> Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
The repository has been deleted. In addition, 26 other repos have been removed from the account. This is in line with DOGE members' quick response scrubbing data whenever put into spotlight, as previously seen with another "teen hacker". [0]
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
The "critique" is nuts. Surely AI generated. If I didn't trust the domain, I'd assume the author to be incredible for seriously referencing something like this.
Look at the critique [0] and then look at the code [1].
The only person who has standing to say anything is the original author of the code, the holder of the copyright.
It's possible, but very unlikely, the copyright license wasn't actually violated because, for example, the fork could have arranged a separate license.
You can get it under a GPL license for free. You can pay them money to get it under a Commercial license that would let you modify the code without releasing changes.
So, while I doubt it happened, the person who forked it here could have contacted the original author, the copyright holder, and asked for an exemption from the GPL terms.
I'm sure the people who work for an administration that by and large flaunts court orders responsible for this will get right on that.....aaaand it's gone.
You are only required to keep the GPL3 license if you re-distribute it. Putting it in a GitHub repo, is ambiguous whether or not it is re-distributing it, at least morally.
If you want to delete the license in a personal copy, that is perfectly valid according to the license terms. If you then happen to upload that to a private GitHub repo, also perfectly valid.
If you then happen to upload that to a public GitHub repo, because of, say, restrictions on free private repos, without intent to distribute, then what?
Putting it on a GitHub repo IS redistributing it. By putting it on GitHub you agree in the ToS that you have the rights to distribute the code. Which you only have if you don’t violate the license.
> If you then happen to upload that to a public GitHub repo, because of, say, restrictions on free private repos, without intent to distribute, then what?
Then you keep the license eh? Distributing without an intent to distribute is distributing.
Git is free and open source. If you want version control and collaboration and NO unintended distribution completely for free you can just use Git. It even has a built in server to share with your work buddies.
>not something you would expect DOGE people to understand or respect
To be fair I see in my daily life folks who copy and paste from stack overflow or random GitHub repo and move on with their day. They ignore the Creative Commons Attribution-ShareAlike or whatever license is applied to the code they copied.
I see on this very site people who will share copyrighted articles that are behind a paywall (just because it is on some archive site doesn’t make it right).
Please don’t take this as support for DOGE and the headaches they are causing. To make a cheap jab at a group of people while ignoring the group that you associate with is bad form.
I'd say it's wrong in both cases, but we shouldn't ignore degrees of wrongness.
Copy pasting from stack overflow without attribution is wrong but it's also harder to claim "ownership" over single lines or small snippets. It depends how "obvious" they are. You definitely can't copyright trivial functions. There's a lot of gray here but yes attribution is always good.
But things get a lot less murky when we're talking about forking a project. That's usually nontrivial and non obvious. I think what's most important is that removing a license is an active decision. Certainly that would make a critical difference in a court [0]
Then there's further escalation by who is doing the action. The more power and influence you have the greater responsibilities. All men are not created equal. Men with more power can disproportionally do more damage and require higher accountability. So yeah, I care a fuck ton more about a government employee doing something bad especially while performing official duties more than some rando. The ability to do harm is very different.
The reason I dislike your comment is because it's dismissive of the action. "Other people do it!" Is not a defense nor excuse. It is even worse by ignoring multiple points of context.
[0] though protecting open source has been traditionally hard for many reasons. Specifically it's hard for small developers to take legal action, especially against larger bodies. But isn't this something we should want to be fixed? Credit for our own contributions?!
this part of the whistleblower complaint seem way worse:
"
On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior
week. I saw way above baseline response times, and resource utilization showed increased
network output above anywhere it had been historically – as far back as I could look. I noted that
this lined up closely with the data out event. I also notice increased logins blocked by access
policy due to those log-ins being out of the country. For example: In the days after DOGE
accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia
started trying to log in. Those attempts were blocked, but they were especially alarming.
Whoever was attempting to log in was using one of the newly created accounts that were used in
the other DOGE related activities and it appeared they had the correct username and password
due to the authentication flow only stopping them due to our no-out-of-country logins policy
activating. There were more than 20 such attempts, and what is particularly concerning is that
many of these login attempts occurred within 15 minutes of the accounts being created by DOGE
engineers.
