Lawmakers Demand Answers as CISA Tries to Contain Data Leak
38 points by speckx
by niwtsol
0 subcomment
What an egregious mistake. "exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository" - isn't it git 101 to not put creds in git? What pattern do they think this is consistent with?
by m3047
0 subcomment
CISA said “there is no indication that any sensitive data was compromised as a result of the incident.”
Oh wow. Except for those secrets.
by fragmede
0 subcomment
> “Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”
More competent technical controls mean a random contractor doesn't have passwords from mid-2025 to copy to their home machine that even still work after 30 days, if not 5.