Notices by BrianKrebs (briankrebs@infosec.exchange)

Independent writer Anthony Clark lists a number of ways that Trump's nominee for surgeon general appears to have falsified, misled, selectively omitted, or lied about her medical education, board certifications, and military experience.

https://lastcampaign.substack.com/p/trumps-surgeon-general-pick-distorted

Clark published a follow-up with more detail here:

https://substack.com/home/post/p-161849494

Okay this is really interesting. The NLRB whistleblower Daniel Berulis told me that he found the DOGE accounts had downloaded three different code libraries from GitHub that none of their IT people or contractors used or knew about. One of them, Berulis said, had in its "README" file a description that said the software was designed as "a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

One of the core DOGE employees is Marko Elez, and Elez's GitHub page has a very interesting code repository: async-ip-rotator, created in January 2025

https://github.com/markoelez/async-ip-rotator

Checking the history of this code, Elez's profile says it was forked from this

https://github.com/Ge0rg3/requests-ip-rotator, which says in its description:

"A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

"This library will allow the user to bypass IP-based rate-limits for sites and services."

Gee, I wonder which DOGE employee was in the NLRB in early March?

ICYMI, Defense Secretary Pete Hegseth managed to leak Yemen bombing plans with friends and family in yet another Signal chat fiasco, the NYT reported.

The first time this happened, when administration officials including Hegseth texted war plans to the editor of The Atlantic, the White House said basically everyone makes mistakes, nothing to see here, nothing classified, no investigation, case closed.

But screw up the same way a second time and there have to be consequences, right? BZZZT. The administration claims the real problem are the "woke" leakers who are showing what an absolute clownshow the administration is running.

https://www.nytimes.com/2025/04/20/us/politics/hegseth-yemen-attack-second-signal-chat.html

My wife and I have gotten into the habit of asking each other at dinner what was the best thing that happened to each other that day. She now likes this tradition so much she's expanded it into three things, which I contend makes the whole thing more of a mental exercise, but I usually manage. I have found though that it makes me take closer note of the good things that happen during the day, so I'm not left with "uh...." when it's my turn. It also helps punctuate the positive at a time when there's a whole lot of the opposite.

I published a follow-up on NPR's scoop last week about a whistleblower at the National Labor Relations Board (NLRB), who alleges DOGE created super admin accounts (w/ no logging) at NLRB and transferred ~10GB worth of data from the agency's case files.

The story includes an interview with the whistleblower -- NLRB security architect Daniel Berulis -- and examines the technical claims in his report to lawmakers. He's taking some paid leave for now, noting that the same day the NPR story ran, the NLRB removed administrative rights for its IT staff and almost everyone else at the agency.

The backstory is that both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Here's the lede:

"A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account."

https://krebsonsecurity.com/2025/04/whistleblower-doge-siphoned-nlrb-case-data/

The Trump administration is actively censoring the White House press pool, @mmasnick writes for Techdirt.

"On Tuesday, the White House effectively eliminated the Associated Press from the White House press pool, changing the rules to basically bar the wire service entirely. This is even after (or perhaps in response to) a Trump-appointed judge ruling that the White House was clearly violating the First Amendment in excluding the AP from various press conferences. This isn’t a huge surprise, because last week there were reports that the White House was still excluding AP reporters… and then directly censoring press pool reports that mentioned this and other embarrassing facts."

"Last week, Oliver Darcy was the first to call out two troubling developments related to this: First, the White House was ignoring the ruling and still blocking the AP from certain access. Indeed, what Darcy had found is that the pool reporter on duty, Joseph Morton, the Washington correspondent for The Dallas Morning News, had written in the pool report the following:"

“A reporter and photographer with The Associated Press were turned away from joining the pool.”

"So why are we hearing this from Darcy instead of Morton?"

"Well, that’s the second discovery that Darcy reported on. The White House is now directly censoring White House press pool reports:"

"It was likely that sentence, which came after a judge had ordered the administration to restore the AP’s access, that irked the White House. That specific pool report from Morton, I’ve learned, was never distributed by the White House to news outlets subscribed to its pool report mailing list — a notable omission and a clear break from precedent."

"It also wasn’t the first time this week that the White House chose to censor the pool. On Monday, Philip Wegmann, a reporter for RealClearPolitics, filed a pool report noting that a scheduled press conference between Trump and Israeli Prime Minister Benjamin Netanyahu had been “cancelled” and was “no longer taking place.” That report, too, was never sent out by the White House."

https://www.techdirt.com/2025/04/18/white-house-censoring-press-pool-reports-while-still-discriminating-against-ap/

Someone remind me what is the argument against holding the White House in criminal contempt at this point? I keep reading headlines like "Will Trump Create a Constitutional Crisis?" He already has, many times over.

There is little indication this administration is doing anything to comply w/ multiple court orders, and it is thumbing its nose at the rulings. The POTUS is going to force the issue sooner or later. But later does not really seem like an appropriate response from the judiciary and does nobody any favors.

Today's most meta announcement: The FBI is warning that scammers are impersonating the Internet Crime Complaint Center (IC3), which is operated in partnership with the FBI to receive consumer complaints about fraud.

Naturally, the FBI urges victims to immediately report the fraud to the IC3.

tl;dr: 25% of students enrolled in California community colleges are reportedly AI bots set up to commit financial aid fraud. Probably this time next year it will be 40-50 percent.

Tired: Teachers using tools to find students cheating with AI.

Wired: Teachers using tools to figure out how many of their new students are bots who are just there to submit enough AI-completed assignments that they can claim financial aid in someone else's name.

