CISA Admin Leaked AWS GovCloud Keys on GitHub

427 points - yesterday at 7:45 AM

Comments

john_strinlai yesterday at 2:53 PM
>Valadon said he reached out because the owner in this case wasn’t responding and the information exposed was highly sensitive.

obviously leaking the credentials itself is crazy, given that it's (a contractor to) CISA, but to not respond when notified? crazy crazy.

but wait! it gets worse somehow

> “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems

while i understand and sympathize with the fact that CISA is kind of being gutted, a passwords.csv with weak passwords is inexcusable incompetence. not much budget is required for a password manager.

embarrassing all around.

epistasis yesterday at 2:31 PM
I think one thing that people are sleeping on is passing a ton of secrets to OpenAI and Anthropic or your OpenRouter by having a .env or secrets on disk in your repo, but not checked in

Your LLM will happily read the entire file, ship it off to be training data for future versions of ChatGPT, and not raise any flags, because let's be fair it was an ok thing to check if all the env vars were set, or if you had set up the database password for the app.

It's time for orgs to audit and rotate secrets wherever they are stored on disk or in logs, and switch to SOPS or Vault or whatever to keep these out of plaintext except exactly when needed.

protastus yesterday at 5:53 PM
In 2026, storing government credentials in a repo and not having scanners to flag it should be investigated. I am highly suspicious of anyone doing this in a professional capacity. If I worked at a foreign intelligence agency and saw this, I would first think it's a honeypot, and an unimaginative one because it's so lacking in subtlety.
debarshri yesterday at 2:35 PM
They also uploaded sensitive docs in chatgpt [1]

[1] https://www.politico.com/news/2026/01/27/cisa-madhu-gottumuk...

exabrial yesterday at 3:35 PM
Looks like someone needs to go take 27 training modules. That'll fix it.
morpheuskafka yesterday at 6:22 PM
The repo name was literally "Private-CISA". Would be fun to (a) search through repo names with private/internal/etc in them and (b) search for govt agency / non-tech company that otherwise wouldn't be expected to appear in repo names. Could probably clone them all and then have an LLM quickly scan for interesting stuff.

Also, doesn't GitHub have its own automated scanner for something as basic as an AWS credential?

dantiberian today at 12:58 AM
GitHub has automatic secret scanning on all public repositories which notifies AWS if access keys are pushed. I would have expected these tokens to be immediately revoked by AWS. Is there something different about GovCloud access keys so they weren't detected?
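The scanning that epistasis, morpheuskafka and dantiberian are talking about (secrets sitting on disk in a working tree, and the push-time checks GitHub and tools like trufflehog run) is easy to approximate locally. The following is an added example written for this thread, not code from any of the posters, from GitHub, or from the article: it flags AWS access key IDs by their documented prefixes, flags a 40-character value assigned to a "secret ... key" name only when it is high-entropy (so documentation placeholders like forty `a`s are skipped), and flags any CSV whose header has a password column. The sample files, the key values and the entropy threshold are all constructed for the example.

```python
from __future__ import annotations

import math
import os
import re
from collections import Counter
from dataclasses import dataclass

# AWS access key IDs: "AKIA" (long-term) or "ASIA" (temporary) + 16 uppercase alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# A 40-character base64-alphabet value assigned to a name such as AWS_SECRET_ACCESS_KEY.
AWS_SECRET_RE = re.compile(
    r"(?i)secret(?:_access)?_?key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})")
PASSWORD_HEADER_RE = re.compile(r"(?i)\bpass(?:word|wd)?\b")
ENTROPY_THRESHOLD = 4.0  # bits per char (assumed cut-off); random 40-char keys sit near 5


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    snippet: str  # secrets are redacted here so the report itself is not a leak


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-2:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; returns findings rather than printing them."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        for m in AWS_KEY_ID_RE.finditer(line):
            # Key IDs are not secret on their own, but one in a repo means the
            # matching secret is usually nearby: rotate the key pair.
            findings.append(Finding(path, no, "aws_access_key_id", m.group(0)))
        m = AWS_SECRET_RE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, no, "aws_secret_access_key", redact(m.group(1))))
    # A CSV whose header names a password column is a plaintext credential store.
    if path.lower().endswith(".csv") and lines:
        if any(PASSWORD_HEADER_RE.search(col) for col in lines[0].split(",")):
            findings.append(Finding(path, 1, "plaintext_password_column", lines[0]))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a working tree on disk, untracked and git-ignored files included:
    what matters is what is on disk, not only what git tracks."""
    out: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    out.extend(scan_text(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue
    return out


# Constructed sample files: none of these values are real credentials.
SAMPLE_FILES = {
    ".env": (
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
        "AWS_SECRET_ACCESS_KEY=aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY3z/+A\n"
    ),
    "AWS-Workspace-Firefox-Passwords.csv": (
        "url,username,password\n"
        "https://internal.example/login,admin,Winter2025!\n"
    ),
    # Documentation placeholder: matches the secret-key shape but has no entropy.
    "README.md": "Set AWS_SECRET_ACCESS_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa in your shell\n",
}


def scan_samples() -> list[Finding]:
    return [f for path, text in SAMPLE_FILES.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line}: {f.kind}: {f.snippet}")
```

Run against a real checkout with `scan_tree(".")`; because it walks the filesystem rather than `git ls-files`, a `.env` that is correctly git-ignored still shows up, which is exactly the case epistasis describes. Any hit on an access key is a rotate-first event: finding the key on disk says nothing about who else has already read it.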
nijave yesterday at 11:51 PM
Ironically they could have used those AWS keys to use one of the many AWS services that are more secure.

For example S3 (ideally with KMS), Parameter Store (ideally with KMS), EBS, EFS, AWS Secrets Manager, even just KMS to directly encrypt the files

Really any AWS service that supports KMS and doesn't require giving the service principal access to the key

itintheory yesterday at 5:06 PM
I'm surprised that this has apparently been ongoing for 6-7 months. I thought outfits like GitGuardian, or solo researchers with trufflehog (etc) would find leaked keys in days, not months. Maybe this is related to the major growth of GitHub? The scanners can't keep up?
dcrazy yesterday at 3:57 PM
What makes this truly sad is that the federal government has had smartcard-based authentication (CAC) for decades. Yet because the public internet stack runs on passwords, so too does government infrastructure.
wnevets yesterday at 3:04 PM
> but this administration clearly had no idea what they were getting themselves into and did not plan accordingly.
chrismarlow9 yesterday at 5:28 PM
Sounds about right. Security is a joke everywhere right now. First to market is all that matters anymore and security is the very first thing to be thrown out when it stands in the way.
bilekas yesterday at 4:17 PM
I would be fired for this. Probably not able to ask for a reference and forever be the butt of a joke between friends and colleagues.

Seems like no big deal for CISA. Defunded really paying off now.

snihalani yesterday at 4:33 PM
Do they not believe in encrypted files?
passive yesterday at 4:55 PM
Uh, so it says this dates from Nov 2025.

Nov 2025 was also when most of us learned about the acting Chief Security Officer at DHS, whose name AND photo seem exactly like the calling card of someone who had these "keys to the kingdom". https://bsky.app/profile/andylevy.net/post/3m6ivhnthts2o

I want to believe...

tedggh yesterday at 4:56 PM
This seems like an act of sabotage disguised as incompetence.
ttul yesterday at 2:53 PM
Yet another argument for the death of the API key. Replacements abound; let's get on with it.