> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahemcough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
Ask Rudy Giuliani or any architect foolish enough to take a project from him. While Trump might know more about protecting people who help him than he did then, it would be out of character for him to expend the time it takes to sign something if his benefit in the transaction is over.
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NRLB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
Do you actually believe that? Do you not think that at least SOME OF THEM, are working their asses off to save american tax payer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
Hanlon's razor is overused and abused. Quite often, it is actually a malice and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Such Biden logic that ended with us launching missiles into russia. A constant escalation with no real end in sight and always matching "tit-for-tat- instead of trying to solve the root issue.
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
No other president has given explicit permission to launch american missles and use american guidance systems to launch missles into russian territory... Besides biden. What are you talking about?
And you forgot... besides Trump. because trumps not a warmonger, people like to act like he's on the side of the russians. People have lost their minds.
Because when someone punches you in the face, you punch back?
Also I don't know why we keep referring to Russia as a major power, their GDP is about the size of Italy's, their economy is on the rocks, their military stockpile is depleted from a failed invasion of their much, much smaller neighbor.
failed operation? Have you seen the war map? After the whole world dumped all their stockpiles to ukraine for over $500B, the russians have still taken over a 3rd of the country. Biden logic was going to lead to a american troops on the ground, and a vietnam all over again.
Russia didn't punch us in the face, they punched some dude that we barley knew in highschool half way across the world.
Your numbers are way off. Ukraine has not received "over $500B". According to the Kiel institute tracker, as of February, the total military support for Ukraine from all all over the world combined stands at 132 billion EUR (~148bn USD). Nor does Russia control a third of the country. Russia controls 18.3%, of which 7.05% was occupied before 2022 and 11.25% since then. The total area held by Russia peaked in the first month of the war at 25.86%, was reduced to 18% with Ukrainian counteroffensives, and has stood there since the late 2022.
While looking at the chart, keep in mind that Russia currently loses around 30-45k people a month as dead and wounded and they have nothing to show for it. The last major territorial gains were during the first month of the war in March 2022. It's a total military disaster with no end in sight.
And the person you replied to is absolutely right: Russia is not fighting for the potato fields of Ukraine, but to dismantle the entire international security system that the US built after the WWII to secure commerce and influence on the world. Ukraine is one of the stepping stones. Here's the full blueprint: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#Con...
This isn't an example of incompetence. DOGE staff broke laws when they connected their personal computers to classified system. They knew better, plenty of people told them not to do this and they still did it.
They could have followed OpSec rules and still done their work. They chose not to do so. Their willful disobedience of the laws and OpSec might stem from multiple rationals, but it doesn't matter, because their actions are criminal and their negligence is beyond incompetence.
I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
Yeah, inputing "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
These aren't local credentials, these are credentials from various third-party websites that made their way into stealer logs. Garbled or not, using your personal email address for both legitimate purposes (e.g. Google Calendar, as the article points out) and honeypots isn't the best idea.
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
This is different from haveibeenpawned leaks. These infostealer dumps mean the data is direct from a spyware/malware on a victims computer. for ex: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
> a strong indication that devices belonging to him have been hacked in recent years.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
"Well-known" email addresses (e.g: gaben@valvesoftware.com, president@whitehouse.gov) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If there's bias, I think it comes from people being concerned that there are people coming into various govt. offices, demanding and receiving write/read, non-logging accounts on systems containing sensitive information. The access DOGE staffers are being granted absolutely warrants extra scrutiny of their conduct and security practices.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
> If the facts support those allegations, then absolutely yes
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
charitably, you have fallen for the myth that americans can only engage in politics from one of two sports-fan positions. this is not true and the sooner we stop engaging with this myth, the better.
uncharitably, you are pushing a stupid narrative on purpose with ill intent.
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
Was he using his own computer? He should surely have been using one provided by the institution. In a properly secured system he should not have needed passwords to connect to databases, they should have been secured by something like Active Directory roles and certificates. Do any of these US institutions have any idea of proper security?
DOGE didn't care to go through proper channels for anything. They just used whatever they had. It was a true train wreck let by young talentless types like "big balz" or whatever his name was; their only qualifying talent was complete loyalty to Elon Musk.
All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them .
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has it's own system for classified things, while it looks like maybe DOGE does not.
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to to take the leap of faith and put their neck on the chopping block?
Liz Cheney?
