> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahemcough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
Good point.
akimbostrawman · 11h ago
Is the point good enough to elaborate further preferably with actual proof instead of just opinion?
amelius · 9h ago
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
halJordan · 4h ago
Its more like "i see something waddling and quacking, is it a mallard or gallwad"
rsynnott · 8h ago
I mean, obviously very difficult to prove, but there _is_ a level of apparent stupidity where Hanlon's razor starts to get a bit blunt.
FirmwareBurner · 10h ago
"We don't do that here"
- T'Challa
FireBeyond · 7h ago
I imagine it is "all of the above".
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
belter · 11h ago
How bad can it be? Be pardoned by a SCOTUS immune president?
satanfirst · 22m ago
Ask Rudy Giuliani or any architect foolish enough to take a project from him. While Trump might know more about protecting people who help him than he did then, it would be out of character for him to expend the time it takes to sign something if his benefit in the transaction is over.
FirmwareBurner · 12h ago
>Good point.
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
conartist6 · 12h ago
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
conartist6 · 11h ago
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NRLB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs
akimbostrawman · 11h ago
But it's coming from the right/good side so any conspiracy instead of panic and dehumanization is plausible and not worth discussing further.
abouthn · 9h ago
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
FirmwareBurner · 4h ago
We're being downvoted to oblivion, but notice nobody is saying we are wrong?
kurtis_reed · 12h ago
Hanlon's razor
UncleMeat · 10h ago
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
watwut · 8h ago
Hanlon's razor was originally a joke. Not like, serious observation about how world works.
namaria · 11h ago
The caveat is that intentional stupidity is indistinguishable from malice.
sys_64738 · 11h ago
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
more-nitor · 9h ago
idk the law differentiates between "attempted but failed murder" / "accidental murder" / "successful(?) murder"
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
TrapLord_Rhodo · 10h ago
Do you actually believe that? Do you not think that at least SOME OF THEM, are working their asses off to save american tax payer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
AlotOfReading · 9h ago
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
troyvit · 7h ago
> there are better ways to do that.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
AlotOfReading · 9h ago
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
TrapLord_Rhodo · 9h ago
regardless of the KPI perspective, do you agree that $3.3B is a bit much for a facility that can only host up the 3k?
For reference, look up some of the Giga factory costs (With Capital expenditure for production). They are similiar in expenditures.
AlotOfReading · 8h ago
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
This was awarded sole source. There were no vendors able to compete.
I also find their J&A unconvincing, and there's no way it passes the smell test required in Far part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
bavell · 9h ago
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
Hanlon's razor is for a peaceful heart, not for helping you win bets.
psadauskas · 9h ago
¿Por qué no los dos?
(Spanish for _Why not both?_)
watwut · 8h ago
Hanlon's razor is overused and abused. Quite often, it is actually a malice and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
amelius · 6h ago
Hanlon's razor can be taken advantage of.
fspoettel · 12h ago
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
sorcerer-mar · 12h ago
And also asked Russian intelligence services to hack his opponent in 2016, which they did the next day.
conartist6 · 12h ago
you could not make this shit up, right!?
SauciestGNU · 9h ago
There was specifically the televised "Russia, if you're listening..." quip followed by the release of the DNC emails.
TrapLord_Rhodo · 10h ago
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Rexxar · 10h ago
> why are we commiting offensive cyber operations against a nuclear power?
Maybe because they are doing it too ?
TrapLord_Rhodo · 9h ago
Such Biden logic that ended with us launching missiles into russia. A constant escalation with no real end in sight and always matching "tit-for-tat- instead of trying to solve the root issue.
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
psadauskas · 3h ago
You misspelled Reagan.
(Though to be fair, every president since Truman has escalated things with Russia/USSR, except maybe Clinton. Reagan just did more than most.)
> You don't think trump is actively involved in negotations[sic] with russia to stop all this madness?
No, I think Trump is doing whatever Putin wants him to do.
TrapLord_Rhodo · 2h ago
No other president has given explicit permission to launch american missles and use american guidance systems to launch missles into russian territory... Besides biden. What are you talking about?
And you forgot... besides Trump. because trumps not a warmonger, people like to act like he's on the side of the russians. People have lost their minds.
camel_Snake · 3h ago
Because when someone punches you in the face, you punch back?
