Agency:
"Social Security initially denied Borges’s allegations and said the data referenced in his complaint is stored in a secure environment walled-off from the internet."
Ah walled of the internet, so no one can get there and copy the data to a flashdrive. Move on, move on!
Unfortunately it seems quite believable. This is the same outfit that fired a bunch of people responsible for overseeing the US Nuclear Arsenal. [0] The combination of arrogance and stupidity was breathtaking.
If I recall, that was exactly what happened early on in DOGE's tenure. Senior personnel were explicitly directed to grant admin access to DOGE personnel, and auditing/logging were disabled. This was widely reported at the time. I don't remember whether there were threats of termination, but it would not surprise me.
Contemporaneous reporting was that DOGE people demanded root-level access across multiple systems (disallowed by federal policy, so political appointees had to demand the access) and without background checks or onboarding, after which they extracted protected data and shoved it in some S3 buckets. Just blew a hole right through the entire federal data protection model; you can't plan for "the President orders everyone to ignore all privacy and security controls" as a threat model.
While it's hard to overestimate the clownishness of this administration, I'd want to see the original wording of this denial before concluding that they said something that stupid, versus the author of this article paraphrasing it in a stupid manner. I'm not sure if this is what they're referring to, but the only response from the SSA that I found with a brief search doesn't say anything so foolish: https://dailycaller.com/2025/09/02/social-security-administr...
Nothing nerve wrecking like that but come on. They claim "the information could not have been stolen because the security practices" but "evidence has been published online, is now available to anyone and therefore it is dangerous" is a clown situation. It doesn't matter how it happened, it happened. Them trying to dispute the method is a clown camp.
The agency's statement says that PII is secure but that the complaint included internal emails and documents with info about the agency's systems and employees. That's not contradictory.
I suspect the whistleblower is correct, but I don't think it's proven to the point where we can confidently state that "it happened." SSA isn't trying to dispute the method, they're trying to dispute the fundamental claim.
Can any of the administration's defenders explain to me how this is actually a good thing and not the exact thing people were warning about a year ago?
> “Never believe that anti-Semites are completely unaware of the absurdity of their replies. They know that their remarks are frivolous, open to challenge. But they are amusing themselves, for it is their adversary who is obliged to use words responsibly, since he believes in words. The anti-Semites have the right to play. They even like to play with discourse for, by giving ridiculous reasons, they discredit the seriousness of their interlocutors. They delight in acting in bad faith, since they seek not to persuade by sound argument but to intimidate and disconcert. If you press them too closely, they will abruptly fall silent, loftily indicating by some phrase that the time for argument is past.”
― Jean-Paul Sartre
No they cannot. They don't offer real arguments, they make pre-textual arguments and they bullshit. (bullshit in the formal Harry G. Frankfurt sense of the word.) If an argument they make suits them, they will stand by that argument. If an argument ends up not suiting them, they will readily discard and fabricate a different justification.
So many years of dealing with this administration, and people are still attempting to point our hypocrisy and hold people to standards with regard to principle, past statements, character, etc. None of it will work here.
I agree. I'm not trying to point out the hypocrisy, it is obvious to anyone watching. I am more interested in testing the limits of how people will justify actions to themselves and others. It is fascinating to see the twisting happen in real time.
"Musk says he'll fix the corrupt Democrat-run government and reduce two trillion in spending and given his track record I have no reason not to believe him."
Real quote from a friend when this whole thing was going down.
Omelettes, a few eggs, or something. And actually, breaking eggs is a good thing. This is a nation built on egg-breaking.
It's hardly the first time that side effects have been ignored in the pursuit of a goal (in this administration, yes, but let alone in any previous administration, or any previous governing body at all). In due time, this one will fall out of your mental stack, too.
Damn, hoss, I wish this shit would just fall out of my stack.
Instead, I have a steady and ever-growing list of real and vicious shit that the US has done, going back to its formation.
You can pretend that everyone is just outraged because of some flavor of the month. You can pretend you're okay with breaking eggs because you don't think they are your eggs.
But at the end of the day some of us really don't like this stuff because we pay attention and have a memory- if you don't, then that's something you should work on.
There are two stories here. One is the alleged wrongdoing. The second is the fact that the Washington Post has a name of a former DOGE employee. I'm far more interested in the second story than the first.
Asking for a list of all DOGE employees is different than asking for the name of the single accused employee. It wouldn't make any sense for the media to publish a list of every DOGE employee in the context of this story.
I feel like when I was a twenty- something I would have been at risk of exfiltrating data like this not for any specific nefarious purpose or money-making scheme but just out of data hoarding.
