I don't see any evidence that this should be the case. My email appears in dumps on haveibeenpwnd too, because of database dumps. How is that evidence that there's a key logger on my system?
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
> user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware.
So this isn't from website dumps with plaintext passwords.
If I did highly secure work (which I don’t), I’d set up a few honeypot machines and input my “secure credentials” (with a bogus password) into that repeatedly.
Yeah, inputing "secure credentials" traceable directly to you with what you'd hope is a bogus password is a very bad idea, especially if you're doing highly secure work.
These aren't local credentials, these are credentials from various third-party websites that made their way into stealer logs. Garbled or not, using your personal email address for both legitimate purposes (e.g. Google Calendar, as the article points out) and honeypots isn't the best idea.
Ah, I thought you meant what sites list the stolen credentials. The exact overlap of websites across four separate stealer logs is enough to leak an email address pretty reliably. The only thing that's "telling" for is that they're not willing to dox this person.
Have I Been Pwned listed me in the ALIEN TXTBASE Stealer Logs. I went through the Notify me tab, got a verification link to check for my personal records, and all I got was this lousy:
"No domains were found for your email address. Whilst your email address was found in a stealer log, no websites were found alongside it. This can be due to the way the log was formatted."
TL;DR: You could try my email in there, believe credentials were stolen, when that might be recycled leak stuffing.
Alternative explanation - someone emailing you is infected by a stealer on their machine - they typed your email into the "to field" and that was captured by a key logger on their system.
"By searching for his personal Gmail address (which I'm not sharing) in Have I Been Pwned, he appears in 51 data breaches and in 5 pastes. These include a 2013 breach of 153 million Adobe users, a 2016 breach of 164 million LinkedIn users, a 2020 breach of 167 million users from Gravatar, a 2024 breach of the conservative news site The Post Millennial, and many more."
Stop reading Ars and your name will be cleared. This isnt real journalism, it is Ars-washed political talking points.
I’d be in 3 of those breaches. One of the rules working in government was never use your personal email or ID for anything.
If you had to work in the nightmare of secure systems, the computers are literally in a different room, there is no Internet access in there, and you can’t take your smartphone in there.
This is different from haveibeenpawned leaks. These infostealer dumps mean the data is direct from a spyware/malware on a victims computer. for ex: https://hackerone.com/reports/3091909
It means the people in the leak had malware on their computer in the past, and maybe present.
> a strong indication that devices belonging to him have been hacked in recent years.
I like these kind of speculative articles. The click bait title states something with certanity than the first sentence clarifies that it is a speculation. I am not sure why we are falling for this click baity garbage, over and over.
> Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware
The Ars Technica article is a bit confusing, if you click through to the original article, the case they make is much clearer. It's not that his credentials were found on Have I Been Pwned, which is the case for most people through no fault of their own. Instead, it's this:
>But some of the datasets that Schutt is included in are much more concerning than normal data breaches because they're from stealer logs.
Logs from information-stealing malware were leaked multiple times, and if your credentials appear in multiple of those, that's reasonably good evidence that you are doing something wrong.
So I don't think the headline is clickbait, but I do think that the Ars article could be clearer in making its point.
"Well-known" email addresses (e.g: gaben@valvesoftware.com, president@whitehouse.gov) also seem to show up in these mentioned stealer logs on https://haveibeenpwned.com/ - which makes me suspect addresses are extracted from keypresses even if just typed in the To field of an email, for instance, and do not necessarily indicate the owner of the email has malware on their machine or has had their account/password compromised.
At one point I was a contractor for a government department and at another I was at a government sponsored NGO.
My credentials are in the various leaks, like the Adobe one.
“Login credentials belonging to a Department of Defense contractor, who previously had worked at a government-sponsored media outlet, have appeared in multiple public credential leaks.”
Yep, headline doesn't say it is his current computer or anything, just that his computer was infected. It would be clickbait if it said his current computer is actively infected. Less clickbait than now if it said one of his computers appears to have been infected at some point.
Cannot tell if it's sarcasm or not. Obviously everyone who reads the headline assumes it's his current computer, and it had some, uh, consequences. That's why they click. That's what makes it clickbait. Nobody would care otherwise.
(Also, if you are willing to be pointlessly formal, it goes in both directions, since it can be argued that a computer, which belongs to a person, who in the future will become DOGE's software engineer, but hasn't become yet, also formally isn't a "DOGE software engineer’s computer".)
As long as it's a work computer, what does it matter if it's his current computer or not? Remember that we're talking about an infostealer, it got his credentials and "that's it" (that's gravely serious).
