> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahemcough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
Do you actually believe that? Do you not think that at least SOME OF THEM, are working their asses off to save american tax payer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
Hanlon's razor is overused and abused. Quite often, it is actually a malice and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Such Biden logic that ended with us launching missiles into russia. A constant escalation with no real end in sight and always matching "tit-for-tat- instead of trying to solve the root issue.
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
This isn't an example of incompetence. DOGE staff broke laws when they connected their personal computers to classified system. They knew better, plenty of people told them not to do this and they still did it.
They could have followed OpSec rules and still done their work. They chose not to do so. Their willful disobedience of the laws and OpSec might stem from multiple rationals, but it doesn't matter, because their actions are criminal and their negligence is beyond incompetence.
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NRLB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
Yeah, inputing "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
These aren't local credentials, these are credentials from various third-party websites that made their way into stealer logs. Garbled or not, using your personal email address for both legitimate purposes (e.g. Google Calendar, as the article points out) and honeypots isn't the best idea.
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
This is different from haveibeenpawned leaks. These infostealer dumps mean the data is direct from a spyware/malware on a victims computer. for ex: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
> a strong indication that devices belonging to him have been hacked in recent years.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
"Well-known" email addresses (e.g: [email protected], [email protected]) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
Or maybe you were agitating for action against the Clintons and Bidens as well?
I want to believe that there are actual principles, but as far as I can tell, principles are just the reasons everyone uses to prove that the opposing party is bad and must be stopped or destroyed.
There are always reasons why it's fine, actually, when one's own party does the bad thing.
> If the facts support those allegations, then absolutely yes
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
charitably, you have fallen for the myth that americans can only engage in politics from one of two sports-fan positions. this is not true and the sooner we stop engaging with this myth, the better.
uncharitably, you are pushing a stupid narrative on purpose with ill intent.
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
This is fake news. You use a CAC card to login to gov computers...
Since "2023", does not prove he has bad opsec. He could be using a random password generator with 2fa. Any of the sites could be hacked and he would still be solid. I can't even read the news anymore...
All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them .
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has it's own system for classified things, while it looks like maybe DOGE does not.
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to to take the leap of faith and put their neck on the chopping block?
Liz Cheney?
Adam Kitzinger?
Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
The article title suggests that this is about his current PC which he is using at the agency. That is totally false.
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if its unintentional (big if) from the DOGE's side, at this level you are target by state actors and they will get to your personal devices if they want.
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
Good point.
- T'Challa
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
For reference, look up some of the Giga factory costs (With Capital expenditure for production). They are similiar in expenditures.
You can look at the bid requirements yourself and determine whether you think it's reasonable for the scope of the facility: https://sam.gov/opp/3726d9e2246c47e197396e805ce6bb33/view
I also find their J&A unconvincing, and there's no way it passes the smell test required in Far part 6.
There was really no other vendor in the world, besides Family Care to be able to do this? They aren't even a construction company.
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
...maybe your "law" is some ancient eye-for-eye kind of law instead of some modern stuff?
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
(Spanish for _Why not both?_)
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Maybe because they are doing it too ?
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
I work in this space and many actors, including nation state actors, are just incompetent. You may not believe me, that's OK.
They could have followed OpSec rules and still done their work. They chose not to do so. Their willful disobedience of the laws and OpSec might stem from multiple rationals, but it doesn't matter, because their actions are criminal and their negligence is beyond incompetence.
Is it a good point? How so?
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
If your password is in the dumps, too, like this person's passwords, then yeah, you might want to look into it.
Indeed the ones getting hacked are more likely to.
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
It means the people in the leak had malware on their computer in the past, and maybe present.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
Does not sound like clickbait for me.
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
No need for multiple leaks, just one is enough.
And I wouldn't say "do something wrong", just getting infected with an infostealer. Happens all the time.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Because it's easier to create and broadcast bait than to filter it.
In the long term HN should do something about it, e.g. editoralized titles.
It's pretty clear why. The Red Party is in the White House, and HN is very clearly a Blue Party site.
Or maybe you were agitating for action against the Clintons and Bidens as well?
I want to believe that there are actual principles, but as far as I can tell, principles are just the reasons everyone uses to prove that the opposing party is bad and must be stopped or destroyed.
There are always reasons why it's fine, actually, when one's own party does the bad thing.
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
I won't bother trying to persuade you otherwise, beyond saying that my voting record and public comments refute that.
uncharitably, you are pushing a stupid narrative on purpose with ill intent.
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
Since "2023", does not prove he has bad opsec. He could be using a random password generator with 2fa. Any of the sites could be hacked and he would still be solid. I can't even read the news anymore...
Just use a unique complex root password for your password manager and check semi-regularly that it hasn't leaked on haveibeenpwnd.
Bonus points if your password manager automatically checks your stored passwords for leaks and scores them (eg. LastPass)
- SHA1 or NTLM hash prefix matching https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByR...
- actually download the HIBP db and check for yourself https://haveibeenpwned.com/API/v3#PwnedPasswordsDownload
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
I don't think anyone really needs to express more at this point.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Related: https://www.newsweek.com/lisa-murkowski-donald-trump-retalia...
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
[1]: https://en.wikipedia.org/wiki/United_States_Congress
[2]: https://en.wikipedia.org/wiki/January_2023_Speaker_of_the_Un...
[3]: https://en.wikipedia.org/wiki/October_2023_Speaker_of_the_Un...
Liz Cheney? Adam Kitzinger? Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
The democrats don't have the numbers - even if they did, the more ridiculous the whole thing gets the better for them it is.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
DOGEs K Schutt's computer infected by malware, credentials found in stealer logs
https://news.ycombinator.com/item?id=43930267
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
I’ve logged onto secondary email accounts from PC’s that weren’t mine and could well have been infected. That’s what 2FA is for.
I wouldn’t use a PC which isn’t mine to login to anything sensitive. A password in a leak isn’t evidence of anything.
It’s evidence that your password leaked. What are you on about? You think they just randomly guessed his password?