> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
this part of the whistleblower complaint seem way worse:
"
On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior
week. I saw way above baseline response times, and resource utilization showed increased
network output above anywhere it had been historically – as far back as I could look. I noted that
this lined up closely with the data out event. I also notice increased logins blocked by access
policy due to those log-ins being out of the country. For example: In the days after DOGE
accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia
started trying to log in. Those attempts were blocked, but they were especially alarming.
Whoever was attempting to log in was using one of the newly created accounts that were used in
the other DOGE related activities and it appeared they had the correct username and password
due to the authentication flow only stopping them due to our no-out-of-country logins policy
activating. There were more than 20 such attempts, and what is particularly concerning is that
many of these login attempts occurred within 15 minutes of the accounts being created by DOGE
engineers.
"
> According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
1. DOGE employees access data they were not supposed to.
This fairly clear.
The story says that DOGE attained access to an account that had
huge permissions into what it could see and alter.
The person or persons from DOGE may have downloaded 10GB of data.
The person may have used this in a manner that is illegal.
Or it is illegal to start with.
With the understanding that POTUS may or may not be allowed
grand such access. (I dont think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge
pool of IP addresses, from AWS to bypass forms of throtheling.
3. The code was badly written.
4. The person is a racist
How would a person from DOGE use "unlimited" number of IP adderssess
from AWS to hammer and automaticlay screenscape webpage, benefit
from it when it came to copying extremly sensetive data from an
internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using
AWS UP addresses and scraped the data?
Something is pretty broken if the system with extremly sensetive data
is available from external IPs -and- allowing a single account to login
10.0000 times to concurrently scrape data off the interal database?
Of are they saying that this code was adapted to use 10.000/100 IP addresses
internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
The CEO of Tesla and Space-X; a self-proclaimed high IQ individual, an alleged programmer, has apparently hired a straight-up script kiddie to their elite delta force of technical government downsizers.
I find the following bizarre. Ignoring who this marko guy is, why would a random person post such a "take down" of the repo? I have never randomly passed by a repo and wanted to just dunk on it. Also this critique reeks of being AI generated.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
The fact that they left these packages public on GitHub.. guys you do know you can make things private right? Just shows how dumb these people are honestly
So what exactly is being alleged here? That these DOGE bros wrote and used “hacker” code from GitHub to bypass security limitations on NLRB data? Why would they even need to do that if they had superuser accounts in the system already?
Isn't the ip rotator used to scrape from public websites to bypass rate limits? Not sure how that automatically means they are "siphoning sensitive case files".
>Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially.
A little nit-picking, but that's not what open source means, especially as it relates to the GPL in this case. If you can't use the code commercially, it's neither "open source" (as defined by OSI) nor free software (as defined by the FSF).
To everyone saying 'where are the arrests?' This is all conjecture at this point and time will tell what was click bait and truth. Below is the statement from NLRB's acting press secretary.
"Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but "determined that no breach of agency systems occurred."
> Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.
If the allegation is true, what would be the motivation of the higher-ups to keep this secret from US-CERT?
It appears to be a severe compromise, and the context suggests that much of the rest of the federal government is imminently vulnerable to the same tactics by the same threat actor.
Where the higher-ups reporting the security crisis through better channels?
Or were they trying to keep it quiet entirely, so might be complicit in something bad?
This is much ado about nothing. The article tries to very hard to make something ordinary sound nefarious.
This appears to be DOGE employees simply doing their job.
You may not agree with what they’re doing in a political sense, but if you were tasked with the same problem you’d come up with a nearly identical solution.
For example: “tenant admin” is probably the special role that can bypass access control (not audits!) and see and read all data.
This sounds scary but I regularly request this right from large government departments and I get it granted to me.
Its use is justified when normal access requests would be too complex / fiddly and error prone. Generally, in a large environment, there is no other way to guarantee 100% coverage because as an outsider you don’t even know what permissions to ask for if you can’t see anything due to a lack of permissions!
Seriously: sit down for a second and think about how you would go about getting access to make a full copy of an organisation’s data for an audit if you fully expect both passive resistance and even active efforts to hide the very things you’re looking for.
So the real question is, who do you actually report this too if the fox is guarding the hen house? The only place that makes any sense is congressional oversight in some way but that will go nowhere except maybe a quick NPR story.
What sucks is, is that Russia and China now, almost certainly, have all this data, but they don't worry me, as much as the American oligarchs that now have it.
I almost can't make heads or tails of out of this scatterbrained word salad.
Let's start with this:
> Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases.
> Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub
What exactly does that mean? NLRB database accounts are GitHub accounts? (Surely not.) Or the same IP address accessed both, suggesting it was the same person? Define "account".
No coherent point being made here. This story needs to clearly separate the rhetoric about GitHub repositories from the NLRB access, and connect them together coherently.
The flow seems to be:
1. Some DOGE people obtained unbridled access to NLRB, with the ability to erase audit trails.
2. There is some sort of evidence that the same people downloaded tools from GitHub for distributed web scraping, suggesting intent to scrape massive amounts of data from somewhere (inferred to be the NLRB database).
There is no evidence cited in the article for the actual downloading of gigabytes of data; the "whistleblower" is quoted only as saying that DOGE required certain privileged accounts to be created and that the users of the accounts supposedly downloaded some web scraping software from GitHub.
At least mention some circumstantial evidence, like a suspicious increase in access activity, coming from distributed IP addresses in the Amazon cloud, following the download of those tools.
This:
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
seems neither here nor there; why include that. It may be that the tools DOGE are using are not adequately safeguarding the data, but it seems like an extraneous point, and undigestable without specifics.
"The ad hoc addition to the otherwise tightly controlled White House information environment could create blind spots and security exposures while setting potentially dangerous precedent."
That page reads completely incoherently if you understand junior level programming mental models. This is a hit piece for non technical audience meant to conjure fud.
> Upon learning of your resignation, following reports that you were linked to an account advocating to “normalize Indian hatred” and for a “eugenic immigration policy,” I can’t help but address the staggering hypocrisy of these views within the context of the IT industry.
> This field, including your own career, is built on the labor, innovation, and expertise of Indian engineers and developers. To hold such hateful beliefs about a group that forms the backbone of this industry isn’t just reprehensible—it’s a complete contradiction of the reality you benefit from every day.
> My original critique of your code addressed technical issues and provided solutions, but after learning about your expressed views, it’s clear that poor coding isn’t the root problem here. Your mindset is incompatible with the fundamental values of IT: collaboration, respect, and global interconnectedness.
> Someone who advocates for hate cannot build systems meant to serve diverse users, nor can they lead or contribute meaningfully to teams that rely on trust and mutual respect. I strongly suggest you reflect on the harm your beliefs cause—not just to others, but to your credibility and future in this profession.
It doesn't invalidate the same author's critique above it at all (the critique itself manages to do that) but how it ended up mentioned in Krebs' article is puzzling. It harkens back to the days when journalists would quote-mine random Twitter users' tweets as if it meant something. "Twitter user @john89674651684685 said…" Give me a break.
For those genuine actors here: this theoretical outrage assumes the premise of something immoral or illegal, and completely ignores the authority structure. This looks and smells like an info operation.
Hello, I work in incident response and cyber forensics within the private sector and as a government contractor. I'm familiar with the government contracting company that currently holds the SOCaaS contract with the NLRB - it's MindPoint Group. They share the a SOC with the DOJ. I reviewed the whistleblower’s evidence, and I have significant doubts about his claims.
Firstly, anyone claiming that "the whole government is compromised" is being conspiratorial. Breaches of this nature are reportable to CISA (US-CERT), the DOJ, local law enforcement, and the FBI. The NLRB has its own cybersecurity incident response team, which includes legal counsel. If both the NLRB and US-CERT determined that this wasn’t a reportable incident then I trust their judgment.
Secondly, I’ve seen a lot of speculative commentary about the Russian IP allegedly logging into the DOGE account. A simple OSINT investigation reveals that this IP has had a negative reputation for over a year, specifically flagged for credential stuffing and scanning activity. Credential stuffing is a common tactic when credentials have been leaked or breached, often showing up on platforms like intelx.io, DeHashed, or BreachForums.
It's also worth noting: no serious nation-state actor would use an IP with such a known bad reputation. Doing so would risk burning any operational investment they’ve made. Nation-state actors almost always use clean infrastructure or proxy chains to conceal their activity.
The timeline the whistleblower presents spans two months, yet I find his interpretation of the activity speculative without hard evidence—especially considering he admits he does not possess the actual logs. That’s a huge red flag.
Thirdly, I tried to find the whistle blower’s official title, and it’s usually hidden in the media. In his official report he states that he is a Dev Sec Ops engineer. He also claims that he lost access to privileges – but the emails in the screen shot seemed to be a zero-trust/principle of least privileges hardening effort. That’s not suspicious to me.