Wouldn't the assumption be that some percentage of government workers have infostealers on their computers? The track record of these people is not good, pretty much since we've had the internet there have been a steady stream of minor-to-moderate scandals where information gets to places that it shouldn't be.
This might just be selection bias because there is a large crowd of angry people looking for things to fling at DOGE.
If there's bias, I think it comes from people being concerned that there are people coming into various govt. offices, demanding and receiving write/read, non-logging accounts on systems containing sensitive information. The access DOGE staffers are being granted absolutely warrants extra scrutiny of their conduct and security practices.
If his accounts were compromised after the computer was (as article indicates), people would still care. It included Greenfield too, so potentially has password reuse risk.
Doesn't seem speculative in the least - they have some pretty strong indicators of a problem. It's great that we're getting some tech-literate investigative journalism going - and good for our government to have a light shining here.
I've updated the title to something less sensationalist and more representative of the article's content.
HN does have a policy of using the original title from the submitted article, unless it is misleading or linkbait, and we try to be rigorous in enforcing it.
Users can help us by emailing us (hn@ycombinator.com) when they see a case where a title seems to be misleading or linkbait.
This is something that already happens. When there is a strong general opinion questioning the quality of the title, even if it's the same as the original title, if it's against HN directives they do get changed. Unfortunately I don't remember exactly these cases, but if you've been to HN long enough you've surely seen these changes.
> If the facts support those allegations, then absolutely yes
See, here's the thing: almost everyone believes this about themselves.
There is always enough difference between any given pairing of cases that one can retain their belief in their own fairness. And there is no shortage of partisan coverage that will assist you in believing that the cases are different.
And it's not like there is an incentive for holding _your own side_ accountable when the other side is not being held accountable.
charitably, you have fallen for the myth that americans can only engage in politics from one of two sports-fan positions. this is not true and the sooner we stop engaging with this myth, the better.
uncharitably, you are pushing a stupid narrative on purpose with ill intent.
Seems like people here assume that passwords were found on Have I Been Pwned. It's more than that, it's about "stealer malware":
> [...] user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits.
> Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial.
Putting this in undermines the quality of their critique.
Does the USA have an authority that can deny privileged data access to someone that has such poor operational security? Revoke security clearances, that kind of thing.
Yes in theory, however it's 2025 and I think it's likely that most of what they're doing falls afoul of data storage/recordkeeping laws anyway and there's basically zero chance that the perpetrators will face consequences.
Yes, but all such authorities are subordinate to the President, and the President can issue security clearance by fiat, bypassing normal procedures and exempting people from them .
I mean if so many of them are scared they can just caucus with the nearly (but not actually) 50% of congress members that are democrats [1].
It's really just republicans are only unified in presenting a unified front so when it comes to actually doing something like electing a speaker [2] [3] the lack of alignment becomes obvious. So they aren't doing anything to counteract trump because they aren't as a whole unified in that it's something they want but they're unified in not fracturing and helping democrats.
Reactionary politics and hysterical screeching is what got the democrats into the problems they are currently face. Repeating the same mistakes over and over again is the definition of insanity.
Yes but that's basically the prisoner's dilemma in a nutshell. Who's going to to take the leap of faith and put their neck on the chopping block?
Liz Cheney?
Adam Kitzinger?
Mitt Romney?
> In an interview with The Atlantic published earlier this week, Romney fretted over his ability to keep his entire family safe from Trump’s ire, should he be reelected in November. (Trump has made it clear that his plans for a second term include seeking revenge on those who’ve wronged him.)
“How am I going to protect 25 grandkids, two great-grandkids?” Romney told The Atlantic. “I’ve got five sons, five daughters-in-law—it’s like, we’re a big group.”
I am saying "they are doing nothing, because they want this to happen". Trump policies are exactly what conservatives wanted and pushed for. The corruption and all that is stuff they are fine with, as long as it is one of them doing it.
To a large extent, insofar as Trump is a dictator, it is only because Congress have decided to allow that through inaction. At least for the time being (though, see, for instance, the Weimar Republic; this may end up being a use-it-or-lose-it ability), they still do have the power to largely put him back in his box if they want to.
Dictators around the world have supporters who do not rise against them, because they are completely on board with their agenda.
Trump and his policies are to large extend logical extension of what republican party pushed for and wanted for years. Conservatives wanted exactly this, pressed for exactly this, made this happen. Plus, they are not just tolerating, they are actively defending it, sane-washing it more then mainstream media.
And yet also, they all have choices. They are not at risk the same way people living under dictatorship are. They made choice to support this party again and again, because they agree with it.
