by berlinbrown 4596 days ago
Seems a bit excessive for an open source repo site.
4 comments

Actually not. I'm the maintainer of a popular Open Source project that is hosted on Github. If someone stole my credentials, they could replace the current release with a binary containing a Trojan.

Looking at the security history page I see a lot of failed login attempts. Makes me glad I enabled 2-factor-authentication!

Your post should be at the top for other Github maintainers to see.
You put compiled files on github?
Github recently introduced a "Releases" section where you can tag releases and provide binaries: https://github.com/PostgresApp/PostgresApp/releases

It's a great way to distribute Open Source software. (Previously Mattt hosted it on a personal Amazon S3 account which he paid out of his own pocket; now bandwidth is generously paid for by Github)

I don't know about you, but I seldom read through all the source code of the open source/free software I use. Yeah, even when I actually compile it myself.

If someone slipped in rogue code, it's quite likely that some to many would actually run it and deploy it. Especially if it's a fast-moving piece of software, one being so rapidly developed that distribution packages can't keep up for either time or stability reasons, leading people to compile/deploy from source themselves.

lol the real motivation is Ripple offers giveaways. github account == $$$$
Many large companies use them as a SaaS dvcs provider for private, closed source repositories. They provide a great tool for an agile workflow at a good price, what more is there to say?
Obviously I have nothing to go on for this, but just guessing, it would seem to make sense that:

- Of all users, only a small subset would have private repos

- Of those users, only a small subset would have private repos that would be of interest to third parties

- Of those users, only a small subset would have a weak enough password to allow brute force

To reverse it, of these accounts that were hacked, I can't see many of them having private repos that would be of interest.

And if so, then this would seem a bit excessive.

I know that's a lot of ifs, but it seems reasonable. I would be interested to see the number of total accounts vs. the number of accounts w/ private repos.

A couple of odd assumptions there:

- That private repos are the only thing worth targeting. What if you could inject a trojan into a popular open source project? You could do a lot of damage that way, probably way more than on a private repo, because so many people incorporate them in their products. Imagine they hacked the Rails repo, for example. Worse, some repos host binaries, for which meddling would be harder to detect (a bad idea, but that doesn't mean it doesn't happen).

- That the users being attacked are random and not specifically targeted based on who the user is and what they work on. Not sure if that's the case or not, but I see no reason to assume it.
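The comments above (binaries in Releases, and meddling with a binary being harder to detect than with source) are the case where a checksum manifest actually earns its keep. The following is an added example, not code from the thread or from any project mentioned in it: a small sha256sum -c style verifier that checks a downloaded artifact against a manifest of "<sha256 hex>  <filename>" lines, and a demo that builds a constructed fake release, verifies it, then flips one byte to simulate a trojaned re-upload under the same file name. The file name, manifest format and payload are assumptions for illustration. One caveat a practitioner needs: if the manifest is uploaded to the same release page by the same account, a stolen account can rewrite both, so the manifest has to come from somewhere the attacker cannot touch (signed with a key the maintainer keeps off GitHub, or copied out of band).

```python
"""sha256sum -c style verification of release artifacts.

Added example; not the project's own tooling. Manifest format assumed:
    <sha256 hex digest>  <filename>
with optional '#' comment lines and sha256sum's '*' binary-mode marker.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Return {filename: expected hex digest}, skipping blanks and comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify(manifest_text, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, digest in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed release: verify the good artifact, then a one-byte tamper."""
    name = "app-1.0-linux-x86_64"  # hypothetical artifact name
    with tempfile.TemporaryDirectory() as d:
        # Constructed payload; not a real binary.
        good = b"\x7fELF" + b"constructed release payload\n" * 64
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(good)
        # Manifest as the maintainer would publish it (out of band / signed).
        manifest = f"# release 1.0\n{hashlib.sha256(good).hexdigest()}  *{name}\n"
        before = verify(manifest, d)

        # Simulate the trojaned re-upload: same file name, one byte changed.
        tampered = bytearray(good)
        tampered[100] ^= 0x01
        with open(path, "wb") as f:
            f.write(tampered)
        after = verify(manifest, d)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tamper:", before)
    print("after tamper: ", after)
```

The verifier compares digests with `hmac.compare_digest` out of habit rather than necessity; the real decision is where the manifest came from, since a digest that travels with the artifact on the same account-controlled page only detects corruption, not substitution.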

Well, if you're brute-forcing user passwords, you've probably done a cursory crawl of all or some users first.

A good bet to find people with private repositories would be to aim for all or a subset of those who belong to a Github "organisation".

Likelihood of valuable user greatly increased.

People often reuse user/password combinations. So if attackers can find working combinations here, those are combinations that they can try elsewhere as well.
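Two comments above describe what the attack looks like from the victim's side: a pile of failed login attempts on the security history page, and credentials reused from elsewhere being tried here. They produce different shapes in an authentication log, and the difference matters for the response (lock and reset one account versus look for a whole batch of accounts that just "succeeded"). The following is an added example, not GitHub's code or log format: a classifier over a constructed log that separates a brute force against one account (many failures, one user, one source) from credential stuffing (many users, one or two tries each, one source), and flags the signal that is actually actionable, a success from a source that was failing moments earlier. The log line format, thresholds, user names and documentation-range IP addresses are all assumptions.

```python
"""Separate brute force from credential stuffing in an authentication log.

Added example; the log format is hypothetical, not GitHub's:
    <ISO-8601 timestamp> <OK|FAIL> user=<login> ip=<address>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: fictional users, documentation-range addresses.
SAMPLE_LOG = """\
2013-11-19T10:00:01 OK   user=alice ip=192.0.2.5
2013-11-19T10:01:00 FAIL user=alice ip=203.0.113.7
2013-11-19T10:01:02 FAIL user=alice ip=203.0.113.7
2013-11-19T10:01:04 FAIL user=alice ip=203.0.113.7
2013-11-19T10:01:06 FAIL user=alice ip=203.0.113.7
2013-11-19T10:01:08 FAIL user=alice ip=203.0.113.7
2013-11-19T10:01:10 FAIL user=alice ip=203.0.113.7
2013-11-19T10:05:00 FAIL user=bob   ip=198.51.100.9
2013-11-19T10:05:01 FAIL user=carol ip=198.51.100.9
2013-11-19T10:05:02 FAIL user=dave  ip=198.51.100.9
2013-11-19T10:05:03 FAIL user=erin  ip=198.51.100.9
2013-11-19T10:05:04 OK   user=frank ip=198.51.100.9
2013-11-19T10:05:05 FAIL user=gina  ip=198.51.100.9
2013-11-19T10:30:00 FAIL user=bob   ip=192.0.2.77
2013-11-19T10:30:20 OK   user=bob   ip=192.0.2.77
"""


def parse_line(line):
    """One log line -> dict with timestamp, outcome, user and source address."""
    ts, result, user_field, ip_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "ip": ip_field.split("=", 1)[1],
    }


def classify(log_text, window=timedelta(minutes=10),
             brute_threshold=5, spray_threshold=5, prior_failures=3):
    """Return a list of {'ip', 'kind', 'users'} alerts.

    brute_force:            >= brute_threshold failures for one user from one IP
    credential_stuffing:    >= spray_threshold distinct users from one IP, each
                            failing at most twice (known passwords tried once)
    success_after_failures: a login succeeded from an IP that produced
                            >= prior_failures failures inside the window
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        reported = set()  # one brute/stuffing alert per IP is enough
        for i, e in enumerate(evs):
            # Failures from this IP inside the window ending at this event.
            recent = [f for f in evs[:i + 1]
                      if not f["ok"] and e["ts"] - f["ts"] <= window]
            per_user = defaultdict(int)
            for f in recent:
                per_user[f["user"]] += 1

            if e["ok"]:
                if len(recent) >= prior_failures:
                    alerts.append({"ip": ip, "kind": "success_after_failures",
                                   "users": [e["user"]]})
                continue

            worst = max(per_user.values())
            if worst >= brute_threshold and "brute_force" not in reported:
                reported.add("brute_force")
                alerts.append({"ip": ip, "kind": "brute_force",
                               "users": [u for u, n in per_user.items()
                                         if n >= brute_threshold]})
            if (len(per_user) >= spray_threshold and worst <= 2
                    and "credential_stuffing" not in reported):
                reported.add("credential_stuffing")
                alerts.append({"ip": ip, "kind": "credential_stuffing",
                               "users": sorted(per_user)})
    return alerts


if __name__ == "__main__":
    for a in classify(SAMPLE_LOG):
        print(a)
```

In the sample, bob's single typo followed by a success from 192.0.2.77 raises nothing, while frank's success from the stuffing source does; that last alert is the one worth acting on, since it marks an account whose password was already known to the attacker, which is exactly the reuse case the comment above describes, and the one 2-factor authentication would have stopped.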
People have private repos too you know.