Anymore I have zero desire to keep any copy of work code or other data on any personal device. Nope, never gonna need it, don't want it, just a potential legal headache with no upside.
But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself. It'd make me feel special, having information no one else had.
It may not have been your intent, but this comment seems to downplay the crime here. It's a crime to take the data even if he wasn't shopping it around as alleged. and the fact that he was 'young and stupid' makes the circumstances of how this happened much more important for an investigation by the IG (ie why was an immature person given so much power?)
I think it’s a great reaction to news stories to imagine how you could have made the same bad decisions. Furthermore this public confession of being able to imagine making bad decisions might encourage a similarly minded to 20-something to wonder why an older version of themself is so afraid of even having such a dataset. It might even prompt someone to destroy some long forgotten cache of data they exfiltrated a long time ago.
I don’t think there’s a risk that it will influence a rare person in power to enforce the rules to go lighter. I just think it encourages people to be less reckless with hoarding data who might otherwise put themselves in danger.
> zero desire to keep any copy of work code or other data on any personal device
Same. I won't even have Teams or Authenticator on my phone unlike most others here (though wrt Teams, that is at least as much about not wanting work to bother me as it is about the danger of data seepage). I need the authenticator to do the job, but I have an old factory-reset phone that has that (and, just in case, Teams) on it.
> But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself.
I'm pretty sure I never would have done. I've always resisted knowing credentials and personal information that aren't mine (so if anything untoward happens with/using that information there is no way it can be my fault/doing, as well as the less selfish reasons) despite people falling over themselves to do things like tell me their passwords & such when they were wanting some for of tech support.
But I think there is a different attitude to data risk in that age group today. They've grown up in a world where very little is really private, and every app and its dog has wanted their contact details and other information (and all too often information about their friends & family), do the idea that data is a free-for-all is dangerously normalised in their heads.
I find older people are similarly very lax with their own data, in fact often being rather too trusting of others generally, but not so much with other peoples. There are a lot more people who are appropriately careful (or even paranoid) in their 30s/40s/50s (I'm late 40s myself) - I think we are lucky to be in the middle, being exposed to information dangers enough to not have that “naivety or age” and not desensitised by having lax information security pushed at us from an early age.
I don't think I would have offered to sell it or accepted an offer to buy it, but I think I could have easily been talked into sharing it, in a "I think my boss is a cool guy and I want him to like me and/or impress him" situation.
I'm not doing anything wrong! It's not like I'm selling it! I'm just showing off the cool data no one else has! I'm saving the day, probably, by letting us solve a problem with my cool data that would be impossible otherwise.
Eh, over time I've come to believe having systems that manage insider risk is more important than expecting to be perfect in hiring.
Like, any system will fail if too many of its members don't care about maintaining it, but you're going to hire the wrong person from time to time.
It's important to design your systems to minimize access, both in terms of not allowing everyone access to everything and to only allow people as much access as then need to do their jobs, to require multiple people to sign off on temporary access grants, to create audit trails and to actually audit them and have consequences for violating the rules.
(Which, in this case, DOGE purposefully dismantled.)
It doesn't just protect the data from nefarious villains, it also protects young idiots from themselves, who don't realize you can cause harm just by being curious.
Sure, I'm not proposing that we shouldn't have systems to mitigate insider risk.
I'm proposing that we both have systems to mitigate insider risk and we try to avoid hiring ideologically motivated and ethically compromised goobers to highly sensitive government jobs.
And I'm proposing that we don't write this off as, "welp he's a kid!"
I don't think you deserve downvotes; I think it's totally plausible that some people would steal this data just to feel special.
But:
1) That's why we have traditionally had the safeguards that we have had, to protect against this sort of crime, and
2) The allegation in this case is that he later approached coworkers to do something with this data, even if they ultimately didn't help him do it. So it doesn't appear to be hoarding just for the sake of it here.
A broken logic. Of course the people who you would have stolen the data from, had it. A question pops up, though... what's in your possession you should not be in the possession of.
In the DOGE case, they specifically broke all the controls that existed to manage insider risk and keep people from making copies like this, but (especially 20-30 years ago) I've been on plenty of networks that just had no concept of insider risk and everything was just open for anyone to access (or protected by shared passwords everyone knew).
I don't know about this person specifically, but the news from when DOGE was active was full of "employee of department fired for trying to prevent DOGE employees from directly accessing system no one is allowed to directly access".
Paul Graham and Garry Tan were both big cheerleaders of DOGE, so, keep that in mind.
