GitHub will require all code contributors to use two-factor authentication

GitHub, the code hosting platform used by tens of millions of software developers around the world, announced today that all users who upload code to the site will need to enable one or more forms of two-factor authentication (2FA) by the end of 2023 in order to continue using the platform.

The new policy was announced Wednesday in a blog post by GitHub’s chief security officer (CSO) Mike Hanley, which highlighted the Microsoft-owned platform’s role in protecting the integrity of the software development process in the face of threats created by bad actors taking over developers’ accounts.

“The software supply chain starts with the developer,” Hanley wrote. “Developer accounts are frequent targets for social engineering and account takeover, and protecting developers from these types of attacks is the first and most critical step toward securing the supply chain.”

Even though multi-factor authentication provides significant additional protection to online accounts, GitHub’s internal research shows that only around 16.5 percent of active users (roughly one in six) currently enable the enhanced security measures on their accounts — a surprisingly low figure given that the platform’s user base should be aware of the risks of password-only protection.

By steering these users towards a higher minimum standard of account protection, GitHub hopes to boost the overall security of the software development community as a whole, Hanley told The Verge.

“GitHub is in a unique position here, just by virtue of the vast majority of open source and creator communities living on, that we can have a significant positive impact on the security of the overall ecosystem by raising the bar from a security hygiene perspective,” Hanley said. “We feel like it’s really one of the best ecosystem-wide benefits that we can provide, and we’re committed to making sure that we work through any of the challenges or obstacles to making sure that there’s successful adoption.”

GitHub has already established a precedent for the mandatory use of 2FA with a smaller subset of platform users, having trialled it with contributors to popular JavaScript libraries distributed through the package management software NPM. Since widely used NPM packages can be downloaded millions of times per week, they make a very attractive target for malware gangs. In some cases, hackers compromised NPM contributor accounts and used them to publish software updates that installed password stealers and crypto miners.

In response, GitHub made two-factor authentication mandatory for the maintainers of the 100 most popular NPM packages as of February 2022. The company plans to extend the same requirements to contributors to the top 500 packages by the end of May.

Insights from this smaller trial will be used to smooth out the process of rolling out 2FA across the platform, Hanley said. “I think we have a great benefit of the fact that we’ve already done this now on NPM,” he said. “We have learned a lot from that experience, in terms of feedback we’ve gotten from developers and creator communities that we’ve talked to, and we had a very active dialog about what good [practice] looks like with them.”

Broadly speaking, this means setting a long lead time for making the use of 2FA mandatory site-wide, and designing a range of onboarding flows to nudge users towards adoption well before the 2024 deadline, Hanley said.

Securing open-source software is still a pressing concern for the software industry, particularly after last year’s log4j vulnerability. But while GitHub’s new policy will mitigate some threats, systemic challenges remain: many open source software projects are still maintained by unpaid volunteers, and closing the funding gap has been seen as a major problem for the tech industry as a whole.



Meta VR headsets won’t require a Facebook account to use

The Oculus name may be no more, but there is at least one piece of good news in Facebook’s decision to rebrand itself as Meta. You won’t need a Facebook account to use its Quest headsets. That tidbit of information was nestled in a post from soon-to-be Meta CTO Andrew “Boz” Bosworth detailing what the rebranding means for the company’s various products.    

“We’re working on new ways to log into Quest that won’t require a Facebook account, landing sometime next year,” Bosworth said. “This is one of our highest priority areas of work internally.”

Meta announced in August 2020 it would eventually require all Oculus owners to log into their devices with a Facebook account. At the time, the company said it would start prompting people to merge their Oculus and Facebook accounts starting in October 2020. Under that plan, Oculus owners would have had until January 1st, 2023 to continue using their headsets without a Facebook account. After that point, Meta said the devices would continue working, but warned some games and apps would not. Unsurprisingly, the Oculus community immediately hated the decision. “What the fuck,” said one of the more tame comments an Oculus owner posted in the comments section of the blog post detailing the policy change.



Corsair Says New DDR5 RAM Will Require Much Better Cooling

DDR5 memory is on the horizon, and leading manufacturers are gearing up for its release. Corsair is one of the brands that is preparing to release DDR5 RAM soon. The company revealed more about the possibilities of DDR5 RAM, as well as some of the difficulties, including the fact that it will run much hotter than DDR4.

