Comment by zmgsabst
8 days ago
Lots of government websites are vulnerable early on.
Hope they used good proxies, because this seems like a felony.
> One of the sources told 404 Media that they were able to push updates to a database of government employment information after studying the website’s architecture and finding the database’s API endpoints.
Oof, not something to put in your article.
> push updates to a database of government employment information
Huh, what would be the goal of connecting this database to an API on or near doge.gov? Surely it's not the "actual"/"source of truth" database, more likely a copy: I can imagine the geniuses thought "let's mirror everything online on a single system so it's easier for all of us to access it and do queries like "WHERE gender NOT IN ('m', 'f') OR race NOT IN ('white')" and get results from all the databases we know of". (I assume there is no single federal employee database?)
And since the truth is whatever they say nowadays, maybe it IS the "source of truth" database.
[flagged]
> but you made up slander they’re bigots?
https://en.wikipedia.org/wiki/Joke
Yawn indeed.
What a snowflakey thing to say.
The massive difference here is that the Doge team is acting quickly, making decisions about government funding and classifications of that spending, e.g. if it's a "scam". If they're supposed computer experts making incorrect decisions about something as simple as web hosting, you can be sure that they're making incorrect decisions in more important topics.
[flagged]
Many on the Doge team are software engineers. And calling it an audit is being very generous. Looking at the Doge feed on approved state media it's mostly just DELETE FROM Contract WHERE Description like '%DEI%'
Edward "Big Balls" Coristine's prior experience is mainly in websites. https://www.muskwatch.com/p/doge-teen-ran-image-sharing-site
Odd question considering they didn't say that being an audit team is what makes them an expert at websites, or that they were experts at websites specifically.
DOGE isn't staffed with seasoned auditors (the government actually has those, and they're called Inspector Generals, and they mostly got fired by Trump); it's staffed with engineers who are supposed to be making the government "more efficient", and who are completely unqualified to determine whether something is "wasteful" or not.
> Lots of government websites are vulnerable early on.
What data are you basing this on? Federal websites have an approval process which includes a security review so I’d expect some familiarity with that in your response.
"Able to" and "Did" are two very different things.
> This person showed me two database entries they were able to push to the website, which are live on doge.gov as I write this (archived here and here)
All you had to do was actually read the article; it’s the very next paragraph from the one I quoted.
Apologies. Missed that line, you are quite correct.
> Lots of government websites are vulnerable early on
Would like to see a source on this.
Governments are similar to large enterprises whereby every bit of code going into Production requires a full security, architecture and site reliability review.
There is no doubt bugs in bespoke web applications but for your typical website.
[flagged]
AFAIK, that referred to a DDoS by LulzSec, rather than a hack.
> Lots of government websites are vulnerable early on
Citation?
[flagged]