A shocking number of the biggest stories about DOGE over the past year were flagged here, probably including the stories about goons physically removing people.
Posts questioning this suppression/censorship were flagged.
Some people like to argue that since any story about Musk becomes toxic - for some reason - it 'makes sense' to flag every story about anything to with him. You know, like Israel, or US torture, or Assange, or Snowden, or Epstein, etc.
For we are but naive children here in the tech industry, and must have a safe space to discuss PCB specs and the meaning of 42 without too much 'current affairs', lest the site 'lose its focus'.
It's not like almost the entire top of the industry is neck-deep in collaboration with all this or anything, right?
... Anyway, if people here don't know much about DOGE, the massive flagging that's gone on here is probably a big factor as to why.
In principle, flagrant abuse of the pardon power is blocked by Congress's ability to impeach and remove a President who engages in such abuse.
In practice, that has always been an ineffective threat against Presidents who are within days of leaving office anyway. And more importantly, the framers of the Constitution seemed to have entirely failed to imagine a party like today's Republicans who value strict personal loyalty to the President over every other principle of government.
I mean enforcing the laws on the books would be a good start. Corruption quickly breeds more and more corruption if it isn't rooted out and punished. Everyone who isn't corrupt starts losing and the benefits of not being corrupt evaporate
This comes on the heels of the AHA and other parties in the suit against the government posting the video depositions of some of the DOGE people to youtube [1], which are fascinating to watch.
Justin Fox not being able to say what DEI is really tells you everything you need to know about how grants were cancelled.
What kind of job would you realistically take this data to? What company would even so much as look at data procured in this manor. I can think of one that's evil enough and probably have the protection of the US government, but it's not like they could acquire the data directly, if it was necessary.
If I had to make a wild guess, xAI. The article states they took a job at a government contractor.
It’s interesting (horrifying) to think of the implications actually. People wouldn’t buy this data directly, it’s too obviously illegally procured. But laundered through an LLM to provide “insights” without citation? That’s plausible deniability.
My understanding is stats canada gets offered a lot of money for this data after being anonymized. A lot of employers might not ask questions if someone had really good data they could use to help market their product. Especially politically aligned think tanks
Maybe not under the current administration, but that's the kind of risk that could kill your company, if you got caught. It might be why I'm not rich, but that seems like a massively irresponsible risk to take.
I disagree - it's 100% a factor of how much money you have to pay in legal fees.
Zuck would be happy to take that data, and because he's worth a cool $350 billion, he'll do whatever the fuck he wants with that data, and we'll thank him by cutting his taxes.
If this goes within the Ad Tech industry and knowing how Ad tech industry is, I don't feel quite surprised if we might see foreign adversarial nation buying the Social Security data from Ad tech/ (this Doge person in general either directly or through multiple layers) even in secretive manner at this point.
Either way this data is definitely going to spread behind closed doors.
Cool. Investigate it. If they really did take data off a government system without permission, charge them with the most serious thing you can find in a district where they're likely to be convicted. Then send them to prison to delete years or decades off their lives.
See if Musk was in any way involved, or acted with such reckless disregard for known security standards that he could be civilly or criminally liable. Do the same as above for him.
The only way this stops is if consequences are introduced.
That doesn't mean don't file them. Don't allow evil deeds to be done merely by threat - force immoral people to take the immoral action in public if they want to behave that way.
Unfortunately, consequences have been largely absent for anyone in this administration since the last time they were in power. That's part of why this round they've been flaunting it so egregiously.
I've always wondered what the endgame of that farce was. Cost-cutting was clearly always a pretense and a bad one at that. There's made up claims about 300 year olds getting Social Security but I think this only proves that the SSA database was an explicit goal and that was cover.
But why? The only conclusion I can come to is "stealing elections". I'll include this partial list I made of Republican voter suppression efforts going back decades [1].
I believe out there someone is collecting all this data into an AI model to predict how people will vote, something that Cambridge Analytica was a toy version of. But it goes beyond how people will vote but whether they will vote. Likewise, data will be constructed to strike off people from voter rolls if the system believes they won't vote how you want. We've seen efforts like this where similar-sounding names of felons in other states are used to strike off people from voter rolls. And that's a real problem because people might not know they're no longer registered to vote and in some states you have to register 30 or more days before the election.
There is essentially infinite money available to fund Republicans stealing elections because it results in public funding cuts to give even more tax breaks to billionaires.
You can't directly use the SSA databsae obviously so any effort must be small enough to not draw attention, involve part or all of the computing done overseas to avoid legal scrutiny and/or "washing" that data through data provider services. I would bet if you started exhaustively looking at various companies in or adjacent to these spaces, you'd find some pretty dodgy stuff.