"
Any guesses for best possible interpretion? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks.
The worst possible interpretation is straightforward - they are working for the Russians as agents and let the Russians in or installed the keyloggers for Russia.
Excerpt: "How much more proof do we need that this administration is completely compromised? There is zero reason for the US to relax any offensive digital actions against Russia. If anything, we should be applying more."
> guesses for best possible interpretion? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks
They were accessing Github over the internet from superuser accounts they were presumably also using as their user account. Given the code quality, I doubt their opsec is put together, either.
The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.
Isn't it just that the IP router happens to use IPs in Russia as part of the rotation?
If they're trying to exfiltrate data, they might want to rotate through IP addresses in order to obfuscate what's going on or otherwise circumvent restrictions. Using a simple ip rotator like the post talks about would maybe be an approach they'd use. If they're not careful with the IP addresses, once in a while one might get caught due to some restriction like being outside the US. It'd maybe appear as though you're getting these weird requests from Russia, but that's just because you're not logging the requests that are not being flagged from the US.
Maybe I'm reading the post incorrectly though (if so, please correct me!)
> Any guesses for best possible interpretion? The Russians have infiltrated their PCs with keyloggers [...]
Best possible case I see would be that the whistleblower has made some mistake (or is being intentionally dishonest). Seems plausible for instance that "it appeared they had the correct username and password" based on "our no-out-of-country logins policy activating" could just be a misunderstanding of how/when the policy triggers. Not to say it's the most likely explanation, just the least concerning one.
I think less concerning than keyloggers, while still assuming the whistleblower is correct, would be that a DOGE employee was using a VPN/proxy/Tor. Probably not a great idea to have traffic going through a hostile nation state even with encryption, but less bad than keyloggers on their machines stealing and trying credentials within minutes.
Definitely concerning though, to be clear - just steelmanning/answering the question of best possible interpretation.
Yeah, like the APT that compromised O365 accounts from US gov entities a year or so ago, using residential proxies to go around Conditional Access Policies..., is now logging in straight from the Kremlin. :D
How dumb would Russian hackers be to not use some kind of vpn? My friend who lives in Russia says that without vpn he can not access majority of USA sites so he has it always on be default. Something to is not right or these people are very very dumb.
The article could offer a summary of this key finding, rather than, say, the pointless paragraph near the bottom about the scraping software found in GitHub not being well written.
This is the evidence which strongly suggests that the DOGE personnel are using various cloud IP addresses to scrape.
While blocking before authentication seems intuitive for efficiency, checking after provides crucial context that's missing if you block pre-auth: you know which specific user account just authenticated successfully.
This context enables two important things:
- Granular exceptions: If Alice is attending a conference in Toronto, you can say "Allow Alice to log in from Canada next week" without opening Canada-wide logins for everyone. Pre-auth geo-blocking forces you into an all-or-nothing stance.
- Better threat intelligence: A valid login from an unexpected region (e.g. Moscow when Alice is normally in D.C.) is a far stronger signal of compromise than a failed attempt. Capturing "successful login + wrong location" helps you prioritize real threats. If you block pre-auth, you'd never know Alice's account was compromised.
Putting geo-checks after authentication gives you precise control over whom, exactly, is logging in from where, and offers richer data for your security monitoring.
Since the system is hosted on Azure, I guess we are talking about an Entra ID login. So I think they set up a Conditional Access [1] that can blocks logins based on the country IP. These policies run after authentication and can be specific to a user.
Probably the least expected location to connect from, if it was genuine. Not saying it necessarily isn't, but it's not usual either and doesn't make much sense.
Right?.. Primorskiy Krai, official population 1.8M, of which the largest city of Vladivostok accounts for 600k and the next three largest cities for about 400k more, and the rest of the settlements are below 50k inhabitants each. China (Heilongjiang) to the west, North Korea to the south, Japan (Hokkaido) to the east. Literally six times closer to Tokyo than to Moscow (and only a bit closer to Moscow than to Vancouver), connected to Moscow by the longest train route in the world (six to seven days). A reputation for fierce independence and old Japanese left-hand-drive cars. That Primorskiy Krai.
