> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
The repository has been deleted. In addition, 26 other repos have been removed from the account. This is in line with DOGE members' quick response scrubbing data whenever put into spotlight, as previously seen with another "teen hacker". [0]
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
To be fair the code actually creates a new API gateway server that acts as a proxy on to an already existing server and you're possibly meant to use this header with your own gateway service.
So, it's set as a header, sent to a user owned proxy, then to the actual external endpoint.
On the other hand I think the receiving API Gateway will be able to see and log your AWS account identifier when you do this. So your IP may not be the only identifying information that needs to be obscured for this to actually work.
The code seems like a "creative" use of API gateway to turn it into a proxy for other external sites (single site, really, since you need one per site.) Wouldn't it be simpler to send the requests through a lambda (with a function URL) and get better control of the outbound requests?
tbh the ip space of lambda is large, but not as large as you might think. i did some experiments ages ago with the hypothesis that lambda could be a decent proxy network (if many ip addresses are needed) but iirc the upper limit in my testing was about ~50 ip's.
Even this example if you max out your usage of regions appears to only give (2,4 * num_regions) or let's say 70-80 ip's maximum. And they are AWS ip's, which means it is gonna be really easy to detect and block that traffic.
But if you know your target receives lots of traffic from AWS systems all around the world ... this is a good way to mimic that.
I'm sure the people who work for an administration that by and large flaunts court orders responsible for this will get right on that.....aaaand it's gone.
this part of the whistleblower complaint seems way worse:
> "On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also notice increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers."
Any guesses for best possible interpretation? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks.
The worst possible interpretation is straightforward - they are working for the Russians as agents and let the Russians in or installed the keyloggers for Russia.
The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.
It doesn't make sense to me that an administration that by and large has been throating Putin would do that to throw more shade on Russia.
I'm not saying they didn't do that, just that it's not in line with their support for Putin and Russia. Maybe as a false flag it gives Putin the cover to crack down on hacking groups that don't throat him.
Sometimes getting caught isn’t a bad thing. If you are trying to seed division between two groups, acting in a way that divides them - e.g., getting caught helping one side - is more effective than what you gain by not getting caught.
I struggle to see what Russia would gain with nlrb data, but getting caught “helping doge” furthers distrust between the two sides of our country - which is something they gain from
The article could offer a summary of this key finding, rather than, say, the pointless paragraph near the bottom about the scraping software found in GitHub not being well written.
This is the evidence which strongly suggests that the DOGE personnel are using various cloud IP addresses to scrape.
> According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
Even worse when you know more of the whistleblower's story which is that ~15 minutes after one of DOGE's accounts was made there was an attempted login with the correct password from Russia. Not many explanations for that that look good for DOGE...
DOGE is a complete clusterfuck. Fwiw I think there is hard to spot fraud in the govt that should be looked at (eg price inflation at the pentagon, VA, Medicaid/Medicare, SS). They should have done the hard work of uncovering that. Instead they just went for clickbait headlines.
> Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure.
My company retains all e-mails for at least 5 years, for audit purposes. But if some troublemaker were to e-mail child porn to an employee, we'd need to remove that from the audit records, because the laws against possessing child porn don't have an exception for corporate audit records.
So there's essentially always some account with the power to erase things from the audit records.
It sounds like you haven't actually had to face that situation, because it is more complicated than just having to delete an offending attachment. You would still have an audit log of the deletion of that email record by the superuser, even if the content is deleted. And there would be other records generated to document the deletion, like I'm sure a long email or slack thread from this getting discovered and sent up the chain, over to legal, then to the FBI, then back to coordinating the logistics of manually deleting something from the audit logs. So if for a completely unrelated case, a third party auditor stumbles upon that mess, they will be able to reconstruct why a single attachment cannot be found in the audit logs.
"No" is the answer to GP: there is no legitimate reason for a fully unlogged superuser account.
Yeah, superuser accounts? Of course you need them to exist. Superuser accounts that produce no logs? There is never a reason for that. Anyone who claims they should have a superuser with no logging is up to no good.
Ah man... back in the day I worked for a company that built out records management software. One of the big things on the side of the cereal box was that not even an admin could delete something flagged as a record within its retention plan. Fast forward to a company doing that for emails, messing up spam filters, and getting a blast of 'normal' porn that was all flagged as records. I believe they ended up creating security groups for those files that help keep those who were using it .. safe for work.
From an old hacker's perspective disabling shell history can have positive security implications. But in today's 'cattle not pets' systems mentality I'd expect all actions to have a log and not having that seems fishy to me. Keeping logging infra secure has a dubious, the log4j fiasco comes to mind. I'm not a fan of regulation for most things, but I think we need a higher cost for data leaking since security is an afterthought for many orgs. My personal leaning is to be very choosy about who I'll do business/share data with.
> “We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”
From the previous post, they had auditor roles built in that they purposely chose to go around
There’s no possible need for an admin-level user that bypasses logging. If anything these users should have additional logging to external systems to make it harder to hide their use.
That still leaves highly visible log traces if you’re following most security standards (required in .gov) since you’d have the logs showing them disabling the forwarder. The difference here is that this was like an attacker but had backing from senior management to violate all of those rules which would normally get someone fired, if not criminally charged.
At least at places I've worked, terminating the logger would cause a security incident, and the central logging service have some general heuristics that should trigger a review if a log is filled with junk. Of course with enough time and root, there's ways to avoid that. But that's also usually why those with root are limited to a small subset of users, and assuming root usually requires a reason and is time gated.
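A defender-side check for two signals raised in this thread (blocked out-of-country logins shortly after an account is created, as in the quoted complaint, and a log forwarder that goes silent), given here as an added example that is not part of the original thread. The log format, field names, host names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). The key=value layout,
# field names and host names are assumptions made for this example.
SAMPLE_LOG = """\
2025-03-04T14:00:00Z host=ws-admin3 event=heartbeat
2025-03-04T14:02:11Z host=idp01 event=account_created account=tenant-admin-1 actor=admin7
2025-03-04T14:05:00Z host=ws-admin3 event=heartbeat
2025-03-04T14:09:40Z host=idp01 event=login_blocked account=tenant-admin-1 reason=geo_policy country=XX src=203.0.113.20 password_ok=true
2025-03-04T14:10:00Z host=ws-admin3 event=heartbeat
2025-03-04T14:11:02Z host=idp01 event=login_blocked account=tenant-admin-1 reason=geo_policy country=XX src=203.0.113.20 password_ok=true
2025-03-04T14:12:30Z host=idp01 event=login_blocked account=old-user reason=geo_policy country=XX src=198.51.100.9 password_ok=false
2025-03-04T14:55:00Z host=ws-admin3 event=heartbeat
2025-03-04T15:30:00Z host=idp01 event=login_blocked account=tenant-admin-1 reason=geo_policy country=XX src=203.0.113.20 password_ok=true
"""


def parse_events(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # skip lines without a valid timestamp
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        fields["ts"] = ts
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def geo_blocks_after_creation(events, window=timedelta(minutes=15)):
    """Return {account: [events]} for geo-policy blocks where the password
    was correct and the attempt came within `window` of account creation."""
    created = {}
    hits = defaultdict(list)
    for e in events:
        kind, acct = e.get("event"), e.get("account")
        if kind == "account_created":
            created[acct] = e["ts"]
        elif (kind == "login_blocked"
              and e.get("reason") == "geo_policy"
              and e.get("password_ok") == "true"
              and acct in created
              and e["ts"] - created[acct] <= window):
            hits[acct].append(e)
    return dict(hits)


def heartbeat_gaps(events, max_silence=timedelta(minutes=10)):
    """Return (host, last_seen, next_seen) for every stretch in which a
    host's log forwarder sent no heartbeat for longer than `max_silence`."""
    last = {}
    gaps = []
    for e in events:
        if e.get("event") != "heartbeat":
            continue
        host = e.get("host")
        if host in last and e["ts"] - last[host] > max_silence:
            gaps.append((host, last[host], e["ts"]))
        last[host] = e["ts"]
    return gaps


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for acct, blocked in geo_blocks_after_creation(evts).items():
        print(f"ALERT {acct}: {len(blocked)} geo-blocked logins with a valid "
              f"password within 15 minutes of creation")
    for host, start, end in heartbeat_gaps(evts):
        print(f"ALERT {host}: forwarder silent from {start} to {end}")
```

The heartbeat check only sees a gap once the forwarder reports again, so a production version would also compare the last heartbeat against the current time.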
That is a very serious design flaw, but I also believe it is a flaw that is addressed by SELinux. (Perhaps someone with a knowledge of SELinux can offer some input here.) That said, I'm not sure how widespread the use of SELinux is and doubt that it would help in this case since the people in question have or can gain physical access.
typically the admin account can create things like super users, and super users can do anything with the data, but not sure there's a use case where a single account can do both, and why can any of them avoid logging?
I am sure they demanded maximum access, but the logging activity phrasing sounds a little bit like spin...
I think if I wanted to describe an account with access to perform "sudo -s" as negatively as possible, I would say "an all-powerful admin account that is exempt from logging activity that would otherwise keep a detailed record of all actions taken by those accounts."
Anything musk's dogs claim to find cannot be taken at face value because of this. Because there is no audit, and no evidence that they can offer that they didn't doctor their findings.
The next time they claim that a 170-year old person is receiving SS checks, they have no way to prove that they didn't subtract a century from that person's birthdate in some table.
> This might not actually be spying, but instead just an attempt to plant fake results.
That statement might be (slightly) more believable had there not been access attempts from Russian IP addresses using valid (and recently created) DOGE login credentials so very shortly thereafter.
They give away the game if you pay attention and read other internal sources from other agencies. This is all about shoving AI into the loop and removing federal workers from it.
They want to prove that AI can do "just as good a job" on these data sets and arrive at "equal conclusions" with a much higher level of efficiency.
This is what happens when you get high on your own supply.
And even if it's not and everyone involved is a qualified, thoughtful, unimpeachable public servant with no agenda but the general welfare of the Glorious Republic of Arstotzka in their hearts, the lack of an audit trail means that you have to seriously consider that they aren't.
Of course, given the blatant dishonesty and criminality that the rest of this administration is producing (see: every immigration law case that they are losing in court), you'd have to be a useful idiot to actually assume good intent from them.
> Setting aside legitimate (that's a matter of judgement)
By definition, a judge decides what's legitimate.
If DOGE expects their access to be blocked by a court judgement, and bum-rushes agencies to exfiltrate data ahead of the judgement, that's also criminal intent.
I am not sure what you are getting at. "Covert" isn't how I'd describe DOGE's actions. "Brazen" maybe?
People have admitted in news interviews to destroying government data to prevent others from knowing what the government was doing. That’s likely criminal. This is a legitimate reason to get at information before people who might destroy have the opportunity.
What’s happening with judges is very political. We likely won’t know what’s allowed until things have gone through the appeals process. There have been cases of judges admitting they will rule against the current administration no matter the topic or law. This is messy, to say the least.
1. DOGE employees access data they were not supposed to.
This is fairly clear.
The story says that DOGE attained access to an account that had huge permissions into what it could see and alter.
The person or persons from DOGE may have downloaded 10GB of data.
The person may have used this in a manner that is illegal.
Or it is illegal to start with.
With the understanding that POTUS may or may not be allowed to grant such access. (I don't think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge pool of IP addresses, from AWS to bypass forms of throttling.
3. The code was badly written.
4. The person is a racist
How would a person from DOGE use "unlimited" number of IP addresses from AWS to hammer and automatically screen-scrape webpage, benefit from it when it came to copying extremely sensitive data from an internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using AWS IP addresses and scraped the data?
Something is pretty broken if the system with extremely sensitive data is available from external IPs -and- allowing a single account to login 10.0000 times to concurrently scrape data off the internal database?
Or are they saying that this code was adapted to use 10.000/100 IP addresses internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
The author brings up the ip scraping but makes no effort to tie anything together. It's actually really confusing. Were they using this utility to steal the data or are these two just totally unrelated things?
We have no way to know what they were using it for, because as the article details, DOGE works hard to make sure nobody can find out what it's doing or why.
I find the following bizarre. Ignoring who this marko guy is, why would a random person post such a "take down" of the repo? I have never randomly passed by a repo and wanted to just dunk on it. Also this critique reeks of being AI generated.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
It's only "bizarre" if you "ignore who this marko guy is." It's not a coincidence, it's somebody pointing out that DOGE's "cracked coders" are wearing no clothes.
And the follies here seem to be many. I’m not following why this Marko guy would make a publicly-visible fork of a repo (though he seems to have deleted it since this story went big), and why they would openly request to have their accounts exempted from logging when they were apparently already privileged users.
I must be missing something here; surely the level of elite technical skill implicit in his résumé would preclude this kind of thing
Well yeah they're junior developers. By all accounts from good schools but literally everyone here has dealt with junior developer brain.
I would say that Elmo picked a bunch of junior devs because they don't have enough maturity to talk back and will do anything they're asked but I think that's too charitable. I think he actually went this route because Elmo is a sad man in his 50s who is desperately trying to pretend that he is, and has not matured beyond, his 20s.
On February 6th, Marko Elez announced his resignation from DOGE after the WSJ discovered many racist posts he made in 2024 (which they published on the 5th). That likely made someone really interested in what his actual coding skill levels were, and they took a look at a repo he had made.
Musk did a "poll" on X that voted for rehiring Elez to DOGE, by February 20th Elez had a US Government email address again, and on February 21st he was reported as working for DOGE at the Social Security Administration.
Why wonder? The user who wrote it seems to be a pretty well established user, and their public repositories suggest that they work in adjacent contexts, so it's entirely plausible they attempted to use async-ip-rotator in one of their projects.
The public repos for this person that I could find that weren't forks with no activity to upstream consisted of a dice-rolling guessing game, rock-paper-scissors, and some kind of framework for downloading and transcribing audio files that does not yet download or transcribe, but implements a whole bunch of boilerplate. I find it rather difficult to believe this person engaged in a good-faith review of the async-ip-rotator code base.
It's also worth noting that Feb 6 may very well be after Marko Elez became a public figure with DOGE. The article doesn't do a great job of expanding on any of this.
Are you genuinely puzzled or just wanted an excuse to point us all toward that comment? If "the comment" is the correct word for what amounts to a full article in length.
The CEO of Tesla and Space-X; a self-proclaimed high IQ individual, an alleged programmer, has apparently hired a straight-up script kiddie to their elite delta force of technical government downsizers.
There is a phenomenon I've noticed in this industry where people who lack a skill compensate by convincing themselves that they are a savant at seeing and exploiting that skill they lack in others. They find and encircle themselves with people who they believe are the Best of the Best, at least in their imagination, and it is critical for their ego that this is never challenged. They will be blind to any evidence to the contrary because they need the people they "identify" to be extraordinary, justifying their great people curation.
I mean, I guess this really happens in all industries. Art, music, leadership, software development. People who maybe once had credibility in something and now desperately try to foist Their People as the best in the industry.
I feel like that is what is happening here. None of the people who Elon surrounds himself are notable in any way, and their skills are hugely suspect, but he has to have his harem of "Super Coders" to prop up his own mythology.
I agree with the script kiddies comment- which is basically what the reporting has shown... but in a way isn't that part of the point? That they can save billions of dollars just by having a couple of relatively normal comp sci kids (who can't even rent a car) review the most basic financial information of our government departments. These guys aren't supposed to be "delta force" they are supposed to be the interns.
Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say I am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
Your comment assumes the conclusion that these comp sci kids were able to save billions while preserving the correct behavior of the system, i.e. if their changes cause even one person to miss one payment they should have received, then the rest of your comment is entirely baseless.
If you could prove that billions were saved in pure waste, then I’d imagine any sane citizen would agree with you, setting aside matters of decorum and human decency (e.g. RIFs that may ultimately be necessary but conducted in an inhumane way)
I’d like my tax money used efficiently, but this group does not merit the trust to carry out those changes, even on a technical level
> I would really like my tax money used more efficiently
Except by most accounts so far it was being used efficiently by the federal workforce. This whole debacle will end up costing the US tax payer more money. See cutting the IRS or USAID which will probably lead the US to bailing out farmers. And if they privatize, then it'll be even more expensive.
I mean if they privatize USAID it’s a tremendous opportunity to loot on a scale we have not seen. Same thing if they privatize the IRS or Social Security. Think about all the money that could be invested in their friends’ enterprises out of the treasury float or the SS trust fund.
A lot of people seem to consider anything that doesn’t personally, immediately, and directly benefit them to be a waste of their tax dollars. God forbid you use their property taxes to build schools their adult children don’t go to.
> review the most basic financial information of our government departments
That is what the GAO is for https://www.gao.gov/ , and these people are much better than script kiddies.
> I would really like my tax money used more efficiently
Me too! You are on hacker news so I assume you are firm believer in https://en.wikipedia.org/wiki/Amdahl%27s_law ! If you would like your tax money used efficiently, are you willing to discuss cuts to social security, medicare, medicaid, veteran benefits, and whatever else is at the top of the budget? https://www.cbo.gov/publication/61181? What would you cut?
Personally, I would increase taxes on anyone making over $500K/year and stop nickel-and-diming our federal government so the US can actually become a first world country for everyone that isn't a software engineer.
> Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say I am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
This is like the derelict father with partial custody who parachutes in one weekend a month to buy his son ice cream and a new video game to leave two days later the conquering hero. Meanwhile mom works two jobs, has to set all the expectations and responsibilities for the child, and the father is late on child support payments.
DOGE blitzkrieged government IT. It'll be years before we understand the scope of what they've done and given available evidence: these are script kiddies who worship Musk, I don't think there is ANY reason for optimism or charitable consideration.
The people who need to see/understand this live in a different reality where uncomfortable things like this are ETL'd into righteous anger towards people they don't like.
This is the deep state they've been worried about, this is the boot that will tread on them.
EDIT: parent comment was highest ranked comment for the article and is now at the bottom?
I would have agreed years ago, but seeing trump - who obviously should be in prison for January 6th, among other crimes - back in the WH pretty much proves the US is not a nation of laws.
It's worse. SCOTUS says he's immune to any law while POTUS meaning he can have people commit crimes on his behalf and then pardon them (or simply commit them himself). See the 1/6 insurrectionists.
That law now officially includes an individual who is immune from the law and who can issue pardons to anyone for anything. So you live in a nation with optional laws.
One of the things that is being exposed by the current administration is that, even though the Judiciary is an arm of the government, and supposed to provide a check on the Executive, the reality is that the Executive has the power to pardon anyone it sees fit, voiding the power of the judiciary (the argument is that the ultimate power lies with the voters who can pass their judgement on the Executive, and its use of its powers, by voting them out, hopefully)
This is one of the fundamental issues that underlies our broken system in the US. The gaps between what the law actually is, what people think it is, what people want it to be, and what it in practice is, are enormous.
Some of the recent deportation cases highlight this. You have cases where people were living in the US illegally for decades but faced no repercussions, and now people are upset because they were suddenly detained and/or deported. Virtually all the framing I see is about how it's a sudden and horrible injustice that they were detained during a "routine" ICE check-in --- very little about how we have accumulated this palimpsest of rules and enforcement policies resting on laws which don't actually encode the state of affairs most people want.
If we want people to be able to immigrate easily and safely (and I do), we need to stop breathing sighs of relief when a new president comes in and issues some kind of temporary executive order that makes things okay in the short term. We need to fix the laws at all levels, including criminalizing enforcement actions that are contrary to the law. That would likely mean massive purges of many individuals in local and state governments and law enforcement agencies, with many of them sentenced to considerable prison terms for the kind of enforcement discretion that we currently accept as normal. It's not going to be pretty. But it has to be done if we want to return to a system grounded in the actual rule of law and not the rule of law enforcement.
Do you believe there should be criminal prosecution for state and local government officials currently refusing to work with ICE in its current form in the Trump administration?
Bruh, do you think people are pissed about the deportations just because they’re immigrants?
Deport them all if they came here illegally and that was _proven_, but the government just skipped all due process and as we’re seeing and as the government already admitted, people are being mistakenly deported to these camps and then the same government says they can’t do anything to reverse it.
You can’t be waxing poetic about the rule of law and how we need to enforce everything when they can’t even follow due process
> But it has to be done if we want to return to a system grounded in the actual rule of law and not the rule of law enforcement.
This is never going to happen - politics aside of what you might or might not believe about the current situation.
It's about as likely to happen as every religious individual on the planet obeying every rule in their sacred book.
The reason that they don't happen is because people's ideas on what is acceptable and isn't in a society change, sometimes quite rapidly - note that the current US Administration was (attempting) to use a statute from the 1700s, are you obeying all the laws (that haven't yet been repealed) from then?
edit:
An obvious example is the fact that the USA exists - it's on land that was acquired via theft, and murder. Therefore every person living on that land is receiving stolen property - let me know when that law is being enforced.
I fully believe there's a stack of pardons in Trump's drawer for everyone involved in this debacle. I can't imagine breaking so many laws all over the government if you thought you'd ever have to face consequences. The alternative to pardons in preventing the next congress & administration from cleaning this up is too dire to really contemplate.
They are betting the system won't go after them later which is a very bad bet if they eventually give back the executive branch and an even worse bet if the power they support never gives it back. About as brilliant as being in a photo with Stalin.
Can't pardon state crimes nor cases of impeachment.
Arguably, if you impeach someone in public office, even if they aren't convicted by the Senate, any pardon of those same acts becomes moot and they can be tried in court for the same offenses. At least, that's what the DoJ suggested in 2000.
> Trump can wait until the last day in office then issue pardons for any possible crimes, right?
Is your mental model of the pardon process actually confused? Yes, the president can unilaterally issue pardons, and Donald Trump is president until the end of his term, so he can issue pardons on his last day in office.
What hostility? I was asking if they were really confused or if they were asking rhetorically. If they were actually confused, the answer is yes.
edit: oh, I guess "and Donald Trump is president until the end of his term" could come off as patronizing. I meant it just as a statement in a chain of reasoning
Recent untested precedent exists of blanket pardons needed for unqualified crimes and they are so far likely to be challenged on a different technicality (first?).. Asking what people think is not confused unless you are being uncharitable or know a lot of actual precedents that we all should know from another era.
I am fully unaware of any challenges to recent pardons. I don’t follow politics much and just knew about the blanket pardon that I assume all presidents will use going forward unless it’s challenged in court.
I think it's been used properly in a lot of instances, especially when you consider that federal law can quickly become out-of-step with modern sensibilities, so being able to relieve those harmed by laws flawed under contemporary standards is important. There's probably a better way of handling that, but it's one instance where the power of presidential and governors' pardons have been applied appropriately.
> I think it's been used properly in a lot of instances, especially when you consider that federal law can quickly become out-of-step with modern sensibilities, so being able to relieve those harmed by laws flawed under contemporary standards is important.
No, that is exactly what we don't need. When law becomes out of step with modern sensibilities, the law needs to be changed. Precisely the problem we currently have is that we have become too accustomed to dealing with a sort of "shadow law" system where the way things actually work is not the way they're supposed to work according to the law. That is a recipe for confusion, bias, favoritism, and inequity. What we need is a system of laws that actually lets the people fix things when they are broken instead of patching around them. (This is, in my view, a byproduct of other aspects of our legal system, in particular the grossly over-restrictive process for amending the constitution.)
That's not really what I meant. Just because a law is repealed or changed, doesn't mean the people who were sentenced to prison because of its original form will receive revised sentences.
At the very least, it seems obvious there should be an asterisk on the pardon power of, "you can't use it to pardon your employees/staff." Or pardon people for things they did under your direction/purview.
I'm not actually convinced that now would be a terrible time to hold a constitutional convention. Yes, it would be messy, but the nature of the ratification requirements (3/4 of all states) means that nothing could make it through without essentially unanimous consent of the country as a whole.
To remove the presidential pardon power, you'd need to amend the Constitution. Getting two thirds of both Houses of Congress to pass any amendment in the foreseeable future seems highly unlikely if not downright inconceivable.
The problem with prosecuting them – they are employees of a White House office, doing what their bosses told them to do, and it is clear their bosses are carrying out the President's wishes.
If Joe Blow off the street walks into a federal agency and takes all their data – open and shut case, throw the book at them, see you in a few decades.
If someone from the White House walks into a federal agency, tells the agency leadership "the President wants me to take all your data", and the agency leadership replies "sure, of course" – not a scenario people were expecting, so the existing laws haven't been crafted to clearly criminalize it. Maybe some enterprising prosecutor can find a way to map it to the crimes on the statute book, maybe it is just too hard. But even if the prosecutor overcomes that hurdle, it will be far from easy to convince the jury / trial judge / appellate courts that the legal elements of the crime are actually met – and if it actually gets as far as a conviction upheld by the appellate court, what do you think the conservative SCOTUS majority are going to do with that when they get it? And many prosecutors, foreseeing those low odds of ultimate success, will stop before they even get to an indictment.
So, I think the odds of anyone ultimately being convicted over this are low, even if Trump never pardons them.
Maybe, Congress might pass a law to make it more clearly illegal, which might make it easier to prosecute if a future administration repeats the same behavior.
The claim that because your boss tells you to do something illegal means that you should just do it is bullshit. It's your social responsibility to not capitulate under these circumstances.
If you don't feel that way then you deserve the world you are creating.
The problem is a lot of relevant criminal laws contain this word “unauthorized”. If you have access to a computer system, and it is authorized by the people who own the system, it isn’t a crime. These people will say that whatever they did/bypassed was (1) authorized by the President (of course if you ask Trump if he authorized them to do whatever he’ll say “yes”); (2) authorized by the senior agency leadership (because Trump has made clear that if they refuse to authorize it they’ll be fired).
So, how do you prosecute them for accessing a computer system (or data or whatever) without authorization when both the President and the senior agency leadership say they authorized it?
Well, you can’t - unless you want to argue that the President / agency leadership’s authorization is illegal and hence illegally invalid, ultra vires. But even supposing you are right about that in the abstract, will you be able to convince a judge and jury of it? And even supposing you convince a jury, trial judge and appellate court, there’s a dozen different ways SCOTUS could overturn it (from narrow questions of statutory construction to sweeping rulings about the President’s inherent constitutional power to demand information from the executive branch), and I think the main question for the current SCOTUS majority will be which of those ways they choose.
My impression is that a lot of people are mixing up what they think the law ought to be, with what it actually is. Just because something ought to be a crime doesn’t mean it actually is one - and that’s especially going to be the case with unprecedented situations, it is hard to make something a crime if nobody foresaw it would one day happen.
The complaint alleges that DOGE was able to get unlimited-permissions admin accounts that were not subject to logging. They also downloaded external repositories that gave users of those repos lots of different IPs. The complaint further alleges that the DOGE person used the combination of these things to "download... more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents."
If this is all true, this is basically hacking sensitive data in the open. We already know the current administration has worked to hobble unions. So putting these things together, this act is not only wrong in and of itself, but the data is likely going to be used to harm Americans' interests. So, deserving of punishment.
And they fucking illegally fired the IGs who are supposed to act as watchdogs for and light-shiners-on-of blatantly-illegal activity like this in the executive. The ones we added after Nixon's crimes. It was one of the first actions of the administration, blanket firing without actual cause, which is supposed to be required, and without the required notice-period to Congress.
That should have exhausted any benefit of the doubt right off the bat, even among those inclined to think Trump's maybe not great but also some ordinary amount of bad for a politician. You don't do that unless you fully intend to do some crimes. Not only that, they were so goddamn eager to crime that they couldn't wait the 30 days or whatever. They intended to do criminal shit immediately.
If you take a step back and realize that the intent is to utterly destroy the social safety net provided by social security, Medicare, etc that we have all been paying into our entire adult lives, tell me why every citizen affected should not pursue civil and criminal charges of theft and fraud with malicious intent?
And then the means to do so have involved ignoring the courts and bypassing constitutional checks and balances? Please tell me how this isn’t criminal if not treasonous?
Not only did you not explain the original comment, you added more assertions that are significantly more extraordinary without explaining your reasoning for those either.
Sensitive government data was (sure, allegedly) extracted to Russia via an account that was expressly created to hide / not create logs. This is treason. Allegedly.
This administration is doing a lot of things that are borderline treasonous. Hopefully they get prosecuted when they get voted out or ideally get removed from power.
Trump will blanket-pardon anyone who's still on his good side. And maybe some who aren't, just to limit the reach of investigations. And Trump himself's untouchable—while it remains technically possible to criminally prosecute a President for actions in office, it's in-practice impossible short of some unlikely hypothetical scenarios, thanks to the Supreme Court (the Roberts court loves leaving things technically intact, but actually not)
If I told you someone went to your bank and demanded the right to set up accounts with permissions to do everything and to have all logging of that user's activity disabled, and then a whistleblower pointed out that they downloaded everyone's bank statements, you'd probably be pretty upset.
After all, why do they need unfettered access? Why do they need your bank statements? Why do they need to hide what they're doing with the unfettered access?
That's what's happening here. There is no good explanation other than bad actors.
Without knowing the specifics of US law, there’s a lot in there for a reasonable case. Improper handling of sensitive data, interfering with ongoing legal proceedings, abuse of telecommunications infrastructure (looks like the guy runs a brute forcing crawler on a government system) and probably even more.
The fact that they left these packages public on GitHub... guys you do know you can make things private right? Just shows how dumb these people are honestly
Or they think what they're doing is righteous and they're proud of it. It isn't - DOGE is responsible for hundreds of thousands of deaths through cuts to health programs - but I suspect they are deluding themselves into thinking it is.
What? They reused public packages that have been public for years. One guy made a public fork with some changes. Is that not what open source is intended for?
We only hear about the cases where someone is taking the risk of blowing the whistle, and actually manages to get the story out. Hopefully with enough substance for people to take the information seriously. How many cases that are likely to reach public knowledge is left as an exercise to the reader, as the saying goes.
So the real question is, who do you actually report this to if the fox is guarding the hen house? The only place that makes any sense is congressional oversight in some way but that will go nowhere except maybe a quick NPR story.
So what exactly is being alleged here? That these DOGE bros wrote and used “hacker” code from GitHub to bypass security limitations on NLRB data? Why would they even need to do that if they had superuser accounts in the system already?
I think the point of the article is that the whistleblower's original claims can be substantiated publicly. It's another datapoint indicating that the DOGE people are operating haphazardly at the absolute best and, more likely, attempting to obscure their tracks because they know that what they're doing wouldn't pass legal muster.
The lede is buried but the implication is downloading a huge amount of data on union organizers, which can then be given to a company to pre-emptively fire those individuals
Also this PDF contains a detail I haven't seen reported elsewhere:
> Furthermore, on Monday, April 7, 2025, while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you
It's an interesting detail because if true -- and I fully assume it is -- the intention likely wasn't to dissuade him from going public, but instead to make him look like a conspiratorial nut. When I first saw this story and heard that "drone shot of him / threatening note" I admit that I immediately assumed it was a flake, but on further details I think that was actually the reason for doing that.
Thanks. So the tools downloaded from GitHub were allegedly used to scrape personally-identifiable information (PII), details about ongoing legal cases, union-related data, and corporate secrets. The whistleblower observed large spikes in outbound data traffic, suggesting that gigabytes of sensitive information were exfiltrated with logging disabled, so as not to leave a trail.
Isn't the ip rotator used to scrape from public websites to bypass rate limits? Not sure how that automatically means they are "siphoning sensitive case files".
The IP rotator was discovered in the analysis. The exfiltration of data was discovered by an NLRB employee and triggered the complaint. A member of their staff saw the spike in egress, found the source and that the audit log had been bleached.
> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially.
A little nit-picking, but that's not what open source means, especially as it relates to the GPL in this case. If you can't use the code commercially, it's neither "open source" (as defined by OSI) nor free software (as defined by the FSF).
> Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.
If the allegation is true, what would be the motivation of the higher-ups to keep this secret from US-CERT?
It appears to be a severe compromise, and the context suggests that much of the rest of the federal government is imminently vulnerable to the same tactics by the same threat actor.
Were the higher-ups reporting the security crisis through better channels?
Or were they trying to keep it quiet entirely, so might be complicit in something bad?
I almost can't make heads or tails out of this scatterbrained word salad.
Let's start with this:
> Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases.
> Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub
What exactly does that mean? NLRB database accounts are GitHub accounts? (Surely not.) Or the same IP address accessed both, suggesting it was the same person? Define "account".
No coherent point being made here. This story needs to clearly separate the rhetoric about GitHub repositories from the NLRB access, and connect them together coherently.
The flow seems to be:
1. Some DOGE people obtained unbridled access to NLRB, with the ability to erase audit trails.
2. There is some sort of evidence that the same people downloaded tools from GitHub for distributed web scraping, suggesting intent to scrape massive amounts of data from somewhere (inferred to be the NLRB database).
There is no evidence cited in the article for the actual downloading of gigabytes of data; the "whistleblower" is quoted only as saying that DOGE required certain privileged accounts to be created and that the users of the accounts supposedly downloaded some web scraping software from GitHub.
At least mention some circumstantial evidence, like a suspicious increase in access activity, coming from distributed IP addresses in the Amazon cloud, following the download of those tools.
This:
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
seems neither here nor there; why include that? It may be that the tools DOGE are using are not adequately safeguarding the data, but it seems like an extraneous point, and indigestible without specifics.
Plus in the whistleblower's actual report, there is evidence of them getting it, like logs of network output far above previous levels, and those accounts making accesses from various IP addresses (including geo-blocked attempts from Russia).
What sucks is that Russia and China now, almost certainly, have all this data, but they don't worry me as much as the American oligarchs that now have it.
If you continue reading, that question is answered. The GitHub repositories don't belong to the NLRB (or to DOGE), they were generic tools that were used to exfiltrate data from the NLRB.
This is the big question everyone here seems to be skipping over. It seems like they're using "database" in the colloquial sense and actually mean some sort of already public data that's just rate limited (for example https://www.nlrb.gov/advanced-search).
Then depending on the order of events, either scraping didn't work well enough and were given "unlimited" (not rate limited) access, or the accounts were actually denied so they fell back to scraping. Or perhaps these two things are just unrelated despite what the story is claiming.
Or maybe, even with access, they couldn't figure out how to query the actual database, so they resorted to scraping? Even with full "tenant" access, it could take some time to figure out where to look.
That page reads completely incoherently if you understand junior level programming mental models. This is a hit piece for non technical audience meant to conjure fud.
This is much ado about nothing. The article tries very hard to make something ordinary sound nefarious.
This appears to be DOGE employees simply doing their job.
You may not agree with what they’re doing in a political sense, but if you were tasked with the same problem you’d come up with a nearly identical solution.
For example: “tenant admin” is probably the special role that can bypass access control (not audits!) and see and read all data.
This sounds scary but I regularly request this right from large government departments and I get it granted to me.
Its use is justified when normal access requests would be too complex / fiddly and error prone. Generally, in a large environment, there is no other way to guarantee 100% coverage because as an outsider you don’t even know what permissions to ask for if you can’t see anything due to a lack of permissions!
Seriously: sit down for a second and think about how you would go about getting access to make a full copy of an organisation’s data for an audit if you fully expect both passive resistance and even active efforts to hide the very things you’re looking for.
"7. March 3rd - I received a call during which an ACIO stated instructions were given that we were not to adhere to SOP with the doge account creation in regards to creating records. He specifically was told that there were to be no logs or records made of the accounts created for DOGE employees."
Which part of doing an audit, or some other DOGE employee's job, requires logs or records not to be made of their accounts?
Another quote:
"They were to be given what are referred to as “tenant owner” level accounts, with essentially unrestricted permission to read, copy, and alter data. Note, these permissions are above even my CIO’s access level to our systems. Well above what level of access is required to pull metrics, efficiency reports, and any other details that would be needed to assess utilization or usage of systems in our agency. We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval. The suggestion that they use these accounts instead was not open to discussion."
Audits don't require being able to alter data.
Also, some of the data is mentioned as being sensitive. Although granting access to the data of another agency may make sense, I have trouble believing that direct access to data such as sensitive personal information of third parties would routinely be given to people from outside of the organization. Even within the organization the group of people given access to sensitive data should be as limited as possible.
All of what you said is either true or likely honest statements from the agency staff… yet completely misses the point.
> We have built in roles that auditors can use
… and we make sure doesn’t reveal our wrongdoing.
— that’s what DOGE is tasked with uncovering. The “deep state”, the lies, hidden costs, etc…
Now you may think this is counterproductive. You may think this is political posturing. You may think it’s borderline conspiracy theory nonsense.
We agree!
Trump, Musk and DOGE don’t agree with us and don’t trust the staff that they believe are providing carefully constrained access and curated data dumps with strategic omissions.
THIS is why they’re side-stepping the official processes and using the skeleton key.
Again, please, focus on disambiguating the politics from the technical steps being taken.
If the task is: “Get all the data, especially the data they’re trying to hide from us” then asking for Tenant Admin is the right technical choice.
I can pick apart every other statement but I don’t have the time. But as a quick note: it’s common for the RBAC permissions to be the inverse of the organisational permission. As a random subcontractor I often get granted Domain Admin or the equivalent and the CIO, CTO, and CISO staff are treated the same on the network as some secretary might. They’re meeting jockeys, not super admins! The fact that the staff member raised this “issue” automatically implies that they know nothing and that their opinions and statements are suspect.
PS: Most systems don’t have a built-in Tenant Reader role, they only have Tenant Admin. DOGE staffers would have been instructed not to trust any custom role, so… Tenant Admin it is.
DOGE was given a mandate by a President with unprecedented (hah) unitary power. They’re executing on that, roughly how you’d expect them to, given their instructions and the time and resources available to them.
I personally feel that they’re being reckless and sloppy, uncovering “waste” that is often simply an artefact of their hubris. In doing so, they’re risking exposing the internal systems of the government to outside attack.
This is the rough equivalent of the guards in a prison turning over everything in a cell looking for contraband.
It’s not nice. It’s rarely productive. It is also a tool of intimidation. That’s part of the point. The prisoner is not supposed to like it. They’re not invited politely to present what they want others to see. They’re humiliated and powerless. That’s what the MAGA and DOGE want.
I have taken part in audits for several organizations over the years, and I can assure you that's not how audits are done at all.
In fact, should the auditor find there is a way for them to access sensitive data without it being logged, they will flag it immediately. That would be the case even under simple financial regulation.
There is absolutely the risk that the people you audit will lie to you or present you with false data. In practice that's not common, because they stand to at the very least lose their jobs. It could also be illegal. Not worth it.
> Furthermore, on Monday, April 7, 2025, while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you
It would be astonishingly stupid to threaten a whistleblower in such an amateurish manner when you’re backed by the party in power and have the full and official apparatus of the state at your disposal.
- Who decided to threaten the whistleblower and why?
- Who approved such an idiotic idea?
- Who determined his home address?
- Who flew the drone, timed to capture photos of the whistleblower while on his way to/from his home?
- Who took the drone photography, printed out the images, and wrote a threatening note?
- Who then took all that and physically posted it on his door?
That’s a very involved process, with substantial risk, with no realistic upside. None of the incentives are aligned with the behavior. It simply doesn’t make sense.
Applying Occam’s razor, it seems a lot more likely to be fabricated — that’s a scenario in which incentives actually align with the behavior.
In practice, that shouldn’t make a difference to the investigation; given the physical evidence, they should investigate in great detail the origin of the threat — regardless of whether it’s a hoax or real.
not sure if this is a serious question…? what would it accomplish if you were the whistleblower? if it was me, my family would be on the first flight out of the country
It would convince me that whoever I was whistleblowing on was so remarkably stupid as to engage in a felonious criminal conspiracy while leaving behind physical evidence thereof.
I hope that the threatening note and photos have been turned over to the police, where they can be analyzed for fingerprints, printer microdots, et al, and the police can canvas the neighborhood for security camera footage.
As a tactical move, this kind of threat makes zero sense for anyone in the government to carry out if they are even a semi-rational actor.
our HIGHEST-level government people are texting each other (along with whoever else happens to be in their contacts) war plans so you know, stupid is as stupid does :)
In that case, you and departments you work for are either breaking the law regularly or working with public data anyway.
Besides, no one needs unmonitored write access for audit. Even less DOGE who does no audit and doesn't have knowledge how to do audit. Audits are supposed to be traceable.
Omg they also saw spikes in DNS traffic and high load during days exfiltration ahead of audit...
Clearly the (system) auditing infrastructure wasn't robust enough to still provide a lot of monitoring even in the service is being managed by someone else...
Also a several hundred line teardown of a 300-line file is exactly what is wrong with some coders. Not having a CI/CL for every single short tool written once to do a job is called being productive...
For those genuine actors here: this theoretical outrage assumes the premise of something immoral or illegal, and completely ignores the authority structure. This looks and smells like an info operation.
Just, as an exercise, list out 3 good reasons someone might want untraceable admin accounts then list 3 really bad reasons they might want that. If you manage to find 3 good reasons does the outcome of those outweigh the risks of the potential bad reasons?
Good:
1. The account-level below that doesn't have access to certain stuff and just happened to have untraceable stuff
2. They just said "give me the highest level of access" and didn't investigate what that meant
3. Can't think of a good third atm
Bad:
1. They want to do nefarious things untraceably
2, 3. I think 1. covers pretty much everything.
Personally, if I'm put in charge of overhauling a system I don't want to waste my time waiting on approvals for BS, I just want to be given the highest level of access I can be given to get on with work.
I'm not saying this is fine, but the information here is basically a random list of things that happened and it doesn't really tell a nefarious story to my eyes.
I appreciate the question. The most obvious is that this is an “audit the auditors” exercise, and they do not want to leak information toward a likely adversarial counterpart. If they have the authority to do so, then they do. An adjacent complaint about “not following Treasury policy is similar.” If these systems exist, there is a governing authority structure, and that does not begin at the level contemplated in this document.
I don't see anything wrong with what they did, they basically got admin accounts so they can peek into the system and used some libraries from github. What is the problem here? Got a feeling it is just politically motivated, people are not happy that the Trump administration is actually doing something to make systems more efficient and stop money waste of tax payers. I am sure they will make some mistakes along the way and I am sure not every "saving" is actually saving but when you look at so many systems and so much money some errors are expected.
I have a theory that "business ethics" is really just "following the law." In capitalism, outside a few select industries like journalism, as long as it's legal you can - and should - do anything to maximize profits. It has turned into (or perhaps always was) the govt's job to set those rules.
Now, the govt also has to create rules for itself. So it creates the Privacy Act and layers of bureaucratic checks and balances. These rules are to protect the people, not to derisk or protect the govt. After all, the govt has all the power.
So when capitalist business leaders are given the keys to govt, the normal ways of ethical alignment don't work. If you don't follow your own rules, who cares? They're your rules! I think what we're seeing is what happens if you apply traditional capitalist business practices to govt administration.
The trouble is that money is power, so the people who succeed the most at maximizing profit end up getting a lot of influence over the rules.
In some countries, this is done with outright bribery. Here, we do it with campaign contributions and lobbying and “we’ll create jobs in your district.”
> In capitalism, outside a few select industries like journalism, as long as it's legal you can - and should - do anything to maximize profits.
Honestly, if you were around watching the news 30+ years ago, you would notice a stark difference in how news is covered then versus today. You can't really blame them, they are doing what they can to survive, but coverage today is much more tabloid than news.
I would say the "fake but accurate," was the death knell, but it might have been sooner.
> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
Original code: https://github.com/Ge0rg3/requests-ip-rotator
Forked: https://github.com/markoelez/async-ip-rotator
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
The repository has been deleted. In addition, 26 other repos have been removed from the account. This is in line with DOGE members' quick response scrubbing data whenever put into spotlight, as previously seen with another "teen hacker". [0]
Archived repo page: https://archive.ph/LI7tt; archived previous repo count: https://archive.ph/tgkg5
0. https://arstechnica.com/tech-policy/2025/04/i-no-longer-hack...
I think one reason to hide/delete is so speculative articles like this don’t get written.
The mistake was ever having them public.
These are government employees, you don't get to do that.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
FYI the Fork got hidden/deleted in the last minute or so -- did anyone manage to clone it before it disappeared?
I did. It's essentially just a single .py file: https://gist.github.com/whalesalad/06804fd734efe6bd2e0c84906...
The original author claims this is to prevent API gateway from leaking the true client IP.
To be fair the code actually creates a new API gateway server that acts as a proxy on to an already existing server and you're possibly meant to use this header with your own gateway service.
So, it's set as a header, sent to a user owned proxy, then to the actual external endpoint.
On the other hand I think the receiving API Gateway will be able to see and log your AWS account identifier when you do this. So your IP may not be the only identifying information that needs to be obscured for this to actually work.
The code seems like a "creative" use of API gateway to turn it into a proxy for other external sites (single site, really, since you need one per site.) Wouldn't it be simpler to send the requests through a lambda (with a function URL) and get better control of the outbound requests?
This is actually a very common way that hackers have used api gateway for years now.
You can take a look at plugins like IPRotate. We are currently working on bringing that into our product.
This is cheaper in that you don't have to pay for any compute time.
tbh the ip space of lambda is large, but not as large as you might think. i did some experiments ages ago with the hypothesis that lambda could be a decent proxy network (if many ip addresses are needed) but iirc the upper limit in my testing was about ~50 ip's.
Even this example if you max out your usage of regions appears to only give (2,4 * num_regions) or let's say 70-80 ip's maximum. And they are AWS ip's, which means it is gonna be really easy to detect and block that traffic.
But if you know your target receives lots of traffic from AWS systems all around the world ... this is a good way to mimic that.
GPLv3 requires the license to be kept. Seems reportable to the owner of the repo and/or GitHub.
I'm sure the people who work for an administration that by and large flaunts court orders responsible for this will get right on that.....aaaand it's gone.
The fork has been deleted it seems.
posted above ^^
this part of the whistleblower complaint seems way worse:
" On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also notice increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers. "
Any guesses for best possible interpretation? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks.
The worst possible interpretation is straightforward - they are working for the Russians as agents and let the Russians in or installed the keyloggers for Russia.
Don't forget the third option: false flag.
The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.
I don't follow. Are you saying the DOGE boys are trying to give Trump bad press?
It doesn't make sense to me that an administration that by and large has been throating Putin would do that to throw more shade on Russia.
I'm not saying they didn't do that, just that it's not in line with their support for Putin and Russia. Maybe as a false flag it gives Putin the cover to crack down on hacking groups that don't throat him.
I would have thought that a Russian state sponsored attack would trivially mask the IP to originate from within the USA. This is just brazen.
Sometimes getting caught isn’t a bad thing. If you are trying to seed division between two groups, acting in a way that divides them - e.g., getting caught helping one side - is more effective than what you gain by not getting caught.
I struggle to see what Russia would gain with nlrb data, but getting caught “helping doge” furthers distrust between the two sides of our country - which is something they gain from
Spearphishing then some kind of spyware on the system would be my guess.
Though with nation state actors you can't rule out Pegasus like zero-click infiltrations.
Best case scenario those kids were duped into giving out credentials to the wrong (Russian) people.
The article could offer a summary of this key finding, rather than, say, the pointless paragraph near the bottom about the scraping software found in GitHub not being well written.
This is the evidence which strongly suggests that the DOGE personnel are using various cloud IP addresses to scrape.
This just seems odd.
Why would they attempt a login from Russia (if it was indeed Russians)?
It is incredibly cheap to use a VPN with a US residential IP.
Maybe not everyone involved is quite the genius you might've been expecting.
Occam’s razor would also suggest a hoax as one of several very credible possibilities.
Wow that's insane
> According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
Even worse when you know more of the whistleblower's story which is that ~15 minutes after one of DOGE's accounts was made there was an attempted login with the correct password from Russia. Not many explanations for that that look good for DOGE...
That's straight up traitorous.
DOGE needs to be shut down and every one of them held as a flight risk while the whole thing is investigated.
They work for Trump so they'll never be held to account, even if a Democrat wins the next election (assuming we even have one and it's fair and free)
I never thought I'd be calling for UN observers for an election in the US but here we are
Citation?
Not parent but it’s here - https://krebsonsecurity.com/2025/04/whistleblower-doge-sipho...
DOGE is a complete clusterfuck. Fwiw I think there is hard to spot fraud in the govt that should be looked at (eg price inflation at the pentagon, VA, Medicaid/Medicare, SS). They should have done the hard work of uncovering that. Instead they just went for clickbait headlines.
From the whistle blower.
> Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure.
https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-...
> all-powerful “tenant admin” accounts that were to be exempted from network logging activity
Is this normal to build this sort of functionality into a software system? Especially software systems that heavily rely on auditability?
Sometimes, depending on the situation.
My company retains all e-mails for at least 5 years, for audit purposes. But if some troublemaker were to e-mail child porn to an employee, we'd need to remove that from the audit records, because the laws against possessing child porn don't have an exception for corporate audit records.
So there's essentially always some account with the power to erase things from the audit records.
It sounds like you haven't actually had to face that situation, because it is more complicated than just having to delete an offending attachment. You would still have an audit log of the deletion of that email record by the superuser, even if the content is deleted. And there would be other records generated to document the deletion, like I'm sure a long email or slack thread from this getting discovered and sent up the chain, over to legal, then to the FBI, then back to coordinating the logistics of manually deleting something from the audit logs. So if for a completely unrelated case, a third party auditor stumbles upon that mess, they will be able to reconstruct why a single attachment cannot be found in the audit logs.
"No" is the answer to GP: there is no legitimate reason for a fully unlogged superuser account.
Yeah, superuser accounts? Of course you need them to exist. Superuser accounts that produce no logs? There is never a reason for that. Anyone who claims they should have a superuser with no logging is up to no good.
> You would still have an audit log of the deletion of that email record by the superuser, even if the content is deleted.
If needing things wiped from the audit logs happens often, you might indeed have an audited interface for wiping things from the audit logs.
But if it's very rare? Maybe I just request the production database password for "Incident #12345" and run some careful SQL.
> And there would be other records generated to document the deletion, like I'm sure a long email or slack thread
For sure - but the account capable of deleting entries from the audit logs exists
And if I am ordered to hand it over to someone who doesn't care to explain their actions on slack? Then there won't be any explanations in slack.
Ah man... back in the day I worked for a company that built out records management software. One of the big things on the side of the cereal box was that not even an admin could delete something flagged as a record within its retention plan. Fast forward to a company doing that for emails, messing up spam filters, and getting a blast of 'normal' porn that was all flagged as records. I believe they ended up creating security groups for those files that help keep those who were using it .. safe for work.
Very true - this comes up constantly in blockchain questions - but in that case there’d at least be an audit log showing who deleted which records.
No. Never. While it’s expected to have a “root” account, exempting it from logging serves no honest purpose.
Of course not. It's the exact opposite and every single person here knows this.
From an old hacker's perspective disabling shell history can have positive security implications. But in today's 'cattle not pets' systems mentality I'd expect all actions to have a log and not having that seems fishy to me. Keeping logging infra secure has a dubious, the log4j fiasco comes to mind. I'm not a fan of regulation for most things, but I think we need a higher cost for data leaking since security is an afterthought for many orgs. My personal leaning is to be very choosy about who I'll do business/share data with.
> “We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”
From the previous post, they had auditor roles built in that they purposely chose to go around
It's the same as domain admin in active directory.
You always need it to set up the system initially.
It's like root on Linux: it's an implementation detail that it must be possible.
There’s no possible need for an admin-level user that bypasses logging. If anything these users should have additional logging to external systems to make it harder to hide their use.
Root on Linux isn’t exempt from logging. I also don’t know any enterprise that allows admin accounts to bypass logging.
There is no legitimate justification for this request.
root on Linux can just kill the log forwarder and erase the relevant logs, or refill them with junk.
Yes. A more competent hack would have been to use their superuser permissions to do that kind of thing.
But instead they requested that logging be disabled, thus outing themselves as acting in bad faith.
That still leaves highly visible log traces if you’re following most security standards (required in .gov) since you’d have the logs showing them disabling the forwarder. The difference here is that this was like an attacker but had backing from senior management to violate all of those rules which would normally get someone fired, if not criminally charged.
At least at places I've worked, terminating the logger would cause a security incident, and the central logging service have some general heuristics that should trigger a review if a log is filled with junk. Of course with enough time and root, there's ways to avoid that. But that's also usually why those with root are limited to a small subset of users, and assuming root usually requires a reason and is time gated.
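The comments above argue that a superuser's deletions should themselves leave a record, and that root erasing or refilling logs should be noticed by a central service. One common way to get both properties is a hash-chained log whose head hashes are periodically shipped to a collector that the local admin cannot write to. The sketch below is an added example, not code from the thread or from any system it mentions; the record layout and function names are assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first record


def _digest(prev_hash, seq, actor, action):
    body = json.dumps({"seq": seq, "actor": actor, "action": action,
                       "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def append(log, actor, action):
    """Add a record whose hash covers its content and the previous record's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    rec = {"seq": seq, "actor": actor, "action": action, "prev": prev,
           "hash": _digest(prev, seq, actor, action)}
    log.append(rec)
    return rec


def checkpoint(log):
    """Head of the chain, as it would be sent to the external collector."""
    return (log[-1]["seq"], log[-1]["hash"])


def verify(log, checkpoints):
    """Return a list of problems; an empty list means the log matches the
    chain rules and every checkpoint held off-host."""
    problems = []
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            problems.append(f"chain break at position {i}")
        if rec["hash"] != _digest(rec["prev"], rec["seq"], rec["actor"], rec["action"]):
            problems.append(f"record {i} altered")
        prev = rec["hash"]
    for seq, head_hash in checkpoints:
        if seq >= len(log):
            problems.append(f"log truncated before checkpoint {seq}")
        elif log[seq]["hash"] != head_hash:
            problems.append(f"history before checkpoint {seq} rewritten")
    return problems


def demo():
    """Constructed scenario: honest use, an audited redaction, and three
    ways a local superuser might tamper with the file."""
    log, checkpoints = [], []
    append(log, "alice", "read case file 17")
    append(log, "tenant-admin", "create account svc-new-01")
    checkpoints.append(checkpoint(log))          # shipped off-host
    append(log, "svc-new-01", "export 10GB")
    append(log, "tenant-admin", "delete account svc-new-01")
    checkpoints.append(checkpoint(log))          # shipped off-host
    results = {"clean": verify(log, checkpoints)}

    # Audited redaction: the removal is itself a new record, so nothing breaks.
    redacted = copy.deepcopy(log)
    append(redacted, "superuser", "redact attachment of record 0 (incident ticket)")
    results["audited_redaction"] = verify(redacted, checkpoints)

    # In-place edit of one record without recomputing hashes.
    edited = copy.deepcopy(log)
    edited[2]["action"] = "export 1KB"
    results["edited"] = verify(edited, checkpoints)

    # Whole log replaced by a self-consistent chain of junk.
    junk = []
    for _ in log:
        append(junk, "root", "junk")
    results["refilled_with_junk"] = verify(junk, checkpoints)

    # Tail erased.
    results["truncated"] = verify(copy.deepcopy(log)[:3], checkpoints)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems)
```

The junk-refill case passes the internal chain check and is caught only by the off-host checkpoints, which is why an account exempted from forwarding defeats the scheme while a merely powerful one does not.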
> But that's also usually why those with root are limited to a small subset of users, and assuming root usually requires a reason and is time gated.
I mean, if we were to apply the equivalent from the article, then no they would not have had a reason nor been time gated.
That is a very serious design flaw, but I also believe it is a flaw that is addressed by SELinux. (Perhaps someone with a knowledge of SELinux can offer some input here.) That said, I'm not sure how widespread the use of SELinux is and doubt that it would help in this case since the people in question have or can gain physical access.
If you're root, you can just turn off SELinux
The question is whether it needs to be possible to turn off the audit logs for that role. And of course: No.
typically the admin account can create things like super users, and super users can do anything with the data, but not sure there's a use case where a single account can do both, and why can any of them avoid logging?
Sure, to hide your tracks because you know what you intend to do isn't right.
I can’t think of any. Even if you wanted to give someone broad permissions to access and modify data, you wouldn't turn off the audit logs.
There is no justification for ever creating an account like that. The only purpose is nefarious.
I am sure they demanded maximum access, but the logging activity phrasing sounds a little bit like spin...
I think if I wanted to describe an account with access to perform "sudo -s" as negatively as possible, I would say "an all-powerful admin account that is exempt from logging activity that would otherwise keep a detailed record of all actions taken by those accounts."
Interview with whistleblower detailing the attack and the threats directed against him:
https://www.pbs.org/newshour/show/nlrb-whistleblower-claims-...
I'm only really familiar with the 'tenant admin' concept from microsoft administration, it's commonly used otherwise?
Obviously no
There isn't one.
Anything musk's dogs claim to find cannot be taken at face value because of this. Because there is no audit, and no evidence that they can offer that they didn't doctor their findings.
The next time they claim that a 170-year old person is receiving SS checks, they have no way to prove that they didn't subtract a century from that person's birthdate in some table.
Ah, this is something I haven't thought of before. This might not actually be spying, but instead just an attempt to plant fake results.
> This might not actually be spying, but instead just an attempt to plant fake results.
That statement might be (slightly) more believable had there not been access attempts from Russian IP addresses using valid (and recently created) DOGE login credentials so very shortly thereafter.
They give away the game if you pay attention and read other internal sources from other agencies. This is all about shoving AI into the loop and removing federal workers from it.
They want to prove that AI can do "just as good a job" on these data sets and arrive at "equal conclusions" with a much higher level of efficiency.
This is what happens when you get high on your own supply.
And even if it's not and everyone involved is a qualified, thoughtful, unimpeachable public servant with no agenda but the general welfare of the Glorious Republic of Arstotzka in their hearts, the lack of an audit trail means that you have to seriously consider that they aren't.
Of course, given the blatant dishonesty and criminality that the rest of this administration is producing (see: every immigration law case that they are losing in court), you'd have to be a useful idiot to actually assume good intent from them.
Of course, it just never occurred to me that there's a less bad but still terrible explanation for ghost admin access.
To allow dodgy offshore actors to snarf huge amounts of data on US citizens to prepare a huge propaganda assault for the next election?
very clear admission of guilt.
Setting aside legitimate (that's a matter of judgement)...
Some previous attempts for DOGE to get data have resulted in data being deleted before they can look and requests for judges to block access to data.
DOGE may be trying to be covert in order to stop these two activities from happening before they can get and review the data.
> Setting aside legitimate (that's a matter of judgement)
By definition, a judge decides what's legitimate.
If DOGE expects their access to be blocked by a court judgement, and bum-rushes agencies to exfiltrate data ahead of the judgement, that's also criminal intent.
I am not sure what you are getting at. "Covert" isn't how I'd describe DOGE's actions. "Brazen" maybe?
People have admitted in news interviews to destroying government data to prevent others from knowing what the government was doing. That’s likely criminal. This is a legitimate reason to get at information before people who might destroy have the opportunity.
What’s happening with judges is very political. We likely won’t know what’s allowed until things have gone through the appeals process. There have been cases of judges admitting they will rule against the current administration no matter the topic or law. This is messy, to say the least.
1. DOGE employees access data they were not supposed to.
This is fairly clear.
The story says that DOGE attained access to an account that had huge permissions into what it could see and alter. The person or persons from DOGE may have downloaded 10GB of data. The person may have used this in a manner that is illegal. Or it is illegal to start with. With the understanding that POTUS may or may not be allowed to grant such access. (I don't think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge pool of IP addresses, from AWS to bypass forms of throttling.
3. The code was badly written.
4. The person is a racist
How would a person from DOGE use "unlimited" number of IP addresses from AWS to hammer and automatically screenscrape webpage, benefit from it when it came to copying extremely sensitive data from an internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using AWS IP addresses and scrape the data?
Something is pretty broken if the system with extremely sensitive data is available from external IPs -and- allowing a single account to login 10.0000 times to concurrently scrape data off the internal database?
Or are they saying that this code was adapted to use 10.000/100 IP addresses internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
> I don't think POTUS can
What data in a federal agency could the chief executive not have authorization to access?
The author brings up the ip scraping but makes no effort to tie anything together. It's actually really confusing. Were they using this utility to steal the data or are these two just totally unrelated things?
We have no way to know what they were using it for, because as the article details, DOGE works hard to make sure nobody can find out what it's doing or why.
I find the following bizarre. Ignoring who this marko guy is, why would a random person post such a "take down" of the repo? I have never randomly passed by a repo and wanted to just dunk on it. Also this critique reeks of being AI generated.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
Link from quote: https://github.com/markoelez/async-ip-rotator/issues/1
The follow comment is interesting to be a coincidental, such a weird interaction.
It's only "bizarre" if you "ignore who this marko guy is." It's not a coincidence, it's somebody pointing out that DOGE's "cracked coders" are wearing no clothes.
And the follies here seem to be many. I’m not following why this Marko guy would make a publicly-visible fork of a repo (though he seems to have deleted it since this story went big), and why they would openly request to have their accounts exempted from logging when they were apparently already privileged users.
I must be missing something here; surely the level of elite technical skill implicit in his résumé would preclude this kind of thing
Well yeah they're junior developers. By all accounts from good schools but literally everyone here has dealt with junior developer brain.
I would say that Elmo picked a bunch of junior devs because they don't have enough maturity to talk back and will do anything they're asked but I think that's too charitable. I think he actually went this route because Elmo is a sad man in his 50s who is desperately trying to pretend that he is, and has not matured beyond, his 20s.
Not just junior developers, but zoomer junior developers. I'm guessing Marko was just following Grok's advice.
On February 6th, Marko Elez announced his resignation from DOGE after the WSJ discovered many racist posts he made in 2024 (which they published on the 5th). That likely made someone really interested in what his actual coding skill levels were, and they took a look at a repo he had made.
Musk did a "poll" on X that voted for rehiring Elez to DOGE, by February 20th Elez had a US Government email address again, and on February 21st he was reported as working for DOGE at the Social Security Administration.
They took down the repository ~20 minutes after OP's comment. Archived link: https://web.archive.org/web/20250423135719/https://github.co...
Surely Elez is currently reading this thread right now too. Probably reveling in the attention like all the juvenile hacker boys.
Why wonder? The user who wrote it seems to be a pretty well established user, and their public repositories suggest that they work in adjacent contexts, so it's entirely plausible they attempted to use async-ip-rotator in one of their projects.
???
The public repos for this person that I could find that weren't forks with no activity to upstream consisted of a dice-rolling guessing game, rock-paper-scissors, and some kind of framework for downloading and transcribing audio files that does not yet download or transcribe, but implements a whole bunch of boilerplate. I find it rather difficult to believe this person engaged in a good-faith review of the async-ip-rotator code base.
It's also worth noting that Feb 6 may very well be after Marko Elez became a public figure with DOGE. The article doesn't do a great job of expanding on any of this.
Are you genuinely puzzled or just wanted an excuse to point us all toward that comment? If "the comment" is correct word for what amounts to full article in length.
Why would they want an excuse to point everyone to that comment when it's literally linked in the article?
The CEO of Tesla and Space-X; a self-proclaimed high IQ individual, an alleged programmer, has apparently hired a straight-up script kiddie to their elite delta force of technical government downsizers.
Um, as best I can tell from similar articles, they're all script kiddies.
There is a phenomenon I've noticed in this industry where people who lack a skill compensate by convincing themselves that they are a savant at seeing and exploiting that skill they lack in others. They find and encircle themselves with people who they believe are the Best of the Best, at least in their imagination, and it is critical for their ego that this is never challenged. They will be blind to any evidence to the contrary because they need the people they "identify" to be extraordinary, justifying their great people curation.
I mean, I guess this really happens in all industries. Art, music, leadership, software development. People who maybe once had credibility in something and now desperately try to foist Their People as the best in the industry.
I feel like that is what is happening here. None of the people who Elon surrounds himself with are notable in any way, and their skills are hugely suspect, but he has to have his harem of "Super Coders" to prop up his own mythology.
I agree with the script kiddies comment- which is basically what the reporting has shown... but in a way isn't that part of the point? That they can save billions of dollars just by having a couple of relatively normal comp sci kids (who can't even rent a car) review the most basic financial information of our government departments. These guys aren't supposed to be "delta force" they are supposed to be the interns.
Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say I am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
Your comment assumes the conclusion that these comp sci kids were able to save billions while preserving the correct behavior of the system, i.e. if their changes cause even one person to miss one payment they should have received, then the rest of your comment is entirely baseless.
If you could prove that billions were saved in pure waste, then I’d imagine any sane citizen would agree with you, setting aside matters of decorum and human decency (e.g. RIFs that may ultimately be necessary but conducted in an inhumane way)
I’d like my tax money used efficiently, but this group does not merit the trust to carry out those changes, even on a technical level
> I would really like my tax money used more efficiently
Except by most accounts so far it was being used efficiently by the federal workforce. This whole debacle will end up costing the US tax payer more money. See cutting the IRS or USAID which will probably lead the US to bailing out farmers. And if they privatize, then it'll be even more expensive.
I mean if they privatize USAID it’s a tremendous opportunity to loot on a scale we have not seen. Same thing if they privatize the IRS or Social Security. Think about all the money that could be invested in their friends’ enterprises out of the treasury float or the SS trust fund.
> I would really like my tax money used more efficiently.
This is immature thinking, because, who wouldn't?
The contention comes from differing opinions on what is waste.
A lot of people seem to consider anything that doesn’t personally, immediately, and directly benefit them to be a waste of their tax dollars. God forbid you use their property taxes to build schools their adult children don’t go to.
> review the most basic financial information of our government departments
That is what the GAO is for https://www.gao.gov/ , and these people are much better than script kiddies.
> I would really like my tax money used more efficiently
Me too! You are on hacker news so I assume you are a firm believer in https://en.wikipedia.org/wiki/Amdahl%27s_law ! If you would like your tax money used efficiently, are you willing to discuss cuts to social security, medicare, medicaid, veteran benefits, and whatever else is at the top of the budget? https://www.cbo.gov/publication/61181? What would you cut?
Personally, I would increase taxes on anyone making over $500K/year and stop nickel-and-diming our federal government so the US can actually become a first world country for everyone that isn't a software engineer.
> Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say I am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
This is like the derelict father with partial custody who parachutes in one weekend a month to buy his son ice cream and a new video game to leave two days later the conquering hero. Meanwhile mom works two jobs, has to set all the expectations and responsibilities for the child, and the father is late on child support payments.
DOGE blitzkrieged government IT. It'll be years before we understand the scope of what they've done and given available evidence: these are script kiddies who worship Musk, I don't think there is ANY reason for optimism or charitable consideration.
Someone needs to go to prison over this. It’s not just a misunderstanding, it is an intentional attack on every US citizen.
The people who need to see/understand this live in a different reality where uncomfortable things like this are ETL'd into righteous anger towards people they don't like.
This is the deep state they've been worried about, this is the boot that will tread on them.
EDIT: parent comment was highest ranked comment for the article and is now at the bottom?
A twisted justification for suggesting someone who broke serious laws not face consequences.
We live in a nation of laws, whether or not conspiracy-minded individuals prefer to follow them.
> We live in a nation of laws
You stopped living in a nation of laws a while ago. Now you live in a nation of might makes right.
We'll see.
The thing about the law in the US, it's slow and heavy. You'll need to be pretty mighty to move it if it catches up to you.
Justice delayed is justice denied.
I would have agreed years ago, but seeing trump - who obviously should be in prison for January 6th, among other crimes - back in the WH pretty much proves the US is not a nation of laws.
It's worse. SCOTUS says he's immune to any law while POTUS meaning he can have people commit crimes on his behalf and then pardon them (or simply commit them himself). See the 1/6 insurrectionists.
Supreme court gave Trump a pass on all his crimes. We have already seen. No more waiting is necessary to find out.
That law now officially includes an individual who is immune from the law and who can issue pardons to anyone for anything. So you live in a nation with optional laws.
Federal laws only. There is some daylight there.
All the evidence is contrary to your assertion that we live in a nation of laws.
We live in a nation of peers before we live in a nation of laws.
Laws are only as strong as the enforcement.
One of the things that is being exposed by the current administration is that, even though the Judiciary is an arm of the government, and supposed to provide a check on the Executive, the reality is that the Executive has the power to pardon anyone it sees fit, voiding the power of the judiciary (the argument is that the ultimate power lies with the voters who can pass their judgement on the Executive, and its use of its powers, by voting them out, hopefully)
> Laws are only as strong as the enforcement.
This is one of the fundamental issues that underlies our broken system in the US. The gaps between what the law actually is, what people think it is, what people want it to be, and what it in practice is, are enormous.
Some of the recent deportation cases highlight this. You have cases where people were living in the US illegally for decades but faced no repercussions, and now people are upset because they were suddenly detained and/or deported. Virtually all the framing I see is about how it's a sudden and horrible injustice that they were detained during a "routine" ICE check-in --- very little about how we have accumulated this palimpsest of rules and enforcement policies resting on laws which don't actually encode the state of affairs most people want.
If we want people to be able to immigrate easily and safely (and I do), we need to stop breathing sighs of relief when a new president comes in and issues some kind of temporary executive order that makes things okay in the short term. We need to fix the laws at all levels, including criminalizing enforcement actions that are contrary to the law. That would likely mean massive purges of many individuals in local and state governments and law enforcement agencies, with many of them sentenced to considerable prison terms for the kind of enforcement discretion that we currently accept as normal. It's not going to be pretty. But it has to be done if we want to return to a system grounded in the actual rule of law and not the rule of law enforcement.
Do you believe there should be criminal prosecution for state and local government officials currently refusing to work with ICE in its current form in the Trump administration?
Bruh, do you think people are pissed about the deportations just because they’re immigrants?
Deport them all if they came here illegally and that was _proven_, but the government just skipped all due process and as we’re seeing and as the government already admitted, people are being mistakenly deported to these camps and then the same government says they can’t do anything to reverse it.
You can’t be waxing poetic about the rule of law and how we need to enforce everything when they can’t even follow due process
> But it has to be done if we want to return to a system grounded in the actual rule of law and not the rule of law enforcement.
This is never going to happen - politics aside of what you might or might not believe about the current situation.
It's about as likely to happen as every religious individual on the planet obeying every rule in their sacred book.
The reason that they don't happen is because people's ideas on what is acceptable and isn't in a society change, sometimes quite rapidly - note that the current US Administration was (attempting) to use a statute from the 1700s, are you obeying all the laws (that haven't yet been repealed) from then?
edit: An obvious example is the fact that the USA exists - it's on land that was acquired via theft, and murder. Therefore every person living on that land is receiving stolen property - let me know when that law is being enforced.
Chances of that happening are zero right now.
I fully believe there's a stack of pardons in Trump's drawer for everyone involved in this debacle. I can't imagine breaking so many laws all over the government if you thought you'd ever have to face consequences. The alternative to pardons in preventing the next congress & administration from cleaning this up is too dire to really contemplate.
They are betting the system won't go after them later which is a very bad bet if they eventually give back the executive branch and an even worse bet if the power they support never gives it back. About as brilliant as being in a photo with Stalin.
Trump can wait until the last day in office then issue pardons for any possible crimes, right? Biden did something similar I believe
Can't pardon state crimes nor cases of impeachment.
Arguably, if you impeach someone in public office, even if they aren't convicted by the Senate, any pardon of those same acts becomes moot and they can be tried in court for the same offenses. At least, that's what the DoJ suggested in 2000.
> Trump can wait until the last day in office then issue pardons for any possible crimes, right?
Is your mental model of the pardon process actually confused? Yes, the president can unilaterally issue pardons, and Donald Trump is president until the end of his term, so he can issue pardons on his last day in office.
Is the hostility really required?
The comment was about last-day pardons, not pardons in general. It's a topic many presidents have gotten flak or attention for.
What hostility? I was asking if they were really confused or if they were asking rhetorically. If they were actually confused, the answer is yes.
edit: oh, I guess "and Donald Trump is president until the end of his term" could come off as patronizing. I meant it just as a statement in a chain of reasoning
Recent untested precedent exists of blanket pardons needed for unqualified crimes and they are so far likely to be challenged on a different technicality (first?).. Asking what people think is not confused unless you are being uncharitable or know a lot of actual precedents that we all should know from another era.
I am fully unaware of any challenges to recent pardons. I don’t follow politics much and just knew about the blanket pardon that I assume all presidents will use going forward unless it’s challenged in court.
Time to remove the pardon power. Has it achieved anything productive in the last 100 years?
I think it's been used properly in a lot of instances, especially when you consider that federal law can quickly become out-of-step with modern sensibilities, so being able to relieve those harmed by laws flawed under contemporary standards is important. There's probably a better way of handling that, but it's one instance where the power of presidential and governors' pardons has been applied appropriately.
> I think it's been used properly in a lot of instances, especially when you consider that federal law can quickly become out-of-step with modern sensibilities, so being able to relieve those harmed by laws flawed under contemporary standards is important.
No, that is exactly what we don't need. When law becomes out of step with modern sensibilities, the law needs to be changed. Precisely the problem we currently have is that we have become too accustomed to dealing with a sort of "shadow law" system where the way things actually work is not the way they're supposed to work according to the law. That is a recipe for confusion, bias, favoritism, and inequity. What we need is a system of laws that actually lets the people fix things when they are broken instead of patching around them. (This is, in my view, a byproduct of other aspects of our legal system, in particular the grossly over-restrictive process for amending the constitution.)
That's not really what I meant. Just because a law is repealed or changed, doesn't mean the people who were sentenced to prison because of its original form will receive revised sentences.
At the very least, it seems obvious there should be an asterisk on the pardon power of, "you can't use it to pardon your employees/staff." Or pardon people for things they did under your direction/purview.
It's written into the Constitution very explicitly, and it's a really bad time to hold a Constitutional Convention.
I'm not actually convinced that now would be a terrible time to hold a constitutional convention. Yes, it would be messy, but the nature of the ratification requirements (3/4 of all states) means that nothing could make it through without essentially unanimous consent of the country as a whole.
While we are at it we can add ranked voting and a vote of no confidence (maybe initiated by congress and voted on by the states or people).
To remove the presidential pardon power, you'd need to [amend the Constitution][1]. Getting [two thirds of both Houses of Congress][2] to pass any amendment in the foreseeable future seems highly unlikely if not downright inconceivable.
[1]: https://constitution.congress.gov/browse/essay/artII-S2-C1-3...
[2]: https://constitution.congress.gov/browse/essay/artV-1/ALDE_0...
It's a bizarre and archaic power, which has been abused by presidents from both parties.
It's also clearly incompatible with most (all?) modern definitions of democracy.
Truman and Carter used it well[1][2].
[1]: https://www.newspapers.com/article/news-and-record-truman-ex...
[2]: https://en.wikipedia.org/wiki/Proclamation_4483
The problem with prosecuting them – they are employees of a White House office, doing what their bosses told them to do, and it is clear their bosses are carrying out the President's wishes.
If Joe Blow off the street walks into a federal agency and takes all their data – open and shut case, throw the book at them, see you in a few decades.
If someone from the White House walks into a federal agency, tells the agency leadership "the President wants me to take all your data", and the agency leadership replies "sure, of course" – not a scenario people were expecting, so the existing laws haven't been crafted to clearly criminalize it. Maybe some enterprising prosecutor can find a way to map it to the crimes on the statute book, maybe it is just too hard. But even if the prosecutor overcomes that hurdle, it will be far from easy to convince the jury / trial judge / appellate courts that the legal elements of the crime are actually met – and if it actually gets as far as a conviction upheld by the appellate court, what do you think the conservative SCOTUS majority are going to do with that when they get it? And many prosecutors, foreseeing those low odds of ultimate success, will stop before they even get to an indictment.
So, I think the odds of anyone ultimately being convicted over this are low, even if Trump never pardons them.
Maybe, Congress might pass a law to make it more clearly illegal, which might make it easier to prosecute if a future administration repeats the same behavior.
The claim that because your boss tells you to do something illegal means that you should just do it is bullshit. It's your social responsibility to not capitulate under these circumstances.
If you don't feel that way then you deserve the world you are creating.
The problem is a lot of relevant criminal laws contain this word “unauthorized”. If you have access to a computer system, and it is authorized by the people who own the system, it isn’t a crime. These people will say that whatever they did/bypassed was (1) authorized by the President (of course if you ask Trump if he authorized them to do whatever he’ll say “yes”); (2) authorized by the senior agency leadership (because Trump has made clear that if they refuse to authorize it they’ll be fired).
So, how do you prosecute them for accessing a computer system (or data or whatever) without authorization when both the President and the senior agency leadership say they authorized it?
Well, you can’t - unless you want to argue that the President / agency leadership’s authorization is illegal and hence illegally invalid, ultra vires. But even supposing you are right about that in the abstract, will you be able to convince a judge and jury of it? And even supposing you convince a jury, trial judge and appellate court, there’s a dozen different ways SCOTUS could overturn it (from narrow questions of statutory construction to sweeping rulings about the President’s inherent constitutional power to demand information from the executive branch), and I think the main question for the current SCOTUS majority will be which of those ways they choose.
My impression is that a lot of people are mixing up what they think the law ought to be, with what it actually is. Just because something ought to be a crime doesn’t mean it actually is one - and that’s especially going to be the case with unprecedented situations, it is hard to make something a crime if nobody foresaw it would one day happen.
Not really possible since they would be pardoned even if anyone was ever willing to prosecute them.
Writing ai slop? Thanks !
Explain please.
The complaint alleges that DOGE was able to get unlimited-permissions admin accounts that were not subject to logging. They also downloaded external repositories that gave users of those repos lots of different IPs. The complaint further alleges that the DOGE person used the combination of these things to "download... more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents."
If this is all true, this is basically hacking sensitive data in the open. We already know the current administration has worked to hobble unions. So putting these things together, this act is not only wrong in and of itself, but the data is likely going to be used to harm Americans' interests. So, deserving of punishment.
And they fucking illegally fired the IGs who are supposed to act as watchdogs for and light-shiners-on-of blatantly-illegal activity like this in the executive. The ones we added after Nixon's crimes. It was one of the first actions of the administration, blanket firing without actual cause, which is supposed to be required, and without the required notice-period to Congress.
That should have exhausted any benefit of the doubt right off the bat, even among those inclined to think Trump's maybe not great but also some ordinary amount of bad for a politician. You don't do that unless you fully intend to do some crimes. Not only that, they were so goddamn eager to crime that they couldn't wait the 30 days or whatever. They intended to do criminal shit immediately.
I wish the firings of the IGs were something that "Joe Sixpack" understood. Honestly, even that the IGs exist(ed).
(It wouldn't change the opinions of anybody who matters, I suppose.)
If you take a step back and realize that the intent is to utterly destroy the social safety net provided by social security, Medicare, etc that we have all been paying into our entire adult lives, tell me why every citizen affected should not pursue civil and criminal charges of theft and fraud with malicious intent?
And then the means to do so have involved ignoring the courts and bypassing constitutional checks and balances? Please tell me how this isn’t criminal if not treasonous?
Not only did you not explain the original comment, you added more assertions that are significantly more extraordinary without explaining your reasoning for those either.
Sensitive government data was (sure, allegedly) extracted to Russia via an account that was expressly created to hide / not create logs. This is treason. Allegedly.
This administration is doing a lot of things that are borderline treasonous. Hopefully they get prosecuted when they get voted out or ideally get removed from power.
Trump will blanket-pardon anyone who's still on his good side. And maybe some who aren't, just to limit the reach of investigations. And Trump himself's untouchable—while it remains technically possible to criminally prosecute a President for actions in office, it's in-practice impossible short of some unlikely hypothetical scenarios, thanks to the Supreme Court (the Roberts court loves leaving things technically intact, but actually not)
https://krebsonsecurity.com/2025/04/whistleblower-doge-sipho...
If I told you someone went to your bank and demanded the right to set up accounts with permissions to do everything and to have all logging of that user's activity disabled, and then a whistleblower pointed out that they downloaded everyone's bank statements, you'd probably be pretty upset.
After all, why do they need unfettered access? Why do they need your bank statements? Why do they need to hide what they're doing with the unfettered access?
That's what's happening here. There is no good explanation other than bad actors
People voted for this
You’d have to prove a crime here to send someone to jail, correct? What would the charges be?
Without knowing the specifics of US law, there’s a lot in there for a reasonable case. Improper handling of sensitive data, interfering with ongoing legal proceedings, abuse of telecommunications infrastructure (looks like the guy runs a brute forcing crawler on a government system) and probably even more.
El Salvador seems very willing to take people off our hands for mere allegations.
The fact that they left these packages public on GitHub.. guys you do know you can make things private right? Just shows how dumb these people are honestly
Or they are emboldened in knowing there will be absolutely no consequences.
Go look at the list of pardons this administration has handed out. These guys won’t even be charged.
They were given a blanket pardon dating back to 2014. No crime even listed!
Or they think what they're doing is righteous and they're proud of it. It isn't - DOGE is responsible for hundreds of thousands of deaths through cuts to health programs - but I suspect they are deluding themselves into thinking it is.
> DOGE is responsible for hundreds of thousands of deaths through cuts to health programs
That seems like a lot. Source?
https://www.yahoo.com/news/count-dead-millions-133000054.htm...
https://www.bu.edu/sph/news/articles/2025/tracking-anticipat...
https://www.impactcounter.com/dashboard?view=table&sort=inte...
https://www.nature.com/articles/d41586-025-01191-z
https://www.scientificamerican.com/article/usaid-funding-sav...
This is just USAID. It's not even considering the cuts to HHS or other agencies.
Not that it matters in this specific case, but on GitHub privated forks aren’t fully private: https://docs.github.com/en/pull-requests/collaborating-with-...
It's git. Just clone and push to a new, private repo (on or off of GitHub) without clicking "fork".
Making a fork of a public repo private involves using the git cli.
What? They reused public packages that have been public for years. One guy made a public fork with some changes. Is that not what open source is intended for?
Untraceable and complete access to government databases. I can't begin to imagine the implications here.
We only hear about the cases where someone is taking the risk of blowing the whistle, and actually manages to get the story out. Hopefully with enough substance for people to take the information seriously. How many cases that are likely to reach public knowledge is left as an exercise to the reader, as the saying goes.
Direct access to private data relating to accusations against companies Musk owns.
So the real question is, who do you actually report this to if the fox is guarding the hen house? The only place that makes any sense is congressional oversight in some way but that will go nowhere except maybe a quick NPR story.
So what exactly is being alleged here? That these DOGE bros wrote and used “hacker” code from GitHub to bypass security limitations on NLRB data? Why would they even need to do that if they had superuser accounts in the system already?
I think the point of the article is that the whistleblower's original claims can be substantiated publicly. It's another datapoint indicating that the DOGE people are operating haphazardly at the absolute best and, more likely, attempting to obscure their tracks because they know that what they're doing wouldn't pass legal muster.
DOGE downloaded libraries to assist in data exfiltration, and did exfiltrate data (obtained via the superuser accounts).
Suggest reading the complaint: https://whistlebloweraid.org/wp-content/uploads/2025/04/2025...
they added a backdoor that is not audit logged. that's why.
The lede is buried but the implication is downloading a huge amount of data on union organizers, which can then be given to a company to pre-emptively fire those individuals
The article is written very poorly. The disclosure itself is far more readable.
https://whistlebloweraid.org/wp-content/uploads/2025/04/2025...
Also this PDF contains a detail I haven't seen reported elsewhere:
> Furthermore, on Monday, April 7, 2025, while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you
It's an interesting detail because if true -- and I fully assume it is -- the intention likely wasn't to dissuade him from going public, but instead to make him look like a conspiratorial nut. When I first saw this story and heard that "drone shot of him / threatening note" I admit that I immediately assumed it was a flake, but on further details I think that was actually the reason for doing that.
Thanks. So the tools downloaded from GitHub were allegedly used to scrape personally-identifiable information (PII), details about ongoing legal cases, union-related data, and corporate secrets. The whistleblower observed large spikes in outbound data traffic, suggesting that gigabytes of sensitive information were exfiltrated with logging disabled, so as not to leave a trail.
Yes, this is much more clear than the article.
Isn't the ip rotator used to scrape from public websites to bypass rate limits? Not sure how that automatically means they are "siphoning sensitive case files".
The IP rotator was discovered in the analysis. The exfiltration of data was discovered by an NLRB employee and triggered the complaint. A member of their staff saw the spike in egress, found the source and that the audit log had been bleached.
It doesn’t. Coupled with the whistleblower complaint, however, it is evidence.
>Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially.
A little nit-picking, but that's not what open source means, especially as it relates to the GPL in this case. If you can't use the code commercially, it's neither "open source" (as defined by OSI) nor free software (as defined by the FSF).
Right, but the original statement isn't being mutually exclusive.
> Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.
If the allegation is true, what would be the motivation of the higher-ups to keep this secret from US-CERT?
It appears to be a severe compromise, and the context suggests that much of the rest of the federal government is imminently vulnerable to the same tactics by the same threat actor.
Were the higher-ups reporting the security crisis through better channels?
Or were they trying to keep it quiet entirely, so might be complicit in something bad?
> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially.
That isn't what "open source" means.
>The new accounts also could restrict log visibility, delay retention, route
Guessing those are the same accounts that got accessed by Russian IPs?
Genuinely wondering whether the US democracy is going to make it to December.
I almost can't make heads or tails out of this scatterbrained word salad.
Let's start with this:
> Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases.
> Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub
What exactly does that mean? NLRB database accounts are GitHub accounts? (Surely not.) Or the same IP address accessed both, suggesting it was the same person? Define "account".
No coherent point being made here. This story needs to clearly separate the rhetoric about GitHub repositories from the NLRB access, and connect them together coherently.
The flow seems to be:
1. Some DOGE people obtained unbridled access to NLRB, with the ability to erase audit trails.
2. There is some sort of evidence that the same people downloaded tools from GitHub for distributed web scraping, suggesting intent to scrape massive amounts of data from somewhere (inferred to be the NLRB database).
There is no evidence cited in the article for the actual downloading of gigabytes of data; the "whistleblower" is quoted only as saying that DOGE required certain privileged accounts to be created and that the users of the accounts supposedly downloaded some web scraping software from GitHub.
At least mention some circumstantial evidence, like a suspicious increase in access activity, coming from distributed IP addresses in the Amazon cloud, following the download of those tools.
This:
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
seems neither here nor there; why include that? It may be that the tools DOGE are using are not adequately safeguarding the data, but it seems like an extraneous point, and indigestible without specifics.
The only interesting part of 2 is it looks like DOGE wanted all the data. The technical details of how they scraped it mostly don't matter.
Plus in the whistleblower's actual report, there is evidence of them getting it, like logs of network output far above previous levels, and those accounts making accesses from various IP addresses (including geo-blocked attempts from Russia).
What sucks is that Russia and China now, almost certainly, have all this data, but they don't worry me as much as the American oligarchs that now have it.
The government dogs are literally script kiddies, go figure.
Haha, and the GitHub repo is now offline. lol.
> accounts created for DOGE at the NLRB downloaded three code repositories from GitHub
Why is anything of significance on github in the first place?
Edit: It's not. They just download python libraries to do "IP rotation" to circumvent rate limits.
On the actual complaint: (https://whistlebloweraid.org/wp-content/uploads/2025/04/2025...)
It seems that the data was stored in Azure which doesn't make it any better.
If you continue reading, that question is answered. The GitHub repositories don't belong to the NLRB (or to DOGE), they were generic tools that were used to exfiltrate data from the NLRB.
I noticed and wanted to delete the comment but you replying made it impossible.
They downloaded "IP rotation" python libraries to circumvent rate limits.
What do you mean? It was "just" a tool to circumvent anti-scraping measures.
If they have full access to the systems, why are they scraping them externally?
This is the big question everyone here seems to be skipping over. It seems like they're using "database" in the colloquial sense and actually mean some sort of already public data that's just rate limited (for example https://www.nlrb.gov/advanced-search).
Then depending on the order of events, either scraping didn't work well enough and were given "unlimited" (not rate limited) access, or the accounts were actually denied so they fell back to scraping. Or perhaps these two things are just unrelated despite what the story is claiming.
Or maybe, even with access, they couldn't figure out how to query the actual database, so they resorted to scraping? Even with full "tenant" access, it could take some time to figure out where to look.
They are not. If I read the article right, they downloaded tools to use, mostly to do with anonymous web scraping.
That page reads completely incoherently if you understand junior level programming mental models. This is a hit piece for non technical audience meant to conjure fud.
It’s not at all about programming
This is much ado about nothing. The article tries very hard to make something ordinary sound nefarious.
This appears to be DOGE employees simply doing their job.
You may not agree with what they’re doing in a political sense, but if you were tasked with the same problem you’d come up with a nearly identical solution.
For example: “tenant admin” is probably the special role that can bypass access control (not audits!) and see and read all data.
This sounds scary but I regularly request this right from large government departments and I get it granted to me.
Its use is justified when normal access requests would be too complex / fiddly and error prone. Generally, in a large environment, there is no other way to guarantee 100% coverage because as an outsider you don’t even know what permissions to ask for if you can’t see anything due to a lack of permissions!
Seriously: sit down for a second and think about how you would go about getting access to make a full copy of an organisation’s data for an audit if you fully expect both passive resistance and even active efforts to hide the very things you’re looking for.
The original complaint mentions:
"7. March 3rd - I received a call during which an ACIO stated instructions were given that we were not to adhere to SOP with the doge account creation in regards to creating records. He specifically was told that there were to be no logs or records made of the accounts created for DOGE employees."
Which part of doing an audit, or some other DOGE employee's job, requires logs or records not to be made of their accounts?
Another quote:
"They were to be given what are referred to as “tenant owner” level accounts, with essentially unrestricted permission to read, copy, and alter data. Note, these permissions are above even my CIO’s access level to our systems. Well above what level of access is required to pull metrics, efficiency reports, and any other details that would be needed to assess utilization or usage of systems in our agency. We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval. The suggestion that they use these accounts instead was not open to discussion."
Audits don't require being able to alter data.
Also, some of the data is mentioned as being sensitive. Although granting access to the data of another agency may make sense, I have trouble believing that direct access to data such as sensitive personal information of third parties would routinely be given to people from outside of the organization. Even within the organization the group of people given access to sensitive data should be as limited as possible.
All of what you said is either true or likely honest statements from the agency staff… yet completely misses the point.
> We have built in roles that auditors can use
… and we make sure doesn’t reveal our wrongdoing.
— that’s what DOGE is tasked with uncovering. The “deep state”, the lies, hidden costs, etc…
Now you may think this is counterproductive. You may think this is political posturing. You may think it’s borderline conspiracy theory nonsense.
We agree!
Trump, Musk and DOGE don’t agree with us and don’t trust the staff that they believe are providing carefully constrained access and curated data dumps with strategic omissions.
THIS is why they’re side-stepping the official processes and using the skeleton key.
Again, please, focus on disambiguating the politics from the technical steps being taken.
If the task is: “Get all the data, especially the data they’re trying to hide from us” then asking for Tenant Admin is the right technical choice.
I can pick apart every other statement but I don’t have the time. But as a quick note: it’s common for the RBAC permissions to be the inverse of the organisational permission. As a random subcontractor I often get granted Domain Admin or the equivalent and the CIO, CTO, and CISO staff are treated the same on the network as some secretary might. They’re meeting jockeys, not super admins! The fact that the staff member raised this “issue” automatically implies that they know nothing and that their opinions and statements are suspect.
PS: Most systems don’t have a built-in Tenant Reader role, they only have Tenant Admin. DOGE staffers would have been instructed not to trust any custom role, so… Tenant Admin it is.
Your argument makes sense. I still speculate they're doing malicious things.
DOGE was given a mandate by a President with unprecedented (hah) unitary power. They’re executing on that, roughly how you’d expect them to, given their instructions and the time and resources available to them.
I personally feel that they’re being reckless and sloppy, uncovering “waste” that is often simply an artefact of their hubris. In doing so, they’re risking exposing the internal systems of the government to outside attack.
This is the rough equivalent of the guards in a prison turning over everything in a cell looking for contraband.
It’s not nice. It’s rarely productive. It is also a tool of intimidation. That’s part of the point. The prisoner is not supposed to like it. They’re not invited politely to present what they want others to see. They’re humiliated and powerless. That’s what the MAGA and DOGE want.
I have taken part in audits for several organizations over the years, and I can assure you that's not how audits are done at all.
In fact, should the auditor find there is a way for them to access sensitive data without it being logged, they will flag it immediately. That would be the case even under simple financial regulation.
There is absolutely the risk that the people you audit will lie to you or present you with false data. In practice that's not common, because they stand to at the very least lose their jobs. It could also be illegal. Not worth it.
> Furthermore, on Monday, April 7, 2025, while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you
It would be astonishingly stupid to threaten a whistleblower in such an amateurish manner when you’re backed by the party in power and have the full and official apparatus of the state at your disposal.
Astonishingly stupid sounds about right for the people leading the apparatus of the state :)
What could they possibly hope to accomplish with a threatening note and drone photos other than to provide fodder for his complaint?
Why would drone photos even be necessary when you’ve already demonstrated that you know where they live?
What possible purpose does such a threat serve?
To intimidate. To scare into silence.
Except that all you’d be doing is creating a trail of physical evidence demonstrating a felony conspiracy — and a frankly stupid one at that.
From recent news it seems unlikely these guys are interested in behaving rationally.
It just doesn’t pass the smell test.
- Who decided to threaten the whistleblower and why?
- Who approved such an idiotic idea?
- Who determined his home address?
- Who flew the drone, timed to capture photos of the whistleblower while on his way to/from his home?
- Who took the drone photography, printed out the images, and wrote a threatening note?
- Who then took all that and physically posted it on his door?
That’s a very involved process, with substantial risk, with no realistic upside. None of the incentives are aligned with the behavior. It simply doesn’t make sense.
Applying Occam’s razor, it seems a lot more likely to be fabricated — that’s a scenario in which incentives actually align with the behavior.
In practice, that shouldn’t make a difference to the investigation; given the physical evidence, they should investigate in great detail the origin of the threat — regardless of whether it’s a hoax or real.
Not sure if this is a serious question…? What would it accomplish if you were the whistleblower? If it was me, my family would be on the first flight out of the country.
It would convince me that whoever I was whistleblowing on was so remarkably stupid as to engage in a felonious criminal conspiracy while leaving behind physical evidence thereof.
I hope that the threatening note and photos have been turned over to the police, where they can be analyzed for fingerprints, printer microdots, et al, and the police can canvass the neighborhood for security camera footage.
As a tactical move, this kind of threat makes zero sense for anyone in the government to carry out if they are even a semi-rational actor.
Our HIGHEST-level government people are texting each other (along with whoever else happens to be in their contacts) war plans, so you know, stupid is as stupid does :)
I don't believe your statement that you ask for, and successfully receive, tenant admin rights from large government departments.
DOGE employees aren't simply doing their job. They are actively subverting the government to fatally wound it.
> This sounds scary but I regularly request this right from large government departments and I get it granted to me.
Prove it. I want you to give examples of where you did something like this.
Do you also delete logs, fire the cybersecurity team, and stonewall breach investigations?
https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-...
In that case, you and departments you work for are either breaking the law regularly or working with public data anyway.
Besides, no one needs unmonitored write access for audit. Even less DOGE, who does no audit and doesn't have the knowledge of how to do an audit. Audits are supposed to be traceable.
Omg they also saw spikes in DNS traffic and high load during days of exfiltration ahead of audit...
Clearly the (system) auditing infrastructure wasn't robust enough to still provide a lot of monitoring even if the service is being managed by someone else...
Also a several hundred line teardown of a 300-line file is exactly what is wrong with some coders. Not having a CI/CL for every single short tool written once to do a job is called being productive...
Absolute balderdash.
For those genuine actors here: this theoretical outrage assumes the premise of something immoral or illegal, and completely ignores the authority structure. This looks and smells like an info operation.
Just, as an exercise, list out 3 good reasons someone might want untraceable admin accounts, then list 3 really bad reasons they might want that. If you manage to find 3 good reasons, does the outcome of those outweigh the risks of the potential bad reasons?
Good: 1. The account-level below that doesn't have access to certain stuff and just happened to have untraceable stuff 2. They just said "give me the highest level of access" and didn't investigate what that meant 3. Can't think of a good third atm
Bad: 1. They want to do nefarious things untraceably 2, 3. I think 1. covers pretty much everything.
Personally, if I'm put in charge of overhauling a system I don't want to waste my time waiting on approvals for BS, I just want to be given the highest level of access I can be given to get on with work.
I'm not saying this is fine, but the information here is basically a random list of things that happened and it doesn't really tell a nefarious story to my eyes.
I appreciate the question. The most obvious is that this is an “audit the auditors” exercise, and they do not want to leak information toward a likely adversarial counterpart. If they have the authority to do so, then they do. An adjacent complaint about “not following Treasury policy” is similar. If these systems exist, there is a governing authority structure, and that does not begin at the level contemplated in this document.
I don't see anything wrong with what they did, they basically got admin accounts so they can peek into the system and used some libraries from GitHub. What is the problem here? Got a feeling it is just politically motivated, people are not happy that the Trump administration is actually doing something to make systems more efficient and stop money waste of tax payers. I am sure they will make some mistakes along the way and I am sure not every "saving" is actually saving but when you look at so many systems and so much money some errors are expected.
The DOGE guys are truly living the script kiddie dream.
I have a theory that "business ethics" is really just "following the law." In capitalism, outside a few select industries like journalism, as long as it's legal you can - and should - do anything to maximize profits. It has turned into (or perhaps always was) the govt's job to set those rules.
Now, the govt also has to create rules for itself. So it creates the Privacy Act and layers of bureaucratic checks and balances. These rules are to protect the people, not to derisk or protect the govt. After all, the govt has all the power.
So when capitalist business leaders are given the keys to govt, the normal ways of ethical alignment don't work. If you don't follow your own rules, who cares? They're your rules! I think what we're seeing is what happens if you apply traditional capitalist business practices to govt administration.
The trouble is that money is power, so the people who succeed the most at maximizing profit end up getting a lot of influence over the rules.
In some countries, this is done with outright bribery. Here, we do it with campaign contributions and lobbying and “we’ll create jobs in your district.”
Yeah actually. I think that’s about right.
> In capitalism, outside a few select industries like journalism, as long as it's legal you can - and should - do anything to maximize profits.
Honestly, if you were around watching the news 30+ years ago, you would notice a stark difference in how news is covered then versus today. You can't really blame them, they are doing what they can to survive, but coverage today is much more tabloid than news.
I would say the "fake but accurate," was the death knell, but it might have been sooner.
https://en.wikipedia.org/wiki/Killian_documents_controversy