Adam Kitzinger?
Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
I am saying "they are doing nothing, because they want this to happen". Trump policies are exactly what conservatives wanted and pushed for. The corruption and all that is stuff they are fine with, as long as it is one of them doing it.
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
The article title suggests that this is about his current PC which he is using at the agency. That is totally false.
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if its unintentional (big if) from the DOGE's side, at this level you are target by state actors and they will get to your personal devices if they want.
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahem cough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
Good point.
Is the point good enough to elaborate further preferably with actual proof instead of just opinion?
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
Its more like "i see something waddling and quacking, is it a mallard or gallwad"
I dont mind, its open season and neither is on the protected list.
I mean, obviously very difficult to prove, but there _is_ a level of apparent stupidity where Hanlon's razor starts to get a bit blunt.
[flagged]
"We don't do that here"
- T'Challa
How bad can it be? Be pardoned by a SCOTUS immune president?
That won't save you from a lawsuit
Ask Rudy Giuliani or any architect foolish enough to take a project from him. While Trump might know more about protecting people who help him than he did then, it would be out of character for him to expend the time it takes to sign something if his benefit in the transaction is over.
I imagine it is "all of the above".
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
>Good point.
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NRLB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs
But it's coming from the right/good side so any conspiracy instead of panic and dehumanization is plausible and not worth discussing further.
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
We're being downvoted to oblivion, but notice nobody is saying we are wrong?
Hanlon's razor
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
Hanlon's razor was originally a joke. Not like, serious observation about how world works.
The caveat is that intentional stupidity is indistinguishable from malice.
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
idk the law differentiates between "attempted but failed murder" / "accidental murder" / "successful(?) murder"
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
Do you actually believe that? Do you not think that at least SOME OF THEM, are working their asses off to save american tax payer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
I guess we just disagree on what's important. $2.9B for 3,000 children. That's 967K per child. What in the actual fuck? https://www.fpds.gov/common/jsp/LaunchWebPage.jsp?command=ex...
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
> there are better ways to do that.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
regardless of the KPI perspective, do you agree that $3.3B is a bit much for a facility that can only host up the 3k?
For reference, look up some of the Giga factory costs (With Capital expenditure for production). They are similiar in expenditures.
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
You can look at the bid requirements yourself and determine whether you think it's reasonable for the scope of the facility: https://sam.gov/opp/3726d9e2246c47e197396e805ce6bb33/view
This was awarded sole source. There were no vendors able to compete.
I also find their J&A unconvincing, and there's no way it passes the smell test required in Far part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
You can't trust their claimed savings either. https://www.nytimes.com/2025/04/13/us/politics/doge-contract...
Hanlon's razor is for a peaceful heart, not for helping you win bets.
¿Por qué no los dos?
(Spanish for _Why not both?_)
Hanlon's razor is overused and abused. Quite often, it is actually a malice and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
And also asked Russian intelligence services to hack his opponent in 2016, which they did the next day.
you could not make this shit up, right!?
There was specifically the televised "Russia, if you're listening..." quip followed by the release of the DNC emails.
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
> why are we commiting offensive cyber operations against a nuclear power?
Maybe because they are doing it too ?
Such Biden logic that ended with us launching missiles into russia. A constant escalation with no real end in sight and always matching "tit-for-tat- instead of trying to solve the root issue.
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
You misspelled Reagan.
(Though to be fair, every president since Truman has escalated things with Russia/USSR, except maybe Clinton. Reagan just did more than most.)
> You don't think trump is actively involved in negotations[sic] with russia to stop all this madness?
No, I think Trump is doing whatever Putin wants him to do.
No other president has given explicit permission to launch american missles and use american guidance systems to launch missles into russian territory... Besides biden. What are you talking about?
And you forgot... besides Trump. because trumps not a warmonger, people like to act like he's on the side of the russians. People have lost their minds.
Because when someone punches you in the face, you punch back?
Also I don't know why we keep referring to Russia as a major power, their GDP is about the size of Italy's, their economy is on the rocks, their military stockpile is depleted from a failed invasion of their much, much smaller neighbor.
failed operation? Have you seen the war map? After the whole world dumped all their stockpiles to ukraine for over $500B, the russians have still taken over a 3rd of the country. Biden logic was going to lead to a american troops on the ground, and a vietnam all over again.
Russia didn't punch us in the face, they punched some dude that we barley knew in highschool half way across the world.
