this post was submitted on 19 May 2026
618 points (99.4% liked)

Technology
[–] homesweethomeMrL@lemmy.world 79 points 4 weeks ago* (last edited 4 weeks ago) (4 children)

Valadon’s company constantly scans public code repositories at GitHub and elsewhere for exposed secrets, automatically alerting the offending accounts of any apparent sensitive data exposures. Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

But wait

Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

“Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature,” Valadon wrote in an email. “I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual’s mistake, but I believe that it might reveal internal practices.”

One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers.

This is shameful incompetence. Just head-rolling abysmal incompetence. These are the people they hired, for all you 1337 hax0rz currently looking.
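
The article excerpt quoted above describes the protective layer that was switched off: GitHub's push protection, which refuses a push whose contents look like credentials. The following is an added example, not code from the article, from Valadon's company or from GitHub, showing the same idea as a local pre-commit check: it scans staged files for an AWS access key ID, an AWS secret access key assignment, a private-key PEM header, and a CSV column named like "password" that holds values. The rule set, the constructed sample files (using the placeholder key values from AWS's own documentation) and the `--staged` hook mode are all this example's own assumptions.

```python
"""Minimal pre-commit secret scanner (added example; not the article's, GitHub's
or any named vendor's code). It refuses a commit whose staged files contain
credential-shaped content. Rules and sample files are constructed for the demo."""
import csv
import io
import re
import subprocess
import sys

# Each rule is (name, compiled regex). The AWS access-key-ID shape is documented
# by AWS; the other two are generic heuristics chosen for this example.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}")),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def scan_text(path, text):
    """Return (path, line_no, rule_name) for every regex rule hit, line by line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((path, line_no, name))
    return findings


def scan_csv_passwords(path, text):
    """Flag rows of a .csv file whose 'password'-like column is non-empty."""
    findings = []
    if not path.lower().endswith(".csv"):
        return findings
    reader = csv.DictReader(io.StringIO(text))
    cols = [c for c in (reader.fieldnames or []) if "password" in c.lower()]
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header line
        if any((row.get(c) or "").strip() for c in cols):
            findings.append((path, row_no, "plaintext_password_column"))
    return findings


def scan_files(files):
    """files: {path: text}. Returns all findings, sorted for stable output."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        findings.extend(scan_csv_passwords(path, text))
    return sorted(findings)


def staged_files():
    """Collect staged (added/copied/modified) file contents from git for hook use."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True).stdout.split()
    files = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"],
                              capture_output=True, check=True).stdout
        files[name] = blob.decode("utf-8", errors="replace")
    return files


# Constructed sample "repository" echoing the file shapes the article describes.
# The AWS values are the non-functional placeholders from AWS's documentation.
SAMPLE_FILES = {
    "importantAWStokens": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "accounts.csv": "user,password\nalice,hunter2\nbob,\n",
    "README.md": "Nothing sensitive here.\n",
}


def main(argv):
    """Exit 1 (blocking the commit when run as a hook) if anything is found."""
    files = staged_files() if "--staged" in argv else SAMPLE_FILES
    findings = scan_files(files)
    for path, line_no, rule in findings:
        print(f"{path}:{line_no}: {rule}")
    if findings:
        print(f"blocked: {len(findings)} potential secret(s) staged", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it scans the constructed samples and reports three findings (the CSV password row and both AWS values); copied to `.git/hooks/pre-commit` and invoked with `--staged`, its non-zero exit stops the commit. A check like this only helps if it cannot be casually switched off, which is exactly the point the article makes about the disabled GitHub setting.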

[–] atomicbocks@sh.itjust.works 36 points 4 weeks ago (1 children)

As a dev who’s been unemployed for 18 months your last sentence was pretty much my first thought when reading the article.

[–] homesweethomeMrL@lemmy.world 6 points 4 weeks ago

Sorry, I hear ya. You are so not the only one either. Hang in there. Hey - this place may have some open positions soon?

[–] TheVoiceOfRaison@thelemmy.club 8 points 4 weeks ago (2 children)

ELIT please.

Explain like I'm Trump in case you didn't get the T bit. Sorry.

[–] henfredemars 18 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

Our best and finest left the safe combo next to the safe and then left for 6 months.

[–] TheVoiceOfRaison@thelemmy.club 4 points 4 weeks ago

Best and finest indeed. Thanks for the dumbing down for me.

[–] homesweethomeMrL@lemmy.world -4 points 4 weeks ago* (last edited 4 weeks ago) (2 children)

Woke computer nerds fucked us

Edit: just to reassure the more anxious amongst us, I mean ‘woke’ in the maga sense of anything-i-don’t-like-is-woke. Not actually woke.

Actually woke computer nerds observe proper security protocols ffs.

[–] squidman64@lemmy.world 7 points 4 weeks ago (1 children)

Unfortunately you can’t ironically pretend to be a dumb asshole on the internet because you become indistinguishable from the actual dumb assholes

[–] binux@sh.itjust.works 4 points 4 weeks ago

Poe’s law binds us all

[–] Sidhean@piefed.social 2 points 4 weeks ago

Beautiful, woke computer nerds, and they're gonna replace nuclear. My uncle, he was a nuclear woke, and he said, he said you know what, computers are the future, they're gonna replace nuclear. He doesn't have the socks for it, and the electronic wokes, they have these socks that just make the computer work for them, ok, the computer works for them. The computers will work for the nuclear.

[–] CosmicTurtle0@lemmy.dbzer0.com 7 points 4 weeks ago (2 children)

Outside of the sheer incompetence of this administration, is there ANY chance this was done intentionally as a honeypot or something along those lines?

The fact that the commits were explicit along with bypassing all the checks could read as someone trying to see who knocks on the door.

[–] homesweethomeMrL@lemmy.world 9 points 4 weeks ago

I don’t see it. Like the guy in the article said, it starts out looking like a joke . . . Buuuut it ain’t.

[–] phutatorius@lemmy.zip 1 points 4 weeks ago

Not a honeypot. Treason.

[–] AA5B@lemmy.world 2 points 4 weeks ago

“Mistake”. Yeah, no. That’s someone thinking policies aren’t meant for them and blindly taking the easiest path. Sounds just like those 1337 hax0rs they gave the keys to

In a sane world this should get clearances revoked so they never again deal with any private data