this post was submitted on 19 May 2026
795 points (99.4% liked)

Technology
[–] homesweethomeMrL@lemmy.world 94 points 1 day ago* (last edited 1 day ago) (4 children)

Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

But wait

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.

This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.
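
A defender-side check in the spirit of what the quoted article describes (a local pre-commit scan that refuses to commit AWS access keys, private key blocks, or CSV files with a password column), added here as an example; it is not from the article, the scanning company, or GitHub, and the file names, patterns and sample contents are constructed for illustration:

```python
import re
from typing import Dict, List

# Patterns for the kinds of material the article says were exposed.
# AKIA-prefixed access key IDs are the documented AWS format; the private
# key header covers the common PEM variants. Constructed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
}

def scan_text(name: str, text: str) -> List[dict]:
    """Return one finding per matching line; CSV headers are checked separately."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pat in PATTERNS.items():
            if pat.search(line):
                findings.append({"file": name, "line": lineno, "rule": label})
    # A CSV whose header names a password/secret column is flagged regardless
    # of the values, since plaintext credential tables should never be committed.
    if name.lower().endswith(".csv") and text:
        cols = [c.strip().strip('"').lower() for c in text.splitlines()[0].split(",")]
        if "password" in cols or "secret" in cols:
            findings.append({"file": name, "line": 1, "rule": "csv_password_column"})
    return findings

def scan_staged(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of file name -> contents (what a hook would read from git)."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out

# Constructed sample "staged files"; the key ID is the one AWS uses in its docs.
SAMPLE_FILES = {
    "importantAWStokens": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=us-gov-west-1\n",
    "users.csv": "username,password,role\nalice,hunter2,admin\n",
    "backup/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n",
    "README.md": "Deploy notes.\n",
}

if __name__ == "__main__":
    findings = scan_staged(SAMPLE_FILES)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']}")
    raise SystemExit(1 if findings else 0)  # non-zero exit blocks the commit
```

Wired in as a pre-commit hook, a non-zero exit refuses the commit before the secret ever reaches a remote.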

[–] atomicbocks@sh.itjust.works 44 points 1 day ago (1 children)

As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.

[–] homesweethomeMrL@lemmy.world 6 points 1 day ago

Sorry, I hear ya. You are so not the only one either. Hang in there. Hey - this place may have some open positions soon?

[–] AA5B@lemmy.world 7 points 21 hours ago

“Mistake”. Yeah, no. That’s someone thinking policies aren’t meant for them and blindly taking the easiest path. Sounds just like those 1337 hax0rs they gave the keys to

In a sane world this should get clearances revoked so they never again deal with any private data

[–] CosmicTurtle0@lemmy.dbzer0.com 12 points 1 day ago (2 children)

Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?

The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.

[–] phutatorius@lemmy.zip 1 points 11 hours ago

Not a honeypot. Treason.

[–] homesweethomeMrL@lemmy.world 14 points 1 day ago

I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.

[–] TheVoiceOfRaison@thelemmy.club 9 points 1 day ago (2 children)

ELIT please.

Explain like I'm Trump in case you didn't get the T bit. Sorry.

[–] henfredemars@lemdro.id 21 points 1 day ago* (last edited 1 day ago) (1 children)

Our best and finest left the safe combo next to the safe and then left for 6 months.

Best and finest indeed. Thanks for the dumbing down for me.