> According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
Even worse when you know more of the whistleblower's story which is that ~15 minutes after one of DOGE's accounts were made there was an attempted login with the correct password from Russia. Not many explanations for that that look good for DOGE...
My company retains all e-mails for at least 5 years, for audit purposes. But if some troublemaker were to e-mail child porn to an employee, we'd need to remove that from the audit records, because the laws against possessing child porn don't have an exception for corporate audit records.
So there's essentially always some account with the power to erase things from the audit records.
From a an old hackers perspective disabling shell history can have positive security implications. But in today's 'cattle not pets' systems mentality I'd expect all actions to have a log and not having that seems fishy to me. Keeping logging infra secure has a dubious, the log4j fiasco comes to mind. I'm not a fan of regulation for most things, but I think we need a higher cost for data leaking since security is an afterthought for many orgs. My personal leaning is to be very choosy about who I'll do business/share data with.
> “We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”
From the previous post, they had auditor roles built in that they purposely chose to go around
Anything musk's dogs claim to find cannot be taken at face value because of this. Because there is no audit, and no evidence that they can offer that they didn't doctor their findings.
The next time they claim that a 170-year old person is receiving SS checks, they have no way to prove that they didn't subtract a century from that person's birthdate in some table.
I am sure they demanded maximum access, but the logging activity phrasing sounds a little bit like spin...
I think if I wanted to describe an account with access to perform "sudo -s" as negatively as possible, I would say "an all-powerful admin account that is exempt from logging activity that would otherwise keep a detailed record of all actions taken by those accounts."
this guy's lawyer says: This is a difficult topic for Dan to discuss, but prior to our filing the whistle-blower disclosure this week, last week, somebody went to Dan's home and taped a threatening note, a menacing note on his door with personal information.
...
While he was at work, and it also contained photographs of him walking his dog taken by a drone.
The Deep State! The government is filled with spies determined to "leak" the great work DOGE is doing is the press - so, of course, it needs "God mode" access. Totally legit.
> Setting aside legitimate (thats a matter of judgement)
By definition, a judge decides what's legitimate.
If DOGE expects their access to be blocked by a court judgement, and bum-rushes agencies to exfiltrate data ahead of the judgement, that's also criminal intent.
I am not sure what you are getting at. "Covert" isn't how I'd describe DOGE's actions. "Brazen" maybe?
1. DOGE employees access data they were not supposed to.
This fairly clear.
The story says that DOGE attained access to an account that had
huge permissions into what it could see and alter.
The person or persons from DOGE may have downloaded 10GB of data.
The person may have used this in a manner that is illegal.
Or it is illegal to start with.
With the understanding that POTUS may or may not be allowed
grand such access. (I dont think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge
pool of IP addresses, from AWS to bypass forms of throtheling.
3. The code was badly written.
4. The person is a racist
How would a person from DOGE use "unlimited" number of IP adderssess
from AWS to hammer and automaticlay screenscape webpage, benefit
from it when it came to copying extremly sensetive data from an
internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using
AWS UP addresses and scraped the data?
Something is pretty broken if the system with extremly sensetive data
is available from external IPs -and- allowing a single account to login
10.0000 times to concurrently scrape data off the interal database?
Of are they saying that this code was adapted to use 10.000/100 IP addresses
internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
The author brings up the ip scraping but makes no effort to tie anything together. It's actually really confusing. Were they using this utility to steal the data or are these two just totally unrelated things?
We have no way to know what they were using it for, because as the article details, DOGE works hard to make sure nobody can find out what it's doing or why.
I am fairly sure it would be a crime for the President to pull up someone's VA health records on a whim, or at least it would be a crime for anyone at the VA to facilitate him doing that.
We can also add to that IRS data. The articles of impeachment against Nixon included the following:
"He has, acting personally and through his subordinates and agents, endeavoured to obtain from the Internal Revenue Service, in violation of the constitutional rights of citizens, confidential information contained in income tax returns for purposes not authorized by law" (emphasis mine).