This story from the Voice of San Diego is worth a read:

"When the spring semester began, Southwestern College professor Elizabeth Smith felt good. Two of her online classes were completely full, boasting 32 students each. Even the classes’ waitlists, which fit 20 students, were maxed out. That had never happened before. "

"By the end of the first two weeks of the semester, Smith had whittled down the 104 students enrolled in her classes, including those on the waitlist, to just 15. The rest, she’d concluded, were fake students, often referred to as bots."

"The bots’ goal is to bilk state and federal financial aid money by enrolling in classes, and remaining enrolled in them, long enough for aid disbursements to go out. They often accomplish this by submitting AI-generated work. And because community colleges accept all applicants, they’ve been almost exclusively impacted by the fraud."

"That has put teachers on the front lines of an ever-evolving war on fraud, muddied the teaching experience and thrown up significant barriers to students’ ability to access courses. What has made the situation at Southwestern all the more difficult, some teachers say, is the feeling that administrators haven’t done enough to curb the crisis."

https://voiceofsandiego.org/2025/04/14/as-bot-students-continue-to-flood-in-community-colleges-struggle-to-respond/

Another area where the POTUS is setting up a constitutional challenge with the judicial branch:

"The Associated Press said in a court filing on Wednesday that the Trump administration had defied a federal judge’s order requiring the administration to restore the wire service’s full access to the White House."

"Lawyers for the The A.P. wrote that a White House spokesman had told A.P. reporters on Monday that they would continue to be excluded from the press pool — a small, rotating group of journalists who cover certain events in confined spaces at the White House — because the “case is ‘ongoing.’”

"For the last two months, The A.P.’s access to President Trump has been sharply curtailed over its refusal to refer to the Gulf of Mexico as the Gulf of America, the name that Mr. Trump designated for the body of water."

"In a temporary order last week, Judge Trevor N. McFadden of the Federal District Court in Washington, D.C., said the exclusion violated the First Amendment’s free-speech clause and instructed the White House to restore The A.P.’s access “immediately.”

https://www.nytimes.com/2025/04/16/us/politics/trump-ap-white-house-access.html

And, just like that there IS content on the foundation's site.

UPDATE: The CVE board today announced the creation of non-profit entity called The CVE Foundation that will continue the program's work under a new, unspecified funding mechanism and organizational structure.

"Since its inception, the CVE Program has operated as a U.S. government-funded initiative, with oversight and management provided under contract," the press release reads. "While this structure has supported the program's growth, it has also raised longstanding concerns among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor."

The organization's website, thecvefoundation.org, is less than a day old and currently hosts no content. The announcement said the foundation would release more information about its structure and transition planning in the coming days.

Probably the last CVE indexed before it goes dark should be CVE-2025-DOGE (critical, local privilege escalation vulnerability that leads to malicious code execution and data exfiltration).

It's worth asking again who would benefit from taking CVE offline? Surely not the United States government, nor its private companies. Not its allies (such as they are now) in Europe. But it almost certainly would help our adversaries, like China and Russia, because confusion and uncertainty works to their advantage always.

Wow. The tech and NASDAQ giant NVIDIA's shares have tanked in after hours trading, down 7 percent right now. Might have something to do with this disclosure:

"On April 9, 2025, the U.S. government, or USG, informed NVIDIA Corporation, or the Company, that the USG requires a license for export to China (including Hong Kong and Macau) and D:5 countries, or to companies headquartered or with an ultimate parent therein, of the Company's H20 integrated circuits and any other circuits achieving the H20's memory bandwidth, interconnect bandwidth, or combination thereof. The USG indicated that the license requirement addresses the risk that the covered products may be used in, or diverted to, a supercomputer in China. On April 14, 2025, the USG informed the Company that the license requirement will be in effect for the indefinite future.

The Company's first quarter of fiscal year 2026 ends on April 27, 2025. First quarter results are expected to include up to approximately $5.5 billion of charges associated with H20 products for inventory, purchase commitments, and related reserves."

Expect an extra wild ride on Wall Street when the bell rings tomorrow.

Finally put together a proper story on this funding debacle for MITRE's CVE program.

"A critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program -- which is traditionally funded each year by the Department of Homeland Security -- expires on April 16."

https://krebsonsecurity.com/2025/04/funding-expires-for-key-cyber-vulnerability-database/

Pretty cool explainer on why MITRE's CVE is so central to the the process of how a vulnerability disclosure becomes official, and widely recognized. From James Berthoty on LinkedIn @jamesberthoty

@GossiTheDog See my updates. CVEs will still be issued to CNAs (via API, as long as that's running), but the more manual stuff they do (i.e. issuing cves to non-CNAs) may suffer in the time being.

Must-read report from NPR, showing once again that DOGE is a massive threat to the cyber/national security of the United States:

"In the first days of March, a team of advisers from President Trump's new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.

The DOGE employees, who are effectively led by White House adviser and billionaire tech CEO Elon Musk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new administration's policies and to cut costs and maximize efficiency."

"But according to an official whistleblower disclosure shared with Congress and other federal overseers that was obtained by NPR, subsequent interviews with the whistleblower and records of internal communications, technical staff members were alarmed about what DOGE engineers did when they were granted access, particularly when those staffers noticed a spike in data leaving the agency. It's possible that the data included sensitive information on unions, ongoing legal cases and corporate secrets — data that four labor law experts tell NPR should almost never leave the NLRB and that has nothing to do with making the government more efficient or cutting spending."

"Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do."

"The employees grew concerned that the NLRB's confidential data could be exposed, particularly after they started detecting suspicious log-in attempts from an IP address in Russia, according to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information. The whistleblower believes that the suspicious activity warrants further investigation by agencies with more resources, like the Cybersecurity and Infrastructure Security Agency or the FBI."

https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security