Need a little help from my friends

Lonnie Olson lists at kittypee.com
Sat Mar 23 13:52:50 MDT 2019


According to official documentation (
https://help.github.com/en/articles/what-happens-when-i-change-my-username),
the behavior you described is exactly what is expected and *allowed*.

"After changing your username, your old username becomes available for
anyone else to claim."


There is no indication that the new owner of the username is doing anything
malicious.  No repositories have been created to hijack yours.
The action is disruptive, of course; however, it is explicitly allowed by
GitHub.  This means that using abuse reporting systems for this user is
inappropriate.

Worse yet, your attempt to start a mob campaign to *harass* GitHub and/or
the new owner of the username is still very unethical.  Everything that
happened follows proper GitHub procedures and policies.  If you want to
effect a change to those policies, contacting GitHub using appropriate
channels (https://github.com/contact) will more likely, and more ethically,
achieve your desired outcome.

I still reject your request based on both efficacious and ethical grounds.
If you want assistance in lobbying GitHub to change their policies through
proper and more ethical means, I would be open to those kinds of requests.

I sympathize with your predicament with the loss of your old username/brand
on GitHub.  It is incredibly unfortunate.


On Fri, Mar 22, 2019 at 6:09 PM AJ ONeal (Home) <coolaj86 at gmail.com> wrote:

> > I'm unclear on what actually happened here.  Did someone steal your
> > credentials?  You say you deliberately closed the account.  I know
> > GitHub shouldn't be reusing usernames (and all the downstream security
> > implications), but how does someone grabbing up your abandoned GitHub
> > username constitute some kind of attack or hijack?
> >
>
> I renamed my account coolaj86 -> solderjs.
>
> That puts a redirect in place.
>
> An account was created that prevents the coolaj86 -> solderjs redirect on
> the main page.
>
> It also disabled old redirects that already existed.
>
> Someone having the account gives them the ability to create a project of
> the same name as a previous project and hijack project redirects as well.
>
> As of yet, no project repository redirects have been hijacked. Only the
> main account redirect has been disrupted.
>
> The only problem that the supposed attacker has caused directly is breaking
> the redirect from my old username to my new username. What appears to be an
> inadvertent result, due to how the platform works, is breaking the old
> redirects.
>
> Since my username was very specific and not something that one would come
> up with at random, my assumption is that unless it's actually GitHub
> creating the dummy account in reaction to the March 6th attack, the person
> creating the account is either generally reaping accounts with redirects (
> i.e. iterating over lists such as this one
> https://github.com/redox/top-github-users/blob/master/top-5K.csv - which I
> am on ) or specifically targeting me for an attack on a project. Either
> way, the intent is to be disruptive and opportunistic, and highly, highly
> unlikely to be an honest "oh, what a cool name that I've always wanted,
> I'll just happen to sign up after this person *just* happened to rename
> their account".
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>