Also I don't know why we keep referring to Russia as a major power, their GDP is about the size of Italy's, their economy is on the rocks, their military stockpile is depleted from a failed invasion of their much, much smaller neighbor.
TrapLord_Rhodo · 2h ago
failed operation? Have you seen the war map? After the whole world dumped all their stockpiles to ukraine for over $500B, the russians have still taken over a 3rd of the country. Biden logic was going to lead to a american troops on the ground, and a vietnam all over again.
Russia didn't punch us in the face, they punched some dude that we barley knew in highschool half way across the world.
mopsi · 46m ago
Your numbers are way off. Ukraine has not received "over $500B". According to the Kiel institute tracker, as of February, the total military support for Ukraine from all all over the world combined stands at 132 billion EUR (~148bn USD). Nor does Russia control a third of the country. Russia controls 18.3%, of which 7.05% was occupied before 2022 and 11.25% since then. The total area held by Russia peaked in the first month of the war at 25.86%, was reduced to 18% with Ukrainian counteroffensives, and has stood there since the late 2022.
While looking at the chart, keep in mind that Russia currently loses around 30-45k people a month as dead and wounded and they have nothing to show for it. The last major territorial gains were during the first month of the war in March 2022. It's a total military disaster with no end in sight.
And the person you replied to is absolutely right: Russia is not fighting for the potato fields of Ukraine, but to dismantle the entire international security system that the US built after the WWII to secure commerce and influence on the world. Ukraine is one of the stepping stones. Here's the full blueprint: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#Con...
GuinansEyebrows · 7h ago
Hanlon's razor has been weaponized against good-faith applications
whacko_quacko · 14h ago
I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
alxlaz · 14h ago
> My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
buckle8017 · 14h ago
Many website still store plaintext passwords.
Indeed the ones getting hacked are more likely to.
alxlaz · 13h ago
From the linked article:
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
trollbridge · 10h ago
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
alxlaz · 9h ago
Yeah, inputing "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
trollbridge · 8h ago
"Hope"? Generate random text, repeatedly type it in with AutoHotKey on honeypot machine, whatever rootkits are on there get garbled, useless data.
alxlaz · 7h ago
These aren't local credentials, these are credentials from various third-party websites that made their way into stealer logs. Garbled or not, using your personal email address for both legitimate purposes (e.g. Google Calendar, as the article points out) and honeypots isn't the best idea.
lostmsu · 10h ago
Them not naming the sites is pretty telling.
alxlaz · 9h ago
They're linking to the original source of the news, which literally names "the sites".
lostmsu · 8h ago
No it does not. What sites appeared in the "stealer logs" with his email?
alxlaz · 8h ago
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
florbnit · 13h ago
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Hikikomori · 14h ago
If you read the full article you'll see its not just from database dumps.
nicolaslegland · 12h ago
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
blitzar · 12h ago
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
nicolaslegland · 12h ago
Absolutely. Now, how do I sort things out? And eventually clear my name so people searching for my email don’t jump to conclusions regarding my OPSEC…
thomquaid · 12h ago
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
trollbridge · 11h ago
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
blitzar · 10h ago
You fly jets long enough, something like this happens.
welder · 14h ago
This is different from haveibeenpawned leaks. These infostealer dumps mean the data is direct from a spyware/malware on a victims computer. for ex: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
No comments yet
dev_l1x_be · 14h ago
> a strong indication that devices belonging to him have been hacked in recent years.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
aweiher · 14h ago
The first sentence is actually:
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
InsideOutSanta · 14h ago
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
Ukv · 11h ago
"Well-known" email addresses (e.g: gaben@valvesoftware.com, president@whitehouse.gov) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
poincaredisk · 11h ago
>reasonably good evidence that you are doing something wrong.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
InsideOutSanta · 3h ago
Yes, by "doing something wrong," I meant "doing something that gets you infected with an infostealer," not something ethically wrong or illegal.
trollbridge · 11h ago
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
cma · 14h ago
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
krick · 12h ago
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
poincaredisk · 11h ago
>Nobody would care otherwise.
