A few days ago I received an email from
From: "[REDACTED] (GitHub Staff)" <firstname.lastname@example.org> Date: Wed, 07 Mar 2018 21:55:06 +0000 (UTC) Subject: Re: A note from GitHub regarding your username Hi Joël, I work on GitHub's Support team and I'm contacting you about your GitHub account, 'malware'. I'm so sorry about this, but for technical reasons we need to remove the username 'malware' from being available. We'd like to ask you to change your username by following these steps: https://help.github.com/articles/how-to-change-your-username Changing your username is quick and painless. However, please read this Help article that explains what happens with your account: https://help.github.com/articles/what-happens-when-i-change-my-username Please feel free to take some time to find a new and awesome username. However, due to the technical reasons mentioned above, we will need to change your username in one week if you haven't made the change by then. If that happens, the username will be changed to 'mal-zz-ware' as a placeholder, and you will be able to change it again yourself. Losing a username is not fun, and we get that. To help you get over the loss and start new awesome projects, we'd be happy to apply a coupon to either your 'jperras' account or the 'malware' account (name changed, of course) for a free year of our developer plan. Please let me know if you have any questions, or if you run into any problems! And be sure to let us know to which account you'd like the coupon applied.
I'll save you the trouble: malware doesn't have
any public activity. It doesn't have much activity at all, to be honest: I log
in and poke around a bit once in a while, but really it's an account name that
I picked up not long ago with the intent of working on some new open source
stuff that wasn't tied to my usual
The reason behind the second account isn't anything nefarious or special: I simply liked the idea of being able to publish code in various states of readiness without stressing about how it might look on my "professional" online persona2.
Well, that particular cat is out of the bag now.
But why? Why was I now being asked to change the name of the account?
Is it because there wasn't enough activity on the account and they thought it was being squatted?3 The phrasing of the request seems to rule this out:
for technical reasons we need to remove the username 'malware' from being available.
but it's possible.
If this is some form of security-related censorship, where is the line drawn?
If I worked in infosec and had a repository or a user named
malware-examples, would that also trigger a support
email that required them to change the relevant entity names to
What about anyone with the word
hacker in their username5?
I sent a hasty reply, of which I have transcribed the salient portion:
What "technical reasons" would require changing a username for an account that has existed for some time now, without issue? Is it simply the somewhat nefarious nature of the name "malware"? If so, what other user names are now being banned from Github? Does this apply to composite names, such as `malwares`, or `online-malware`? If so, where is the line drawn? I had been waiting for a good time to switch over most of my non-corporate Github work over to the `malware` user (never enough time in the week). Granted, it sat inactive for a little bit of time, but I figured it would be there when I was ready. I guess my procrastination has saved me some work, in this case.
To which I received a reply a day later:
Thank you for your response. Due to privacy and security concerns, we are unable to discuss the technical reasons behind requesting the change of the malware username. I apologize again for the disappointment. Once the account name has been changed, we will go ahead and apply the year-long coupon to your `jperras` account.
It seems the reason I have to rename my user account is on a need-to-know basis, and that I, as the owner of that account, do not need to know.
As someone who has been a user of Github since 2009 and a paying user not long after that, I figured that I might get someone to give me an explanation, but I've only been met with canned replies or silence.
I know it's not a big deal: I'm not losing an account name that I've invested a lot of time into, and in the grand scheme of things Github is able to curate their own user and repository name blacklists as they see fit.
I just want to know why.
I'll leave the name of the support team member out of this, since they are most likely following company policy and are not directly responsible.
I'm at a point where I have a bit of anxiety over working on open source software (which is odd because it used to be such a huge part of my life), and thought that a secondary, completely separate Github account might help alleviate some of it.
My intention was never to hold on to the account for the sake of holding it. I just hadn't gotten around to publishing a new project; perhaps some lingering anxiety over OSS work was at work, here.
Let's be clear: I have never worked on anything that could be considered malware, nor did I have the intention of publishing actual malware to Github.
It's perhaps disingenuous to create hypothetical situations that all paint Github as an egregious offender here, but you get the idea.