Americans are about to find out why data protection laws exist in the EU, and why even the government has to follow it.
Nobody should have permission to query 70M Americans, it's a huge security flaw for the average citizen. But Pentagon has been doing this for a while a la Snowden, and the average american doesn't seem to be worried. With Snowden becoming a menace rather than a hero.
Once private government data from Americans starts being heavily used to mess up elections, or even worse, persecute people with a different opinion than the ruling party...
Americans will finally wake up that GDPR doesn't stiffle innovation, but rather protect its citizens from an evil actors.
But it may be too late, like when NSDAP started chasing jews and migrants. There was nothing they could do other than to flee to survive.
I knew it. I was saying from the instant they started we'd have a scandal like this. Bunch of tech bros walking into the government with personal MBPs and administrative authority to demand data from anyone and everyone was a privacy crisis happening in real time.
Yet here on HN, what have we been arguing about? Big tech. Google and Meta have been allowed to become boogeymen in this community out of all proportion to the actual threat they posed[1].
While the actual boogeyman stealing our data to exploit in the market? It was us.
[1] I mean, lets be honest, while everyone has abstract complaints the truth is that they've actually been remarkably benign stewards of our data over the past 20 years. Much, much, MUCH more responsible than the glibertarian dude in the cubicle next to you, as it turns out.
Yep, and we're only hearing about this because in this case there was a whistleblower. Call me cynical but I'm sure that there is plenty of data DOGE workers exfiltrated from SSA and other places that we'll never directly know about.
Ex-employee alleges data copied to a flashdrive.
Agency: "Social Security initially denied Borges’s allegations and said the data referenced in his complaint is stored in a secure environment walled-off from the internet."
Ah walled of the internet, so no one can get there and copy the data to a flashdrive. Move on, move on!
You can't make that up.
> You can't make that up.
Unfortunately it seems quite believable. This is the same outfit that fired a bunch of people responsible for overseeing the US Nuclear Arsenal. [0] The combination of arrogance and stupidity was breathtaking.
[0] https://thebulletin.org/2025/04/doges-staff-firing-fiasco-at...
The only way someone could get that data is if they demanded physical access and fired anyone who stood in the way. An impossible task if you ask me!
If I recall, that was exactly what happened early on in DOGE's tenure. Senior personnel were explicitly directed to grant admin access to DOGE personnel, and auditing/logging were disabled. This was widely reported at the time. I don't remember whether there were threats of termination, but it would not surprise me.
Yes, that's the joke
Sorry. I started switching off of coffee this week...
> secure environment
> copied to a flashdrive
Both of these cannot be true. A secure environment does not allow trivial data exfiltration over USB.
Contemporaneous reporting was that DOGE people demanded root-level access across multiple systems (disallowed by federal policy, so political appointees had to demand the access) and without background checks or onboarding, after which they extracted protected data and shoved it in some S3 buckets. Just blew a hole right through the entire federal data protection model; you can't plan for "the President orders everyone to ignore all privacy and security controls" as a threat model.
Maybe it wasn't trivial?
I mean technically a flash drive could be "a secure environment walled-off from the internet"
An intranet could be a secure environment walled off from the internet
Technically they could claim it’s a backup
An unplanned, decentralized, public backup?
While it's hard to overestimate the clownishness of this administration, I'd want to see the original wording of this denial before concluding that they said something that stupid, versus the author of this article paraphrasing it in a stupid manner. I'm not sure if this is what they're referring to, but the only response from the SSA that I found with a brief search doesn't say anything so foolish: https://dailycaller.com/2025/09/02/social-security-administr...
Nothing nerve wrecking like that but come on. They claim "the information could not have been stolen because the security practices" but "evidence has been published online, is now available to anyone and therefore it is dangerous" is a clown situation. It doesn't matter how it happened, it happened. Them trying to dispute the method is a clown camp.
The agency's statement says that PII is secure but that the complaint included internal emails and documents with info about the agency's systems and employees. That's not contradictory.
I suspect the whistleblower is correct, but I don't think it's proven to the point where we can confidently state that "it happened." SSA isn't trying to dispute the method, they're trying to dispute the fundamental claim.
It might be worth waiting for the outcome of the investigation before trying to dispute anything in public statements.
Kristi Noem doesn't operate like that either. It's a pattern.
Can any of the administration's defenders explain to me how this is actually a good thing and not the exact thing people were warning about a year ago?
