> Takeover of the ctx project was reported on multiple channels overnight and was mitigated as of 6:07 AM Eastern.
Ee,
Thanks for the quick action by the Python infrastructure and security
teams. I don't normally dig into such things, but was curious. I found
the incident report clear, and since the exploit was very simple and
written in Python, I actually understood it. (Many hacks these days
seem obscure, especially stuff involving buffer overruns or
use-after-free.)
But I digress. Reading the report raised a couple questions for me.
1. Would requiring 2FA for all PyPI accounts be reasonable?
2. This might seem odd, but would it also be reasonable to require
accounts to be associated with a large, well-known email service
provider?
Speaking as someone sending from a personal email address, the answer is no. 😉 That might protect folks from re-registering a dead domain, but it doesn't protect against people phishing a password.
That second one would seem to be pretty debatable, but the odds of,
say, gmail.com or outlook.com, expiring and being re-registered would
seem pretty slim. It's much more likely that an individual's account
would simply be hacked. Hmmm... Maybe I should just retract that idea.
-Brett
I think #1 might help, however.
Again, thanks...
Skip Montanaro
_______________________________________________
Security-SIG mailing list -- security-sig@python.org
To unsubscribe send an email to security-sig-leave@python.org
https://mail.python.org/mailman3/lists/security-sig.python.org/
Member address: brett@python.org