Fourth, the screenshots the whistleblower provided of the Azure environment appeared extremely sparse. While I don’t know the exact size of the NLRB’s infrastructure, unless it's unusually small, I would expect to see more resources. From what I reviewed, the Azure dashboards he used had no filters applied, which raises the question—why are there no other subscriptions, VMs, load balancers, WAFs, etc., visible?
Regarding the DLP policy alerts, he could have easily shown the associated data. Interestingly, the alerts were labeled “test,” which is significant—but he chose not to address or explain that. Omitting that context makes the evidence less compelling.
He also leaves out basic critical Indicators of Compromise (IOCs) like src_ip, src_port, dest_ip, dest_port, bytes, and duration. I’m not expecting him to extract mutex and environment variables but showing the basics would be convincing enough consider all they would have been accessible to him from the dashboards he screenshots in the document.
Finally, his claim that the NLRB doesn’t have a SIEM is demonstrably false. The NLRB shares a SIEM with the DOJ, which is operated by MindPoint Group under a SOCaaS contract.
Here’s my general take on the situation:
The whistleblower had only been with the organization for six months and served as a mid-level DevSecOps engineer—not a security analyst, incident responder, or SOC analyst. After DOGE was announced, the NLRB began implementing Zero Trust principles and the Principle of Least Privilege. This is typical hardening. As a result, his old admin access which was over provisioned and no longer necessary for his role—was revoked. He panicked.
Still having access to some Azure tools, he could have used a test or dev environment (referencing the sparse number of resources in the screenshot but he claimed it to be prod with no filter), toggled a few settings, took screenshot, and constructed a narrative around it. He escalated it to the CEO, who initially listened. However, the incident response team conducted an investigation and found nothing substantiating his claims. NLRB and US-CERT determined it to not be reportable, or which indicates that if it was a security event it was not an incident.
As for the Russian IP, it may be real—but it’s clearly tied to credential stuffing activity, not a sophisticated threat actor. If it genuinely accessed a DOGE account, that would indicate a breach on the DOGE side or weak password hygiene. But again—as mentioned earlier—he doesn’t have the logs to back this up, and his reasons for that are unconvincing.
#Doubt.
I have a theory that "business ethics" is really just "following the law." In capitalism, outside a few select industries like journalism, as long as it's legal you can - and should - do anything to maximize profits. It has turned into (or perhaps always was) the govt's job to set those rules.
Now, the govt also has to create rules for itself. So it creates the Privacy Act and layers of beurocratic checks and balances. These rules are to protect the people, not to derisk or protect the govt. After all, the govt has all the power.
So when capitalist businesses leaders are given the keys to govt, the normal ways of ethical alignment don't work. If you don't follow your own rules, who cares? They're your rules! I think what we're seeing is what happens if you apply traditional capitalist business practices to govt administration.
I don't see anything wrong with what they did, they basically got admin accounts so they can peak into the system and used some libraries from github. What is the problem here? Got a feeling it is just politically motivated, people are not happy that the Trump administration is actually doing something to make systems more efficient and stop money waste of tax payers. I am sure they will make some mistakes along the way and I am sure not every "saving" is actually saving but when you look at so many systems and so much money some errors are expected.
Sorry, but the whole story just reads like a bad mystery novel; tales of Russian hackers, "suspicious" Github repos, somehow-nefarious (docker?) "containers", unspecified threats made (and I quote) in "meat space".
Also interesting to note that not only has Berulis' attorney lead multiple lawsuits against the Trump administration in the past, he was also an intern for both Chuck Schumer and Hillary Clinton. Now that obviously doesn't prove anything, but it could nonetheless be considered a strong indicator this all might be politically-motivated.
DOGE worker’s code supports NLRB whistleblower
(krebsonsecurity.com)992 points by todsacerdoti 23 April 2025 | 530 comments
Comments
Original code: https://github.com/Ge0rg3/requests-ip-rotator
Forked: https://github.com/markoelez/async-ip-rotator
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
" On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also notice increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers. "
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
This fairly clear.
The story says that DOGE attained access to an account that had huge permissions into what it could see and alter. The person or persons from DOGE may have downloaded 10GB of data. The person may have used this in a manner that is illegal. Or it is illegal to start with. With the understanding that POTUS may or may not be allowed grand such access. (I dont think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge pool of IP addresses, from AWS to bypass forms of throtheling. 3. The code was badly written. 4. The person is a racist
How would a person from DOGE use "unlimited" number of IP adderssess from AWS to hammer and automaticlay screenscape webpage, benefit from it when it came to copying extremly sensetive data from an internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using AWS UP addresses and scraped the data?
