https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html On Wed, Aug 18, 2021 at 12:53 PM MigMit wrote:

I did. I have an account there, but no projects.

Sent from my iPhone

...

On Aug 18, 2021, at 19:35, Henk-Jan van Tuyl via Haskell-Cafe < haskell-cafe@haskell.org> wrote:



L.S.,

Did anyone else get a message like the one below?

I did not try to log on to GitLab, as far as I can remember I do not have an account there. Is this some kind of physhing-attempt?

Regards, Henk-Jan van Tuyl

------- Forwarded message ------- From: GitLab To: hjgtuyl@chello.nl Subject: Unlock instructions Date: Wed, 18 Aug 2021 13:26:41 +0200

Hello, Henk-Jan!

Your GitLab account has been locked due to an excessive amount of unsuccessful sign in attempts. Your account will automatically unlock in 10 minutes or you may click the link below to unlock now.

Unlock account

-- Message from Stanford University:

Folding@home

What if you could share your unused computer power to help find a cure? In just 5 minutes you can join the world's biggest networked computer and get us closer sooner. Watch the video. https://foldingathome.org/

-- http://Van.Tuyl.eu https://HenkJanvanTuyl.werkaandemuur.nl/ https://sfeeraandemuur.nl/winkel/nekutimo/ https://github.com/HJvT

https://web.archive.org/web/20201109033750/members.chello.nl/hjgtuyl/tourdem...

...

https://web.archive.org/web/20201111212601/http://members.chello.nl/hjgtuyl/...

...

Haskell programming -- _______________________________________________ Haskell-Cafe mailing list To (un)subscribe, modify options or view archives go to: http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe Only members subscribed via the mailman list are allowed to post.

---

Haskell-Cafe mailing list To (un)subscribe, modify options or view archives go to: http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe Only members subscribed via the mailman list are allowed to post.

-- brandon s allbery kf8nh allbery.b@gmail.com

Am 22.08.21 um 14:55 schrieb Christopher Conforti:

On Wed, 18 Aug 2021 12:54:48 -0400 Brandon Allbery wrote:

...

https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html

It's almost as if big, single points of failure are not as resilient as a distributed web (or "bazaar") of independently-hosted sources. :-P

https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows

... It's just I see this sort of thing a lot and it can sometimes be incredibly destructive to projects; the solution--hosting one's own git server--is simple, effective, and inexpensive.

The error message reports that there was an excessive amount of wrong logins, not a successful hack. Anybody who knows your public username can stage such an attack against your account - either the account gets locked, or the account gets hammered with password bruteforce attempts until the attacker is successful. This is independently of whether the account is self-hosted or on a big service.

The only reason I can imagine that the practice isn't more widespread is that people are concerned about security. A good host will make that easier, and after the application of a few simple rules a much more secure system is possible with not that much effort at all.

Doing your own security means you have to constantly monitor the threat landscape. Which is pretty much a fulltime job. You can skimp on it if you're hosting just your own data - a single person's data is usually not worth attacking. gitlab.haskell.org is a language community. It is much more valuable to an attacker, so "not that much effort at all" won't worth. (Full disclosure: I am the "security person" for our team. I do not to the threat landscape monitoring, that's - thankfully - done by a full security team, I'm more the guy who just keeps up-to-date on what the security team is doing and passing on what's relevant to the team. Even that minimum task is taking more time off my normal work than I'd like.) Regards, Jo

Am 22.08.21 um 16:31 schrieb Christopher Conforti:

I meant no disrespect, of course;

Me neither. Please note I'm not part of the Haskell team, I'm just a sideline spectator. It's just that the topic is one of the things where I happen to be marginally competent.

forgive my ignorance. What worked for me in the past: Switch from WTF mode to "I want to ask questions to find out what I'm missing" mode. I often learn something of interest if I do it (and sometimes I fail to do it myself).

Regards, Jo