Comment by zmgsabst
5 months ago
Lots of government websites are vulnerable early on.
Hope they used good proxies, because this seems like a felony.
> One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.
Oof, not something to put in your article.
> push updates to a database of government employment information
Huh, what would be the goal of connecting this database to an API on or near doge.gov? Surely it's not the "actual"/"source of truth" database, more likely a copy: I can imagine the geniuses thought ""let's mirror everything online on a single system so it's easier for all of us to access it and do queries like "WHERE gender NOT IN ('m', 'f') OR race NOT IN ('white')" and get results from all the databases we know of."". (I assume there is no single federal employee database?)
And since the truth is whatever they say nowadays, maybe it IS the "source of truth" database.
[flagged]
> but you made up slander they’re bigots?
https://en.wikipedia.org/wiki/Joke
Yawn indeed.
What a snowflakey thing to say.
The massive difference here is that the Doge team is acting as quickly making decisions about government funding and classifications of that spending e.g. if it's a "scam". If they're supposed computer experts making incorrect decisions about something as simple as web hosting you can be sure that they're making incorrect decisions in more important topics.
[flagged]
Many on the Doge team are software engineers. And calling it an audit is being very generous. Looking at the Doge feed on approved state media it's mostly just DELETE FROM Contract WHERE Description like '%DEI%'
Edward "Big Balls" Coristine's prior experience is mainly in websites. https://www.muskwatch.com/p/doge-teen-ran-image-sharing-site
Odd question considering they didn't say that being an audit team is what makes them an expert at websites, or that they were experts at websites specifically.
2 replies →
DOGE isn't staffed with seasoned auditors (the government actually has those, and they're called Inspector Generals, and they mostly got fired by Trump); it's staffed with engineers who are supposed to be making the government "more efficient", and who are completely unqualified to determine whether something is "wasteful" or not.
> Lots of government websites are vulnerable early on.
What data are you basing this on? Federal websites have an approval process which includes a security review so I’d expect some familiarity with that in your response.
"Able to" and "Did" are two very different things.
> This person showed me two database entries they were able to push to the website, which are live on doge.gov as I write this (archived here and here)
All you had to do was actually read the article; it’s the very next paragraph from the one I quoted.
Apologies. Missed that line, you are quite correct.
> Lots of government websites are vulnerable early on
Would like to see a source on this.
Governments are similar to large enterprises whereby every bit of code going into Production requires a full security, architecture and site reliability review.
There is no doubt bugs in bespoke web applications but for your typical website.
[flagged]
AFAIK, that referred to a DDOS by LulzSec, rather than a hack
> Lots of government websites are vulnerable early on
Citation?
[flagged]