• Marshezezz@lemmy.blahaj.zoneEnglish
    2 hours

    We could just burn everything down and return to jungle law where the fascists will realize really quick how coddled they’ve been in life

  • Absurdly Stupid @lemmy.worldEnglish
    4 hours

    Passwords were stored as plain text in a public GitHub repository.

    Governments and corporations are made up of people, and when people see other people treated like garbage, they tend to become less diligent in their own duties, and loyalty is thrown out the window. Revenge is never off the table.

    Also, even if you get rid of everybody so that no witnesses of your injustice remain, you’ve filled those positions with neophytes, who are incompetent for quite some time (at least).

    that’s the notorious “double whammy catch-22 fuck around find out” phenomenon, a TRIPLE THREAT

    • Kairos@lemmy.todayEnglish
      4 hours

      “Store gets robbed after owner leaves door wide open at night”

  • mlg@lemmy.worldEnglish
    13 hours

    GitHub gets autoscanned by thousands of malicious actors for keys and credentials on every commit, including the comments lol.

    The fact that CISA themselves never saw an automated breach attempt only minutes after pushing to github is the more interesting story here.

    Either the contractor is so incompetent that they didn’t have any logging set up and the breach went completely unnoticed for 6 months.

    Or this really is some fat honeypot that they won’t admit is a honeypot because they’ve been using it to watch or bait APTs.

    Currently, there is no indication that any sensitive data was compromised as a result of this incident

    This is literally impossible unless it really was a honeypot. You can demo this yourself in real time. Make a throwaway cloud account on your favorite provider, commit the cloud auth token into a repo, and you will see an automated bot login within minutes.

    Commiting any secrets to a public repo should just be considered auto compromised because of how potent it is.

    That stuff ususlly gets exposed via poor CI/CD permissions where credentials are required, but straight up file commit is like publicly announcing exactly where you left your house keys lol.

    • Ironfacebuster@lemmy.worldEnglish
      10 hours

      Can confirm, with one of my first discord bots I accidentally committed the token and within a day someone logged in and announced in every server it was in that the token was compromised

    • 4am@lemmy.zipEnglish
      12 hours

      Straight up file committing is like making a copy of your house keys for anyone who can see you at that moment and all moments thereafter lol

  • whotookkarl@lemmy.dbzer0.comEnglish
    13 hours

    Imagine fucking up so bad security researchers think it must be an obvious honey pot until they see what the credentials give access to

  • pulsewidth@lemmy.worldEnglish
    16 hours

    Six months of exposure.

    There is zero chance that the CISA systems have not been comprehensively breeched by every foreign adversary.

    Good thing Trump cut 1/4 of their workforce last year. It’s really paying dividends for Putin.

  • wonderingwanderer@sopuli.xyzEnglish
    12 hours

    Is this the same cybersecurity agency that fired all its professionals to replace them with sycophants?

  • zd9@lemmy.worldEnglish
    16 hours

    jesus christ

    This regime has caused so much damage to our national security, much of which we won’t discover for years or decades. The Russians and Chinese (and literally anyone else) are probably fully infiltrated into our entire system in every aspect. SO fucking incompetent and corrupt.

    • henfredemars@lemdro.idEnglish
      15 hours

      We’re barely even trying with the massive cuts to cyber security. It’s almost the exact playbook you would use if leadership were actively hostile.

      • zd9@lemmy.worldEnglish
        13 hours

        Trump and co are actively hostile to the US government though. There have been entire books written about how compromised he is. He’s the perfect insider threat example: in debt to foreign powers, selfish and looking to make personal money, lies about his dealings, easily temptable with honeypot women (and Epstein girls, fucking sick), no allegiance or any form of duty to country or anything bigger than himself because he’s a massive nihilist narcissist.

        Really really scary times for anyone in America.

      • Lost_My_Mind@lemmy.worldEnglish
        13 hours

        See, that’s the thing. I always grew up with the phrase “Don’t blame on malice what can be explained by incompetence”.

        But at a certain point, IS it incompetence anymore??? At this point it’s starting to feel very very deliberate.

        • kent_eh@lemmy.caEnglish
          13 hours

          In this case it is both malice and incompetence acting together to create the worst possible outcomes.

      • Malyca@lemmy.zipEnglish
        11 hours

        They are hostile, their mission is to destroy us

    • prole@lemmy.blahaj.zoneEnglish
      13 hours

      We’re also creating generations of new enemies and potential “terrorists”.

      And Democrats will inevitably be blamed when they attack us in the future.

      • zd9@lemmy.worldEnglish
        12 hours

        I think we’re headed towards a Troubles type scenario. Like a decade or more of stochastic terrorism, some organized groups, lots of violent suppression by the government, and further corporate capture of the state. I guess that’s just the fascist end goal.

  • demonsword@lemmy.worldEnglish
    17 hours

    vibe code go brrrrrrr

    EDIT: wow it’s far worse, it was a single contractor that decided that his convenience was above any and all security recommendations ever written. Pure. Genius!

  • Optional@lemmy.worldEnglish
    16 hours

    Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

    But wait

    Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

    “Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

    One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.

    This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.

    • AA5B@lemmy.worldEnglish
      9 hours

      “Mistake”. Yeah, no. That’s someone thinking policies aren’t meant for them and blindly taking the easiest path. Sounds just like those 1337 hax0rs they gave the keys to

      In a sane world this should get clearances revoked so they never again deal with any private data

    • atomicbocks@sh.itjust.worksEnglish
      16 hours

      As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.

      • Optional@lemmy.worldEnglish
        15 hours

        Sorry, I hear ya. You are so not the only one either. Hang in there. Hey - this place may have some open positions soon?

    • CosmicTurtle0 [he/him]@lemmy.dbzer0.comEnglish
      14 hours

      Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?

      The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.

      • Optional@lemmy.worldEnglish
        14 hours

        I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.

      • henfredemars@lemdro.idEnglish
        15 hours

        Our best and finest left the safe combo next to the safe and then left for 6 months.

      • Optional@lemmy.worldEnglish
        13 hours

        Woke computer nerds fucked us

        Edit: just to reassure the more anxious amongst us, I mean ‘woke’ in the maga sense of anything-i-don’t-like-is-woke. Not actually woke.

        Actually woke computer nerds observe proper security protocols ffs.

        • squidman64@lemmy.worldEnglish
          12 hours

          Unfortunately you can’t ironically pretend to be a dumb asshole on the internet because you become indistinguishable from the actual dumb assholes

  • dhork@lemmy.worldEnglish
    15 hours

    Why are people acting surprised? This is exactly what DOGE intended to do.

    • yeehaw@lemmy.caEnglish
      14 hours

      This is like being surprised someone died in a fatal car accident after their wheel came off on the highway because they handed a wheel and lug nuts to a 10 year old and said “put this on”

  • BaroqueInMind@piefed.socialEnglish
    17 hours

    Its dumb shit like this that reassures me that AI will definitely take over cyber security jobs and make shit even LESS secure than everything already is.