People are going to read this because it's Bruce friggin' Schneier. But Bruce is best when he's discussing low-level details of some actual exploit. And usually even then, his coverage glosses over most technical details. He's the guy you go to when you hear about "spectre" or "meltdown" and want a quick three-paragraph summary of what the deal is.
This is different. This is a hand-wavy "maybe somehow possibly I guess someday" article; presumably his freelance writing fee is nice.
This is a trait you see in his other articles (the hand-waviness) but here it's all fluff and hand-waviness. Take, for example:
> By modifying core systems, the attackers have not only compromised current operations, but have also left behind vulnerabilities that could be exploited in future attacks
Logically, that should say "By modifying core systems, the attackers could compromise current operations and/or leave behind vulnerabilities" (he's calling the DOGE government employees "attackers" because his politics allow him to look at the grey area from a highly-polarized angle, another mainstay of Bruce's reporting). But logic flew out the window, I guess. If you modify code, you introduce vulnerabilities. Always! 100% of the time! This guy spent too much time writing encryption code, methinks.
I'm wondering what process surrounded giving them sudo/admin privs. Like, which systems admin, what chain of command. It's not like there's a special White House decoder ring signal.
From 20,000ft it feels like a social engineering attack over a wall "because I said so" high.
Was there no M of N process step required? Are the barriers around data in government unenforceable, based on personal restraint only?
Or did they e.g. toss old boxes through single user, not require approval, use root privileges to reset a password or two then reboot into multi user and own an sql binding, or some other asinine approach?
This isn't asking right or wrong, it's asking what the human procedural steps were in doing this.
DOGE doesn't need sudo, just READ-only access to the most recent (read: last month's) database backup is enough.
When I was a data analyst, I rarely connected to the live production DB to do exploratory data analysis (this is what DOGE is doing), because running OLAP queries on a live OLTP system is problematic.
But having my own instance of DB with a restored backup of data was more than enough for analysis:
1. I could modify schema, create indexes to speed up my queries
2. Could create a materialized view to join a bunch of dimension tables
3. Could create temp tables for intermediary analysis steps, summaries, etc etc.
If I were DOGE, I would just ask for yesterday's backup database restored on a single server (isolated from the PROD environment completely) and would just do all my analysis there
That's smart. A lot of places do cold or nearline storage offsite so I guess if it wasn't superenciphered (or, if you were given the key) it's lowish impact to clone from that.
It's apparent that Musk has been given a directive by the president to get access to any and all information, and he's getting that access by firing anyone who refuses to give it to him. There's nothing anyone can do to stop that kind of clearance, no one has the authority.
The president's authority to act is legally disputed. It would take a brave underling to say no, but senior staff would have known how to push back. Still... it feels like a very low process.
"The president said so" stamp on a sheet of paper?
Trump has articulated he believes he has the power to declassify or classify anything just by thinking it, and he doesn't even have to tell anyone. So even less process than a stamp on a paper.
They are actual people! Mostly just tired of reading how the opposing side from the elections is not happy. I wish something like that would happen in EU.
It’s not just SSNs, it is earnings and payment data. One of the common ways to authenticate yourself to a bank is to provide the amount of a recent direct deposit. For millions of Americans that is a Social Security payment, and the other side of it is the Treasury payment system in question.
Tax data is also way more sensitive than just SSN, as it includes details about salary, investments, property ownership, marital status, what organizations one supports financially, etc.
Treasury payments also go to companies, including companies engaged in highly sensitive projects like classified weapons systems.
This is all just off the top of my head as someone who is somewhat familiar with the federal government. The article is worth a read for more details.
Typically security of this data is aided by compartmentalization; no one has access to aggregate and collate it all. But now random people do.
And typically the people who secure and work with this data are carefully vetted to reduce the chance they are disgruntled, blackmailed, etc. But now it’s a bunch of random young guys with no clearances or background checks.
And usually many of these systems are air gapped from the Internet. But now they are being accessed with consumer laptops off the street and data is sent off in clear text to commercial data centers where it is likely logged, copied, stored.
