A few months ago we had already reported, in a few articles, on the security problems that had come to light on GitHub and on the measures it planned to put in place so that it could counter, at scale, the security flaws that criminals were exploiting to gain access to project repositories.
And now GitHub has revealed that it will require all users who contribute code on the platform to enable one or more forms of two-factor authentication (2FA).
“GitHub is in a unique position here, just because most open source communities and creators live on GitHub.com, so we can have a significant positive impact on the security of the global ecosystem by raising the bar for security hygiene,” said Mike Hanley, GitHub's Chief Security Officer (CSO). “We believe this is one of the best ecosystem-wide benefits we can provide, and we are committed to making sure that any challenges or obstacles are overcome to ensure successful adoption.”
GitHub has announced that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to keep using the platform.
The new policy was announced in a blog post by GitHub Chief Security Officer (CSO) Mike Hanley, who highlighted the role of the Microsoft-owned platform in protecting the integrity of the software development process against threats posed by malicious actors who take control of developer accounts.
Of course, the developer experience has also been taken into account, and Mike Hanley stresses that this requirement will not hurt it:
“GitHub is committed to making sure that strong account security does not come at the expense of a good developer experience, and our end-of-2023 goal gives us the opportunity to prepare for that. As standards evolve, we will continue to explore new ways to securely authenticate users, including passwordless authentication. Developers around the world can look forward to more authentication and account recovery options, as well as
Although multi-factor authentication provides important additional protection for online accounts, GitHub's internal research shows that only 16.5% of active users (roughly one in six) currently enable the enhanced security measures on their accounts, a surprisingly low number given that a platform with a developer user base should be well aware of the risks of password-only protection.
By bringing these users up to a higher minimum level of account protection, GitHub hopes to strengthen the overall security of the entire software development community.
“In November 2021, GitHub committed to new investments in npm account security following the takeover of npm packages through the compromise of developer accounts that did not have 2FA enabled. We continue to improve npm account security and are committed to protecting developer accounts on GitHub.
“Most security breaches are not the product of zero-day attacks, but rather involve low-cost attacks such as social engineering, credential theft or leakage, and other avenues that give attackers a wide range of access to victims' accounts and the resources they have access to. Compromised accounts can be used to steal private code or to make malicious changes to that code. This exposes not only the individuals and organizations associated with the compromised accounts, but also all users of the affected code. As a result, the potential for downstream impact on the broader software ecosystem and supply chain is significant.”
A test already carried out on a subset of the platform's users has set a precedent for requiring 2FA from a small set of users, after trialing it with contributors to the JavaScript libraries distributed through the npm package management software.
Because popular npm packages can be downloaded millions of times a week, they are a very attractive target for malware operators. In some cases, cybercriminals have compromised the accounts of npm contributors and used them to release software updates laced with password stealers and cryptominers.
In response, GitHub made two-factor authentication mandatory for the maintainers of the top 100 npm packages from February 2022. The company plans to extend the same requirement to the contributors of the top 500 packages by the end of May.
More broadly, this means setting a long deadline for making 2FA mandatory across the whole site and designing a variety of onboarding flows to nudge users into adopting it well before the 2024 deadline, Hanley said.
Securing open source software remains a pressing concern for the software industry, especially after last year's log4j vulnerability. But while GitHub's new policy will reduce some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap is widely seen as a major problem for the technology industry as a whole.
Finally, if you are interested in learning more about this, you can check the details at the following link.