GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:59 JST

#Whistleblower details how #DOGE may have taken sensitive #NLRB data

In the first days of March, a team of advisers from #Trump's new Department of Government Efficiency initiative arrived at the Southeast Washington, DC, headquarters of the National Labor Relations Board.

The small, independent federal agency investigates & adjudicates complaints about unfair #labor practices.

#law #InfoSec #privacy #NationalSecurity #Musk
https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security

Attachment: A whistleblower's disclosure details how DOGE may have taken sensitive labor data
A whistleblower tells Congress and NPR that DOGE may have taken sensitive labor data and hid its tracks. "None of that ... information should ever leave the agency," said a former NLRB official.

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:48 JST

While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a #backdoor, or "Bdoor," to extract files from #NLRB's internal case management system, known as NxGen, acc/to several #cybersecurity experts who reviewed Berulis' conclusions.

…NxGen is an internal system that was designed specifically for the NLRB in-house, acc/to several of the engineers who created the tool….

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:49 JST

After journalist Roger Sollenberger started posting…about the account, Berulis noticed something Wick was working on: a project, or repository, titled "NxGenBdoorExtract."

Wick made it private before Berulis could investigate further, he told NPR. But to Berulis, the title itself was revealing.

"So when I saw this tool, I immediately panicked,"…He immediately alerted his whole team.

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:50 JST

However, the #NLRB's budget hasn't had the money to pay for tools like that for years, Berulis said.

A couple of days after #DOGE arrived, Berulis saw something else that alarmed him while browsing the internet over the weekend.

MIT grad & DOGE engineer #JordanWick had been sharing info about coding projects he was working on to his public account w/ GitHub….

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:51 JST

Those #forensic #digital #records are important for record-keeping requirements & allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker's path back to the vulnerability that let them inside a network. The records can also help experts see what #data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor's activities, but it would be a start.

#law #Trump #Musk #DOGE #InfoSec

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:51 JST

There's no reason for any legitimate user to turn off logging or other #security tools, #cybersecurity experts say.

"None of this is normal," said Jake Braun…fmr acting principal dpty natl cyber dir at the WH…. "This type of activity is why the government buys insider-threat-monitoring technology. So we can know things like this are happening & stop sensitive data exfiltration before it happens," he told NPR.

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:52 JST

For #cybersecurity professionals, a failure to log activity is a cardinal sin & contradicts best practices as recommended by the National Institute of Standards & Technology [#NIST] & the #DHS's #CISA, as well as the #FBI & the #NSA.

"That was a huge red flag," said Berulis. "That's something that you just don't do. It violates every core concept of security & best practice."

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:53 JST

…#DOGE employees demanded the highest level of access, what are called "tenant owner level" accounts inside the independent agency's computer systems, w/essentially unrestricted permission to read, copy & alter #data….

When an IT staffer suggested a streamlined process to activate those accounts in a way that would let their activities be tracked, in accordance with #NLRB #security policies, the IT staffers were told to stay out of DOGE's way….

#law #Trump #Musk #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:54 JST

The #whistleblower's account is corroborated by internal documentation & was reviewed by 11 technical experts across other govt agencies & the private sector. In total, NPR spoke to >30 sources across govt, private sector, #labor movement, #cybersecurity & #law enforcement who had their own concerns about how #DOGE & the #Trump admin might be handling sensitive #data, & the implications for its exposure. The following account comes from the whistleblower's ofcl disclosure & interviews w/ #NPR.

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:55 JST

Meanwhile, his attempts to raise concerns internally within the #NLRB preceded someone "physically taping a threatening note" to his door that included sensitive personal information & overhead photos of him walking his dog that appeared to be taken with a drone, according to a cover letter attached to his disclosure filed by his attorney, Andrew Bakaj of the nonprofit #Whistleblower Aid.

#criminal #law #Trump #Musk #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:56 JST

The #whistleblower believes that the suspicious activity warrants further investigation by agencies w/more resources, like #CISA or the #FBI.

#Labor #law experts…fear that if the data gets out, it could be abused, including by private companies w/cases before the agency that might get insights into damaging testimony, #union leadership, #legal strategies & internal data on competitors — #Musk's #SpaceX among them….

#criminal #law #Trump #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:56 JST

It could also intimidate #whistleblowers who might speak up about unfair labor practices, & it could sow distrust in the #NLRB's independence, they said.

The new revelations about #DOGE's activities at the labor agency come from a #whistleblower in the IT department of the NLRB, who disclosed his concerns to #Congress & the US Office of Special Counsel [#OSC] in a detailed report that was then provided to #NPR.

#criminal #law #Trump #Musk #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:57 JST

& data has nothing to do w/making the govt more efficient or cutting spending.

Meanwhile, acc/to the disclosure & records of internal comms, members of the #DOGE team asked that their activities not be logged on the system & then appeared to try to cover their tracks behind them, turning off monitoring tools & manually deleting records of their access—evasive behavior several #cybersecurity experts compared to what #criminal or #StateSponsored #hackers might do.

#law #Trump #Musk #InfoSec

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:57 JST

The employees grew concerned that the #NLRB's confidential #data could be exposed, particularly after they started detecting suspicious log-in attempts from an IP address in #Russia [wtf?], acc/to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing #security #breach or potentially #illegal removal of personally identifiable information.

#criminal #law #Trump #Musk #InfoSec #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:58 JST

But acc/to an official #whistleblower disclosure shared w/ #Congress & other federal overseers…, subsequent whistleblower interviews & records of internal comms, technical staff were alarmed about what #DOGE engineers did when granted access, particularly when staffers noticed a spike in #data LEAVING the agency. It's possible that the data included sensitive info on #unions, ongoing #legal cases & #CorporateSecrets — data that 4 #labor #law experts tell NPR should almost never leave the NLRB….

Nonilex (nonilex@masto.ai)'s status on Tuesday, 15-Apr-2025 22:24:59 JST

#NLRB stores reams of potentially sensitive data, from confidential info about employees who want to form unions to proprietary business info.

The #DOGE employees, who are led by #Trump adviser & billionaire tech CEO #ElonMusk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new admin's policies & to cut costs & maximize efficiency.

#law #InfoSec #privacy #NationalSecurity

Nonilex (nonilex@masto.ai)'s status on Thursday, 17-Apr-2025 08:04:19 JST

…while many of the #NLRB's records are eventually made public, the NxGen case management system hosts #proprietary #data from #corporate competitors, personal information about #union members or employees voting to join a union, & #witness testimony in ongoing cases. Access to that data is protected by numerous federal #laws, including the #Privacy Act.

#criminal #law #Trump #Musk #DOGE #InfoSec #NationalSecurity


GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.