Valadon’s company continuously scans public code repositories on GitHub and elsewhere for exposed secrets, automatically alerting the owners of offending accounts to any apparent exposure of sensitive data. Valadon said he reached out because the owner in this case wasn’t responding and the exposed information was highly sensitive.
Valadon said the exposed CISA credentials are a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show the CISA administrator disabled GitHub’s default protection (push protection) that blocks users from publishing SSH keys or other detected secrets in public code repositories.
“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”
One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.
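As an added illustration of the automated secret scanning described above (this is example code written for this page, not the tooling of Valadon’s company and not GitHub’s own scanner), the following Python scanner checks only the lines a git patch adds, the way a pre-commit or pre-receive hook would. The rule set, the entropy thresholds, the file paths and the sample diff are all constructed for the example; the AWS key values are the placeholder credentials AWS uses in its documentation, not real secrets.

```python
"""Minimal added-line secret scanner for git diffs (added example, not the article's tooling)."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Illustrative rule set, an assumption of this example. Production scanners
# (GitHub push protection, gitleaks, ggshield) ship hundreds of such rules.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "password_assignment": re.compile(r'(?i)(?:password|passwd|pwd)\s*[=:]\s*["\']?([^\s"\']{6,})'),
}
# Entropy rules catch opaque material no pattern names (e.g. an AWS secret access key).
# Random base64 approaches 6 bits/char while random hex tops out at 4, so each class
# gets its own rule-of-thumb threshold (assumed values, not measured on real data).
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}(?![A-Za-z0-9+/])")
HEX_TOKEN = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,}(?![0-9a-fA-F])")
BASE64_THRESHOLD, HEX_THRESHOLD = 4.5, 3.0
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    preview: str  # redacted on purpose: a scanner must not echo the secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(secret: str) -> str:
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_line(path: str, lineno: int, line: str) -> list[Finding]:
    found = []
    for rule, rx in RULES.items():
        for m in rx.finditer(line):
            found.append(Finding(rule, path, lineno, redact(m.group(0))))
    for rule, rx, threshold in (("high_entropy_base64", BASE64_TOKEN, BASE64_THRESHOLD),
                                ("high_entropy_hex", HEX_TOKEN, HEX_THRESHOLD)):
        for m in rx.finditer(line):
            if shannon_entropy(m.group(0)) > threshold:
                found.append(Finding(rule, path, lineno, redact(m.group(0))))
    # A CSV whose header names a password column is a plaintext credential dump.
    if path.lower().endswith(".csv"):
        cells = [c.strip().lower() for c in line.split(",")]
        if any(c in ("password", "passwd", "secret") for c in cells):
            found.append(Finding("csv_password_column", path, lineno, line[:40]))
    return found


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a unified diff adds; removed lines and old context are ignored."""
    findings, path, lineno = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            target = raw[4:].strip()
            path = None if target == "/dev/null" else re.sub(r"^[ab]/", "", target)
        elif raw.startswith(("--- ", "diff ", "index ")):
            continue
        elif (m := HUNK_HEADER.match(raw)):
            lineno = int(m.group(1))  # line number on the new side of the hunk
        elif raw.startswith("+") and path is not None:
            findings.extend(scan_line(path, lineno, raw[1:]))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1  # unchanged context still occupies a new-side line
    return findings


# Constructed sample diff. Key values are the documented AWS placeholder credentials.
SAMPLE_DIFF = """\
diff --git a/importantAWStokens b/importantAWStokens
--- /dev/null
+++ b/importantAWStokens
@@ -0,0 +1,2 @@
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/backup/users.csv b/backup/users.csv
--- /dev/null
+++ b/backup/users.csv
@@ -0,0 +1,2 @@
+username,password,role
+admin,Summer2024!,superuser
diff --git a/.ssh/id_ed25519 b/.ssh/id_ed25519
--- /dev/null
+++ b/.ssh/id_ed25519
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(key body omitted from this constructed sample)
+-----END OPENSSH PRIVATE KEY-----
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -10,3 +10,4 @@ Setup
 Run the installer.
-Then log in.
+Then log in with your own credentials.
+Never commit credentials to this repo.
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_diff(text)
    for f in hits:
        print(f"{f.rule:22} {f.path}:{f.line}  {f.preview}")
    sys.exit(1 if hits else 0)
```

Run as `git diff --cached | python3 scan.py` from a pre-commit hook and the non-zero exit blocks the commit; on the sample diff it flags the AWS key ID, the high-entropy secret key, the CSV password column and the private key header, and leaves the README prose alone. A client-side hook is the same class of control the administrator in the article switched off, so the copy that matters is the one enforced server-side (pre-receive hook or the hosting platform's push protection), which a committer cannot disable with a local command.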
But wait
This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.
“Mistake”. Yeah, no. That’s someone thinking policies aren’t meant for them and blindly taking the easiest path. Sounds just like those 1337 hax0rs they gave the keys to
In a sane world this should get clearances revoked so they never again deal with any private data
As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.
Sorry, I hear ya. You are so not the only one either. Hang in there. Hey - this place may have some open positions soon?
Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?
The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.
I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.
ELIT please.
Explain like I’m Trump, in case you didn’t get the T bit. Sorry.
Our best and finest left the safe combo next to the safe and then left for 6 months.
Best and finest indeed. Thanks for the dumbing down for me.
Woke computer nerds fucked us
Edit: just to reassure the more anxious amongst us, I mean ‘woke’ in the maga sense of anything-i-don’t-like-is-woke. Not actually woke.
Actually woke computer nerds observe proper security protocols ffs.
Unfortunately you can’t ironically pretend to be a dumb asshole on the internet because you become indistinguishable from the actual dumb assholes
Poe’s law binds us all