Comment by zmgsabst

5 months ago

Lots of government websites are vulnerable early on.

Hope they used good proxies, because this seems like a felony.

> One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.

Oof, not something to put in your article.

> push updates to a database of government employment information

Huh, what would be the goal of connecting this database to an API on or near doge.gov? Surely it's not the "actual"/"source of truth" database, more likely a copy: I can imagine the geniuses thought "let's mirror everything online on a single system so it's easier for all of us to access it and do queries like `WHERE gender NOT IN ('m', 'f') OR race NOT IN ('white')` and get results from all the databases we know of." (I assume there is no single federal employee database?)

And since the truth is whatever they say nowadays, maybe it IS the "source of truth" database.

The massive difference here is that the Doge team is acting quickly, making decisions about government funding and classifications of that spending, e.g. if it's a "scam". If they're supposed computer experts making incorrect decisions about something as simple as web hosting, you can be sure that they're making incorrect decisions in more important topics.

> Lots of government websites are vulnerable early on.

What data are you basing this on? Federal websites have an approval process which includes a security review so I’d expect some familiarity with that in your response.

"Able to" and "Did" are two very different things.

  • > This person showed me two database entries they were able to push to the website, which are live on doge.gov as I write this (archived here and here)

    All you had to do was actually read the article; it’s the very next paragraph from the one I quoted.

> Lots of government websites are vulnerable early on

Would like to see a source on this.

Governments are similar to large enterprises whereby every bit of code going into Production requires a full security, architecture and site reliability review.

There are no doubt bugs in bespoke web applications but for your typical website.