Posted on

A few days ago I received an email from support@github.com1:

From: "[REDACTED] (GitHub Staff)" <>
Date: Wed, 07 Mar 2018 21:55:06 +0000 (UTC)
Subject: Re: A note from GitHub regarding your username

Hi Joël,

I work on GitHub's Support team and I'm contacting you about your GitHub
account, 'malware'. I'm so sorry about this, but for technical reasons we need
to remove the username 'malware' from being available.

We'd like to ask you to change your username by following these steps:

Changing your username is quick and painless. However, please read this Help
article that explains what happens with your account:

Please feel free to take some time to find a new and awesome username. However,
due to the technical reasons mentioned above, we will need to change your
username in one week if you haven't made the change by then. If that happens,
the username will be changed to 'mal-zz-ware' as a placeholder, and you will be
able to change it again yourself.

Losing a username is not fun, and we get that. To help you get over the loss
and start new awesome projects, we'd be happy to apply a coupon to either your
'jperras' account or the 'malware' account (name changed, of course) for a free
year of our developer plan.

Please let me know if you have any questions, or if you run into any problems!
And be sure to let us know to which account you'd like the coupon applied.

I'll save you the trouble: malware doesn't have any public activity. It doesn't have much activity at all, to be honest: I log in and poke around a bit once in a while, but really it's an account name that I picked up not long ago with the intent of working on some new open source stuff that wasn't tied to my usual jperras handle.

The reason behind the second account isn't anything nefarious or special: I simply liked the idea of being able to publish code in various states of readiness without stressing about how it might look on my "professional" online persona2.

Well, that particular cat is out of the bag now.

But why? Why was I now being asked to change the name of the account?

Is it because there wasn't enough activity on the account and they thought it was being squatted?3 The phrasing of the request seems to rule this out:

for technical reasons we need to remove the username 'malware' from being available.

but it's possible.

Is it because the word malware has negative connotations in the world of software? Am I a victim of a programmer version of a clbuttic filter4?

If this is some form of security-related censorship, where is the line drawn? If I worked in infosec and had a repository or a user named malware-research or malware-examples, would that also trigger a support email that required them to change the relevant entity names to mal-zz-ware-examples?

What about anyone with the word hacker in their username5?

I sent a hasty reply, of which I have transcribed the salient portion:

What "technical reasons" would require changing a username for an account that
has existed for some time now, without issue? Is it simply the somewhat
nefarious nature of the name "malware"? If so, what other user names are now
being banned from Github? Does this apply to composite names, such as
`malwares`, or `online-malware`? If so, where is the line drawn?

I had been waiting for a good time to switch over most of my non-corporate
Github work over to the `malware` user (never enough time in the week).
Granted, it sat inactive for a little bit of time, but I figured it would be
there when I was ready. I guess my procrastination has saved me some work, in
this case.

To which I received a reply a day later:

Thank you for your response. Due to privacy and security concerns, we are
unable to discuss the technical reasons behind requesting the change of the
malware username.

I apologize again for the disappointment. Once the account name has been
changed, we will go ahead and apply the year-long coupon to your `jperras`

It seems the reason I have to rename my user account is on a need-to-know basis, and that I, as the owner of that account, do not need to know.

As someone who has been a user of Github since 2009 and a paying user not long after that, I figured that I might get someone to give me an explanation, but I've only been met with canned replies or silence.

I know it's not a big deal: I'm not losing an account name that I've invested a lot of time into, and in the grand scheme of things Github is able to curate their own user and repository name blacklists as they see fit.

I just want to know why.


I'll leave the name of the support team member out of this, since they are most likely following company policy and are not directly responsible.


I'm at a point where I have a bit of anxiety over working on open source software (which is odd because it used to be such a huge part of my life), and thought that a secondary, completely separate Github account might help alleviate some of it.


My intention was never to hold on to the account for the sake of holding it. I just hadn't gotten around to publishing a new project; perhaps some lingering anxiety over OSS work was at work, here.


Let's be clear: I have never worked on anything that could be considered malware, nor did I have the intention of publishing actual malware to Github.


It's perhaps disingenuous to create hypothetical situations that all paint Github as an egregious offender here, but you get the idea.