Once upon a time Congress would botch something and all one could do without getting into weeds no one cared about was blame Congress. No one wanted to hear a list of 200 assorted representatives.
In these partisan times one can always be more precise: it is either the Democratic caucus or the Republican caucus. Almost no one goes against their caucus. In this case, and in every case until the midterm elections, it is the Republican caucus.
Assign blame or merit where it is due and maybe voters will have enough shame, pride, or sense of self-preservation to fix things.
Botching security is currently a Republican project.
Security levels of documents and clearances are technically controlled by the office of the President (IIRC), but this is often delegated to the agencies themselves. The military, for example, has it's own system for classified things, while it looks like maybe DOGE does not.
Under normal circumstances if that system were connected to an internal network there would be a cleanup (and the costs would be astronomical). I say normal circumstances because I fully expect these clowns to obfuscate, omit and deny everything for the next four years.
All thee DOGE dudes are destined to spend life imprisoned on Alcatraz. The scope of the antics done by these people and the downright disregard for security, ethics, law, and the Constitution, all make them the right people to make examples of.
Was he using his own computer? He should surely have been using one provided by the institution. In a properly secured system he should not have needed passwords to connect to databases, they should have been secured by something like Active Directory roles and certificates. Do any of these US institutions have any idea of proper security?
DOGE didn't care to go through proper channels for anything. They just used whatever they had. It was a true train wreck let by young talentless types like "big balz" or whatever his name was; their only qualifying talent was complete loyalty to Elon Musk.
The article title suggests that this is about his current PC which he is using at the agency. That is totally false.
In fact the story is that at someone point in the past at least in 2013 some credentials of his landed in multiple breaches. Some of my credentials also appear there, this of course means nothing at all about his current account security or the security of the data.
I don't even know what the allegations are. Can you not ever work for a government agency when any account of yours gets compromised? Databreaches aren't that uncommon, presumably many people here have some credentials leaked, do you think these people should be excluded from working jobs in the government?
Buried down the text, they have the plausible deniability disclaimer:
"As Lee notes, the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points."
Of course "credentials have been exposed": the vast majority of sites have been hacked. It doesn't mean this person used the same credentials everywhere, AND that they didn't use 2FA, AND that the credentials matter in the first place. And, of course, this has absolutely nothing to do with malware.
Shame on you ARS for publishing purely speculative posts.
> “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (ahemcough cough the Russians cough) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon.
If it looks like a duck, walks like a duck, swims like a duck and quacks like a duck, then at some point you gotta assume it's a duck. No need to run a DNA test.
Ask Rudy Giuliani or any architect foolish enough to take a project from him. While Trump might know more about protecting people who help him than he did then, it would be out of character for him to expend the time it takes to sign something if his benefit in the transaction is over.
The 6 January rioters who got 20 years in prison, after beating and indirectly causing deaths at the capitol police have ALL been pardoned and are walking free.
"...The extraordinary pardons and commutations extended to those who committed both violent and nonviolent crimes on Jan. 6, including assaulting police officers and seditious conspiracy..."
Exactly as you describe, and I'm sure for other foreign interests, everyone at DOGE became massive targets for very highly directed nation-state level interest for phishing/malware/compromise.
This is not an invincible decision making tool. It does not mean that literally every thing that can be explained by idiocy must be. We might start by leaning towards idiocy as an explanation but we are allowed to adjust our opinion as we see more and more information.
In law we shouldn't be focused on ignorance and cluelessness. The outcome of what they have allowed is the crime. All the DOGE dudes need life without parole.
Do you actually believe that? Do you not think that at least SOME OF THEM, are working their asses off to save american tax payer dollars?
Can you point to any of the contracts in the wall of savings that have saved billions of dollars and disagree with any of them? https://doge.gov/savings
Did you look through that page before posting it? Currently, the default list of biggest savings is topped by things like eliminating a refugee intake facility, various HHS programs making sure public housing meets basic standards of habitability, and eradicating polio.
Is the argument that government was so efficient before that eliminating these seemingly useful programs was the best and only way to save taxpayer dollars?
Edit: the contract was 3.3B, so that changes the calculus to 1,109,966.78 per child. Haven't seen the facility, but i highly doubt they are staying in million dollar condos, but if they are... there are better ways to do that.
$1,136,436,294.65 for paying their legal services... Why are we paying a billion dollars for legal services of a program we have discontinued?
1,021,000,000 to eradicate polio... Of which that last case in the united states was in 2022... Polio is all but irradicated here in the united states.
We just seem to disagree with what's important and what's wasteful. You could build a brand new city for those amounts in the private sector.