There actually are laws regulating the handling of personal data collected by the government and it generally doesn't have a "the president wants to see it" exception.
I think the question is whether employees of an advisory group that is not an actual department of the government are on the list of people to whom can he authorize access to this type of sensitive data.
The CEO of Tesla and Space-X; a self-proclaimed high IQ individual, an alleged programmer, has apparently hired a straight-up script kiddie to their elite delta force of technical government downsizers.
I hated Elon Musk long before it was cool: I was a fan of Tesla in the early days, and when I read Musk's "super-secret master plan" for Tesla I thought "yeesh, the board chairman is an idiot, where did they find this bozo?" (I knew a bit about SpaceX but somehow didn't make the connection.)
That said, I was surprised to learn much later that, by all accounts, Elon Musk was a competent and resourceful leader in SpaceX's early days. Maybe these stories are just his personality cult in action, but I found it plausible. It appears he once knew his place as an engineering manager, without LARPing as a Chief Engineer (he didn't appoint himself to CTO until quite a bit later). I worked for a really good manager who didn't know how to code, but he knew a lot about software and was very good about pulling back on coding things vs pushing forward on software design. It seemed like Musk was similar at SpaceX.
Which is all to say that celebrity is a helluva drug. I don't think Musk was ever an especially "high-IQ individual," and his first marriage suggests he's always been a misogynistic loser. But being anointed "a real life Tony Stark!" seems to have destroyed his brain. Ketamine probably doesn't help.
> That said, I was surprised to learn much later that, by all accounts, Elon Musk was a competent and resourceful leader in SpaceX's early days. Maybe these stories are just his personality cult in action, but I found it plausible
He's good at having and raising money which was what SpaceX needed, I think he was probably the same then as he is now. Reading about his early days at Tesla and the PayPal stuff, I don't really buy the idea he was ever different and took a dark turn. He's the type of person that will never self-regulate and somehow has never faced any negative consequences for lying and self-aggrandizing so has kept pushing it further
There is a phenomena I've noticed in this industry where people who lack a skill compensate by convincing themselves that they are a savant at seeing and exploiting that skill they lack in others. They find and encircle themselves with people who they believe are the Best of the Best, at least in their imagination, and it is critical for their ego that this is never challenged. They will be blind to any evidence to the contrary because they need the people they "identify" to be extraordinary, justifying their great people curation.
I mean, I guess this really happens in all industries. Art, music, leadership, software development. People who maybe once had credibility in something and now desperately try to foist Their People as the best in the industry.
I feel like that is what is happening here. None of the people who Elon surrounds himself are notable in any way, and their skills are hugely suspect, but he has to have his harem of "Super Coders" to prop up his own mythology.
You are discounting the possibility that he wants them to wreak havoc and cause the systems to fail. The Republican dream is for government to fail and be privatized. What better way for government to fail?
I agree with the script kiddies comment- which is basically what the reporting has shown... but in a way isn't that part of the point? That they can save billions of dollars just by having a couple of relatively normal comp sci kids (who can't even rent a car) review the most basic financial information of our government departments. These guys aren't supposed to be "delta force" they are supposed to be the interns.
Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
Your comment assumes the conclusion that these comp sci kids were able to save billions while preserving the correct behavior of the system, i.e. if their changes cause even one person to miss one payment they should have received, then the rest of your comment is entirely baseless.
If you could prove that billions were saved in pure waste, then I’d imagine any sane citizen would agree with you, setting aside matters of decorum and human decency (e.g. RIFs that may ultimately be necessary but conducted in an inhumane way)
I’d like my tax money used efficiently, but this group does not merit the trust to carry out those changes, even on a technical level
> review the most basic financial information of our government departments
That is what the GAO is for https://www.gao.gov/ , and these people are much better than script kiddies.
> I would really like my tax money used more efficiently
Me too! You are on hacker news so I assume you are firm believer in https://en.wikipedia.org/wiki/Amdahl%27s_law ! If you would like your tax money used efficiently, are you willing to discuss cuts to social security, medicare, medicaid, veteran benefits, and whatever else is at the top of the budget? https://www.cbo.gov/publication/61181? What would you cut?
