CISA tries to contain data leak

(krebsonsecurity.com)

118 points | by speckx 8 hours ago

11 comments

  • bandrami 56 minutes ago
    I remember when they leaked a million SF-86s. You know, the form we fill out with a ton of highly personal information so they can decide if we can be trusted with sensitive data.
    • browsingonly 13 minutes ago
      That wasn't a leak, it was a breach (perpetrated by Chinese state security).
  • m3047 8 hours ago
    CISA said “there is no indication that any sensitive data was compromised as a result of the incident.”

    Oh wow. Except for those secrets.

    • bandrami 24 minutes ago
      Unfortunately "sensitive" has a specific meaning that they may be being legalistic with. PII, for example, is generally not "sensitive".
    • shakna 1 hour ago
      Well, "Sensitive" is the second lowest data label. It must all just be above that.
    • InsideOutSanta 4 hours ago
      Except for all the leaked data, absolutely no data was leaked.
      • hsbauauvhabzb 2 hours ago
        See the trick is to not consider your data sensitive, no SENSITIVE data was leaked.
        • Terr_ 1 hour ago
          There is no data leakage from the application where the front-fell-off, because we towed the data outside the environment.

          https://m.youtube.com/watch?v=3m5qxZm_JqM

          • hsbauauvhabzb 1 hour ago
            ‘Logs do not indicate hackers accessed any sensitive data, because we did not implement logging and did not look very hard for auxiliary evidence’
    • unethical_ban 1 hour ago
      Didn't RTFA, was any actual secret data or any IOC, log tampering, etc. found?
  • omgJustTest 1 hour ago
    Seems senators had questions about why CISA was scaling back efforts related to election security[1]. Tulsi's resignation today seems interestingly timed to when this became public.

    [1]https://www.padilla.senate.gov/newsroom/press-releases/padil...

  • pianopatrick 22 minutes ago
    If these guys who are supposed to be the experts cannot really be secure on the internet, I'm not sure how anyone else is supposed to be secure on the internet.
  • niwtsol 5 hours ago
    What an egregious mistake. "exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository" - isn't it git 101 to not put creds in git? What pattern do they think this is consistent with?
    • apnorton 4 hours ago
      They're not defending it as an established workflow pattern or some kind of best practice.

      The usage of "exhibit a pattern consistent with..." is just describing what it looks like the repository was used for. i.e. it's not a set of government sourcecode for an internal project, it's not something indicative of intentionally leaking large amounts of data, etc.

    • nkrisc 3 hours ago
      > What pattern do they think this is consistent with?

      They clearly stated what pattern this usage is consistent with: using it as a sort of personal scratch pad.

      You’re assigning more meaning to the statement than there is. They are simply stating an observation.

    • irishcoffee 2 hours ago
      If I had a dollar for the number of secrets committed to public repositories I could probably retire. No, that isn’t an excuse. Pretending the US govt isn’t made up of people just like you or me is quite silly.
      • Terr_ 1 hour ago
        Hold up, I think we have some sort of math denominator problem here.

        You'd be rich if you got a dollar for every worldwide murder too, but that doesn't make murder a common workplace occurrence.

        • irishcoffee 1 hour ago
          ‘Tis a lot different mentality typing git commit/git push than it is to murder someone in cold blood, I guess?
          • Terr_ 1 hour ago
            I was thinking more purely in terms of frequency. For a dollar a pop, you can be "rich" for worldwide events that are actually very rare things.
      • Arubis 1 hour ago
        If I had a dollar for each secret I’ve committed to a public repo, I could probably buy a couple of sandwiches. I’m not smarter and my opsec probably isn’t any better than most old devs, but I also don’t have a treasure trove of government secrets on disk and—crucially!—_I would make different decisions if I did_.

        The nuance here: when I’ve slipped and committed secrets, it’s typically a relative nothing burger: most common case is API keys to some third-party service. I’ve worked across a bunch of regulated industries and, within those, not caused a breach—because being in that space you know to be more careful, and because the companies in those spaces (wisely!) tend to support good security practices, more so than the industry average.
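
The thread above keeps coming back to "don't put creds in git". As an added example (editor's code, not from the Krebs article, the thread, or the contractor's repository), here is the check a practitioner would wire in as a pre-commit hook: scan only the added lines of the staged unified diff for well-known credential formats and for long high-entropy tokens. The AWS `AKIA` access-key prefix, the GitHub `gh?_` token shape and the PEM private-key header are public formats; the generic password/token assignment rule and the 4.0 bits-per-character entropy threshold are heuristics chosen here, and the sample diff is constructed for the demonstration (the key IDs in it are not real).

```python
"""Minimal pre-commit secret scanner over a unified diff (e.g. `git diff --cached`).

Added example for illustration; the rule set and threshold are heuristics, not a
standard. Install as .git/hooks/pre-commit and the commit is refused on any finding.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Pattern rules. AKIA..., gh?_... and the PEM header are public formats; the
# assignment rule is a heuristic for `password = "..."`-style literals.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
    ("credential-assignment", re.compile(
        r"""(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['"]?[^\s'"]{8,}""")),
]

# Candidate for the entropy rule: an unbroken token-like run of 32+ chars.
TOKEN_RE = re.compile(r"\b[A-Za-z0-9+/=_-]{32,}\b")
ENTROPY_THRESHOLD = 4.0  # bits/char; 32 distinct chars score exactly 5.0, "0"*32 scores 0


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff(diff_text):
    """Return (path, rule, line) for every added line that looks like a secret.

    Only '+' lines are inspected: removed lines and context cannot introduce a
    secret into the commit, and the '+++ b/...' header is used to track the path.
    """
    findings = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        if not line.startswith("+"):
            continue
        added = line[1:]
        for name, rx in RULES:
            if rx.search(added):
                findings.append((path, name, added.strip()))
                break
        else:
            for tok in TOKEN_RE.findall(added):
                if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                    findings.append((path, "high-entropy-string", added.strip()))
                    break
    return findings


# Constructed sample diff (not real data): a hard-coded key ID replacing an
# environment lookup, a password literal, an all-zero placeholder that the
# entropy rule must NOT flag, a random-looking token, a removed line that must
# be ignored, and a private key file.
SAMPLE_DIFF = """\
diff --git a/sync/settings.py b/sync/settings.py
--- a/sync/settings.py
+++ b/sync/settings.py
@@ -1,4 +1,7 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
+db_password = "hunter2hunter2"
+PLACEHOLDER = "00000000000000000000000000000000"
+blob = "Zq7vB3nX9kL2mP5rT8wY1cD4fG6hJ0sA"
-legacy = "AKIAEXAMPLEEXAMPLE11"
diff --git a/deploy/id_ed25519 b/deploy/id_ed25519
new file mode 100644
--- /dev/null
+++ b/deploy/id_ed25519
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+<key material elided in this constructed sample>
+-----END OPENSSH PRIVATE KEY-----
"""


def main():
    """Hook entry point: scan the staged diff and fail the commit on any finding."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    findings = scan_diff(diff)
    for path, rule, snippet in findings:
        print(f"{path}: {rule}: {snippet}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run `python3 scan_diff.py` inside a repository with staged changes, or call `scan_diff(SAMPLE_DIFF)` to see the four findings on the constructed input (the zero-filled placeholder is correctly left alone). A hook like this is a last line of defence and is trivially bypassed with `--no-verify`; the stronger controls the rest of the thread argues for are credentials that are short-lived or bound to hardware, so that whatever lands in a repository stops working quickly.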

  • fhn 2 hours ago
    Lawmakers want answers but they never provide answers themselves. Who watches the so-called watchers? Corruption on a massive scale by lawmakers, but when a key gets published, heads will roll? Keys are mistakenly published all the time by very smart people. Ever run rm -rf *? Ever destroyed a production db? Ever powered off the wrong server? Yes.
  • fragmede 5 hours ago
    > “Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

    More competent technical control means a random contractor doesn't have passwords from mid-2025 to copy to their home machine that even still work after 30 days, if not 5.

    • dylan604 1 hour ago
      I don't work with national secrets, but I do have access to sensitive/valuable to the client data. The thought of downloading anything directly to my device is just beyond me. I don't even like downloading log files with something like "aws s3 cp s3://client/file - | less". I'd much rather fire up a cheap instance and view the data within their VPC.
    • xoa 4 hours ago
      This. In fact I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything? Why let anyone take any sort of accessible credential at all vs handing out hardware they can use but that cannot have the credentials taken off? At some organizations the extra cost would be a concern of course but that wouldn't be the case here.

      Or maybe that'd have been the sort of project and standard CISA would have formerly done before the Republicans gutted it last year I guess, and this is just another symptom of rot? But yeah to your point technology certainly can absolutely help with this sort of thing. It's not some inevitable act of nature.

      • acdha 58 minutes ago
        I think you have to look at it against the backdrop of so many people being fired and new employees being tasked with “urgent” projects across the government. It’s very plausible that the people who used to enforce all of the policies which would’ve preceded or contained this were either fired for political reasons or didn’t think they could tell someone to follow policy if it slowed them down.
  • 0xbadcafebee 3 hours ago
    > CISA, which lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions
  • imglorp 4 hours ago
    It's almost like gutting the agency of experts diminishes their opsec capacity among many others.

    In 2020 Chris Krebs contradicted stolen election claims. In 2025, Trump sacked Krebs and revoked his clearance, leaving CISA without a director. https://en.wikipedia.org/wiki/Chris_Krebs

    In March 2025, the cuts began. https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...

    In 2026, it was still without a director and running on fumes. https://techcrunch.com/2026/02/25/us-cybersecurity-agency-ci...

    This activity is consistent with intentionally weakening a country's defenses from within and sowing chaos.

    • wnevets 4 hours ago
      If a foreign adversary was in charge would we know the difference?
    • bink 2 hours ago
      Krebs was fired in 2020, not 2025.
      • imglorp 1 hour ago
        Correct, thank you, I can't edit now though. Fired in 2020, clearance revoked in 2025.
    • andrewflnr 2 hours ago
      Let's be real, it's more directly consistent with aggressive incompetence and hiring/firing based on loyalty. As for how the relevant fools ended up with the power to hire or fire, I'll grant that's a more complicated question...
  • 0x59 4 hours ago
    Reminds me of the enshittification of public transit. Reduce funding, service level decreases, negative sentiment follows.

    Eventually, paths like that may lead to increased privatization through security contractors.

    • mrtesthah 2 hours ago
      It was a security contractor who leaked the creds. So this is already the increased privatization end-game.
  • Cider9986 4 hours ago
    Maybe Massie was right when he didn't want to fund CISA.
    • water-data-dude 3 hours ago
      Maybe this is what happens when you fill roles based on loyalty to one person rather than competence