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
roenxi · 11h ago
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
dakr · 4h ago
If there's bias, I think it comes from people being concerned that there are people coming into various govt. offices, demanding and receiving write/read, non-logging accounts on systems containing sensitive information. The access DOGE staffers are being granted absolutely warrants extra scrutiny of their conduct and security practices.
cma · 9h ago
> Nobody would care otherwise.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
cma · 3m ago
autocorrect; "included credentials too"
AdamN · 13h ago
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
worldsayshi · 14h ago
> I am not sure why we are falling for this click baity garbage, over and over.
Because it's easier to create and broadcast bait than to filter it.
bmacho · 14h ago
Until HN improves, I propose that we flag moronic titles (misleading, clickbait, just annoyingly moronic, and so on).
In the long term HN should do something about it, e.g. editoralized titles.
gchamonlive · 11h ago
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
palata · 13h ago
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
philipwhiuk · 12h ago
It's not 'assume', it's literally in the text:
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
palata · 49m ago
> Putting this in undermines the quality of their critique.
I don't disagree, but the reader may show critical thinking and consider that there is more: there is mention of malware, not just a leak.
ninalanyon · 3h ago
Was he using his own computer? He should surely have been using one provided by the institution. In a properly secured system he should not have needed passwords to connect to databases, they should have been secured by something like Active Directory roles and certificates. Do any of these US institutions have any idea of proper security?
sys_64738 · 11h ago
All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
lesuorac · 10h ago
Alcatraz is a tourist attraction so while perhaps not somewhere I'd choose to live it also has routine ferries that you can just leave on.
dpkirchner · 9h ago
Their boss is talking about reopening Alcatraz. I suspect that's what sys_64738 is referencing.
Incipient · 10h ago
Haha noice.
I don't think anyone really needs to express more at this point.
ndsipa_pomu · 15h ago
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
thot_experiment · 15h ago
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
dragonwriter · 14h ago
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them .
marak830 · 12h ago
Well that's something that should be looked into.
withinboredom · 8h ago
That's how it is -- by design.
withinboredom · 15h ago
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has it's own system for classified things, while it looks like maybe DOGE does not.
actionfromafar · 15h ago
The DOGE staff have no security clearance to revoke, as far as I can tell.
zombot · 14h ago
How come they get to fumble and botch everything then?
actionfromafar · 14h ago
Reason: Congress has decided to not to ask that question of the Presidents Office.
watwut · 14h ago
Why so abstract? It is because republicans in the Congress are supporting Trump policies. They are doing nothing, because they want this to happen.
blitzar · 12h ago
Why don't people rise up against dictators in other parts of the world?
redeux · 11h ago
They always do - eventually
anonymars · 11h ago
I think the point was to refute "they are doing nothing therefore they want this to happen"
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
Never interrupt your enemy when he is making a mistake.
The democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
lesuorac · 6h ago
Siting around and do nothing is going to come back and bite incumbent democrats in a couple years.
Sure they might not lose the general election to a republican but their primary is going to be painful.
anonymars · 9h ago
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to to take the leap of faith and put their neck on the chopping block?
Liz Cheney?
Adam Kitzinger?
Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
watwut · 3h ago
I am saying "they are doing nothing, because they want this to happen". Trump policies are exactly what conservatives wanted and pushed for. The corruption and all that is stuff they are fine with, as long as it is one of them doing it.
rsynnott · 8h ago
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
watwut · 9h ago
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
DFHippie · 12h ago
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
trelane · 3h ago
Sort of. The Dems laughing at the Reps voting out their own speaker was interesting on several levels.
bregma · 12h ago
That kind of punishment is currently only considered appropriate for perpetrators of lese majeste.
raverbashing · 14h ago
Who needs authority when you have ~vibes~
vntok · 15h ago
If the story is published on arstechnica, be assured the relevant agencies are obviously well aware. They are choosing not to act.
arp242 · 14h ago
In principle? Perhaps. De-facto? Not as long as they're performing Trumpllatio.
gitroom · 13h ago
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
jxjnskkzxxhx · 11h ago
I've rolled with the same set up for years, what should I be doing instead?
