Just learned that makes account names available 90 days after the account is deleted.

hard enough for

Reclaiming usernames makes it possible to squat a trusted identity that may have hosted projects in widespread use...

...and git pull will just pull from the same URL under the new account holder's control.

So and be squatted or give unto Caesar that which is Caesar's! Why is OK if you get an AI to do it for you?

@vagrantc We've kept our accounts, just overwritten the repos with the SFC's #GiveUpGithub README.

I wouldn't be surprised if MS changed their terms and declared these accounts inactive or otherwise in breach so they can delete them. Or they may not care *shrug*

Reminds me of when we left a certain IRC network not so long ago.

@vagrantc or replace what was there with a statement and leave the account locked.


Don't delete the repository; just push an empty one onto it (other than a README pointing to the new location).

`git push -f `, BTW.

@vagrantc you're going to pull from a repo randomly after 90 days, after seeing no new updates?

@nn Many software projects I use have periods of activity and dormancy sometimes spanning multiple months, years or even occasionally decades. Some things are well designed (or really lucky) and only need infrequent updatates.

Account name squatting seems just as plausible as typo squatting, which has revealed realworld threats in recent years.

@vagrantc If MS cared the solution is easy: don't expire account names till 90 days after the last 404 on that account name.


That doesn't really solve the problem, that *might* delay the inevitable.

@vagrantc stealing an account everyone has stopped referencing makes it a poor target.


But 90 days is arbitrary, what if someone starts using it again on day 91? 180? 540?

Fundamentally the same problem.

@vagrantc someone will. But it wont be the thousands it would have been on 90 days after account deletion.

The attacks we are worried about here tend to be stochastic right, it's not going to work on everyone. So the chances of it working against the few who still fetch that repo will be low. Once the chances are low enough it's not an attack worth doing.

@vagrantc 🍬 How long is long enough before the names of deleted accounts may be recycled? 🍬

All security is about evaluating risks against other benefits.

There is no specific value, it is a security trade-off, the longer the better... 90 days gives some benefit, more days gives more benefit, waiting till the last attempted access to disappeared public repositories after N days gives stronger benefit, never reclaiming account names gives maximal security benefit... for this sort of account replacement/squatting/stealing attack.

Sign in to participate in the conversation

For people who care about, support, or build Free, Libre, and Open Source Software (FLOSS).