Your numbers are way off. Ukraine has not received "over $500B". According to the Kiel institute tracker, as of February, the total military support for Ukraine from all all over the world combined stands at 132 billion EUR (~148bn USD). Nor does Russia control a third of the country. Russia controls 18.3%, of which 7.05% was occupied before 2022 and 11.25% since then. The total area held by Russia peaked in the first month of the war at 25.86%, was reduced to 18% with Ukrainian counteroffensives, and has stood there since the late 2022.
Scroll to "Overall control of Ukraine": https://www.warmapper.org/stats
While looking at the chart, keep in mind that Russia currently loses around 30-45k people a month as dead and wounded and they have nothing to show for it. The last major territorial gains were during the first month of the war in March 2022. It's a total military disaster with no end in sight.
And the person you replied to is absolutely right: Russia is not fighting for the potato fields of Ukraine, but to dismantle the entire international security system that the US built after the WWII to secure commerce and influence on the world. Ukraine is one of the stepping stones. Here's the full blueprint: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#Con...
Hanlon's razor can be taken advantage of.
Hanlon's razor has been weaponized against good-faith applications
[flagged]
Yeah, sure. Seeing a conspiracy and 4d chess in everything is a proof of having an enlightened mind.
I work in this space and many actors, including nation state actors, are just incompetent. You may not believe me, that's OK.
This isn't an example of incompetence. DOGE staff broke laws when they connected their personal computers to classified system. They knew better, plenty of people told them not to do this and they still did it.
They could have followed OpSec rules and still done their work. They chose not to do so. Their willful disobedience of the laws and OpSec might stem from multiple rationals, but it doesn't matter, because their actions are criminal and their negligence is beyond incompetence.
I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
> My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
Many website still store plaintext passwords.
Indeed the ones getting hacked are more likely to.
From the linked article:
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
Yeah, inputing "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
"Hope"? Generate random text, repeatedly type it in with AutoHotKey on honeypot machine, whatever rootkits are on there get garbled, useless data.
These aren't local credentials, these are credentials from various third-party websites that made their way into stealer logs. Garbled or not, using your personal email address for both legitimate purposes (e.g. Google Calendar, as the article points out) and honeypots isn't the best idea.
Them not naming the sites is pretty telling.
They're linking to the original source of the news, which literally names "the sites".
No it does not. What sites appeared in the "stealer logs" with his email?
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
If you read the full article you'll see its not just from database dumps.
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
Absolutely. Now, how do I sort things out? And eventually clear my name so people searching for my email don’t jump to conclusions regarding my OPSEC…
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
You fly jets long enough, something like this happens.
This is different from haveibeenpawned leaks. These infostealer dumps mean the data is direct from a spyware/malware on a victims computer. for ex: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
> a strong indication that devices belonging to him have been hacked in recent years.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
The first sentence is actually:
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
"Well-known" email addresses (e.g: gaben@valvesoftware.com, president@whitehouse.gov) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
>reasonably good evidence that you are doing something wrong.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
Yes, by "doing something wrong," I meant "doing something that gets you infected with an infostealer," not something ethically wrong or illegal.
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
>Nobody would care otherwise.
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If there's bias, I think it comes from people being concerned that there are people coming into various govt. offices, demanding and receiving write/read, non-logging accounts on systems containing sensitive information. The access DOGE staffers are being granted absolutely warrants extra scrutiny of their conduct and security practices.
> Nobody would care otherwise.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
autocorrect; "included credentials too"
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
> I am not sure why we are falling for this click baity garbage, over and over.
Because it's easier to create and broadcast bait than to filter it.
Until HN improves, I propose that we flag moronic titles (misleading, clickbait, just annoyingly moronic, and so on).
In the long term HN should do something about it, e.g. editoralized titles.
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
[flagged]
I oppose corruption and treason regardless of party affiliation.
[flagged]
If the facts support those allegations, then absolutely yes.
> If the facts support those allegations, then absolutely yes
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
I get the impression that you think every American voter, including me, is partisan and a party loyalist.
I won't bother trying to persuade you otherwise, beyond saying that my voting record and public comments refute that.
Not every, but way too many.
If you're truly one of the few, congrats.
