And this can be ratcheted down further by leveraging something like the measurement protocol. It would eliminate the 3rd party calls/code in the browser while giving GitHub the ability to anonymize the source (e.g. IP address, user agent, etc.). Twitter does this with some of their 3rd party integrations.
Many sites don't support U2F yet, but that's improving. An alternative for Google Authenticator sites is a set of one-time codes, which can also be stored in the safe deposit box.
I don't exactly see the point of using another site as backup, since you'll want 2FA on that site as well.
Expecting everyone to jump through the hurdles you describe is why we're in this terrible state we are in today. It's just not practical, affordable, or even possible for many.
$38 is a lot of money to a lot of people. Some people just simply don't have a safe storage space either.
To some, but I wouldn't have called $38 a lot of money even when I made $8/hour. Note, however, that my approach doesn't require spending that $38, since stored backup codes with Authenticator are also a workable solution. Anyone in the U.S. who owns a smartphone or computer with internet access isn't likely to be so poverty-stricken that they can't easily afford $20/year. Storing copies in a couple of less-secure places is another option.
In any case I'm not seeing how outsourcing the backup token to another site is much of an improvement compared to not having 2FA at all. In this case, either:
- You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...
- You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.
So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.
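The stored backup codes mentioned above are a set of one-time codes the site issues once and the user keeps offline; the site keeps only digests and deletes each one when it is redeemed. This is an added example showing that mechanism end to end in plain Ruby; it is not code from the thread or from any of the services discussed, and the code length and count are constructed choices.

```ruby
require 'securerandom'
require 'digest'

# Issue a set of single-use backup codes. Only the digests are kept
# server-side; the plaintext codes are shown once so the user can store
# them offline (paper, safe deposit box, etc.).
def generate_backup_codes(count: 10, bytes: 5)
  codes = Array.new(count) { SecureRandom.hex(bytes) } # 10 lowercase hex chars each
  store = codes.map { |c| Digest::SHA256.hexdigest(c) }
  [codes, store]
end

# Constant-time byte comparison so a lookup does not leak which digest
# matched a prefix of the candidate.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Redeem a code: normalize what the user typed, look for a matching digest,
# and remove it on success so the same code can never be replayed.
def redeem_backup_code(store, candidate)
  digest = Digest::SHA256.hexdigest(candidate.to_s.strip.downcase)
  idx = store.index { |d| secure_compare(d, digest) }
  return false if idx.nil?
  store.delete_at(idx)
  true
end

if __FILE__ == $PROGRAM_NAME
  codes, store = generate_backup_codes
  puts "Store these somewhere safe:"
  codes.each { |c| puts "  #{c}" }
  puts "first redemption: #{redeem_backup_code(store, codes.first)}"
  puts "replay attempt:   #{redeem_backup_code(store, codes.first)}"
end
```

Each code carries 40 bits of randomness, so a fast hash at rest is tolerable only together with the usual attempt rate limiting on the login endpoint; the important property shown here is that redemption is one-shot, which is what makes a stored code a recovery path rather than a standing second password.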
You seem to be failing to acknowledge your privilege to live in the US and earn $8 an hour. There are people who live outside of the US and earn far less. Also, delivering a YubiKey might actually be impossible.
> - You set up 2FA with Facebook as well, in which case you're still locked out if you lose the device, or...
Not necessarily. What if one was TOTP and one was SMS? What if you forgot to set up one but not the other? Also, 2FA on Facebook is not required to use this feature. I have been in this situation before.
> - You don't set up 2FA with Facebook, and that allows someone to bypass the 2FA on Google by just guessing your passwords.
This is based on partial information, which I admit has not been well publicized. Facebook implements a time-based lockout after a password is recovered allowing a user to notice activity. It will also issue a "step up challenge" for risky users. Must be known device, known location, etc. or another factor is required to initiate recovery. Those with 2FA will answer a 2FA challenge, those without will fall back to other means or simply not be able to initiate a recovery.
> So this seems to me a very marginal benefit over just skipping 2FA in the first place. If you're not willing or able to deal with real 2FA, then why pretend? Just set up a free password manager and leave it at that.
Password manager adoption amongst the world is still terrible. This is an option that anyone can use without any additional tools or tricks.
While there are many ways to catch this sort of thing (code review, static analysis, education), I have to place the "blame" here on ActiveRecord. The 'order' API takes an arbitrary string by default. 99.999% of the time, this value can be restricted to a column name or can safely be escaped. For the 0.0001% of the time that something more complex is needed (e.g. sorting by a calculation like sum(column)), a separate, more cautious or complex API call should be required. The common assumption is that all ActiveRecord APIs are "safe" and that simply isn't the case. Brakeman couldn't catch this since it's in Sinatra code and not Rails code. Code review didn't catch this because the API was assumed safe by reviewers. Education didn't catch this because not everyone has seen rails-sqli.org. Mind-boggling, but still very possible.
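To make the point above concrete: an `order` call that accepts an arbitrary string puts user input straight into the SQL text, whereas restricting the parameter to a known column name and direction leaves nothing for the caller to inject. This is an added example, not code from the comment or from Rails; it builds the ORDER BY fragment as a plain string so it runs without ActiveRecord, and the table and column names are constructed.

```ruby
# Constructed allowlist: the only columns this endpoint may sort by.
SORTABLE_COLUMNS = %w[name created_at price].freeze
DIRECTIONS = %w[asc desc].freeze

# Mirrors the default behaviour of `Model.order(params[:sort])` with a raw
# string: whatever the caller sends becomes part of the query text, so any
# expression, not just a column, is accepted verbatim.
def unsafe_order_clause(sort_param)
  "SELECT * FROM products ORDER BY #{sort_param}"
end

# Hardened version: accept only "<column> [asc|desc]" where the column is on
# the allowlist. Anything else is rejected before it reaches the database.
# (In ActiveRecord the equivalent is the hash form, `order(column => direction)`,
# which quotes the column and validates the direction.)
def safe_order_clause(sort_param)
  column, direction = sort_param.to_s.strip.split(/\s+/, 2)
  direction = (direction || "asc").downcase
  unless SORTABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
    raise ArgumentError, "unsupported sort parameter: #{sort_param.inspect}"
  end
  "SELECT * FROM products ORDER BY #{column} #{direction}"
end

# Convenience predicate for callers that want to fall back to a default sort
# instead of failing the request.
def sort_param_allowed?(sort_param)
  safe_order_clause(sort_param)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  %w[price name\ desc length(name)].each do |p|
    puts "unsafe: #{unsafe_order_clause(p)}"
    puts "safe:   #{sort_param_allowed?(p) ? safe_order_clause(p) : 'rejected'}"
  end
end
```

The third sample, `length(name)`, is exactly the "sort by a calculation" case the comment describes: the raw-string API passes it through unchanged, while the allowlisted version rejects it, which is the behaviour you want by default and the reason such cases deserve a separate, deliberately chosen API call.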
> Today, Twitter is excited to announce participation in the first major release of the Pants open source project: 1.0.0, an open source build tool for monorepo-style source repositories.
They (for the most part) had two repos as of 11/2014. They certainly were moving towards one. Here's a public thread mentioning the two repos: science (mostly jobs, shared code) and birdcage (mostly services). https://groups.google.com/forum/#!topic/pants-devel/60Vzkole...
"Automate that and spend the rest of your time reviewing for things that can't be trivially automated" - pretty much the mantra behind any successful security program. A false-positive/negative is usually fixed faster than any feature. <3
Having used static analysis security tools for other languages, no. Ignoring the fact that it is open source, it blows away every single other tool I have used in terms of speed, accuracy, and actionability.