Personally, I would increase taxes on anyone making over $500K/year and stop nickle and diming our federal government so the US can actually become a first world country for everyone that isn't a software engineer.
At the VA medical system, they word-searched for "consulting" and cancelled contracts for.... surgical equipment sterilization, medical waste removal, stuff related to air quality that's required for hospital accreditation, and local burial services for people who die in the hospital.
Then a lot of those had to be reinstated because you simply can't operate a hospital without sanitation.
Just like they had to scramble to hire back the folks at the National Nuclear Safety Association.
Yeah, efficiency is great. But this is like ordering tacos and getting... a used tire and some dirty diapers...?
> Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
This is like the derelict father with partial custody who parachutes in one weekend a month to buy his son ice cream and a new video game to leave two days later the conquering hero. Meanwhile mom works two jobs, has to set all the expectations and responsibilities for the child, and the father is late on child support payments.
DOGE blitzkrieged government IT. It'll be years before we understand the scope of what they've done and given available evidence: these are script kiddies who worship Musk, I don't think there is ANY reason for optimism or charitable consideration.
> I would really like my tax money used more efficiently
Except by most accounts so far it was being used efficiently by the federal workforce. This whole debacle will end up costing the US tax payer more money. See cutting the IRS or USAID which will probably lead the US to bailing out farmers. And if they privatize, then it'll be even more expensive.
> I agree with the script kiddies comment- which is basically what the reporting has shown... but in a way isn't that part of the point?
I agree, but for a different point.
Generalising, but under the age of 25, most people don't have enough experience (business/government) to understand things such as business ethics, the consequences, auditing practises, privacy concerns, etc.
With professional experience, you develop a better understanding and build up that depth of knowledge of how things impact the wider "world" rather than the immediate task at hand. Meaning, you gain a better understanding of the ethical implications of what you're doing.
As an example - in law, it'd be easier to manipulate a law graduate than a lawyer with 20+ years experience, who would think outside the direct question or task that was asked.
Why is the age such a talking point? An insight in startup culture is that the public underestimates young people, especially when it comes to business skills with objective results and tight feedback cycles.
It just seems like now that HN is skewed older we no longer believe that?
Script kiddie isn't about age, it's just a derogatory term for someone who never learned to write their own code, instead only slightly modifying and/or straight up running someone else's code that they don't actually understand very much.
It's not really about age. More about a specific level of impatience, maliciousness, inflated sense of skill and importance, and a general lack of integrity.
> when it comes to business skills with objective results and tight feedback cycles
Is the federal government a business or startup? Does chainsawing it have a tight-enough feedback cycle to get good results? I'm going to say No to both, but I don't have the time or expertise to try to prove it. It can be true, both that young people are great at startups and bad at the federal govt.
There's ample evidence of incompetence from DoGE, including obvious coding security holes, firing people who ensure the safety of our nuclear arsenal, and other mistakes that you would expect from an unmotivated intern.
This is supporting evidence that they were picked for ideological reasons - namely, being young white supremacists who wouldn't ask any questions. That's why Marko Elez was rehired. Musk, Trump, and Vance all share his views, he was just dumb enough to express them in public.
I find the following bizarre. Ignoring who this marko guy is, why would a random person post such a "take down" of the repo? I have never randomly passed by a repo and wanted to just dunk on it. Also this critique reeks of being AI generated.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
It's only "bizarre" if you "ignore who this marko guy is." It's not a coincidence, it's somebody pointing out that DOGE's "cracked coders" are wearing no clothes.
And the follies here seem to be many. I’m not following why this Marko guy would make a publicly-visible fork of a repo (though he seems to have deleted it since this story went big), and why they would openly request to have their accounts exempted from logging when they were apparently already privileged users.
I must be missing something here; surely the level of elite technical skill implicit in his résumé would preclude this kind of thing
Well yeah they're junior developers. By all account from good schools but literally everyone here has dealt with junior developer brain.