> “Never believe that anti-Semites are completely unaware of the absurdity of their replies. They know that their remarks are frivolous, open to challenge. But they are amusing themselves, for it is their adversary who is obliged to use words responsibly, since he believes in words. The anti-Semites have the right to play. They even like to play with discourse for, by giving ridiculous reasons, they discredit the seriousness of their interlocutors. They delight in acting in bad faith, since they seek not to persuade by sound argument but to intimidate and disconcert. If you press them too closely, they will abruptly fall silent, loftily indicating by some phrase that the time for argument is past.” ― Jean-Paul Sartre
Why would someone have to defend their overall support an entire administration weighed against the act of one person’s actions?
Is that the standard you held during other administrations? Or do you find it just politically convenient now?
No they cannot. They don't offer real arguments, they make pre-textual arguments and they bullshit. (bullshit in the formal Harry G. Frankfurt sense of the word.) If an argument they make suits them, they will stand by that argument. If an argument ends up not suiting them, they will readily discard and fabricate a different justification.
So many years of dealing with this administration, and people are still attempting to point our hypocrisy and hold people to standards with regard to principle, past statements, character, etc. None of it will work here.
I agree. I'm not trying to point out the hypocrisy, it is obvious to anyone watching. I am more interested in testing the limits of how people will justify actions to themselves and others. It is fascinating to see the twisting happen in real time.
"Musk says he'll fix the corrupt Democrat-run government and reduce two trillion in spending and given his track record I have no reason not to believe him."
Real quote from a friend when this whole thing was going down.
Your friend is a prick
Given his track record, spending should be at four trillion now, right?
You interested in some exquisite cope?
Omelettes, a few eggs, or something. And actually, breaking eggs is a good thing. This is a nation built on egg-breaking.
It's hardly the first time that side effects have been ignored in the pursuit of a goal (in this administration, yes, but let alone in any previous administration, or any previous governing body at all). In due time, this one will fall out of your mental stack, too.
> In due time, this one will fall out of your mental stack, too.
I bet you said the same thing a year ago when people were warning about exactly this scenario.
If so then they were right, everybody promptly forgot from then on until just now.
>> In due time, this one will fall out of your mental stack, too.
Unless you get stack overflow first!
Damn, hoss, I wish this shit would just fall out of my stack.
Instead, I have a steady and ever-growing list of real and vicious shit that the US has done, going back to its formation.
You can pretend that everyone is just outraged because of some flavor of the month. You can pretend you're okay with breaking eggs because you don't think they are your eggs.
But at the end of the day some of us really don't like this stuff because we pay attention and have a memory- if you don't, then that's something you should work on.
Gotta break a few eggs to, uh, make things worse with no definable purpose.
> The Post is not naming the former DOGE member or company because it has not independently confirmed the accusations in the complaint.
Why not? Shouldn't the public be allowed to learn who all the DOGE employees were? Federal employees are public record, are they not?
They're not naming them because they haven't been able to confirm the wrongdoing, not because they can't publish the names of DOGE employees.
The public is...unintelligent, and generally incapable of differentiating between an accusation and a conviction.
There are two stories here. One is the alleged wrongdoing. The second is the fact that the Washington Post has a name of a former DOGE employee. I'm far more interested in the second story than the first.
Asking for a list of all DOGE employees is different than asking for the name of the single accused employee. It wouldn't make any sense for the media to publish a list of every DOGE employee in the context of this story.
https://en.wikipedia.org/wiki/Network_of_the_Department_of_G...
Oh wow! I hadn't seen that. That's really great! All of them should be listed there, and should have been public all along.
I feel like when I was a twenty- something I would have been at risk of exfiltrating data like this not for any specific nefarious purpose or money-making scheme but just out of data hoarding.
Anymore I have zero desire to keep any copy of work code or other data on any personal device. Nope, never gonna need it, don't want it, just a potential legal headache with no upside.
But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself. It'd make me feel special, having information no one else had.
It may not have been your intent, but this comment seems to downplay the crime here. It's a crime to take the data even if he wasn't shopping it around as alleged. and the fact that he was 'young and stupid' makes the circumstances of how this happened much more important for an investigation by the IG (ie why was an immature person given so much power?)
I think it’s a great reaction to news stories to imagine how you could have made the same bad decisions. Furthermore this public confession of being able to imagine making bad decisions might encourage a similarly minded to 20-something to wonder why an older version of themself is so afraid of even having such a dataset. It might even prompt someone to destroy some long forgotten cache of data they exfiltrated a long time ago.
