Just read of this on BSky.
Has some of the protected disclosure document from the whistleblower.
https://bsky.app/profile/mattjay.com/post/3ln2dgoksce2e
Looks like Elon's staff went in and made a copy of everything - which in this case NLRB, so sensitive stuff, but any state department going to have a ton of sensitive stuff - and sent it who knows where; this after disabling all logging and a ton of security, presumably to try to cover their tracks.
This is bad. These guys are looking like bad actors, with State-level authorization for access to everything.
Also looks like they're kids and don't have the hang of security, and the professional Russian State run APTs have hacked them.
> Also looks like they're kids and don't have the hang of security
According to the testimony they know enough to almost completely compromise an Azure tenant to the point that a foreign actor almost, ALMOST, could gain access with high privileges with a DOGE created username/password combination without being noticed because all monitoring was disabled.
The only thing which prevented that from happening was a luckily still enabled security policy restricting access to US IPs only (!) and flagging suspicious activity.
Believe me, you'll need to know a shit ton about how Azure security works to pull something like that off without leaving evidence. I've got quite some experience in making sure this kind of shit doesn't happen.
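The comment above hinges on monitoring having been switched off before anything else happened. The control a defender wants for that is a tamper alert: the act of deleting or rewriting log-export settings is itself a high-severity event, ideally shipped to a store the tenant admins cannot clear. The block below is an added example, not code from the thread or from Microsoft; it runs a simple detector over constructed Azure Activity Log style records. The two `Microsoft.Insights/diagnosticSettings/*` operation names are real resource-provider operations; the `Microsoft.OperationalInsights/workspaces/delete` name, the caller identities and every record are assumptions made up for illustration.

```python
"""Tamper detection over constructed Azure Activity Log records (added example).

Flags successful operations that remove or rewrite diagnostic (log export)
settings or delete a log workspace, and raises a burst alert when one caller
does several of them in a short window, which is what "disabling all
monitoring" looks like from the outside.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that reduce visibility. The Microsoft.Insights names are real
# resource-provider operations; the OperationalInsights name is assumed.
TAMPER_OPERATIONS = {
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostic settings deleted",
    "Microsoft.Insights/diagnosticSettings/write": "diagnostic settings rewritten",
    "Microsoft.OperationalInsights/workspaces/delete": "log workspace deleted",
}

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_LOG = """
{"time":"2025-04-01T02:10:00Z","caller":"admin-alpha@example.gov","operationName":"Microsoft.Compute/virtualMachines/read","status":"Succeeded"}
{"time":"2025-04-01T02:11:30Z","caller":"svc-newacct@example.gov","operationName":"Microsoft.Insights/diagnosticSettings/delete","status":"Succeeded"}
{"time":"2025-04-01T02:11:45Z","caller":"svc-newacct@example.gov","operationName":"Microsoft.Insights/diagnosticSettings/delete","status":"Succeeded"}
{"time":"2025-04-01T02:12:00Z","caller":"svc-newacct@example.gov","operationName":"Microsoft.OperationalInsights/workspaces/delete","status":"Succeeded"}
{"time":"2025-04-01T02:15:00Z","caller":"admin-alpha@example.gov","operationName":"Microsoft.Insights/diagnosticSettings/write","status":"Failed"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_tamper_events(records):
    """Return (time, caller, description) for each *successful* tamper operation.

    Failed attempts are still worth logging elsewhere, but the alert here is
    about visibility that was actually lost.
    """
    hits = []
    for rec in records:
        desc = TAMPER_OPERATIONS.get(rec.get("operationName"))
        if desc and rec.get("status") == "Succeeded":
            hits.append((rec["time"], rec["caller"], desc))
    return hits


def burst_alerts(records, threshold=2, window=timedelta(minutes=10)):
    """Map caller -> count of successful tamper ops when a caller performs at
    least `threshold` of them inside `window`. One deletion may be maintenance;
    several in minutes by the same principal is the pattern to page on.
    """
    by_caller = defaultdict(list)
    for time_str, caller, _ in find_tamper_events(records):
        by_caller[caller].append(datetime.fromisoformat(time_str.replace("Z", "+00:00")))
    alerts = {}
    for caller, times in by_caller.items():
        times.sort()
        # Sliding window: count the largest cluster of events within `window`.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[caller] = best
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in find_tamper_events(recs):
        print("TAMPER", *hit)
    print("BURST", burst_alerts(recs))
```

The point of the burst rule is that the detector must live somewhere the tenant's own admins cannot silence, for example a forwarding sink in a separate subscription or an external SIEM; a detector that reads from the workspace being deleted disappears with it.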
It's straightforward to make something insecure :-)
Making it secure is the hard part.
Yeah, but it's actually not that straightforward to successfully turn the security of a heavily hardened Azure tenant to dogshit unless you know your way around and know exactly how Azure security works and what to strip out of it.
That's my point.
Same applies to properly hardened AWS and GCP tenants as well.
So, what would happen if they used VPNs in USA?
I would have set a security policy which does not allow any kind of inbound admin related traffic from any unknown IP or device at all, including domestic IPs (and VPNs).
But that's just me, I don't know what the preferences of other dev(sec)ops engineers are.
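The policy described in the comment above (admin traffic only from known IPs *and* known devices, domestic addresses and VPNs included) differs from the geo-only rule that reportedly saved the tenant, and the difference matters for the VPN/proxy question raised in the thread: a country rule passes any sign-in that merely looks domestic, while a device-bound rule does not. The block below is an added example, not code from the thread or an Azure API; it models both policies as plain Python functions over constructed sign-in records. The role names match the Entra built-in roles, but the policy names, the `SignIn` fields, the trusted IP range (an RFC 5737 documentation block) and all sample events are assumptions made up for illustration.

```python
"""Geo-only versus device-bound admin sign-in policy (added example).

Models two Conditional-Access-style rules over constructed sign-in records to
show which sign-ins each one blocks. Neither function is an Azure API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed "named location": an RFC 5737 documentation range standing in for
# the organisation's admin jump-host egress addresses.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Built-in Entra directory roles treated as privileged here.
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset          # directory roles held by the account
    ip: str                   # source address as seen by the tenant
    country: str              # geo-IP lookup result for that address
    device_id: Optional[str]  # None means the device is not registered
    device_compliant: bool    # compliance as reported by device management


def from_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def geo_only_policy(s: SignIn) -> str:
    """The rule the thread says was still enabled: US source addresses only."""
    return "allow" if s.country == "US" else "block"


def device_bound_admin_policy(s: SignIn) -> str:
    """Admin-role sign-ins need a trusted network AND a registered, compliant
    device. Country is deliberately not consulted: a domestic proxy or VPN
    changes the geo-IP answer but not the device."""
    if not (s.roles & ADMIN_ROLES):
        return "allow"  # policy is scoped to privileged roles only
    if not from_trusted_network(s.ip):
        return "block"
    if s.device_id is None or not s.device_compliant:
        return "block"
    return "allow"


def evaluate(signins, policy):
    """Return {user: decision} for a policy over a batch of sign-ins."""
    return {s.user: policy(s) for s in signins}


# Constructed sample sign-ins (not real events).
SAMPLE_SIGNINS = [
    # Admin from the jump-host range on a managed device: the expected case.
    SignIn("admin-ok", frozenset({"Global Administrator"}),
           "203.0.113.10", "US", "dev-managed-01", True),
    # Admin from a domestic residential/VPN address on an unregistered device.
    SignIn("admin-domestic-proxy", frozenset({"Global Administrator"}),
           "198.51.100.7", "US", None, False),
    # Admin from a foreign address: both rules stop this.
    SignIn("admin-foreign", frozenset({"Privileged Role Administrator"}),
           "192.0.2.25", "XX", None, False),
    # Ordinary user: the admin policy does not apply.
    SignIn("analyst", frozenset(), "198.51.100.8", "US", None, False),
]

if __name__ == "__main__":
    print("geo-only     ", evaluate(SAMPLE_SIGNINS, geo_only_policy))
    print("device-bound ", evaluate(SAMPLE_SIGNINS, device_bound_admin_policy))
```

Run side by side, the geo-only rule admits `admin-domestic-proxy` while the device-bound rule rejects it; that is the gap the "VPN in the USA" question in this thread is asking about, and binding the rule to device identity rather than to where the packets appear to come from is what closes it.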
The NPR story mentioned in the tweet at the bottom of this thread is discussed here: https://news.ycombinator.com/item?id=43691142
But it doesn't dig as deep as this thread.
Isn't an out-of-country rule relatively trivial to get around using a domestic proxy?
Watch carefully for the official who demands logins be permitted from outside the country.