> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahemcough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
Good point.
akimbostrawman · 3h ago
Is the point good enough to elaborate further preferably with actual proof instead of just opinion?
amelius · 1h ago
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
rsynnott · 38m ago
I mean, obviously very difficult to prove, but there _is_ a level of apparent stupidity where Hanlon's razor starts to get a bit blunt.
FirmwareBurner · 2h ago
"We don't do that here"
- T'Challa
belter · 3h ago
How bad can it be? Be pardoned by a SCOTUS immune president?
kurtis_reed · 4h ago
Hanlon's razor
UncleMeat · 2h ago
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
watwut · 12m ago
Hanlon's razor was originally a joke. Not, like, a serious observation about how the world works.
namaria · 3h ago
The caveat is that intentional stupidity is indistinguishable from malice.
sys_64738 · 3h ago
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
TrapLord_Rhodo · 2h ago
Do you actually believe that? Do you not think that at least SOME OF THEM are working their asses off to save American taxpayer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
AlotOfReading · 1h ago
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but I highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which the last case in the United States was in 2022... Polio is all but eradicated here in the United States.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
AlotOfReading · 1h ago
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
TrapLord_Rhodo · 1h ago
Regardless of the KPI perspective, do you agree that $3.3B is a bit much for a facility that can only host up to 3k?
For reference, look up some of the Giga factory costs (with capital expenditure for production). They are similar in expenditures.
AlotOfReading · 52m ago
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
This was awarded sole source. There were no vendors able to compete.
I also find their J&A unconvincing, and there's no way it passes the smell test required in FAR Part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
bavell · 1h ago
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
idk the law differentiates between "attempted but failed murder" / "accidental murder" / "successful(?) murder"
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
watwut · 13m ago
Hanlon's razor is overused and abused. Quite often, it is actually malice, and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation of how the world works, but a funny sentence about there being a lot of incompetence in the world.
psadauskas · 1h ago
¿Por qué no los dos?
(Spanish for _Why not both?_)
fspoettel · 4h ago
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
sorcerer-mar · 4h ago
And also asked Russian intelligence services to hack his opponent in 2016, which they did the next day.
conartist6 · 4h ago
you could not make this shit up, right!?
SauciestGNU · 1h ago
There was specifically the televised "Russia, if you're listening..." quip followed by the release of the DNC emails.
TrapLord_Rhodo · 2h ago
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we committing offensive cyber operations against a nuclear power? Somewhere in your line you seem to think that it's justified? And that Biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Rexxar · 2h ago
> why are we committing offensive cyber operations against a nuclear power?
Maybe because they are doing it too?
TrapLord_Rhodo · 1h ago
Such Biden logic that ended with us launching missiles into Russia. A constant escalation with no real end in sight and always matching "tit-for-tat" instead of trying to solve the root issue.
You don't think Trump is actively involved in negotiations with Russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotiations would be to stop attacking each other?
FirmwareBurner · 4h ago
>Good point.
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting other people's unhinged takes off social media, then upvoting it on HN?
conartist6 · 4h ago
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessimism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
conartist6 · 3h ago
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NLRB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs.
abouthn · 1h ago
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
akimbostrawman · 3h ago
But it's coming from the right/good side so any conspiracy instead of panic and dehumanization is plausible and not worth discussing further.
whacko_quacko · 6h ago
I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwned too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually criticizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism.
alxlaz · 6h ago
> My email appears in dumps on haveibeenpwned too, because of database dumps. How is that evidence that there's a key logger on my system?
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
buckle8017 · 6h ago
Many websites still store plaintext passwords.
Indeed the ones getting hacked are more likely to.
alxlaz · 5h ago
From the linked article:
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
trollbridge · 3h ago
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
alxlaz · 2h ago
Yeah, inputting "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
trollbridge · 8m ago
"Hope"? Generate random text, repeatedly type it in with AutoHotKey on honeypot machine, whatever rootkits are on there get garbled, useless data.
lostmsu · 2h ago
Them not naming the sites is pretty telling.
alxlaz · 1h ago
They're linking to the original source of the news, which literally names "the sites".
lostmsu · 46m ago
No it does not. What sites appeared in the "stealer logs" with his email?
alxlaz · 3m ago
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
Hikikomori · 6h ago
If you read the full article you'll see it's not just from database dumps.
nicolaslegland · 4h ago
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
blitzar · 4h ago
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
nicolaslegland · 4h ago
Absolutely. Now, how do I sort things out? And eventually clear my name so people searching for my email don’t jump to conclusions regarding my OPSEC…
thomquaid · 4h ago
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isn't real journalism, it is Ars-washed political talking points.
trollbridge · 3h ago
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
blitzar · 2h ago
You fly jets long enough, something like this happens.
florbnit · 5h ago
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
welder · 6h ago
This is different from haveibeenpwned leaks. These infostealer dumps mean the data is direct from spyware/malware on a victim's computer. For example: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
dev_l1x_be · 6h ago
> a strong indication that devices belonging to him have been hacked in recent years.
I like this kind of speculative article. The clickbait title states something with certainty, then the first sentence clarifies that it is speculation. I am not sure why we are falling for this click baity garbage, over and over.
aweiher · 6h ago
The first sentence is actually:
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
InsideOutSanta · 6h ago
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
Ukv · 3h ago
"Well-known" email addresses (e.g: gaben@valvesoftware.com, president@whitehouse.gov) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
poincaredisk · 3h ago
>reasonably good evidence that you are doing something wrong.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
trollbridge · 3h ago
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
cma · 6h ago
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
krick · 4h ago
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
poincaredisk · 3h ago
>Nobody would care otherwise.
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
roenxi · 3h ago
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
cma · 1h ago
> Nobody would care otherwise.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
AdamN · 5h ago
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
worldsayshi · 6h ago
> I am not sure why we are falling for this click baity garbage, over and over.
Because it's easier to create and broadcast bait than to filter it.
bmacho · 6h ago
Until HN improves, I propose that we flag moronic titles (misleading, clickbait, just annoyingly moronic, and so on).
In the long term HN should do something about it, e.g. editorialized titles.
gchamonlive · 3h ago
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
trelane · 3h ago
> am not sure why we are falling for this click baity garbage, over and over.
It's pretty clear why. The Red Party is in the White House, and HN is very clearly a Blue Party site.
CoastalCoder · 3h ago
I oppose corruption and treason regardless of party affiliation.
trelane · 2h ago
If only that were true.
Or maybe you were agitating for action against the Clintons and Bidens as well?
I want to believe that there are actual principles, but as far as I can tell, principles are just the reasons everyone uses to prove that the opposing party is bad and must be stopped or destroyed.
There are always reasons why it's fine, actually, when one's own party does the bad thing.
CoastalCoder · 2h ago
If the facts support those allegations, then absolutely yes.
trelane · 2h ago
> If the facts support those allegations, then absolutely yes
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
palata · 5h ago
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
philipwhiuk · 4h ago
It's not 'assume', it's literally in the text:
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
TrapLord_Rhodo · 2h ago
This is fake news. You use a CAC card to login to gov computers...
Since "2023", does not prove he has bad opsec. He could be using a random password generator with 2fa. Any of the sites could be hacked and he would still be solid. I can't even read the news anymore...
sys_64738 · 3h ago
All the DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
lesuorac · 2h ago
Alcatraz is a tourist attraction so while perhaps not somewhere I'd choose to live it also has routine ferries that you can just leave on.
dpkirchner · 1h ago
Their boss is talking about reopening Alcatraz. I suspect that's what sys_64738 is referencing.
ChrisArchitect · 1h ago
Source:
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
I don't think anyone really needs to express more at this point.
gitroom · 5h ago
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
jxjnskkzxxhx · 3h ago
I've rolled with the same set up for years, what should I be doing instead?
vntok · 3h ago
If your setup includes a password manager, generated unique passwords and enabling 2FA everywhere you can, there's not much else to do.
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwned.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
jxjnskkzxxhx · 1h ago
I happen to think that having your password manager online is a mistake.
mdaniel · 48m ago
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
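The hash-then-check workflow from the comment above, as an added example that is not part of the thread: it assumes the SHA-1 prefix/suffix format of HIBP's Pwned Passwords range lookup (first 5 hex characters queried, `SUFFIX:COUNT` lines returned). The vault entries and range bodies are constructed, so it runs offline.

```python
import hashlib

# Constructed sample vault: labels and passwords are made up for this example.
SAMPLE_VAULT = {
    "mail": "password",
    "bank": "constructed-example-passphrase-7391",
}


def sha1_upper(password):
    """Upper-case SHA-1 hex digest, the form used in range listings."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def airgapped_export(vault):
    """Offline machine: label -> SHA-1 digest. Only digests leave this step."""
    return {label: sha1_upper(pw) for label, pw in vault.items()}


def prefixes_to_query(hashes):
    """Connected machine: the only values a range lookup needs to see."""
    return sorted({digest[:5] for digest in hashes.values()})


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Malformed lines are skipped, and so are zero-count entries, which is
    how padded responses mark filler rows.
    """
    listing = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            listing[suffix.upper()] = int(count)
    return listing


def check_hashes(hashes, bodies):
    """Match each digest's 35-char suffix against the body for its prefix.

    `bodies` maps prefix -> response text. Returns label -> times seen,
    with 0 meaning the digest is not listed.
    """
    report = {}
    for label, digest in hashes.items():
        listing = parse_range_body(bodies.get(digest[:5], ""))
        report[label] = listing.get(digest[5:], 0)
    return report


def constructed_bodies(hashes):
    """Constructed range bodies standing in for fetched responses."""
    leaked = hashes["mail"]
    clean = hashes["bank"]
    return {
        leaked[:5]: "\r\n".join([
            "0" * 35 + ":3",          # constructed unrelated entry
            leaked[5:] + ":1234",     # constructed hit, count is made up
            "F" * 35 + ":0",          # padding-style filler row
            "truncated-line",         # malformed row, must be ignored
        ]),
        clean[:5]: "\r\n".join(["A" * 35 + ":17", "B" * 35 + ":0"]),
    }


if __name__ == "__main__":
    digests = airgapped_export(SAMPLE_VAULT)
    print("prefixes to look up:", prefixes_to_query(digests))
    print("report:", check_hashes(digests, constructed_bodies(digests)))
```
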
GaryNumanVevo · 3h ago
password manager with 2FA / yubikey, randomized passwords per account, randomized account emails if your provider supports aliasing
jxjnskkzxxhx · 1h ago
What provider do you suggest? I've used Gmail all my life. Recently firefox started supporting forwarding, but that's only 5 emails.
mdaniel · 45m ago
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
ndsipa_pomu · 7h ago
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
thot_experiment · 7h ago
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
dragonwriter · 6h ago
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them.
marak830 · 4h ago
Well that's something that should be looked into.
withinboredom · 34m ago
That's how it is -- by design.
withinboredom · 7h ago
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has its own system for classified things, while it looks like maybe DOGE does not.
actionfromafar · 7h ago
The DOGE staff have no security clearance to revoke, as far as I can tell.
zombot · 6h ago
How come they get to fumble and botch everything then?
actionfromafar · 6h ago
Reason: Congress has decided not to ask that question of the President's Office.
DFHippie · 4h ago
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
watwut · 6h ago
Why so abstract? It is because republicans in the Congress are supporting Trump policies. They are doing nothing, because they want this to happen.
blitzar · 4h ago
Why don't people rise up against dictators in other parts of the world?
rsynnott · 29m ago
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
redeux · 3h ago
They always do - eventually
anonymars · 3h ago
I think the point was to refute "they are doing nothing therefore they want this to happen"
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to take the leap of faith and put their neck on the chopping block?
Liz Cheney?
Adam Kinzinger?
Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
blitzar · 2h ago
Never interrupt your enemy when he is making a mistake.
The democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
watwut · 1h ago
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to a large extent a logical extension of what the Republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more than mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
bregma · 4h ago
That kind of punishment is currently only considered appropriate for perpetrators of lese majeste.
raverbashing · 6h ago
Who needs authority when you have ~vibes~
vntok · 7h ago
If the story is published on arstechnica, be assured the relevant agencies are obviously well aware. They are choosing not to act.
arp242 · 6h ago
In principle? Perhaps. De-facto? Not as long as they're performing Trumpllatio.
mystified5016 · 1h ago
They're saving the government lots of money by streamlining the data exfiltration.
tjpnz · 4h ago
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
joejoo · 6h ago
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
calgoo · 5h ago
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if it's unintentional (big if) from the DOGE's side, at this level you are targeted by state actors and they will get to your personal devices if they want.
SkipperCat · 3h ago
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
epanchin · 6h ago
This article is reaching.
I’ve logged onto secondary email accounts from PCs that weren’t mine and could well have been infected. That’s what 2FA is for.
I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.
piva00 · 5h ago
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
florbnit · 5h ago
> A password in a leak isn’t evidence of anything.
It’s evidence that your password leaked. What are you on about?
You think they just randomly guessed his password?
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but I highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which the last case in the United States was in 2022... Polio is all but eradicated here in the United States.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
For reference, look up some of the Giga factory costs (with capital expenditure for production). They are similar in expenditures.
You can look at the bid requirements yourself and determine whether you think it's reasonable for the scope of the facility: https://sam.gov/opp/3726d9e2246c47e197396e805ce6bb33/view
I also find their J&A unconvincing, and there's no way it passes the smell test required in FAR Part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
Hanlon's razor was originally a joke. Not a scientific observation of how the world works, but a funny sentence about there being a lot of incompetence in the world.
(Spanish for _Why not both?_)
uhhh... why are we committing offensive cyber operations against a nuclear power? Somewhere in your line you seem to think that it's justified? And that Biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Maybe because they are doing it too?
You don't think Trump is actively involved in negotiations with Russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotiations would be to stop attacking each other?
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting other people's unhinged takes off social media, then upvoting it on HN?
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessimism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tool responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
Actually criticizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism.
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
Indeed the ones getting hacked are more likely to.
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Stop reading Ars and your name will be cleared. This isn't real journalism, it is Ars-washed political talking points.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
It means the people in the leak had malware on their computer in the past, and maybe present.
I like these kinds of speculative articles. The clickbait title states something with certainty, then the first sentence clarifies that it is speculation. I am not sure why we are falling for this clickbaity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
> But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Because it's easier to create and broadcast bait than to filter it.
In the long term HN should do something about it, e.g. editorialized titles.
It's pretty clear why. The Red Party is in the White House, and HN is very clearly a Blue Party site.
Or maybe you were agitating for action against the Clintons and Bidens as well?
I want to believe that there are actual principles, but as far as I can tell, principles are just the reasons everyone uses to prove that the opposing party is bad and must be stopped or destroyed.
There are always reasons why it's fine, actually, when one's own party does the bad thing.
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
Since "2023", does not prove he has bad opsec. He could be using a random password generator with 2fa. Any of the sites could be hacked and he would still be solid. I can't even read the news anymore...
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
https://news.ycombinator.com/item?id=43930267
I don't think anyone really needs to express more at this point.
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwned.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...
- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
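The hash-prefix check and the air-gapped workflow described in the comments above, as an added example that is not part of the original thread. It assumes the range response format of one `SUFFIX:COUNT` pair per line; `fake_fetch_range`, `CONSTRUCTED_RANGES`, the counts and the decoy suffix are constructed stand-ins so the block runs offline.

```python
import hashlib

def sha1_hex(password: str) -> str:
    """Run on the air-gapped side: only this hash is carried across."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> dict:
    """Parse a range response, one 'SUFFIX:COUNT' pair per line."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def check_hashes(hashes, fetch_range):
    """Return {full_hash: times_seen}; 0 means the hash was not listed.

    fetch_range(prefix) is only ever given the first 5 hex characters,
    so the service never sees a full hash, let alone a password.
    """
    cache, report = {}, {}
    for full in (h.upper() for h in hashes):
        prefix, suffix = full[:5], full[5:]
        if prefix not in cache:  # one request per distinct prefix
            cache[prefix] = parse_range(fetch_range(prefix))
        report[full] = cache[prefix].get(suffix, 0)
    return report

# Constructed stand-in for the network call (assumption, not real data).
SENT_PREFIXES = []
CONSTRUCTED_RANGES = {
    "5BAA6": "0" * 34 + "A:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n",
}

def fake_fetch_range(prefix: str) -> str:
    SENT_PREFIXES.append(prefix)  # record what would leave the machine
    return CONSTRUCTED_RANGES.get(prefix, "")

def demo():
    hashes = [sha1_hex("password"),
              sha1_hex("constructed-unique-passphrase-7f3a")]
    return check_hashes(hashes, fake_fetch_range)

if __name__ == "__main__":
    for full, seen in demo().items():
        print(full[:5] + "...", f"seen {seen} times" if seen else "not listed")
```

A non-zero count means the password itself has appeared in a breach corpus and should be rotated everywhere it was used; it says nothing about whether the device that stored it was infected.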
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Related: https://www.newsweek.com/lisa-murkowski-donald-trump-retalia...
It's really just Republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract Trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping Democrats.
[1]: https://en.wikipedia.org/wiki/United_States_Congress
[2]: https://en.wikipedia.org/wiki/January_2023_Speaker_of_the_Un...
[3]: https://en.wikipedia.org/wiki/October_2023_Speaker_of_the_Un...
Liz Cheney? Adam Kinzinger? Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
The Democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
Trump and his policies are to a large extent a logical extension of what the Republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more than mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made the choice to support this party again and again, because they agree with it.