I would say that Elmo picked a bunch of junior devs because they don't have enough maturity to talk back and will do anything they're asked but I think that's too charitable. I think he actually went this route because Elmo is a sad man in his 50s who is desperately trying to pretend that he is, and has not matured beyond, his 20s.
On February 6th, Marko Elez announced his resignation from DOGE after the WSJ discovered many racist posts he made in 2024 (which they published on the 5th). That likely made someone really interested in what his actual coding skill levels were, and they took a look at a repo he had made.
Musk did a "poll" on X that voted for rehiring Elez to DOGE, by February 20th Elez had a US Government email address again, and on Febrary 21st he was reported as working for DOGE at the Social Security Administration.
> Upon learning of your resignation, following reports that you were linked to an account advocating to “normalize Indian hatred” and for a “eugenic immigration policy,” I can’t help but address the staggering hypocrisy of these views within the context of the IT industry
the 2nd comment in the issue explains why the 1st was posted pretty clearly
Why wonder? The user who wrote it seems to be a pretty well established user, and their public repositories suggest that they work in adjacent contexts, so it's entirely plausible they attempted to use async-ip-rotator in one of their projects.
The public repos for this person that I could find that weren't forks with no activity to upstream consisted of a dice-rolling guessing game, rock-paper-scissors, and some kind of framework for downloading and transcribing audio files that does not yet download or transcribe, but implements a whole bunch of boilerplate. I find it rather difficult to believe this person engaged in a good-faith review of the async-ip-rotator code base.
It's also worth noting that Feb 6 may very well be after Marko Elez became a public figure with DOGE. The article doesn't do a great job of expanding on any of this.
Are you genuinely puzzled or just wanted an excuse to point us all toward that comment? If "the comment" is correct word for what amounts to full article in length.
The fact that they left these packages public on GitHub.. guys you do know you can make things private right? Just shows how dumb these people are honestly
Or they think what they're doing is righteous and they're proud of it. It isn't - DOGE is responsible for hundreds of thousands of deaths through cuts to health programs - but I suspect they are deluding themselves into thinking it is.
What? They reused public packages that have been public for years. One guy made a public fork with some changes. Is that not what open source is intended for?
I think he’s saying that if their intent was to not get caught which you’d assume, they could have made a private repo instead of a public fork tied to a doge account
You misunderstand, open source is bad actually, when the heckin cheeto man is the one doing it.
Just as its only worth complaining about geriatric geezers in office until the cheeto man brings in young hackers, then the problem is that "the old impaired people were good, actually".
Don't observe. Don't think. Merely repeat the approved message.
> The Party told you to ignore the evidence of your eyes and ears. It was their final, most essential command.
The people who need to see/understand this live in a different reality where uncomfortable things like this are ETL'd into righteous anger towards people they don't like.
This is the deep state they've been worried about, this is the boot that will tread on them.
EDIT: parent comment was highest ranked comment for the article and is now at the bottom?
I fully believe there's a stack of pardons in Trump's drawer for everyone involved in this debacle. I can't imagine breaking so many laws all over the government if you thought you'd ever have to face consequences. The alternative to pardons in preventing the next congress & administration from cleaning this up is too dire to really contemplate.
They are betting the system won't go after them later which is a very bad bet if they eventually give back the executive branch and an even worse bet if the power they support never gives it back. About as brilliant as being in a photo with Stalin.
The complaint alleges that DOGE was able to get unlimited-permissions admin accounts that were not subject to logging. They also downloaded external repositories that gave users of those repos lots of different IPs. The complaint further alleges that the DOGE person used the combination of these things to "download... more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents."
If this is all true, this is basically hacking sensitive data in the open. We already know the current administration has worked to hobble unions. So putting these things together, this act is not only wrong in and of itself, but the data is likely going to be used to harm americans' interests. So, deserving of punishment.
If you take a step back and realize that the intent is to utterly destroy the social safety net provided by social security, Medicare, etc that we have all been paying into our entire adult lives, tell me why every citizen affected should not pursue civil and criminal charges of theft and fraud with malicious intent?
