
L.S.,
Did anyone else get a message like the one below?
I did not try to log on to GitLab; as far as I can remember, I do not have
an account there. Is this some kind of phishing attempt?
Regards,
Henk-Jan van Tuyl
------- Forwarded message -------
From: GitLab

I did. I have an account there, but no projects.
Sent from my iPhone

On Aug 18, 2021, at 19:35, Henk-Jan van Tuyl via Haskell-Cafe wrote:
L.S.,
Did anyone else get a message like the one below?
I did not try to log on to GitLab; as far as I can remember, I do not have an account there. Is this some kind of phishing attempt?
Regards, Henk-Jan van Tuyl
------- Forwarded message -------
From: GitLab
To: hjgtuyl@chello.nl
Subject: Unlock instructions
Date: Wed, 18 Aug 2021 13:26:41 +0200
Hello, Henk-Jan!
Your GitLab account has been locked due to an excessive amount of unsuccessful sign in attempts. Your account will automatically unlock in 10 minutes or you may click the link below to unlock now.
Unlock account
-- Message from Stanford University:
Folding@home
What if you could share your unused computer power to help find a cure? In just 5 minutes you can join the world's biggest networked computer and get us closer sooner. Watch the video. https://foldingathome.org/
--
http://Van.Tuyl.eu
https://HenkJanvanTuyl.werkaandemuur.nl/
https://sfeeraandemuur.nl/winkel/nekutimo/
https://github.com/HJvT
https://web.archive.org/web/20201109033750/members.chello.nl/hjgtuyl/tourdem...
https://web.archive.org/web/20201111212601/http://members.chello.nl/hjgtuyl/...
Haskell programming
--
_______________________________________________
Haskell-Cafe mailing list
To (un)subscribe, modify options or view archives go to:
http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
Only members subscribed via the mailman list are allowed to post.

https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html
On Wed, Aug 18, 2021 at 12:53 PM MigMit
I did. I have an account there, but no projects.
Sent from my iPhone
--
brandon s allbery kf8nh
allbery.b@gmail.com

On Wed, 18 Aug 2021 12:54:48 -0400
Brandon Allbery
https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html
It's almost as if big, single points of failure are not as resilient as a distributed web (or "bazaar") of independently-hosted sources. :-P
https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows

I promise I'm not trying to be rude here, and the GHC team may already utilize one of these models; I freely admit that I do not know those details. It's just I see this sort of thing a lot and it can sometimes be incredibly destructive to projects; the solution--hosting one's own git server--is simple, effective, and inexpensive. (I have one and it costs me only $3.50/mo so I have basically no reason not to have one.)

The only reason I can imagine that the practice isn't more widespread is that people are concerned about security. A good host will make that easier, and after the application of a few simple rules a much more secure system is possible with not that much effort at all.

Food for thought.
--
Christopher Conforti

Am 22.08.21 um 14:55 schrieb Christopher Conforti:
On Wed, 18 Aug 2021 12:54:48 -0400 Brandon Allbery wrote:
https://mail.haskell.org/pipermail/ghc-devs/2021-August/020102.html
It's almost as if big, single points of failure are not as resilient as a distributed web (or "bazaar") of independently-hosted sources. :-P
https://git-scm.com/book/en/v2/Distributed-Git-Distributed-Workflows
... It's just I see this sort of thing a lot and it can sometimes be incredibly destructive to projects; the solution--hosting one's own git server--is simple, effective, and inexpensive.
The error message reports that there was an excessive amount of wrong logins, not a successful hack. Anybody who knows your public username can stage such an attack against your account - either the account gets locked, or the account gets hammered with password brute-force attempts until the attacker is successful. This is independent of whether the account is self-hosted or on a big service.
The only reason I can imagine that the practice isn't more widespread is that people are concerned about security. A good host will make that easier, and after the application of a few simple rules a much more secure system is possible with not that much effort at all.
Doing your own security means you have to constantly monitor the threat landscape, which is pretty much a full-time job. You can skimp on it if you're hosting just your own data - a single person's data is usually not worth attacking. gitlab.haskell.org is a language community. It is much more valuable to an attacker, so "not that much effort at all" won't work.

(Full disclosure: I am the "security person" for our team. I do not do the threat landscape monitoring, that's - thankfully - done by a full security team; I'm more the guy who just keeps up-to-date on what the security team is doing and passes on what's relevant to the team. Even that minimum task is taking more time off my normal work than I'd like.)

Regards, Jo
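The lock-out versus brute-force trade-off Joachim describes above, as an added illustration that is not part of this thread and is not GitLab's actual sign-in logic: a toy Python model of two throttling policies. Policy A counts failures per username and locks the username, so anyone who knows a public username can lock its owner out (the situation in the forwarded mail). Policy B counts failures per (username, source address) pair, which slows a guessing source without locking the owner out of their own address. The username, password, source addresses, threshold and timings are all constructed for the example; the 10-minute unlock window is taken from the forwarded GitLab message.

```python
# Added example, not part of the Haskell-Cafe thread and not GitLab's code.
# Toy model of two sign-in throttling policies. All usernames, passwords,
# source addresses and timings below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

LOCK_THRESHOLD = 5        # failed attempts before a lock (constructed value)
LOCK_SECONDS = 600        # "automatically unlock in 10 minutes", as in the GitLab mail

# Constructed credential store: username -> password (plaintext only for the toy).
USERS = {"hjgtuyl": "correct-horse"}


@dataclass
class AccountLockout:
    """Policy A: failures are counted per username; after LOCK_THRESHOLD the
    username is locked for LOCK_SECONDS. Anyone who knows the username can
    trigger the lock, which is a denial of service against its owner."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked_until: dict = field(default_factory=dict)

    def attempt(self, user, password, source, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                      # refused regardless of password
        if USERS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "fail"


@dataclass
class SourceThrottle:
    """Policy B: failures are counted per (username, source) pair and only that
    pair is throttled. A mitigation sketch, not any real service's logic."""
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)

    def attempt(self, user, password, source, now):
        key = (user, source)
        if self.blocked_until.get(key, 0) > now:
            return "throttled"
        if USERS.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= LOCK_THRESHOLD:
            self.blocked_until[key] = now + LOCK_SECONDS
            self.failures[key] = 0
        return "fail"


def simulate(policy):
    """Constructed scenario: an unknown source sends 20 wrong passwords for the
    known username at t=0..19 seconds; the real owner then signs in with the
    correct password from a different address at t=30.
    Returns (list of outcomes seen by the guessing source, owner's outcome)."""
    guesser = [policy.attempt("hjgtuyl", f"guess{i}", "203.0.113.9", now=i)
               for i in range(20)]
    owner = policy.attempt("hjgtuyl", "correct-horse", "192.0.2.10", now=30)
    return guesser, owner


if __name__ == "__main__":
    for name, policy in (("username lockout", AccountLockout()),
                         ("per-source throttle", SourceThrottle())):
        guesser, owner = simulate(policy)
        refused = len(guesser) - guesser.count("fail")
        print(f"{name}: guessing source got {guesser.count('fail')} 'fail' "
              f"and was refused {refused} times; owner at t=30 -> {owner}")
```

Under Policy A the owner's correct password is refused with "locked" at t=30 because the lock belongs to the username; under Policy B the same correct password succeeds because the block belongs to the (username, source) pair that did the guessing. Both policies still cap how fast one source can try passwords, which is the part of the lock-out that actually limits a brute-force attempt.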

On Sun, 22 Aug 2021 15:35:05 +0200
Joachim Durchholz
(Full disclosure: I am the "security person" for our team. I do not do the threat landscape monitoring, that's - thankfully - done by a full security team; I'm more the guy who just keeps up-to-date on what the security team is doing and passes on what's relevant to the team. Even that minimum task is taking more time off my normal work than I'd like.)
Regards, Jo
I meant no disrespect, of course; forgive my ignorance. I've never worked with another person, let alone a team, so I can only speak from what's worked for me.
--
Christopher Conforti

Am 22.08.21 um 16:31 schrieb Christopher Conforti:
I meant no disrespect, of course;
Me neither. Please note I'm not part of the Haskell team, I'm just a sideline spectator. It's just that the topic is one of the things where I happen to be marginally competent.
forgive my ignorance.
What worked for me in the past: Switch from WTF mode to "I want to ask questions to find out what I'm missing" mode. I often learn something of interest if I do it (and sometimes I fail to do it myself).
Regards, Jo
participants (5)
- Brandon Allbery
- Christopher Conforti
- Henk-Jan van Tuyl
- Joachim Durchholz
- MigMit