GaryNumanVevo · 11h ago
password manager with 2FA / yubikey, randomized passwords per account, randomized account emails if your provider supports aliasing
jxjnskkzxxhx · 9h ago
What provider do you suggest? I've used Gmail all my life. Recently firefox started supporting forwarding, but that's only 5 emails.
mdaniel · 8h ago
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
vntok · 11h ago
If your setup includes a password manager, generated unique passwords and enabling 2FA everywhere you can, there's not much else to do.
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwnd.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
jxjnskkzxxhx · 9h ago
I happen to think that having your password manager online is a mistake.
mdaniel · 8h ago
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
ChrisArchitect · 8h ago
Source:
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
They're saving the government lots of money by streamlining the data exfiltration.
tjpnz · 12h ago
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
constantcrying · 7h ago
The article title suggests that this is about his current PC which he is using at the agency. That is totally false.
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
joejoo · 14h ago
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
calgoo · 13h ago
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if its unintentional (big if) from the DOGE's side, at this level you are target by state actors and they will get to your personal devices if they want.
SkipperCat · 11h ago
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
GuinansEyebrows · 7h ago
imagine holding nominally-technical staff to a higher level of information security practice
epanchin · 14h ago
This article is reaching.
I’ve logged onto secondary email accounts from PC’s that weren’t mine and could well have been infected. That’s what 2FA is for.
I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.
piva00 · 13h ago
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
florbnit · 13h ago
> A password in a leak isn’t evidence of anything.
It’s evidence that your password leaked. What are you on about?
You think they just randomly guessed his password?
Good point.
- T'Challa
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
For reference, look up some of the Giga factory costs (With Capital expenditure for production). They are similiar in expenditures.
You can look at the bid requirements yourself and determine whether you think it's reasonable for the scope of the facility: https://sam.gov/opp/3726d9e2246c47e197396e805ce6bb33/view
I also find their J&A unconvincing, and there's no way it passes the smell test required in Far part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
(Spanish for _Why not both?_)
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Maybe because they are doing it too ?
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
(Though to be fair, every president since Truman has escalated things with Russia/USSR, except maybe Clinton. Reagan just did more than most.)
> You don't think trump is actively involved in negotations[sic] with russia to stop all this madness?
No, I think Trump is doing whatever Putin wants him to do.
And you forgot... besides Trump. because trumps not a warmonger, people like to act like he's on the side of the russians. People have lost their minds.
Also I don't know why we keep referring to Russia as a major power, their GDP is about the size of Italy's, their economy is on the rocks, their military stockpile is depleted from a failed invasion of their much, much smaller neighbor.
Russia didn't punch us in the face, they punched some dude that we barley knew in highschool half way across the world.
Scroll to "Overall control of Ukraine": https://www.warmapper.org/stats
While looking at the chart, keep in mind that Russia currently loses around 30-45k people a month as dead and wounded and they have nothing to show for it. The last major territorial gains were during the first month of the war in March 2022. It's a total military disaster with no end in sight.
And the person you replied to is absolutely right: Russia is not fighting for the potato fields of Ukraine, but to dismantle the entire international security system that the US built after the WWII to secure commerce and influence on the world. Ukraine is one of the stepping stones. Here's the full blueprint: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#Con...
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
Indeed the ones getting hacked are more likely to.
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
It means the people in the leak had malware on their computer in the past, and maybe present.
No comments yet
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Because it's easier to create and broadcast bait than to filter it.
In the long term HN should do something about it, e.g. editoralized titles.
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
I don't disagree, but the reader may show critical thinking and consider that there is more: there is mention of malware, not just a leak.
I don't think anyone really needs to express more at this point.
Related: https://www.newsweek.com/lisa-murkowski-donald-trump-retalia...
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
[1]: https://en.wikipedia.org/wiki/United_States_Congress
[2]: https://en.wikipedia.org/wiki/January_2023_Speaker_of_the_Un...
[3]: https://en.wikipedia.org/wiki/October_2023_Speaker_of_the_Un...
The democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
Sure they might not lose the general election to a republican but their primary is going to be painful.
Liz Cheney? Adam Kitzinger? Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwnd.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...
- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
https://news.ycombinator.com/item?id=43930267
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
I’ve logged onto secondary email accounts from PC’s that weren’t mine and could well have been infected. That’s what 2FA is for.
I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.
It’s evidence that your password leaked. What are you on about? You think they just randomly guessed his password?