Something is pretty broken if the system with extremly sensetive data is available from external IPs -and- allowing a single account to login 10.0000 times to concurrently scrape data off the interal database?
Of are they saying that this code was adapted to use 10.000/100 IP addresses internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
Link from quote: https://github.com/markoelez/async-ip-rotator/issues/1
The follow comment is interesting to be a coincidental, such a weird interaction.
A little nit-picking, but that's not what open source means, especially as it relates to the GPL in this case. If you can't use the code commercially, it's neither "open source" (as defined by OSI) nor free software (as defined by the FSF).
"Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but "determined that no breach of agency systems occurred."
https://www.npr.org/2025/04/15/nx-s1-5355895/doge-musk-nlrb-...
If the allegation is true, what would be the motivation of the higher-ups to keep this secret from US-CERT?
It appears to be a severe compromise, and the context suggests that much of the rest of the federal government is imminently vulnerable to the same tactics by the same threat actor.
Where the higher-ups reporting the security crisis through better channels?
Or were they trying to keep it quiet entirely, so might be complicit in something bad?
This appears to be DOGE employees simply doing their job.
You may not agree with what they’re doing in a political sense, but if you were tasked with the same problem you’d come up with a nearly identical solution.
For example: “tenant admin” is probably the special role that can bypass access control (not audits!) and see and read all data.
This sounds scary but I regularly request this right from large government departments and I get it granted to me.
Its use is justified when normal access requests would be too complex / fiddly and error prone. Generally, in a large environment, there is no other way to guarantee 100% coverage because as an outsider you don’t even know what permissions to ask for if you can’t see anything due to a lack of permissions!
Seriously: sit down for a second and think about how you would go about getting access to make a full copy of an organisation’s data for an audit if you fully expect both passive resistance and even active efforts to hide the very things you’re looking for.
Why is anything of significance on github in the first place?
Edit: It's not. They just download python libraries to do "IP rotation" to circumvent rate limits.
On the actual complaint: (https://whistlebloweraid.org/wp-content/uploads/2025/04/2025...)
It seems that the data was stored in Azure which doesn't make it any better.
https://news.ycombinator.com/item?id=11782383
Guessing those are the same accounts that got accessed by Russian IPs?
Genuinely wondering whether the US democracy is going to make it to December.
That isn't what "open source" means.
Let's start with this:
> Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases.
> Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub
What exactly does that mean? NLRB database accounts are GitHub accounts? (Surely not.) Or the same IP address accessed both, suggesting it was the same person? Define "account".
No coherent point being made here. This story needs to clearly separate the rhetoric about GitHub repositories from the NLRB access, and connect them together coherently.
The flow seems to be:
1. Some DOGE people obtained unbridled access to NLRB, with the ability to erase audit trails.
2. There is some sort of evidence that the same people downloaded tools from GitHub for distributed web scraping, suggesting intent to scrape massive amounts of data from somewhere (inferred to be the NLRB database).
There is no evidence cited in the article for the actual downloading of gigabytes of data; the "whistleblower" is quoted only as saying that DOGE required certain privileged accounts to be created and that the users of the accounts supposedly downloaded some web scraping software from GitHub.
At least mention some circumstantial evidence, like a suspicious increase in access activity, coming from distributed IP addresses in the Amazon cloud, following the download of those tools.
This:
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
seems neither here nor there; why include that. It may be that the tools DOGE are using are not adequately safeguarding the data, but it seems like an extraneous point, and undigestable without specifics.
https://www.wired.com/story/white-house-starlink-wifi/
"The ad hoc addition to the otherwise tightly controlled White House information environment could create blind spots and security exposures while setting potentially dangerous precedent."
> Upon learning of your resignation, following reports that you were linked to an account advocating to “normalize Indian hatred” and for a “eugenic immigration policy,” I can’t help but address the staggering hypocrisy of these views within the context of the IT industry.
> This field, including your own career, is built on the labor, innovation, and expertise of Indian engineers and developers. To hold such hateful beliefs about a group that forms the backbone of this industry isn’t just reprehensible—it’s a complete contradiction of the reality you benefit from every day.
> My original critique of your code addressed technical issues and provided solutions, but after learning about your expressed views, it’s clear that poor coding isn’t the root problem here. Your mindset is incompatible with the fundamental values of IT: collaboration, respect, and global interconnectedness.
> Someone who advocates for hate cannot build systems meant to serve diverse users, nor can they lead or contribute meaningfully to teams that rely on trust and mutual respect. I strongly suggest you reflect on the harm your beliefs cause—not just to others, but to your credibility and future in this profession.