It is a real problem that is being swept aside through political signaling. But the real consequences will likely bother Americans for a long time.
Everything you said is false or plain exaggeration.
DOGE are not random people, they are government employees using government owned laptops to do audit on the orders of the President (DOGE is a renamed US Department of Digital Services).
Just because they analyze the data, journalists assume something nefarious is going on, without the actual knowledge of actual risks:
Based on what they do, they only need read-only access to the General ledger transactions. I highly doubt they have access to modify COBOL programs on Treasury mainframes, but rather just operate off of read-only replicas/backups to read and analyze the data.
There are no risks to the Treasury system in this scenario.
There are risks to citizen data. Read access to Treasury includes access to millions of SSN and Social Security payments, tax data and tax payments, federal contract payments including for classified projects, and the routing and account numbers for all of those people and companies.
DOGE staff are bringing laptops in themselves. The previous U.S. Digital Service staff are firewalled from DOGE, including the IT teams who issue and manage equipment.
And DOGE staff are using these random laptops to copy all this sensitive data into private cloud accounts for storage and analysis.
That level of exfiltration of sensitive data is nefarious, and illegal, which is why a federal judge has issued an order to halt it.
Please read the linked article. It’s by a deeply experienced and well-regarded security expert. I get that people are excited to dig out fraud, but sensitive data must remain secure in the process.
There are no risks to citizen data if the data is properly handled.
SSNs are being leaked every year by every large consumer and finance company, it's not even that much of an issue anyways.
SSN is not supposed to be secret info anyways, and any system that allows stealing money just because someone happens to know SSN - deserves to go bankrupt
There is an article that said that a DOGE member had write access as well (See [1]). But it was quickly changed back to read only. So there was a risk, but I can only hope nothing happened.
>> How about you share information about these "vast amounts of waste"? That would certainly help us discuss them!
> You can gaslight all you want.
A request for evidence is gaslighting? That's a fucked up position.
1) No reasonable person should take Elon Musk's word on what is waste and what is not.
2) A lot of essential things look like waste to ignorant people who don't understand what they're looking at. For instance: "SpaceX blew up a lot of rockets. Cut that huge waste of money, and send the work to Boeing!"
3) Like everything, a lot of determinations of "waste" depend entirely on one's point of view. For instance: is space exploration pure waste or an essential activity for humanity to learn more about the universe?
> Sorry, but the burden of proof is on you and those like you to prove that, for some reason, the US federal government is the first government in history to not be wasteful.
The burden of proof is on you to prove a gaggle of twenty-something "engineers" working overtime can parachute in and make good decisions, or even understand what they're looking at.
Honestly, DOGE seems like a distillation of some of the worst and most annoying aspects of software engineering psychology, given extraordinary power (e.g. pathological levels of Engineer's disease and contempt for others).
It's wasteful, that's not the point, and you kinda know that wasn't the point but still decided to create a pedantic strawman. Probably this social ineptitude is a reason you're looking for a job...
Have you watched the video of Elon in the Oval Office from yesterday? The guy's examples are literally like watching a kid pull lies out of his ass because he's caught with his pants down. It's sad to watch, and even sadder still that people are convinced by these lies because it's what they want to believe. All the while, Trump sits there with a hateful look on his face, just glad to be getting vengeance on someone, even if it's you and I.
"just glad to be getting vengeance on someone, even if it's you and I."
I don't know about you, but he's saving me money and his 'hateful' look is about all of the wasted tax dollars.
The Biden administration destroyed our economy by shutting down the oil industry and making it impossible to run a business. After Covid, he had an easy job, which was to open up the economy and bring more business and jobs to the US.
He catered to his ultra liberal base and instead ended his term with a near 25% unemployment rate. We now need someone like Trump to cut the waste immediately or our economy will never be at its previous levels.
I just look at the outcomes: Someone who isn't funneling money directly into their pocket (Look at all of the Democrat politicians that use insider trading to become near billionaires while in office while making very little compared to this), keeping all of his campaign promises, and being completely transparent about his actions is not in the wrong here.