The warm-up is not a surprise. The best RAM in the DDR5 lineup is going to be up to 4 times more powerful than its predecessor, thus generating more heat. However, according to George Makris, Corsair’s DIY Marketing Director, the reason also lies in the design of the memory module itself.

“DDR5 conceivably could run much hotter than DDR4, as they have moved voltage regulation off the motherboard itself, and now it is on the [RAM module], so you actually could be pumping a lot more heat,” said George Makris in a YouTube video posted on Corsair’s channel.

It has already been announced that the new DDR5 memory will feature speeds that were previously unheard of. Even the lowest clock speeds will be equal to or surpass the highest numbers generated by DDR4 RAM. Corsair has said that the data transfer rates will begin at 6,400 MT/s and go as far up as 12,600 MT/s. It’s also expected that the technology will support clocks up to 8,400MHz.

In addition to the speed increase, each RAM stick is going to have a much larger capacity. While DDR4 RAM features a maximum capacity of 32GB per dual in-line memory module (DIMM), new DDR5 memory will be capable of supporting up to 128GB. Such an impressive upgrade is bound to require better cooling. According to Corsair, achieving this kind of step-up is only going to be possible through enabling on-board power management integrated circuits (PMIC) as well as voltage regulating modules (VRM).

Heat spreaders were never really a point of consideration for RAM manufacturers — this applies to both the DDR3 and DDR4 eras. This may still change when it comes to DDR5, as the memory sticks become more complex and power-consuming pieces of hardware. Corsair claims that the current cooling systems it uses in manufacturing new DDR5 RAM will continue to keep the temperatures stable.


DDR5 technology has been developed with future hardware in mind. For today’s standards, the jump in performance might seem a bit overkill, but in a few years it’s likely to be the norm — and DDR5 is meant to support that advancement.

The future-proof scaling of the data transfer rate is made possible through several design choices. DDR5 RAM modules come with their own PMIC and VRM, allowing for some serious overclocking — but those components will require extra cooling. This is supported by an increase in voltage. Adata is already testing 1.6 Volt designs for its top-of-the-line DIMMs. The standard is 1.1 Volts, meaning a 45% increase from what we are currently used to. This kind of overvoltage will generate more heat.

Corsair is planning to release its first DDR5 memory modules late this year, likely meeting the deadline to launch alongside Intel’s 12th generation of processors. Whether cooling these impressively powerful RAM sticks will become a problem still remains to be seen, but it’s a good sign that Corsair remains aware of it ahead of time.



Steam Remote Play Together won’t require a Steam account for one invite

Gaming can be an intensely social activity, despite stereotypes, but most of the interactions among gamers happen online these days. There are video games that are meant to be played together with a small band of friends, often over a local network. COVID-19 restrictions have made it harder to get together for local multiplayer games and some friends might not even live in the same country or continent. Valve made the Steam Remote Play Together feature exactly for that purpose and soon it won’t even require a Steam account to use, at least for some of the players.

Steam Remote Play Together builds on Steam Remote Play, which lets you play Steam games installed on one computer on any other computer running Steam. This allows gamers to keep a central gaming rig at home, with all the hardware they can cram into it, and play games on another computer or device that wouldn’t even be capable of running Windows games.

Remote Play Together extends that to allow multiplayer gameplay over the Internet instead of a local network. Given how it works, you’d presume that it requires all players to have Steam accounts to use this feature. While that’s generally true, Valve is relaxing its requirement, but for one very specific case only.

The new Invite Anyone beta feature of Steam’s Remote Play Together lets you invite one player to the game via a link that you generate in the Steam Overlay for the game. Only one player can be invited this way, however, and all other additional players have to be invited through your Friends List. Whichever method is used to join, they will be able to enjoy the full benefits of Remote Play Together, including sharing controllers with others in the group.

While it doesn’t require a Steam account, the invite link will direct gamers to at least install the Steam Link app. This means that only platforms that have this app support the Invite Anyone feature, namely Windows, iOS, Android, and the Raspberry Pi.