It doesn't invalidate the same author's critique above it at all (the critique itself manages to do that) but how it ended up mentioned in Krebs' article is puzzling. It harkens back to the days when journalists would quote-mine random Twitter users' tweets as if it meant something. "Twitter user @john89674651684685 said…" Give me a break.
[0] https://web.archive.org/web/20250423135719/https://github.co...
Firstly, anyone claiming that "the whole government is compromised" is being conspiratorial. Breaches of this nature are reportable to CISA (US-CERT), the DOJ, local law enforcement, and the FBI. The NLRB has its own cybersecurity incident response team, which includes legal counsel. If both the NLRB and US-CERT determined that this wasn’t a reportable incident then I trust their judgment.
Secondly, I’ve seen a lot of speculative commentary about the Russian IP allegedly logging into the DOGE account. A simple OSINT investigation reveals that this IP has had a negative reputation for over a year, specifically flagged for credential stuffing and scanning activity. Credential stuffing is a common tactic when credentials have been leaked or breached, often showing up on platforms like intelx.io, DeHashed, or BreachForums.
It's also worth noting: no serious nation-state actor would use an IP with such a known bad reputation. Doing so would risk burning any operational investment they’ve made. Nation-state actors almost always use clean infrastructure or proxy chains to conceal their activity.
The timeline the whistleblower presents spans two months, yet I find his interpretation of the activity speculative without hard evidence—especially considering he admits he does not possess the actual logs. That’s a huge red flag.
Thirdly, I tried to find the whistle blower’s official title, and it’s usually hidden in the media. In his official report he states that he is a Dev Sec Ops engineer. He also claims that he lost access to privileges – but the emails in the screen shot seemed to be a zero-trust/principle of least privileges hardening effort. That’s not suspicious to me.
Fourth, the screenshots the whistleblower provided of the Azure environment appeared extremely sparse. While I don’t know the exact size of the NLRB’s infrastructure, unless it's unusually small, I would expect to see more resources. From what I reviewed, the Azure dashboards he used had no filters applied, which raises the question—why are there no other subscriptions, VMs, load balancers, WAFs, etc., visible?
Regarding the DLP policy alerts, he could have easily shown the associated data. Interestingly, the alerts were labeled “test,” which is significant—but he chose not to address or explain that. Omitting that context makes the evidence less compelling. He also leaves out basic critical Indicators of Compromise (IOCs) like src_ip, src_port, dest_ip, dest_port, bytes, and duration. I’m not expecting him to extract mutex and environment variables but showing the basics would be convincing enough consider all they would have been accessible to him from the dashboards he screenshots in the document.
Finally, his claim that the NLRB doesn’t have a SIEM is demonstrably false. The NLRB shares a SIEM with the DOJ, which is operated by MindPoint Group under a SOCaaS contract.
Here’s my general take on the situation: The whistleblower had only been with the organization for six months and served as a mid-level DevSecOps engineer—not a security analyst, incident responder, or SOC analyst. After DOGE was announced, the NLRB began implementing Zero Trust principles and the Principle of Least Privilege. This is typical hardening. As a result, his old admin access which was over provisioned and no longer necessary for his role—was revoked. He panicked. Still having access to some Azure tools, he could have used a test or dev environment (referencing the sparse number of resources in the screenshot but he claimed it to be prod with no filter), toggled a few settings, took screenshot, and constructed a narrative around it. He escalated it to the CEO, who initially listened. However, the incident response team conducted an investigation and found nothing substantiating his claims. NLRB and US-CERT determined it to not be reportable, or which indicates that if it was a security event it was not an incident.
As for the Russian IP, it may be real—but it’s clearly tied to credential stuffing activity, not a sophisticated threat actor. If it genuinely accessed a DOGE account, that would indicate a breach on the DOGE side or weak password hygiene. But again—as mentioned earlier—he doesn’t have the logs to back this up, and his reasons for that are unconvincing. #Doubt.
Now, the govt also has to create rules for itself. So it creates the Privacy Act and layers of beurocratic checks and balances. These rules are to protect the people, not to derisk or protect the govt. After all, the govt has all the power.
So when capitalist businesses leaders are given the keys to govt, the normal ways of ethical alignment don't work. If you don't follow your own rules, who cares? They're your rules! I think what we're seeing is what happens if you apply traditional capitalist business practices to govt administration.
Also interesting to note that not only has Berulis' attorney lead multiple lawsuits against the Trump administration in the past, he was also an intern for both Chuck Schumer and Hillary Clinton. Now that obviously doesn't prove anything, but it could nonetheless be considered a strong indicator this all might be politically-motivated.