I don’t think there’s a risk that it will influence a rare person in power to enforce the rules to go lighter. I just think it encourages people to be less reckless with hoarding data who might otherwise put themselves in danger.
yeah. ignorantia juris non excusat applies to both the speed limit and passive data theft
So like Harold T. Martin who took 50 terabytes of data from the NSA because he was a data hoarder and was sentenced to nine years in prison?
https://en.wikipedia.org/wiki/Harold_T._Martin
> "Martin reportedly stole the information simply by walking out of his various secure workplaces with it in his possession"
"secure" eh?
> zero desire to keep any copy of work code or other data on any personal device
Same. I won't even have Teams or Authenticator on my phone unlike most others here (though wrt Teams, that is at least as much about not wanting work to bother me as it is about the danger of data seepage). I need the authenticator to do the job, but I have an old factory-reset phone that has that (and, just in case, Teams) on it.
> But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself.
I'm pretty sure I never would have done. I've always resisted knowing credentials and personal information that aren't mine (so if anything untoward happens with/using that information there is no way it can be my fault/doing, as well as the less selfish reasons) despite people falling over themselves to do things like tell me their passwords & such when they were wanting some for of tech support.
But I think there is a different attitude to data risk in that age group today. They've grown up in a world where very little is really private, and every app and its dog has wanted their contact details and other information (and all too often information about their friends & family), do the idea that data is a free-for-all is dangerously normalised in their heads.
I find older people are similarly very lax with their own data, in fact often being rather too trusting of others generally, but not so much with other peoples. There are a lot more people who are appropriately careful (or even paranoid) in their 30s/40s/50s (I'm late 40s myself) - I think we are lucky to be in the middle, being exposed to information dangers enough to not have that “naivety or age” and not desensitised by having lax information security pushed at us from an early age.
Even in your twenties would you have then taken that data and attempted to share it with a future employee?
I don't think I would have offered to sell it or accepted an offer to buy it, but I think I could have easily been talked into sharing it, in a "I think my boss is a cool guy and I want him to like me and/or impress him" situation.
I'm not doing anything wrong! It's not like I'm selling it! I'm just showing off the cool data no one else has! I'm saving the day, probably, by letting us solve a problem with my cool data that would be impossible otherwise.
This is why we normally have hiring standards for USG.
I had access to insane amounts of highly sensitive data as an early 20-y/o and never once felt inclined to share it or brag about it with anyone.
Hiring processes around these roles should distinguish between past-me and past-you.
Eh, over time I've come to believe having systems that manage insider risk is more important than expecting to be perfect in hiring.
Like, any system will fail if too many of its members don't care about maintaining it, but you're going to hire the wrong person from time to time.
It's important to design your systems to minimize access, both in terms of not allowing everyone access to everything and to only allow people as much access as then need to do their jobs, to require multiple people to sign off on temporary access grants, to create audit trails and to actually audit them and have consequences for violating the rules.
(Which, in this case, DOGE purposefully dismantled.)
It doesn't just protect the data from nefarious villains, it also protects young idiots from themselves, who don't realize you can cause harm just by being curious.
Hum... The buck still has to end at some point. Somebody will have the power to override process or access things directly.
At DOGE, those somebodies were a bunch of red-piled barely adults that worshiped Musk.
Sure, I'm not proposing that we shouldn't have systems to mitigate insider risk.
I'm proposing that we both have systems to mitigate insider risk and we try to avoid hiring ideologically motivated and ethically compromised goobers to highly sensitive government jobs.
And I'm proposing that we don't write this off as, "welp he's a kid!"
Wow you’re dumb as hell
Personally, I like to think I just was dumb as hell, and now am only kind of stupid.
I don't think you deserve downvotes; I think it's totally plausible that some people would steal this data just to feel special.
But:
1) That's why we have traditionally had the safeguards that we have had, to protect against this sort of crime, and
2) The allegation in this case is that he later approached coworkers to do something with this data, even if they ultimately didn't help him do it. So it doesn't appear to be hoarding just for the sake of it here.
> having information no one else had
A broken logic. Of course the people who you would have stolen the data from, had it. A question pops up, though... what's in your possession you should not be in the possession of.
I'm pretty sure you can adjust the logic from "no one else" to "very very very few" and the logic just works the same...
Yeah, I'm pretty sure.
How would you get it in the first place?
I mean, insider risk is insider risk.
In the DOGE case, they specifically broke all the controls that existed to manage insider risk and keep people from making copies like this, but (especially 20-30 years ago) I've been on plenty of networks that just had no concept of insider risk and everything was just open for anyone to access (or protected by shared passwords everyone knew).