That's the crux, for sure. The problem with DOGE though is that instead of creating better ways of doing anything, they just seem to eliminate doing those things at all.
Now we not only don't have a better way of doing a thing that might have been necessary, but we don't even have the sub-optimal way of doing that thing, so now it's not getting done at all.
Edit: Bringing it back to the article, if a person with access to 'a "core financial management system" belonging to the Federal Emergency Management Agency' was foolish enough to let their system get hacked, are we really finding a better way to do things, or are we being a little too careless?
It's 2.9B for a facility that can accommodate up to 3000 children simultaneously, as well as the support services to run it and provide the medical care and social workers needed to take care of them. It's not $3B for a specific 3000 children somewhere, so it's nonsense to try counting the cost per child that way.
I haven't looked at the contract in detail, but no, $3B over 5 years for 3000 people including construction costs sounds reasonably in line with prison costs (the closest comparison). Certainly not the order of magnitude too high like you're suggesting, which surely someone would have undercut on the bid if it were easy.
Wow, I took a look at the first one: ~$3 Billion for temporary shelter for just 3k kids? Almost $1 million per child??
Never heard of the program but on its face that sounds pretty bad. Grift, scam, or just inefficient govt? Not sure but not a good argument for keeping it around!
Hanlon's razor is overused and abused. Quite often, it is actually a malice and if you are willing to look at the situation dispassionately, it is quite visible.
Hanlon's razor was originally a joke. Not a scientific observation how world works, but a funny sentence about there being a lot of incompetence in the world.
I would normally second this, but the Trump admin did order a suspension of offensive cyber operations against Russia in March. So not sure you can truly rule out malice in this case.
>a suspension of offensive cyber operations against Russia in March.
uhhh... why are we commiting offensive cyber operations against a nuclear power? Somewhere in your line you seems to think that it's justified? And that biden was doing the right thing by provoking a major power?
Some people just want the world to burn, and when someone puts out the fire, they think that's unamerican?
Such Biden logic that ended with us launching missiles into russia. A constant escalation with no real end in sight and always matching "tit-for-tat- instead of trying to solve the root issue.
You don't think trump is actively involved in negotations with russia to stop all this madness?
Don't you think that one of the first signs of good faith in negotations would be to stop attacking eachother?
No other president has given explicit permission to launch american missles and use american guidance systems to launch missles into russian territory... Besides biden. What are you talking about?
And you forgot... besides Trump. because trumps not a warmonger, people like to act like he's on the side of the russians. People have lost their minds.
In the last 3 months, Trump has threatened to invade:
- Greenland
- Canada
- Mexico
- Panama
- Cuba
> people like to act like he's on the side of the russians
Trump has said that Ukraine is the one that started the war, and the "deal" he negotiated to end the war excluded Ukraine from the discussion and would give Russia everything it asked for.
> People have lost their minds.
You're right on that point, but its probably not the people you're thinking of.
Because when someone punches you in the face, you punch back?
Also I don't know why we keep referring to Russia as a major power, their GDP is about the size of Italy's, their economy is on the rocks, their military stockpile is depleted from a failed invasion of their much, much smaller neighbor.
failed operation? Have you seen the war map? After the whole world dumped all their stockpiles to ukraine for over $500B, the russians have still taken over a 3rd of the country. Biden logic was going to lead to a american troops on the ground, and a vietnam all over again.
Russia didn't punch us in the face, they punched some dude that we barley knew in highschool half way across the world.
Your numbers are way off. Ukraine has not received "over $500B". According to the Kiel institute tracker, as of February, the total military support for Ukraine from all all over the world combined stands at 132 billion EUR (~148bn USD). Nor does Russia control a third of the country. Russia controls 18.3%, of which 7.05% was occupied before 2022 and 11.25% since then. The total area held by Russia peaked in the first month of the war at 25.86%, was reduced to 18% with Ukrainian counteroffensives, and has stood there since the late 2022.
While looking at the chart, keep in mind that Russia currently loses around 30-45k people a month as dead and wounded and they have nothing to show for it. The last major territorial gains were during the first month of the war in March 2022. It's a total military disaster with no end in sight.
And the person you replied to is absolutely right: Russia is not fighting for the potato fields of Ukraine, but to dismantle the entire international security system that the US built after the WWII to secure commerce and influence on the world. Ukraine is one of the stepping stones. Here's the full blueprint: https://en.wikipedia.org/wiki/Foundations_of_Geopolitics#Con...
This isn't an example of incompetence. DOGE staff broke laws when they connected their personal computers to classified system. They knew better, plenty of people told them not to do this and they still did it.