I've seen the chairs switch way too many times to be anything but cynical.
charitably, you have fallen for the myth that americans can only engage in politics from one of two sports-fan positions. this is not true and the sooner we stop engaging with this myth, the better.
uncharitably, you are pushing a stupid narrative on purpose with ill intent.
"charitably?" "uncharitably?"
Nice ad hom you got there in lieu of an actual argument. lol
i'm willing to entertain ignorance, but not malice
Me too, man. Me too.
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
It's not 'assume', it's literally in the text:
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
> Putting this in undermines the quality of their critique.
I don't disagree, but the reader may show critical thinking and consider that there is more: there is mention of malware, not just a leak.
Was he using his own computer? He should surely have been using one provided by the institution. In a properly secured system he should not have needed passwords to connect to databases, they should have been secured by something like Active Directory roles and certificates. Do any of these US institutions have any idea of proper security?
DOGE didn't care to go through proper channels for anything. They just used whatever they had. It was a true train wreck let by young talentless types like "big balz" or whatever his name was; their only qualifying talent was complete loyalty to Elon Musk.
All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
Alcatraz is a tourist attraction so while perhaps not somewhere I'd choose to live it also has routine ferries that you can just leave on.
Their boss is talking about reopening Alcatraz. I suspect that's what sys_64738 is referencing.
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them .
Well that's something that should be looked into.
That's how it is -- by design.
[dead]
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has it's own system for classified things, while it looks like maybe DOGE does not.
The DOGE staff have no security clearance to revoke, as far as I can tell.
How come they get to fumble and botch everything then?
Reason: Congress has decided to not to ask that question of the Presidents Office.
Why so abstract? It is because republicans in the Congress are supporting Trump policies. They are doing nothing, because they want this to happen.
Why don't people rise up against dictators in other parts of the world?
They always do - eventually
I think the point was to refute "they are doing nothing therefore they want this to happen"
Related: https://www.newsweek.com/lisa-murkowski-donald-trump-retalia...
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
[1]: https://en.wikipedia.org/wiki/United_States_Congress
[2]: https://en.wikipedia.org/wiki/January_2023_Speaker_of_the_Un...
[3]: https://en.wikipedia.org/wiki/October_2023_Speaker_of_the_Un...
Never interrupt your enemy when he is making a mistake.
The democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
Siting around and do nothing is going to come back and bite incumbent democrats in a couple years.
Sure they might not lose the general election to a republican but their primary is going to be painful.
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to to take the leap of faith and put their neck on the chopping block?
Liz Cheney? Adam Kitzinger? Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
I am saying "they are doing nothing, because they want this to happen". Trump policies are exactly what conservatives wanted and pushed for. The corruption and all that is stuff they are fine with, as long as it is one of them doing it.
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Sort of. The Dems laughing at the Reps voting out their own speaker was interesting on several levels.
That kind of punishment is currently only considered appropriate for perpetrators of lese majeste.
Who needs authority when you have ~vibes~
If the story is published on arstechnica, be assured the relevant agencies are obviously well aware. They are choosing not to act.
In principle? Perhaps. De-facto? Not as long as they're performing Trumpllatio.
Haha noice.
I don't think anyone really needs to express more at this point.
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
I've rolled with the same set up for years, what should I be doing instead?
password manager with 2FA / yubikey, randomized passwords per account, randomized account emails if your provider supports aliasing
What provider do you suggest? I've used Gmail all my life. Recently firefox started supporting forwarding, but that's only 5 emails.
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
If your setup includes a password manager, generated unique passwords and enabling 2FA everywhere you can, there's not much else to do.
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwnd.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
I happen to think that having your password manager online is a mistake.
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...
- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
Source:
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
https://news.ycombinator.com/item?id=43930267
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
The article title suggests that this is about his current PC which he is using at the agency. That is totally false.
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
They're saving the government lots of money by streamlining the data exfiltration.
[dead]
[flagged]
Leaked? Maybe they even "leaked" it willingly, to prove their grip, their superiority, you name it.
[flagged]
[flagged]
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if its unintentional (big if) from the DOGE's side, at this level you are target by state actors and they will get to your personal devices if they want.
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
imagine holding nominally-technical staff to a higher level of information security practice
This article is reaching.
I’ve logged onto secondary email accounts from PC’s that weren’t mine and could well have been infected. That’s what 2FA is for.
I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
> A password in a leak isn’t evidence of anything.
It’s evidence that your password leaked. What are you on about? You think they just randomly guessed his password?