Yes, of course, I agree!
Where I disagree is the notion that putting some PGP keys in a github issues comment is going to prevent anything :/
Edit: Like, if I had hacked one of their accounts, what's keeping me from commenting there and just copy-pasting the key they used before, or generating a new one? Are they going to check?
They easily could if they wanted to, which is the point.
If at any point in the future, someone wanted to say, "Well, so-and-so may not really have been the one who posted it," or, on the other hand, one of the signers later wanted to renege and say they didn't really sign it, it's going to be a lot harder for anyone to buy that the account credentials and PGP privkey were stolen and used than just that someone somehow spoofed a post from an account.
It's like the difference between posting a +1 retweet and having a signed document notarized. One of those is a lot harder to claim was faked/unauthorized later.
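Added illustration (not from any commenter in this thread) of what "they easily could check" looks like in code. It uses Go's standard-library Ed25519 instead of PGP, but the logic is the same: a verifier compares the key attached to a post against a key pinned earlier, then checks the signature under that pinned key. The author name "alice", the fixed key seeds and the message text are all constructed for the example; the attacker cases show a hijacked account that pastes the old key block, posts a freshly generated key, or edits a genuinely signed statement.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Statement is a post as it appears in the thread: a claimed author, the text,
// the public key the poster attached, and the signature over the text.
type Statement struct {
	Author string
	Text   string
	PubKey ed25519.PublicKey // whatever the post says the key is; may be attacker-supplied
	Sig    []byte
}

// Keyring holds the public keys a verifier pinned well before the disputed post
// (the "key they used before" in the thread).
type Keyring map[string]ed25519.PublicKey

// Verify checks a statement against the PINNED key, never the key pasted into
// the post. It returns whether the check passed and a reason string.
func (k Keyring) Verify(s Statement) (bool, string) {
	pinned, ok := k[s.Author]
	if !ok {
		return false, "no pinned key for author"
	}
	if !pinned.Equal(s.PubKey) {
		return false, "key attached to the post differs from the pinned key"
	}
	if !ed25519.Verify(pinned, []byte(s.Text), s.Sig) {
		return false, "signature does not verify under the pinned key"
	}
	return true, "ok"
}

// RunScenario builds one genuine post and three posts a hijacked account could
// produce, and reports which of them a verifier with a pinned key would accept.
// Seeds are fixed (constructed values) so the result is reproducible.
func RunScenario() map[string]bool {
	alicePriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, 32))
	alicePub := alicePriv.Public().(ed25519.PublicKey)
	attackerPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, 32))
	attackerPub := attackerPriv.Public().(ed25519.PublicKey)

	ring := Keyring{"alice": alicePub} // pinned long before the post
	msg := "I endorse this proposal. -- alice"

	// Alice signs with her own private key: the only case that should pass.
	genuine := Statement{"alice", msg, alicePub, ed25519.Sign(alicePriv, []byte(msg))}

	// Hijacked account copies Alice's old public key block into the comment, but
	// without her private key the signature has to come from some other key.
	copiedKeyBlock := Statement{"alice", msg, alicePub, ed25519.Sign(attackerPriv, []byte(msg))}

	// Hijacked account posts a freshly generated key and a matching signature.
	freshKey := Statement{"alice", msg, attackerPub, ed25519.Sign(attackerPriv, []byte(msg))}

	// Alice's real signature reused over text that was edited after signing.
	edited := Statement{"alice", msg + " (and the other one too)", alicePub, genuine.Sig}

	results := map[string]bool{}
	for name, s := range map[string]Statement{
		"genuine":        genuine,
		"copiedKeyBlock": copiedKeyBlock,
		"freshKey":       freshKey,
		"edited":         edited,
	} {
		ok, why := ring.Verify(s)
		results[name] = ok
		fmt.Printf("%-15s accepted=%-5v (%s)\n", name, ok, why)
	}
	return results
}

func main() {
	RunScenario()
}
```

Only the genuine post verifies; the other three fail for different reasons, which is exactly the distinction the comment above draws between "someone spoofed a post from an account" and "someone stole the private key". The check is only as good as the pinning step: a verifier who accepts whatever key is pasted in the post learns nothing.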
Account security with 2FA is a long way from foolproof. Accounts get compromised all the time, especially by phishing or malware.
That's why my company's internal emails are all PGP encrypted and signed, even with managed accounts and YubiKey authentication.
When it really, really matters, you need more than 2FA.