> Here’s how the hack went down: Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Don't check secrets into VCS, folks!
I'm surprised Uber doesn't have their engineers set up 2FA for GitHub. Super simple to implement and require organization-wide[1] and would have prevented this. Then again, not storing credentials in GitHub would also have prevented this . . .
[1] https://help.github.com/articles/requiring-two-factor-authen...
This is so gob-smackingly uncommon I started asking "do you require 2fa for your github accounts" as part of my interview questions when I was looking for jobs (i.e. I'd ask my interviewers).
I don't know how to feel knowing that there is even one software-focused company out there that doesn't enforce 2fa on its github accounts. Like... how?! Why?!
To use 2fa on github you need a mobile phone.
Do you give every employee a mobile phone, or do you ask your employees to use their own personal phones?
Asking them to use their personal phones seems like a very bad solution. Many software companies do not routinely give developers mobile phones...
> To use 2fa on github you need a mobile phone.
This is incorrect.
You only need the ability to generate TOTP or U2F tokens. This is often done using a smartphone app, but can also be done by a desktop app like 1Password or a hardware device like a Yubikey: https://github.com/blog/2071-github-supports-universal-2nd-f...
You can also record the TOTP secret in your automated login script, next to your password, and generate the token on the fly right there.
It's things like that that make me wonder why TOTP tokens are supposed to be conceptually different from passwords. A TOTP scheme involves knowing a master password, and nothing else.
Recording a TOTP secret next to your password would make 2FA worthless, true. That’s why you should use hardware generators whenever possible. However, Github supports FIDO/U2F which is conceptually superior to TOTP: The authentication secret is bound to the domain and the token generator verifies this. So even a software U2F implementation protects against phishing for example, while TOTP does not.
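Added example (not code from any poster in this thread): the Python below shows the two points made in the comments above. First, TOTP per RFC 6238 is nothing more than HMAC over a time counter, so a script holding the base32 secret can mint valid codes (which is also why a code typed into a phishing page is just as valid as one typed into the real site). Second, a deliberately simplified origin-bound challenge/response models the U2F property: the browser supplies the origin it actually sees, the authenticator mixes it into its answer, and the relying party checks against its own origin, so a response produced on a look-alike domain fails. The secrets, origins and challenge are constructed test values (the TOTP secret is the RFC 6238 test key); the HMAC stand-in is an assumption made for brevity and is not the real U2F protocol, which uses per-site ECDSA key pairs and key handles.

```python
"""TOTP from a stored secret (RFC 4226/6238) beside a toy origin-bound
challenge/response that models why U2F resists phishing and TOTP does not."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of time steps since the Unix epoch.
    Anyone holding `secret` (a phone app, 1Password, or a login script) gets the same code."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def totp_from_base32(b32_secret: str, for_time: Optional[int] = None) -> str:
    """Enrolment QR codes carry the shared secret as base32; normalise spacing/case/padding."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return totp(base64.b32decode(s), for_time)


# --- Toy model of origin binding (assumption: simplified, NOT real U2F) -----------------
# Real U2F registers a per-site ECDSA key pair and signs the challenge together with the
# origin the browser reports. Here an HMAC key derived from a device master secret stands
# in for the key pair; the property being shown is the same: the origin is bound into the
# response by the client side, and the relying party verifies with its own origin.

def u2f_like_register(master: bytes, origin: str) -> bytes:
    """Per-origin credential the relying party stores at enrolment time."""
    return hmac.new(master, b"register:" + origin.encode(), hashlib.sha256).digest()


def u2f_like_sign(master: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """Response built by the authenticator. `browser_origin` comes from the browser, not the
    user, so a phishing page on another domain cannot claim to be the real site."""
    key = u2f_like_register(master, browser_origin)
    return hmac.new(key, browser_origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def u2f_like_verify(stored_key: bytes, rp_origin: str, challenge: bytes, response: bytes) -> bool:
    """Relying party check: recompute with the credential it stored and its OWN origin."""
    expected = hmac.new(stored_key, rp_origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Constructed scenario: a real site and a look-alike phishing origin."""
    rfc_secret = b"12345678901234567890"          # RFC 6238 SHA-1 test key (constructed input)
    master = b"constructed-device-master-secret"  # constructed, not a real device secret
    real = "https://github.com"
    phish = "https://github.com.evil.example"    # constructed phishing origin
    challenge = b"constructed-nonce-1"
    stored = u2f_like_register(master, real)
    return {
        # A TOTP code is independent of where it is typed, so a phisher can relay it as-is.
        "totp_at_t59": totp(rfc_secret, 59),
        # Response minted on the genuine origin verifies at the relying party.
        "u2f_real_origin_ok": u2f_like_verify(stored, real, challenge, u2f_like_sign(master, real, challenge)),
        # Same device, same challenge, but the browser reported the phishing origin: rejected.
        "u2f_phished_origin_ok": u2f_like_verify(stored, real, challenge, u2f_like_sign(master, phish, challenge)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The TOTP half reproduces the RFC 4226/6238 test vectors (counter 1, or T=59 with a 30-second step, gives 287082), which is a quick way to check any TOTP implementation you write. The origin-binding half is only a model: it captures why U2F's response cannot be replayed from a different domain, not how the real signature is computed.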
Do you know of any open source software implementations of U2F?