pain to 
do are often worked around.

Of course no solution is perfect and all can be defeated under certain 
circumstances but overall hardware tokens provide significant advantages.

I hope that helps.
--
Arnaud  Le Hors - Senior Technical Staff Member - Open Technologies: 
Blockchain, Edge Computing, Web, Security - IBM


Re: Free MFA hardware tokens for your project

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

On 12/14/21 14:25, Arnaud Le Hors wrote:
> I work with the Developer Best Practices Working Group of the
> Linux Foundation's Open Source Security Foundation (OpenSSF)
>
> [snip]
>
> We'd like to give your project *free* MFA hardware tokens from Google
> and GitHub, for use by your maintainers.

Any particular reasons why TOTP won't work just as well and not generate 
electronic waste?

Also no-cost and provides the same benefits as hardware tokens. And 
doesn't suffer from things like [1].

-chris

[1] 
https://www.theverge.com/2019/5/15/18625028/google-titan-security-keys-bluetooth-vulnerability-replacement-free