Cybersecurity is not my main field but this sounds beyond suspicious.
> Berulis [...] and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.
> “Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”
Somehow each paragraph reveals something even worse than the last.
> Berulis [...] and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.
> “Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” Wired reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”
What is interesting to me is how those two things are mixing. Theoretically any one of us could own a Russian domain and any one of us could get a job at NLRB (or another gov agency), but our jobs and our ownership of that domain are two entirely separate things.
What's interesting here is how these two things are seemingly mixing. At this point I have two pet theories:
- One of the DOGE staffers is a Russian agent: This one I'm putting in the camp of "highly highly unlikely" but still possible given those login attempts from Russia.
- The more likely theory is this is just some braindead attempt to "own the libs". Look back 6-8 years to when all the Trump Russia stuff came out and turned into a nothingburger. This could be some idea like: "Yo, I've got this VM in Russia, let's own the libs and make them think the Russians are invading again!"
- It could also be completely innocuous. Like right now I have a Mullvad VPN set up on my machine that points to Algeria. Ubuntu will auto-start this VPN at login. What if one of the DOGE staffers just happened to have a VPN running with an exit in Russia when they tried logging in?
Russian IPs are used because Russia won't help the American authorities with investigations. If I was an American and hacking into <whatever American thing>, I'd use Russian IPs too.
Which is fine for the attacker here. All they need is to hit the login endpoint from an IP that's geolocated to the US. They don't mind if it's possible to trace it to their Russian IP. And that's roughly all that the VPN service sees. I explicitly mentioned Monero because I believe that when used properly, it wouldn't add any extra information.
Or, very unlikely but maybe, the DOGE employee used this new account to attempt to log in via a Russian VPN just to test security. Still very unlikely, because they were not interested in security at all.
Haha, have you never worked with a prolific junior that wants power and openly questions everything you do, their role and any limitations you place on them? These kids won't care it's not their remit.
If the president is behind all that, there are proper command chains to deal with such a scenario. Democracy is about checks and balances. The US is by far not a democracy anymore, but still calls itself so.
The "proper chain" for this scenario is either Congress impeaching the president, or the vice president triggering the 25th Amendment.
Unfortunately, the Republicans in Congress refuse to do so and pretend that everything is fine, and the vice president is the president's lackey.
As far as I know, we don't have any other legal mechanisms to remove the president from his position as commander-in-chief. If you know of any, I'd love to hear more about them.
The article mentioned that traces of a few GitHub repos were found. One of the READMEs left behind described a tool used to create a multihop network to hide the original source.
Seems plausible that they could have used that tool when logging in and it happened to bounce off a Russian IP.
If I am testing a login I don't need 20+ failed attempts to know it's not working. Sometimes the simple answer is the correct one. The series of events does not read as someone, whose job has been reported to disable security and demand root access to systems, testing the already in place login system to make sure Russian IPs (specifically) can not log in.
Let's be honest: they are compromised. Musk is compromised. Trump is compromised. They are all traitors who are selling America out. It took almost four decades, but Russia is winning the cold war after all, without firing a shot.
He does owe Russia for the email hack and leaks that he publicly requested. Not to mention sticking it to Ukraine after they didn't find/fabricate evidence against the Biden family.
I want to know why your comment isn’t flagged but any dissenting opinion or question from yours will be…. Is that in alignment with American values? Hmm…
If you block outright an adversary has reason to try another IP. If you allow the attempt then show a standard "login failed" page they have less information to go on.
Not necessarily. One could have a gov site allowing anyone to view it, but have stricter rules on a /login path, HTTP POST, auth header, or it could have been blocked by some company-wide safety layer that manages this stuff semi-automatically.
But that's just a speculation.
So the default behavior of a FortiGate is to allow you to apply an access policy to the VPN tunnel itself, which can easily be a geoblock, but the local-in policy where the remote is actually authenticating against the firewall is much harder to change.
Not saying this is a FortiGate or that the federal government didn't change the low-effort configuration, but it's certainly not unusual; Fortinet is a huge presence.
Auth providers (like Okta for example) often do the geo-blocking at level 7 -- because if you know the login being used, you can then lock the account that is being accessed from a blocked region.
Remember these are Elon's script kiddie hackers; it only occurred to them to disable the outer firewall. Azure AD will independently geo-IP block all by itself.
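As an added illustration (not from the article or from any commenter) of the layer-7 flow Berulis describes and the Okta point made above: credentials are verified first, the out-of-country policy is applied second, the client gets the same generic failure either way, and defenders get an alert when valid credentials arrive from a blocked region within 15 minutes of account creation. The geolocation table, IP ranges, account and thresholds are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed geolocation table (assumption): TEST-NET ranges stand in for a US and a non-US range.
GEO_TABLE = {ipaddress.ip_network("203.0.113.0/24"): "US",
             ipaddress.ip_network("198.51.100.0/24"): "RU"}
ALLOWED_COUNTRIES = {"US"}                  # the "no out-of-country logins" policy
NEW_ACCOUNT_WINDOW = timedelta(minutes=15)  # creation-to-attempt gap the whistleblower flagged
LOCK_THRESHOLD = 20                         # blocked foreign attempts before lockout

@dataclass
class Account:
    username: str
    password: str          # plaintext only because this is a toy; real systems store hashes
    created_at: datetime
    locked: bool = False
    blocked_foreign: int = 0

def geolocate(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def attempt_login(acct: Account, password: str, ip: str, now: datetime, alerts: list) -> str:
    """Credentials first, then the geo policy: internally a blocked attempt with valid
    credentials is distinguishable, but the client always sees the same generic verdict."""
    if acct.locked or password != acct.password:
        return "login failed"
    country = geolocate(ip)
    if country in ALLOWED_COUNTRIES:
        return "ok"
    acct.blocked_foreign += 1
    age_min = int((now - acct.created_at).total_seconds() // 60)
    if now - acct.created_at <= NEW_ACCOUNT_WINDOW:
        alerts.append(f"{acct.username}: valid creds from {country} {age_min}m after creation")
    if acct.blocked_foreign >= LOCK_THRESHOLD:
        acct.locked = True
        alerts.append(f"{acct.username}: locked after {acct.blocked_foreign} blocked foreign attempts")
    return "login failed"  # indistinguishable from a wrong password

def run_scenario() -> tuple:
    """Constructed replay: account created at t0, 20 correct-password attempts from the
    non-US range five minutes later, then one correct attempt from the US range."""
    t0 = datetime(2025, 3, 1, 12, 0)
    acct = Account("new-user", "correct horse", t0)  # constructed, not a real account
    alerts: list = []
    verdicts = [attempt_login(acct, "correct horse", "198.51.100.7",
                              t0 + timedelta(minutes=5, seconds=i), alerts) for i in range(20)]
    verdicts.append(attempt_login(acct, "correct horse", "203.0.113.9", t0 + timedelta(minutes=6), alerts))
    return verdicts, alerts, acct.locked
```

The final US-range attempt also fails because the account was locked by the 20 blocked foreign attempts, which is the account-level response the auth layer can take and a pure network geoblock cannot.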