> they specifically broke all the controls
Is there a reference or citation for this? I didn't see in the article.
I don't know about this person specifically, but the news from when DOGE was active was full of "employee of department fired for trying to prevent DOGE employees from directly accessing system no one is allowed to directly access".
And further, I would absolutely leverage it to get myself a job.
Oh, wait. No I would never have done that. That's just insane.
The US has laws to handle stuff like this. The real problem is that the pardon power is completely broken and it needs to be removed.
Who are you to quote laws to those carrying swords?
The pen is mightier than the sword if the sword is very short, and the pen is very sharp.
- Terry Pratchett
Don't know why this is getting downvoted, it's well known that DOGE had goons to forcibly remove people that stood in their way.
> Don't know why this is getting downvoted
Paul Graham and Garry Tan were both big cheerleaders of DOGE, so, keep that in mind.
A shocking number of the biggest stories about DOGE over the past year were flagged here, probably including the stories about goons physically removing people.
Posts questioning this suppression/censorship were flagged.
Some people like to argue that since any story about Musk becomes toxic - for some reason - it 'makes sense' to flag every story about anything to with him. You know, like Israel, or US torture, or Assange, or Snowden, or Epstein, etc.
For we are but naive children here in the tech industry, and must have a safe space to discuss PCB specs and the meaning of 42 without too much 'current affairs', lest the site 'lose its focus'.
It's not like almost the entire top of the industry is neck-deep in collaboration with all this or anything, right?
... Anyway, if people here don't know much about DOGE, the massive flagging that's gone on here is probably a big factor as to why.
In principle, flagrant abuse of the pardon power is blocked by Congress's ability to impeach and remove a President who engages in such abuse.
In practice, that has always been an ineffective threat against Presidents who are within days of leaving office anyway. And more importantly, the framers of the Constitution seemed to have entirely failed to imagine a party like today's Republicans who value strict personal loyalty to the President over every other principle of government.
I mean enforcing the laws on the books would be a good start. Corruption quickly breeds more and more corruption if it isn't rooted out and punished. Everyone who isn't corrupt starts losing and the benefits of not being corrupt evaporate
This comes on the heels of the AHA and other parties in the suit against the government posting the video depositions of some of the DOGE people to youtube [1], which are fascinating to watch.
Justin Fox not being able to say what DEI is really tells you everything you need to know about how grants were cancelled.
[1] https://www.youtube.com/@historiansorg
Also: https://news.ycombinator.com/item?id=47327367#47327394
And: https://archive.is/Mw5bh
https://ghostarchive.org/archive/F9qjY
Fraud as governance. Cool.
What kind of job would you realistically take this data to? What company would even so much as look at data procured in this manor. I can think of one that's evil enough and probably have the protection of the US government, but it's not like they could acquire the data directly, if it was necessary.
If I had to make a wild guess, xAI. The article states they took a job at a government contractor.
It’s interesting (horrifying) to think of the implications actually. People wouldn’t buy this data directly, it’s too obviously illegally procured. But laundered through an LLM to provide “insights” without citation? That’s plausible deniability.
Also meta or any other data broker.
In addition to all the other answers here, foreign governments would fall over themselves to get this kind of data.
My understanding is stats canada gets offered a lot of money for this data after being anonymized. A lot of employers might not ask questions if someone had really good data they could use to help market their product. Especially politically aligned think tanks
Maybe not under the current administration, but that's the kind of risk that could kill your company, if you got caught. It might be why I'm not rich, but that seems like a massively irresponsible risk to take.
Ad Tech, I would bet its ad tech.
Nobody in Ad Tech is going to risk jailtime for a slightly higher CPM.
I think you are more correct than you realize
I disagree - it's 100% a factor of how much money you have to pay in legal fees.
Zuck would be happy to take that data, and because he's worth a cool $350 billion, he'll do whatever the fuck he wants with that data, and we'll thank him by cutting his taxes.
You think Donald Trump would put him in jail?
If this goes within the Ad Tech industry and knowing how Ad tech industry is, I don't feel quite surprised if we might see foreign adversarial nation buying the Social Security data from Ad tech/ (this Doge person in general either directly or through multiple layers) even in secretive manner at this point.
Either way this data is definitely going to spread behind closed doors.
archive: https://ghostarchive.org/archive/F9qjY
Cool. Investigate it. If they really did take data off a government system without permission, charge them with the most serious thing you can find in a district where they're likely to be convicted. Then send them to prison to delete years or decades off their lives.
