
The Case for 2FA, Post Rest-Client Gem CVE - rietta
https://rietta.com/blog/rest-client-cve/
======
rietta
From the article:

"We had a chance to speak to Matt Manning who provided some clues to what may
have led to his account being compromised.

'I probably hadn’t logged into the rubygems web UI since 2011/2012. I don’t
know if they had 2fa back then, and I wasn’t disciplined about using a
password manager then. I use 1password now, but that login was so old that I
didn’t even have it in 1pass, so I didn’t catch it when I audited dupes, etc
there. I probably haven’t pushed a public gem since 2014. I guess my api key
was cached for that.'

Matt raises a point of interest which we’ll dive into further later, but
it’s worth noting that he hadn’t pushed to a public gem since 2014. This long
predates when 2FA was introduced to RubyGems, which was announced in the blog
post November 2018 RubyGems Updates (rubygems.org) on 12/09/2018."

------
kaushikt
`~>` This operator is a devil

