
Whistleblower: DOGE Siphoned NLRB Case Data

rawling

A lot of discussion, a week ago

https://news.ycombinator.com/item?id=43691142

tomhow

Whistleblower details how DOGE may have taken sensitive NLRB data https://news.ycombinator.com/item?id=43691142

1139 points/7 days ago/528 comments

ModernMech

I'm glad this is still being discussed. It seems like there are 4 main threads that we have to deal with right now as a society, and the severity of each means we have no time to deal with just one.

1. Breakdown of rule of law and political systems. Executive usurped Congress and is currently usurping SCOTUS. Both parties are dead. MAGA replaced the Republican party and Democrats are in the wilderness.

2. Destruction of the federal government through DOGE, which is this thread.

3. Destruction of the economy through tariffs and usurping the Federal Reserve by firing the Fed Chair, turning America into essentially a controlled economy.

4. Destruction of non-government institutions like law firms and academia which are power centers that could resist points 1-3.

DrillShopper

RE: 4

The current Attorney General's brother is running for a seat on the Board of Governors of the Washington, DC bar. It is expected that he will carry water for Trump and Bondi and impede any sort of disciplinary action the DC bar may dole out to any attorney working for Trump.

Yet another way Trump has his lackeys putting a thumb on the scale.

qwertox

Related: Whistleblower statement on anomalies at time of DOGE work at NLRB [pdf] - 16 hours ago, 13 comments - https://news.ycombinator.com/item?id=43755298

bgwalter

This whole article reads like a comedy. Hidden accounts, login attempts from Russia (they can't afford IP addresses elsewhere?), and then there is this:

"Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts."

Why does Microsoft have login and account information for a government institution? I'd prefer a mainframe without Windows or Internet access in the basement.

pjc50

> Why does Microsoft have login and account information for a government institution?

Undoubtedly Office365. Difficult to run a bureaucracy without Word or Outlook.

(French/German governments investing in a replacement for this kind of reason: https://www.techspot.com/news/107225-france-germany-unveil-d... )

rurban

Russia and China have run their government offices with their own Linux distributions for a very long time now.

bmacho

That's why we have docx

getlawgdon

1. "Russian IPs" give them plausible deniability for people who are Pavlovian for that soundbite. 2. Plausible deniability no longer required for an administration with components that are obviously Kremlin influenced.

galangalalgol

Both Azure and AWS apparently have the government as fairly large chunks of their userbase. It does raise some questions.

mugsie

apparently? JEDI and Wild and Stormy were two programs just from the DoD and NSA that were 20 billion USD.

AWS, Azure, Oracle, SUSE (via Rancher) and I am sure GCP all have confidential & classified (C/S/TS) clouds, as well as lower FedRAMP clouds to get that sweet sweet federal money.

Not sure what questions it raises, it has been a thing for decades.

galangalalgol

Given that extra information I guess:

Who handles physical security and what sort of place is it located that it can house that kind of data?

To what degree is the federal government subsidizing Amazon's retail dominance?

Cthulhu_

What questions? All of the major cloud operators have government offerings too.

rsynnott

> login attempts from Russia (they can't afford IP addresses elsewhere?)

There’s some history of Russian intelligence being rather blatant here (presumably deliberately, as a way of making a statement). Remember Guccifer 2.0? That persona not only used a Russian IP address, but one which was _assigned to the GRU headquarters building_.

whalesalad

Azure cloud.

red-iron-pine

> login attempts from Russia (they can't afford IP addresses elsewhere?)

why pretend at this point? they own all of the leadership and there won't be consequences

qwery

Sad to see it if this gets killed as a [dupe].

The story has been posted twice, yes. The first submission[0] is ~10 hours older and has 3 comments on it. This one has 348 comments at time of writing. If you care about having an interesting discussion, this one's clearly where it's at.

[0] https://news.ycombinator.com/item?id=43758392

zoba

And that's exactly what happened. Insane.

binarymax

We’ve seen lots of posts about DOGE get killed. It’s not far-fetched to think they are actively working to keep news like this off HN’s front page.

wyldfire

It's interesting, because Edward Coristine was fired from "cybersecurity firm Path Network in 2022 for allegedly leaking internal company information to a competitor" [1]. Seems like an ideal candidate for recruitment by a foreign espionage service. And he'd used accounts on a cybercrime social network [2]. How in the world is this person still able to work anywhere near the government?

But if Russian spies wanted to access US Gov resources, why would they use their own IPs as the origin? Unless getting caught was deliberate, to foment discord?

[1] https://en.wikipedia.org/wiki/Edward_Coristine

[2] https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-...

zmgsabst

As a PSYOP, it’s great:

- create account

- attempt to access whatever records, don’t worry about succeeding

- wait for US news to cause fragmentation

Undermining US unity is an objective of Russian influence, as we’ve seen from the spectrum of advocacy groups they funded ads for.

- - - - -

There’s also the suspicious timing that this happened just as the US was engaged with Russia to negotiate peace in Ukraine — and that this embarrasses the regime doing so and encourages a feud with Russia. (As an indication that it may not be so simple.)

Spying is complicated.

carrja99

DOGE will be an interesting case study in the years to come, to say the least. A friend was contacted by them in an attempt to recruit him to help rebuild the nation's aviation systems from the ground up as a 1099 contractor reporting directly to Sean Duffy. The recruiter advertised it as a side hustle on evenings and weekends paying an abysmal hourly wage. When my friend pointed out that the comp was far below what he makes, the recruiter countered with the prestige that will come with having worked for DOGE.

pjc50

> prestige that will come with having worked for DOGE.

This seems like a highly fragile currency. If things continue to deteriorate a future administration may end up running its own reprisals trials against DOGE staff.

mdhb

I mean I think it would be a fair assumption that there’s a very very real chance that having worked at DOGE will come with credible threats to your safety in the future. This is a team that is currently in the process of killing people's grandparents by cutting them off from social security, building databases of immigrants and people with autism, among a million other fuckups.

People aren’t going to just let that slide. I really don’t think they should expect to live in comfort and anonymity for the rest of their days if you look at how these kinds of things have played out historically, with only a few counterexamples (i.e. the East German Stasi comes to mind as one).

diggan

> things have played out historically with only a few counterexamples

The first counter-example that comes to mind is the "Pact of Forgetting" that happened after Franco died, where basically people agreed to let spilled blood be spilled, without spilling more. Basically hard and difficult questions were avoided in order to facilitate "national reconciliation" when the transition to democracy began in the 1970s.

Depending on the political aftermath when this (pointing everywhere) is done, it's not impossible something similar could happen, to try to let things cool down. Or, it goes the way of the Nuremberg Trials, also a possibility I suppose.

morkalork

Hiring a whole bunch of contractors is almost providing cover. "No, I didn't work on the gulag candidate selection tool, I was just an FAA navigation coder".

During the downfall of ISIS there was a funny quote from a commander in the Iraqi military along the lines of "if you listen to what the prisoners said, you'd think ISIS was entirely staffed by innocent drivers and cooks and never any jihadists".

sanderjd

The prestige of being unable to include it on your resume if you ever want to be able to work again.

Smeevy

Maybe they list it as "Consulting" and list vague achievements in government cybersecurity auditing?

A bunch of them seem young enough to just leave it off and say they were in school. Maybe DOGE counts as a student cybersecurity project?

VagabundoP

Achievements and Hobbies: Destroyed US democracy, Kayaking and Bivouacking.

SketchySeaBeast

Oh, I'm sure some companies admire the "move fast, break things, don't care who you hurt, just follow orders" ethos.

insane_dreamer

Rebuilding something as critical as the nation’s aviation system using underpaid 1099s working nights/weekends is certainly not the way to build a robust and fault-tolerant system. Idiots!

roflyear

It's a great case study of someone having no knowledge of something coming in and saying "we can save half the budget" then, oops - saying maybe they can do 5% of the original promise, lol.

I wonder how much DOGE is going to cost at the end of the day? I hope not literally billions of dollars, so maybe the $100b-200b they save will be net positive after the lawsuits, etc..

Longwelwind

> Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.

This feels funny to read, for some reason.

honeybadger1

It's written in a way to sound nefarious but is more an admission of technical ignorance.

qwertox

Not at all: it says DOGE appears to have created a container in a place where containers were never created by NLRB. Tell THAT to someone who doesn't know what Docker is, and it is less informative.

Where's the technical ignorance?

Ukv

I think it sounds a bit off in the same way as "Linux, a computer program commonly used by hackers, was found on the suspect's machine" does, though not to that extent.

It's not saying anything technically untrue, and emphasising the aspects it does arguably makes sense within the context of what the concept is being brought up for, but it comes across as an odd framing for people familiar with the concept in general (using containers for standardization/scaling/etc.)

Maxious

From the email shown in the photo, it seems like DOGE was trying to build and run a docker container using Integuru (YC W24) https://news.ycombinator.com/item?id=41983409 to scrape the system

DrillShopper

I was wondering when Y Combinator affiliated companies were going to show up to help DOGE dismantle democracy, and it looks like we've found the first instance.

lima

Editorialized by the reporter, not the original report.

crawsome

No, it’s malicious.

They intentionally turned off logging. Only attackers and criminals do that.

nonrandomstring

This is a smoking gun. I'm a little shocked at how little MSM coverage this is getting and the moral gymnastics some commentators are performing to lend a veneer of innocence to this. It's an incident on par with 1950s Cambridge ring [0] and I cannot understand why an investigation team from the Pentagon are not all over this kicking-in doors and taking names?

[0] https://en.wikipedia.org/wiki/Cambridge_Five

zo1

It's just docker containers. As a technical person I was confused reading that at least 3 times until I made the mental connection that it's docker containers. So yes, you are right, it's made to sound more opaque and nefarious than one would normally assume in our field. If they have a policy that says we can't run docker containers in network A or zone B then just say so, but don't lie to make it sound like Russian hackers. That's the kind of shit that makes fence sitters and reasonable people across the aisle not trust your motives.

Anywho, this whole "opaque" or "untrusted" code running in a VM is the same lingo that big corporates use to gatekeep newer technologies that bypass traditional processes. E.g. "oh sorry you can't test locally because you need to use our officially licensed and expensive Oracle DB instance. Oh and BTW, you can't use the free container image that Oracle provides free of charge. It's running 'untrusted' code in our network." and endless variations of that.

kmitz

How come this article has disappeared from the HN front page? Posted 2 hours ago and with 649 points.

PyWoody

morkalork

Huh, I've never seen "active" before, it looks like one of the hidden views like pool. Can't blame people for not seeing a thread there...

diggan

Boy do I have news for you: https://news.ycombinator.com/lists

Bunch of other fun links in the footer too :)

jerrygenser

It's not flagged. Is it shadow banned? Is that a thing on Hacker News?

kmitz

I hope not. It would be such a disappointment.

cluckindan

It is a thing though

mdhb

Dang and other editors manually tweak things regularly to make sure stuff like this is not on the front page and consider that to be a feature not a bug and are not at all interested in listening to any criticism that maybe that’s not the right move in 2025.

tomhow

This is false.

This story spent 18 hours on the front page seven days ago, and attracted over 1100 upvotes and over 600 comments. It also attracted dozens of community flags, but we turned off the flags in order to give the story full visibility.

https://news.ycombinator.com/item?id=43691142

ineedasername

Possibly because Y now has some of its startups involved with DOGE and other government activities. Keep in mind that much of the tech world’s anarchocapitalism ideology being implemented came from or has been the “thought leaders” behind this website.

tomhow

You guys!

Paul Graham (the only "thought leader" behind this website) loudly campaigns against the current U.S. administration almost every day on Twitter.

One YC-backed founder out of more than 10,000 is volunteering with DOGE.

A more thorough response to this trope can be found here:

https://news.ycombinator.com/item?id=43734897

pera

Is Graham still involved in HN?

While it's true that he has spoken against Trump many times, Garry Tan is very close to Thiel, Musk, and the MAGA movement in general. Didn't he recently show support for DOGE as well?

Of course, YC is more than its current CEO and hopefully this doesn't affect the moderation of this website :)

ineedasername

His responses to these particulars are less relevant than his career of pushing ideas that have fueled the anarcho-capitalist agenda where the following seems virtuous rather than destructive of equitable law and society:

If you follow the logic of his essays—especially ones like “How to Make Wealth,” “Do Things that Don’t Scale,” or “Hackers and Painters”—you end up in a world where:

• The best people ignore rules that slow them down.

• Regulation is often just cargo-cult bureaucracy.

• Wealth is proof of virtue, or at least utility. Wealth + the rest = do what you want if you think you’re right and can get away with it

• Institutions should get out of the way of smart individuals.

• And the market, not the government, should determine value.

nineplay

Loudly complaining on a closed platform controlled by the unelected darling of the current administration is less impressive than he might hope. He has a high-profile blog that is silent on the current administration but highlights an article critical of "Wokeness".

sofixa

> Paul Graham (the only "thought leader" behind this website) loudly campaigns against the current U.S. administration almost every day on Twitter

Does he? https://x.com/paulg (maybe moderated by Musk/Twitter) only shows tweets about Gaza suffering which could be construed as criticising the current administration. On the contrary, I see multiple tweets jerking off Elon Musk (part of the current administration) and calling for compassion and personal sacrifice towards people who voted for Trump. Yes, there's "why you should vote for Kamala" tweet, but nothing critical of the current Trump regime. Let alone daily.

nineplay

PG is a tech billionaire and I don't trust any of them more than I can throw them. They'll put on a nice "Don't be evil" face and then smash us under their heels.

whalesalad

I was just asking myself the same thing.

kmitz

The FAQ says rankings can be affected by automated moderation. I'd appreciate having this clarified by a mod if one happens to read my words. Thanks.

> How are stories ranked?

> The basic algorithm divides points by a power of the time since a story was submitted. Comments in threads are ranked the same way.

> Other factors affecting rank include user flags, anti-abuse software, software which demotes overheated discussions, account or site weighting, and moderator action.

whalesalad

> software which demotes overheated discussions

I'm inclined to think this is it. Can't have the populace too rowdy - gotta settle them down.

roflyear

Stuff gets flagged as "flamebait" or something similar (forget the exact term) on HN - I think this can be done manually and is also automated, but it can definitely be turned off manually by mods - and it gets sent to the void b/c of risk of starting unwanted conversations.

tomhow

You guys! No topic has been anywhere near as heavily discussed this year on HN:

https://hn.algolia.com/?dateEnd=1745332080&dateRange=custom&...

mdhb

Or censored. Don’t present this issue as a one-way street; it’s very clearly not the case.

Havoc

Wild that this isn’t squarely in treason territory

Cthulhu_

It's only treason if someone in power actually charges them for it.

berkes

What would be "treason territory"? The leaking or the siphoning of case data?

jimbokun

Because the impeachment attempts failed, the legal cases against Trump mostly failed, the Supreme Court inoculated him from further prosecution, and he got reelected.

The checks and balances have all been used up and failed.

finnjohnsen2

Seen from afar, it seems that Trump is so close to absolute power that he can simply brush off what should be scandals with real consequences. How _everyone_ survived the Signal scandal blows my mind.

adestefan

I could stand in the middle of 5th Avenue and shoot somebody and I wouldn't lose voters.

Y_Y

Same, but that's just because I don't have any voters

sjsdaiuasgdia

It's shocking how prescient this quote is turning out to be. There's a significant chunk of the US voting population that is willing to forgive effectively anything Trump might do, no matter how distasteful, illegal or unconstitutional it gets.

Using the DoJ to go after his perceived enemies. Mob boss protection rackets against universities and law firms. Revoking visas for traffic violations...or nothing at all. Putting people into a foreign prison camp without a chance for due process, and refusing to do anything about the inevitable errors and rights violations that result. Eliminating oversight roles and agencies, enabling grift, theft, and fraud for himself and his friends. Selling cars on the White House lawn. Hiring incompetent people and not firing them when they inevitably do incompetent things (looking at you, Hegseth and RFK Jr). Refusal to admit failure or error regardless of how obvious it is. Constant lies about what he has accomplished. Destroying the US economy with erratic and unstable tariff policies. And so much more...

And they eat it up.

littlestymaar

He would likely lose a bunch of independent voters, but your point still stands if we're only talking about the MAGA crowd.

intended

I’ve been noodling this argument ever since November, and I am pretty confident now that America has a fragile, asymmetric information economy.

Most Americans on the right live in a protected information market. I am not talking about media bias — both sides have that. The issue is deeper: on the right, the marketplace of ideas has been captured. There's no free trade between ideas, only ‘subsidized’ narratives and ‘tariffs’ on dissent. That’s how Trump — or anyone like him — thrives. Realists, by contrast, get priced out.

This isn’t culture war stuff, this is structural failure. The traditional metaphor of American free speech — the Holmesian "marketplace of ideas" — breaks down when one side captures the market.

There is no competition of ideas when there is no fair fight.

If you’ve got a couple of million bucks to spend, my guess is start buying up and supporting local news channels in the rust belt, and then let them work on whatever they want to work on, as long as they can show actual independence.

Or perhaps gift people subscriptions to things like groundnews or something. I don’t know if there's any science that shows it effectively diversifies information consumption of its users.

I don’t know what the napkin math is for a tipping point, but I suspect it's not as expensive as litigating an entire administration.

zo1

Yet he literally can't get existing laws to be policed and acted on by government officials. Hardly absolute power when judges brush off his work left, right and center.

Muromec

Not enough authoritarianism, I see.

ohgr

You mean brush off the bits where he’s breaking the law right? You know the laws that were there because once they weren’t and things broke.

Hnrobert42

Like what?

FranzFerdiNaN

Yes, judges still apply the law. But so what? Trump just ignores their verdicts. And it's all fine and dandy, because he is a cult leader, and his followers are now everywhere.

submeta

"Russia accessing US data using Russia IP"

Is it me or does this sound like someone trying to create a Russia connection here? Why would Russian intelligence do this so amateurishly? As if they want to get caught. - Cui bono?

jfengel

The pattern has been that they don't particularly care about getting caught. The goal is to sow chaos, rather than any specific task. They like to goad you into making mistakes.

What do they want with NLRB data in the first place? Maybe they have an idea; maybe not. The goal is "we got your data, be worried". Getting caught furthers that.

dinoqqq

I'm not so sure. Look at the bargaining power in geopolitics a country gets when they know a certain country hacked them (Dem. hacks, Clinton email hacks, by Russia). It is always better to hide your tracks or to blame someone else. Especially if it can be done easily.

freen

Remember: the Russians also hacked the Republican email server as well, just, those emails were never released.

XorNot

The Russians assassinated someone on British soil using a radioactive agent that can only be made in nuclear reactors, and is incredibly expensive to extract and transport.

There are literally dozens of ways to kill a guy, if you must poison him, which are cheaper in every possible way and can be sourced locally by someone with the sort of basic chemistry knowledge an intelligence agency would have on payroll, or from a drunk undergrad.

Which is to say: Russia's MO has at no point been "subtlety", it's been vranyo: a lie they tell where you know they're lying, but are obliged to pretend the other party is not.

FireBeyond

They don't care, and also, their expectation from DOGE was probably "Logging is turned off, here's the credentials, go".

bilekas

There's no need to try and attempt to connect anyone, the entire thing is smelly enough.

Looking at the IP it might be a mobile connection.

> Russia

> MOW

> Moscow

> Moscow>

> 144700

> 55.7558

> 37.6173

> MegaFon

So, let's say it was one of the contracted private individuals that just happened to be travelling in RU for WHATEVER reason and wanted to test the login, and decided to just use their hotspot.

Given the level of incompetence here it wouldn't surprise me. But this is what whistleblowers are for, starting investigations. Now we will have to wait months and years of bureaucratic nonsense and legal challenges to every information request required for the investigation to even get started.

It's incredibly frustrating.

Muromec

If one is using roaming, does it show the IP of locality they are actually in or the IP assigned to their home operator? I vaguely remember that it's the latter.

fabioborellini

At least with European 2G/3G/4G it's the latter, their home country IP.

bilekas

I honestly don't know, I am just trying to do mental gymnastics to imagine why this would even happen.

Also I haven't played with eSIM cards either, so I'm not sure of their behaviour.

Yizahi

Why would you assume Ruzzian Intelligence if only an IP address has been mentioned? Also, if it was such an agency, why wouldn't the supposed shiba-doge leaker/spy provide them a warning that a regional restriction firewall exists?

Go with the most probable case - one of the shiba-doge amateurs had a virus on his laptop, and after creating an account those credentials were automatically siphoned to some bot farm in the Ruzzian segment, from where a few automated attacks were initiated by a botnet, which were blocked by a regional firewall.

Muromec

> Why would you assume Ruzzian Intelligence if only IP address has been mentioned?

because they have a theoretical capability to get the credentials that were being used and would love to have a database dump to figure out what to do with it later. The botnet explanation is also plausible, but not mutually exclusive.

AnimalMuppet

DOGE people were brand new to the infrastructure. (That's one of the criticisms - they're doing all this wild activity without really understanding the environment they're working in.) So they very plausibly would not know about the region-restricting firewall.

And then, they tried to get it shut off as soon as they found out it existed.

Yizahi

I would assume that Mr. Berulis would mention taking down said firewall and the subsequent successful access from the foreign IP. So far it seems that all the data was stolen by bulldoge people for the internal USA masters (Elon likely), at least at the first step. And it makes sense, because Elon and his cronies do profit from the NLRB info and have a preexisting history of attacking them. While at the same time Ruzzians probably won't have any use for the data itself, and planting a backdoor in the system would be done in a more quiet way. As it stands now, that whole system would need to be sanitized after the dog invasion, and all backdoors will be destroyed most likely.

adgjlsfhk1

> As if they want to get caught

no. as if they don't care about being caught.

crawsome

Right, because they got caught before and the Supreme Court and the right side of the aisle bailed him out time and time again.

b3lvedere

My humble personal hypothesis (so this could be totally completely wrong, because it's just a hypothesis) is that this is not about information, but about chaos. For the layman it seems connecting the dots is more than sufficient to get to a conclusion. As if somewhat tech adept people have been given very powerful tools, but not the entire oversight of what their actions might cause.

dinoqqq

It also raised my suspicion.

What I generally don't get is that in so many hacks they state "this came from a Russian|Chinese|Iranian IP address", hinting that it came from that country probably.

Can someone in the security industry maybe elaborate if this makes sense or not?

athrowaway3z

As a technical problem, correlating # bytes @ time is very simple and you don't need a PhD to solve it. It's a matter of how many measurement points on the network you have available.

Having said that, I doubt they checked, and who cares where it landed? It's out.

Occam's Razor on doge (and the admin as a whole) points to opportunist amateurs, fraternizing on bravado & loyalty while willing to entertain treason by jumping through hoops for why it can't bother them.

Looking for deeper layers is a distraction. Nostalgic even.

I can empathize.

nonrandomstring

Something worth knowing is that "attribution" is extremely difficult.

Also "attribution engineering" is really quite easy and difficult to see through.

Often the purpose of a hack is not to exfiltrate data or sabotage systems but is exactly to direct blame (or sometimes distract/misdirect).

Indeed in vault 5 of Snowden's NSA leaks an "attribution engineering toolkit" was an interesting find. Malware is almost always engineered to throw forensic investigators off the scent.

That all said, I think this incident happening in US gov, in the current climate, without immediate urgent investigation is scandalous and in itself an indicator of deeper and very serious skulduggery.

hsbauauvhabzb

Not really. I am not a doge supporter, but if I was and I wanted to troll the left, I would route traffic through a rented VPS with a Russian IP.

It’s possible to route traffic such that assuming the crypto is perfect, the actual vps is not able to decrypt data.

I also think that if I were a doge member and _wanted_ to leak data to Russia, this is the exact opposite of how I’d go about doing it.

SketchySeaBeast

We're firmly in the realm of 1984-type arguments: "The Party told you to reject the evidence of your eyes and ears".

It makes me sick we're even considering "trolling" as a motivation here but, given that we are, it's clear we're at the level of stupid that they would brazenly leak data to Russia. These people are not the best, they are not the brightest, and there's no reason to assume they are playing 4D chess when checkers is working for them.

freen

Why go through the effort of sneaking in the back door if the front is wide open?

dornan

[dead]

sigwinch

It’s important to carefully watch which US official opens up the login policy to whitelist the region of Russia.

galangalalgol

Assuming the policy wasn't known and it wasn't meant to be seen. But either way... Backdoors in bleb starlink access points surreptitiously added to the roof of the GSA, how would you ever begin to undo this level of compromise?

az09mugen

Is it possible to have a Russian IP with a VPN maybe ?

dornan

Yes, with a residential/mobile proxy. Russian proxies are cheap because they're blocked or heavily scrutinized by many interesting networks, due to the rampant and unpunished misbehavior of some people in Russia.

Would it make any sense at all for a government agency (DOGE) to buy shady residential proxies in order to log in to their super-admin accounts? No. Nearly every government bans foreign IP addresses from accessing internal systems. That leaves the question: why did that log-in attempt happen? There may be another explanation, but the only thing that comes to mind is that someone in Russia using a mobile internet connection tried to log in but forgot to enable his VPN before doing so.

I don't see a legitimate reason to require no logging either. If you're investigating things, you want your activities logged in a way you can't alter because it demonstrates how you found the evidence, and that you aren't just making things up.

RajT88

The IP is mentioned in the article. It belongs to a cell provider. Technically possible to have a VPN endpoint on a cell network, but unlikely.

Cthulhu_

Why would a representative of a US government agency use a Russian VPN with legitimate, freshly created login credentials? I'm confident this is against all the cybersecurity rules in place.

I also don't understand why the HN comment section is full of people trying to make excuses or explanations.

pcaharrier

Notice that the email from the deputy CIO mentions SCuBA. This is the "Secure Cloud Business Application Project" from CISA. If you look at two of the required policies you will find this:

"A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role."[1]

and

"Privileged users SHALL be provisioned with finer grained roles instead of Global Administrator."[2]

So at least for the agency-wide removal of security administrator roles, that would seem to be unrelated to anything DOGE was doing. The NLRB was supposed to be doing that anyway.

[1] https://www.cisa.gov/resources-tools/services/m365-entra-id#... [2] https://www.cisa.gov/resources-tools/services/m365-entra-id#...

jabiko

This is about the Global Administrator role. I don't believe that the employee had this role to begin with.

Otherwise this quote wouldn't make sense:

> [...] top-tier user privileges that neither Berulis nor his boss possessed

However, my guess would be that this is the role that DOGE employees requested to be assigned as it is the role with the highest level of privileges.

GranularRecipe

Is this a new policy? Otherwise, why this sudden and broad implementation so that "suddenly none of the IT employees at the agency could do their jobs properly anymore" (according to the source).

pcaharrier

It's pretty new, yes. The binding operational directive from CISA only came down in December. Agencies are in the midst of running the assessment tools and implementing the changes right now. See here: https://www.cisa.gov/news-events/directives/bod-25-01-implem....

ImPostingOnHN

The policy you linked doesn't say "agency-wide removal of security administrator roles". It discusses a limit. That says nothing about how many there were here, how it suddenly changed, how elmu's DOGE was able to gain administrator access despite these restrictions, how elmu's DOGE administrators were chosen, etc.

pcaharrier

Yes, a limit of eight. Meaning that if there were more than eight across the agency, the rest were supposed to be removed by order of CISA. So the binding operational directive is a plausible, alternate explanation of the facts reported in the article. Again, I didn't just do a Google search and come up with this; the Deputy CIO specifically mentioned SCuBA in the email that's put in the article. It's not my fault that neither Krebs (nor anyone else, apparently) decided to look into what the email meant by "SCUBA."

Neil44

Removing admin from people who don't need it is 100% the correct thing to do according to any IT guidelines you could quote. And of course, every single user will whine that they're special and really really need it. With regards to the rest of the article, there's definitely stuff to be investigated here but I don't see the investigation yet.

pcaharrier

"Removing admin from people who don't need it is 100% the correct thing to do"

Indeed. And if you look at the picture of the email from the deputy CIO he mentions SCuBA (see here: https://www.cisa.gov/resources-tools/services/secure-cloud-b...). Cleaning up unnecessary admin roles is exactly the kind of thing that CISA itself is requiring agencies to go in and do.

GranularRecipe

> Removing admin from people who don't need it is 100% the correct thing to do according to any IT guidelines you could quote. And of course, every single user will whine that they're special and really really need it.

You assume that "suddenly none of the IT employees at the agency could do their jobs properly anymore" is whining and not substantial?

Shouldn't the least privilege principle be a culture (a standardised and automated process) and not something that happens ad hoc?

sanderjd

Did you read the part where they kept them from reporting to the agency who would investigate?

bayindirh

From my understanding, the whistleblower is one of the admins, so why shouldn't he have the rights?

whalesalad

You’re focusing on the wrong thing. You’re not wrong but why is this the bone to pick? The big story here is that priv accounts were created, shortly thereafter they were being utilized from Russia, and data exfiltration occurred.
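As an added illustration (not part of the thread or the article), here is how a defender could correlate the three signals whalesalad lists in a tenant's audit log: a privileged role grant, a sign-in from outside the allowed region shortly afterwards (blocked or not), and audit logging being switched off. The events, the account name and the country allowlist are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for this example: only US sign-ins are expected, and a
# sign-in from elsewhere within 24h of a privileged role grant is suspicious.
ALLOWED_COUNTRIES = {"US"}
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}
WINDOW = timedelta(hours=24)

# Constructed sample audit events (ISO-8601 UTC); not real log data.
EVENTS = [
    {"time": "2025-03-03T14:02:00", "event": "RoleAssigned",
     "user": "svc-example-01", "role": "Global Administrator"},
    {"time": "2025-03-03T14:30:00", "event": "SignIn",
     "user": "svc-example-01", "country": "US", "result": "success"},
    # Correct credentials, but blocked by the geo policy: still worth an alert.
    {"time": "2025-03-03T14:45:00", "event": "SignIn",
     "user": "svc-example-01", "country": "RU", "result": "blocked"},
    {"time": "2025-03-03T15:00:00", "event": "LoggingDisabled",
     "user": "svc-example-01", "target": "unified audit log"},
    {"time": "2025-03-04T09:00:00", "event": "SignIn",
     "user": "jdoe", "country": "US", "result": "success"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events):
    """Return alert tuples for foreign sign-ins on freshly privileged
    accounts and for any audit-logging change, in time order."""
    granted = {}  # user -> time of most recent privileged role grant
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = _ts(e["time"])
        if e["event"] == "RoleAssigned" and e["role"] in PRIVILEGED_ROLES:
            granted[e["user"]] = t
        elif e["event"] == "SignIn":
            when = granted.get(e["user"])
            if (e["country"] not in ALLOWED_COUNTRIES
                    and when is not None and t - when <= WINDOW):
                alerts.append((e["user"], "foreign_signin_after_privilege",
                               e["country"], e["result"]))
        elif e["event"] == "LoggingDisabled":
            # Disabling the audit trail is itself the loudest signal.
            alerts.append((e["user"], "audit_logging_disabled", e["target"]))
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The point of keeping the blocked attempt in the output is that a geo-block only proves the policy worked once; the credential itself is still in the wrong hands.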