See if Musk was in any way involved, or acted with such reckless disregard for known security standards that he could be civilly or criminally liable. Do the same as above for him.
The only way this stops is if consequences are introduced.
Federal charging will be countermanded from the top, or pardoned. Got to wait at least four years.
That doesn't mean don't file them. Don't allow evil deeds to be done merely by threat - force immoral people to take the immoral action in public if they want to behave that way.
Unfortunately, consequences have been largely absent for anyone in this administration since the last time they were in power. That's part of why this round they've been flaunting it so egregiously.
explain to me the incentives for the trump administration to do a complete 180 of crimes? why would they stop now?
Distract from crimes of those currently in favor?
It would be lovely if they did that. I very much doubt it will happen in this administration, if at all
This is probably a good time to mention that they court-martialed Chelsea Manning for exfiltrating Army documents.
I have a sinking suspicion this engineer won't see the inside of a jail cell.
I will say, the Department of Government Efficiency sure has made information thieves and grifters very efficient. Mission accomplished?
Let's see how many minutes this stays on the front page before getting removed.
You dont say
Previously: https://news.ycombinator.com/item?id=47327367
I've always wondered what the endgame of that farce was. Cost-cutting was clearly always a pretense and a bad one at that. There's made up claims about 300 year olds getting Social Security but I think this only proves that the SSA database was an explicit goal and that was cover.
But why? The only conclusion I can come to is "stealing elections". I'll include this partial list I made of Republican voter suppression efforts going back decades [1].
I believe out there someone is collecting all this data into an AI model to predict how people will vote, something that Cambridge Analytica was a toy version of. But it goes beyond how people will vote but whether they will vote. Likewise, data will be constructed to strike off people from voter rolls if the system believes they won't vote how you want. We've seen efforts like this where similar-sounding names of felons in other states are used to strike off people from voter rolls. And that's a real problem because people might not know they're no longer registered to vote and in some states you have to register 30 or more days before the election.
There is essentially infinite money available to fund Republicans stealing elections because it results in public funding cuts to give even more tax breaks to billionaires.
You can't directly use the SSA databsae obviously so any effort must be small enough to not draw attention, involve part or all of the computing done overseas to avoid legal scrutiny and/or "washing" that data through data provider services. I would bet if you started exhaustively looking at various companies in or adjacent to these spaces, you'd find some pretty dodgy stuff.
[1]: https://news.ycombinator.com/item?id=47053453
I think a lot of these people are literally dumb. Or so naive or Twitter-brained that they're effectively dumb.
https://www.onthewing.org/user/Bonhoeffer%20-%20Theory%20of%...
Society can only support so many sociopaths (~ 1 in 5) before it starts to collapse. We may have reached the tipping point.
Americans are about to find out why data protection laws exist in the EU, and why even the government has to follow it.
Nobody should have permission to query 70M Americans, it's a huge security flaw for the average citizen. But Pentagon has been doing this for a while a la Snowden, and the average american doesn't seem to be worried. With Snowden becoming a menace rather than a hero.
Once private government data from Americans starts being heavily used to mess up elections, or even worse, persecute people with a different opinion than the ruling party...
Americans will finally wake up that GDPR doesn't stiffle innovation, but rather protect its citizens from an evil actors.
But it may be too late, like when NSDAP started chasing jews and migrants. There was nothing they could do other than to flee to survive.
Unlikely. Also it doesn't work well where it needed in the EU.
I knew it. I was saying from the instant they started we'd have a scandal like this. Bunch of tech bros walking into the government with personal MBPs and administrative authority to demand data from anyone and everyone was a privacy crisis happening in real time.
Yet here on HN, what have we been arguing about? Big tech. Google and Meta have been allowed to become boogeymen in this community out of all proportion to the actual threat they posed[1].
While the actual boogeyman stealing our data to exploit in the market? It was us.
[1] I mean, lets be honest, while everyone has abstract complaints the truth is that they've actually been remarkably benign stewards of our data over the past 20 years. Much, much, MUCH more responsible than the glibertarian dude in the cubicle next to you, as it turns out.
Yep, and we're only hearing about this because in this case there was a whistleblower. Call me cynical but I'm sure that there is plenty of data DOGE workers exfiltrated from SSA and other places that we'll never directly know about.
Heil Elon lol
It's probably safe to assume any non-classified information you provide to the government is for sale on the dark web.
Like the stolen-art market, I wonder if anyone with a large zip file of fake data could sell it as the "DOGE files" and make mucho crypto.
I mean, recently it's pretty safe to assume any classified information the government has is stored in a fucking bathroom and is for sale.