Comment by john_strinlai

14 hours ago

>Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

obviously leaking the credentials itself is crazy, given that it's (a contractor to) CISA, but to not respond when notified? crazy crazy.

but wait! it gets worse somehow

"“AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems"

while i understand and sympathize with the fact that CISA is kind of being gutted, a passwords.csv with weak passwords is inexcusable incompetence. not much budget is required for a password manager.

embarrassing all around.

The word you're looking for is "gross negligence"

Not defending this person, but it's obvious that this person used Github as a file-sync. Firefox-passwords.html and firefox-bookmarks.html are what you dump before migrating to a new computer and importing them there. An old school practice before FF sync was around.

This is mentioned in the article but it stood out enough to call it here.

On the one hand CISA is being gutted, and on the other hand there is ever-increasing rhetoric about cybersecurity, national interests, critical infrastructure...

  • Complaining about gutting, during examples of gross negligence is kind of a sympathy destroyer for me.

    • Gutting doesn't magically solve incompetence. It's an anti-solution that people peddle because it requires literally zero thought or nuance.

      If an organization has systemic incompetence and you gut them, then they're still incompetent but now they're also pressured and therefore more likely to make mistakes. So, you're just in a worse position.

      1 reply →

    • What if they purged all of the competent people and installed party loyalists? That seems to be a recurring theme with this administration. These are guys who unapologetically admire the efficiency of the Nazi party, not realizing that the pervasive incompetence at most levels of the government was one of the driving factors in their ultimate defeat.

Most of the folks I know who were with CISA were purged in the January-March 2025 DOGE campaign. Zero notice: "we 20-year-olds don't understand what you do, so you're fired".

A group was working on Diebold voting insecurity, and foreign implant hacking. Gone.

  • > ...A group was working on Diebold voting insecurity, and foreign implant hacking. Gone...

    The conspiracy theorist in me from years ago would have stated that maybe this action from DOGE was purposeful...but, nowadays, i see lots more incompetence that merely might present/display as conspiracy! lol :-D

The first "hack" I ever reported was when I found a plaintext passwords file on my high school computer network...in 1987. The more things change, the more they stay the same.

  • Mine too, but it was in the late 90's and I found an open table in an Access database that the school district used for grades and attendance. It listed plaintext usernames and passwords for every user in the system. I managed to use that to get to know the district's head of IT and get a summer job with them.

  • Machine Head - Struck A Nerve

    The more things change, the more they stay the same.

    Wise words, lovely song.

DOGE. It's DOGE. This is just things going according to plan for people that think the US government is too powerful or that there is a fortune to be made in stealing public sector resources and privatizing them.

It is a bad plan that has and will continue to harm people, but it is intentional.

  • Yes, DOGE invented storing lists of text passwords and uploading them somewhere. What a monumental cost savings innovation, surely never been done before!

  • Which DOGE employee put this file on GitHub?

    • "I didn't create the epidemic, I just fired all the doctors and dissolved the medical schools"

      Security doesn't happen by magic. It is enforced by process, maintained by people, and built on systems that are built and run by people. Furthermore, when people are under stress and under-resourced, they make more mistakes. This was inevitable given the budget cuts.

      You can't fire everyone at AWS and say one intern will support it, and say that it is a profitable and sustainable restructuring. Any fool can see that will fail, so if it were actually implemented by someone who is not a fool, you can conclude it is intentional.

      4 replies →

  • [flagged]

    • You incorrectly mistake "no authority" for "didn't happen". Judges spank the executive branch for exceeding their authority fairly regularly, including in this case.

      https://lawandcrime.com/high-profile/no-statutory-authority-...

      > The court finds that neither OPM nor OMB have any statutory authority to terminate employees – aside from their own internal employees – "or to order other agencies to downsize" or to restructure other agencies. And, as far as the Elon Musk-led agency is concerned, the judge is withering: "As plaintiffs rightly note, DOGE 'has no statutory authority at all.'"

      https://www.reuters.com/world/us/trump-scores-win-suit-chall...

      > A judge on Tuesday declined to immediately block Elon Musk's government efficiency department from directing firings of federal workers or accessing databases, but said the case raises questions about Musk's apparent unchecked authority as a top deputy to President Donald Trump.

Dealing with IT departments run wild with cyber security monkeys that can only follow checklists with no independent thought.

The spreadsheet of passwords is a tad more common than it should be because the password managers don't meet whatever arbitrary checklist of invented cyber security requirements they blindly follow. But Excel does.

Lol

Sure, it could be incompetence. It could also be an intentional strategy to tie up CISA/DHS resources, poison or obstruct CISA/DHS investigations/operations, open up systems to sunlight and journalism, or cause general chaos.

The not-responding-when-notified part makes me think it's not just incompetence.

  • >The not-responding-when-notified part makes me think it's not just incompetence.

    Strong disagree. The person in question probably thought it was a private repo on Github and had a massive deer in headlights reaction when they got contacted. Whoever this is, lost their job, possibly security clearance and more. This was 100% life altering "mistake"/gross incompetence decision they made.

    • > the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

      That doesn't support the theory that it was a mistake. That was intentional action. Maybe he was being blackmailed, and was coerced to do it. Or maybe he was a foreign agent or sympathizer who had infiltrated the organization.

      1 reply →
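A defender-side illustration of the point made in the comments above, that the platform-side secret blocking was switched off and a plaintext password export still reached a public repo. The following is an added example written for this thread; it is not code from the article, from GitHub, or from any party involved. It is a small pre-commit style check that refuses a commit when a staged file looks like an exported credential store: a browser or password-manager CSV with a password column, a file whose name matches a credential-export pattern, or a PEM private key block. The glob list, header list and the `SAMPLE_FILES` staged-file dictionary are constructed for the example (the one filename is taken from the article quote above); a real hook would read staged paths from `git diff --cached --name-only` instead.

```python
import csv
import io
import re
from fnmatch import fnmatch

# Filename patterns that commonly indicate an exported credential store.
# Constructed list for this example; extend to match local conventions.
SUSPICIOUS_NAME_GLOBS = (
    "*password*.csv", "*passwords*.html", "*logins*.csv",
    "*.pem", "id_rsa", "id_ed25519", ".env",
)

# Column headers used by common browser / password-manager CSV exports.
CREDENTIAL_HEADERS = {"password", "passwd", "pwd", "secret", "token"}

# Any PEM-framed private key, regardless of algorithm label.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def scan_file(path: str, content: str) -> list[str]:
    """Return a list of findings for one staged file (empty if it looks clean)."""
    findings = []
    name = path.rsplit("/", 1)[-1]

    # 1. Filename heuristics: one finding per file is enough.
    for pattern in SUSPICIOUS_NAME_GLOBS:
        if fnmatch(name.lower(), pattern):
            findings.append(f"{path}: filename matches {pattern}")
            break

    # 2. Content heuristic: PEM private key block anywhere in the file.
    if PRIVATE_KEY_RE.search(content):
        findings.append(f"{path}: contains a PEM private key block")

    # 3. CSV header heuristic: a credential-looking column name.
    if name.lower().endswith(".csv"):
        reader = csv.reader(io.StringIO(content))
        header = next(reader, None)
        if header:
            cols = {h.strip().lower() for h in header}
            hit = cols & CREDENTIAL_HEADERS
            if hit:
                rows = sum(1 for _ in reader)
                findings.append(
                    f"{path}: CSV has credential column(s) {sorted(hit)} "
                    f"with {rows} data row(s)"
                )
    return findings


def scan_staged(files: dict[str, str]) -> list[str]:
    """Scan a mapping of staged path -> content; returns all findings."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_file(path, content))
    return findings


# Constructed sample of "staged files" standing in for `git diff --cached`.
SAMPLE_FILES = {
    "notes/AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://example.internal,alice,Summer2024!\n"
        "https://example.internal,bob,Winter2024!\n"
    ),
    "src/app.py": "print('hello')\n",
    "keys/deploy.key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "AAAA...\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_staged(SAMPLE_FILES)
    for finding in results:
        print("BLOCK:", finding)
    # Non-zero exit aborts the commit when run as a pre-commit hook.
    raise SystemExit(1 if results else 0)
```

Wired into `.git/hooks/pre-commit` with the staged paths substituted for `SAMPLE_FILES`, this catches the exact artifact type discussed here (an exported `...Passwords.csv`) locally, before any hosted push-protection setting, disabled or not, gets a say. It is a heuristic, not a secret scanner: a file with no telling name, no PEM framing and no CSV header would pass, which is why it complements rather than replaces server-side scanning.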

    • Maybe. I didn't see enough in the article about the repo owner/committer to make any inference about their intentions and wouldn't jump to conclude it was incompetence or malice or crafty leaking. The only real signal I saw was that the repo didn't immediately turn private when the person was notified.

      For some people, yeah, this could be a career killer. For some other people, it might just precipitate a flight back to Moscow or Beijing or something.