Hello, welcome to the Friday, December 18th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida, but teaching virtually in Washington, D.C.

I'm teaching the defending web application security class.

If you are interested in learning more about how to defend

web applications, the next run of this class will be on January 11th and you'll find links

to the class in the show notes. GitHub announced that starting August 13th next year, you will no longer be able to use passwords

when you're authenticating Git operations. So if you're making updates to your repository,

if you're pushing code, you will need either an Oath key GitHub app installation, or you

need to use S.S.H in order to push the update and then

of course as H with keys.

Until then you should be looking out for any warnings that you're using an outdated third

party integration.

That may mean that your client does not support these authentication methods, and you should definitely

update. Also, in order to essentially warn developers of this change, GitHub will implement

two brownouts, as they call it. This will happen on June 30th and July 28th. During a couple hours on each day,

you will be unable to log in with password and basically they will temporarily already

implement the behavior that will become normal on August 13th to kind of give you a warning

that it's now really time

to update your off vacation. Of course, what I'm trying to solve here is fishing that has often

been used in the past to gain access to developers' GitHub repostories and then has been used

to compromise code and inject backdoors, for example.

...