by giobox 3134 days ago
I really don't think using 2FA and the direct hacking of an individual developer's machine are all that comparable here.

Who cares about access to individual dev's machines if the credentials to access code on github are obtained - 2FA at least offers some degree of protection in this scenario. The scope for attack is extremely different.


Laptops and desktops are by far the weakest link and a trove of passwords, tokens, code, logs, chats, emails.

They run browsers, communication tools, all sort of product experiments and testbeds, and they even connect to random airport/hotel wifi.

Attack a laptop and all software and hardware 2FA tokens are useless. A backdoor can sit around and wait for the user to press the button.

> A backdoor can sit around and wait for the user to press the button.

There exist 2FA protocols[1] that permit tying the 2FA challenge to a particular context: you can't just take the response from the 2FA hardware and use it anywhere. In this regard, the malware doesn't get anything more than what they already have, and the 2FA still adds protection: if the malware is able to compromise your password (e.g., through keylogging) it doesn't immediately get access to everything you have access to. Now, of course, if you 2FA for some resource, then yes, at that point, you're probably doomed, but I don't believe that gets the malware anything new (e.g., once the auth is complete, if that results in a "user is logged in" cookie, the malware could just read that, and go to town.)

Compromise of a local machine is definitely bad, and not what you want, but 2FA tokens are not useless, even in that situation.

[1]: https://developers.yubico.com/U2F/Protocol_details/Overview....
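An added illustration of the context binding described in the comment above (not part of the thread or of Yubico's code): the bytes a U2F token signs during authentication include SHA-256(AppID) and SHA-256(ClientData), and ClientData carries both the server's challenge and the origin the browser saw, so a captured response cannot be replayed for a later login or edited to carry a new challenge. The AppID, challenges and token secret are constructed, and HMAC stands in for the token's per-registration ECDSA key so the script runs with the standard library only.

```python
import hashlib
import hmac
import json
import struct

RP_APP_ID = "https://rp.example"   # constructed relying-party AppID/origin

def application_parameter(app_id: str) -> bytes:
    return hashlib.sha256(app_id.encode()).digest()   # first 32 bytes the token signs

def client_data(challenge: str, origin: str) -> bytes:
    """ClientData JSON built by the browser; it names the challenge and the origin it saw."""
    data = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    return json.dumps(data, separators=(",", ":"), sort_keys=True).encode()

def message_to_sign(app_id: str, presence: int, counter: int, cdata: bytes) -> bytes:
    """app parameter || user-presence byte || 4-byte counter || SHA-256(ClientData)."""
    return (application_parameter(app_id) + bytes([presence])
            + struct.pack(">I", counter) + hashlib.sha256(cdata).digest())

class SimulatedToken:
    """Stand-in for the hardware key; HMAC replaces the per-registration ECDSA key (assumption)."""
    def __init__(self) -> None:
        self.key = b"\x42" * 32   # constructed secret; a real token holds an ECDSA private key
        self.counter = 0

    def sign(self, app_id: str, cdata: bytes):
        self.counter += 1         # the button press the comment mentions
        msg = message_to_sign(app_id, 1, self.counter, cdata)
        return 1, self.counter, hmac.new(self.key, msg, "sha256").digest()

def rp_verify(key: bytes, challenge: str, cdata: bytes, presence: int, counter: int, sig: bytes) -> bool:
    """Relying party: require its own challenge and origin in ClientData, then check the signature."""
    parsed = json.loads(cdata)
    if parsed.get("challenge") != challenge or parsed.get("origin") != RP_APP_ID:
        return False
    expected = hmac.new(key, message_to_sign(RP_APP_ID, presence, counter, cdata), "sha256").digest()
    return hmac.compare_digest(expected, sig)

def demo() -> tuple:
    token = SimulatedToken()
    cdata = client_data("challenge-1", RP_APP_ID)
    presence, counter, sig = token.sign(RP_APP_ID, cdata)          # legitimate login
    legit = rp_verify(token.key, "challenge-1", cdata, presence, counter, sig)
    # Malware replays the captured response against a later login that issued challenge-2:
    replay = rp_verify(token.key, "challenge-2", cdata, presence, counter, sig)
    # ...or rewrites ClientData to carry challenge-2; the signed hash no longer matches:
    forged = rp_verify(token.key, "challenge-2", client_data("challenge-2", RP_APP_ID), presence, counter, sig)
    return legit, replay, forged
```

In the real protocol the browser additionally refuses to produce a response when the page origin is not a valid facet of the AppID, which is the other half of what keeps a relayed challenge from being signed.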

The hackers wanted access to the code to look for Amazon keys. For them it doesn't matter if they get the code from the internal GitHub or from a developer machine.

If you have an ultra-secure door, the thieves will just enter through your regular window.

How do you know they "wanted" access to look for Amazon keys? Do you know it wasn't from a blanket scan of github?

Sure, there are only 13 projects on https://uber.github.io/, but there are 169 on https://github.com/uber, and it only takes a short while to scan for access keys. There are plenty of open tools that will scan github for keys.

This may not have been targeted at Uber but a net for all of github with Uber being just one company that was hit up for cash. Unless you're saying that you know the motivations of the attackers.