They could have followed OpSec rules and still done their work. They chose not to do so. Their willful disobedience of the laws and OpSec might stem from multiple rationals, but it doesn't matter, because their actions are criminal and their negligence is beyond incompetence.
Without any proof or arguments, to me that Mastodon comment is just your average brain rot social media conspiracy slop, especially when you examine the profile of the user who wrote it.
Is this what journalism has now become? Parroting othe people's unhinged takes off social media, then upvoting it on HN?
Likely not the choice of the engineers, who appear not to know that they're being used as pawns in an international spy game that could send them to prison for a very long time.
I fully believe that the engineers themselves are wildly optimistic about society and their own abilities, but good security comes from realism and pessemism. Someone, probably many people, in the chain of command above them has moral and legal responsibility for choosing this course knowing it carried this risk and not caring.
Knowing their choice of targets too (definitely not left up to the engs), by which I mean only DOGEing and compromising the security of what they consider left-leaning agencies: with that targeting and their care to cover their tracks digitally, why not choose a strategy that lets the Russians in quietly? Shortly after they compromised the security of the NRLB they were making blackmail threats by taking drone videos of people (who threatened to reveal their malfeasance) where they lived and worked. Clearly someone in the chain of command is thinking carefully about what they can learn from how Russia governs
Remember that checklist meme from /.? The “You seem to be advocating/here is why it will not work”?
Well, you’ve burned a bit of time on HN with the karma you’ve accrued. The non-conspiratorial truth is that if you go back and read HN over a longer period of time, it amounts to people parroting other people’s unhinged takes. Least offensive is tech, which is merely juvenile. But the other topics, especially medical ones, are dangerous. Political ones, with zero verification are the worst from a board culture/health perspective.
HN has turned itself into slop in large part due to the voting and flagging mechanisms, because the community was never mentally equipped to use either tools responsibly. And pg/dang never set the tone. So now you see how far it has fallen.
My advice: don’t come here to read comments seriously. Yes, from time to time someone of good taste shows up to a topic they have first hand experience with and they have to educate the rest as to why their takes are completely wrong (and sometimes dangerous, see above).
Instead, come here to get the news, laugh at the shit flinging if you must, and move on.
I’ve been contemplating doing an HN-without-HN filter board; show just the tech stuff, have commentary without voting or flagging. Because while you’re just seeing how things are now, I am afraid to say they’ve always been so.
Honestly, stuff like this always makes me double check my own passwords and habits. Bunch of people just roll with the same easy setup for years and act surprised later. Gotta be careful, for real.
For your consideration, one does not need to have their password manager online to use HIBP; they offer [at least] two different concessions to your concerns:
Thus you could hash your passwords in your airgapped setup, transfer the hashes using a mechanism you trust to an Internet connected device, and then check the hashes
I'm on Fastmail and it has been worth every penny. They happen to also integrate their email alias generation with 1Password, which I also use, making it an extra good investment
Despite their name being fastMAIL they also have a passable calendaring implementation. My only complaint about it is that they don't offer an Android "widget" in order to see the upcoming agenda at a glance, so one has to actually launch their app to view the calendar
If such things matter to you, they have CalDAV and WebDAV offerings, the latter of which I use for backing up my ViolentMonkey scripts. I haven't used their "Google Keep" replacement because Joplin serves my needs, but it does exist. And all of this for the same yearly price
Now imagine how many normie, computer-illiterate federal employees in fairly sensitive roles have had various credentials leaked over the past few years.
There are safe guards for information not to leak. Those safe guards make it very hard to get the info, not impossible, but very hard. Walking into a government office and plugging in your personal Macbook, and running whatever software you want with "god" powers on the network makes it a lot easier to gain access to whatever data is required. Even if its unintentional (big if) from the DOGE's side, at this level you are target by state actors and they will get to your personal devices if they want.
I worked in Federal government on classified systems. There were many safeguards in place, most importantly networks that were 100% disconnected from the Internet and locked down workstations. That made sure that even the most inept user could not cause a problem like this.
Everyone I worked with respected OpSec and would never do something as risky as bring in an outside laptop and connect it to the network. DOGE has been so reckless that I believe they wanted to have the system hacked, because seeing our government destroyed is their real objective.
Did you find stealer logs with your credentials though? Because that is certainly much more concerning than simply having your credentials leaked from some breach, and it's what happened to the DOGE guy.
Actually critisizing DOGE for their major gaffes (like putting up easily defaceable websites, or their incompetence when it comes to reading numbers accurately) is important, but this kind of article is just sad and diminishes the credibility of news journalism
reply