And then the means to do so have involved ignoring the courts and bypassing constitutional checks and balances? Please tell me how this isn’t criminal if not treasonous?
Sensitive government data was (sure, allegedly) extracted to Russia via an account that was expressly created to hide / not create logs. This is treason. Allegedly.
If I told you someone went to your bank and demanded the right to setup accounts with permissions to do everything and to have all logging of that users activity disabled, and then a whistleblower pointed out that they downloaded everyone's bank statements, you'd probably be pretty up set.
After all, why do they need unfettered access? Why do they need your bank statements? Why do they need to hide what they're doing with the unfettered access?
That's what's happening here. There is no good explanation other than bad actors
The problem with prosecuting them – they are employees of a White House office, doing what their bosses told them to do, and it is clear their bosses are carrying out the President's wishes.
If Joe Blow off the street walks into a federal agency and takes all their data – open and shut case, throw the book at them, see you in a few decades.
If someone from the White House walks into a federal agency, tells the agency leadership "the President wants me to take all your data", and the agency leadership replies "sure, go right ahead" – not a scenario people were expecting, so the existing laws haven't been crafted to clearly criminalize it. Maybe some enterprising prosecutor can find a way to map it to the crimes on the statute book, maybe it is just too hard. But even if the prosecutor overcomes that hurdle, it will be far from easy to convince the jury / trial judge / appellate courts that the legal elements of the crime are actually met – and if it actually gets as far as a conviction upheld by the appellate court, what do you think the conservative SCOTUS majority are going to do with that when they get it? And many prosecutors, foreseeing those low odds of ultimate success, will stop before they even get to an indictment.
So, I think the odds of anyone ultimately being convicted over this are low, even if Trump never pardons them.
Maybe, Congress might pass a law to make it more clearly illegal, which might make it easier to prosecute if a future administration repeats the same behavior.
EDIT: if people are downvoting this because they think my analysis of the likelihood of successful criminal prosecution is wrong, it would be great if they could reply to explain where they think I got it wrong
The claim that because your boss tells you to do something illegal means that you should just do it is bullshit. It's your social responsibility to not capitulate under these circumstances.
If you don't feel that way then you deserve the world you are creating.
Without knowing the specifics of US law, there’s a lot in there for a reasonable case. Improper handling of sensitive data, interfering with ongoing legal proceedings, abuse of telecommunications infrastructure (looks like the guy runs a brute forcing crawler on a government system) and probably even more.
Readit News
Original code: https://github.com/Ge0rg3/requests-ip-rotator
Forked: https://github.com/markoelez/async-ip-rotator
Code is pretty much the same, with comments removed, some `async` sprinkled in and minor changes (I bet this was just pasted into LLM with prompt to make it async, but if that worked why not).
Except... Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
Archived repo page: https://archive.ph/LI7tt; archived previous repo count: https://archive.ph/tgkg5
0. https://arstechnica.com/tech-policy/2025/04/i-no-longer-hack...
You can download it as a Git repository from https://archive.softwareheritage.org/api/1/vault/git-bare/sw...
Dead Comment
“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”
Look at the critique [0] and then look at the code [1].
[0] https://web.archive.org/web/20250423135719/https://github.co...
[1] https://github.com/ricci/async-ip-rotator/blob/master/src/as...
Certainly Elon made him print it out on paper to personally code review.
Deleted Comment
It's possible, but very unlikely, the copyright license wasn't actually violated because, for example, the fork could have arranged a separate license.
The best example of this is the Qt Project's code: https://www.qt.io/qt-licensing
You can get it under a GPL license for free. You can pay them money to get it under a Commercial license that would let you modify the code without releasing changes.
So, while I doubt it happened, the person who forked it here could have contacted the original author, the copyright holder, and asked for an exemption from the GPL terms.
You are only required to keep the GPL3 license if you re-distribute it. Putting it in a GitHub repo, is ambiguous whether or not it is re-distributing it, at least morally.
If you want to delete the license in a personal copy, that is perfectly valid according to the license terms. If you then happen to upload that to a private GitHub repo, also perfectly valid.
If you then happen to upload that to a public GitHub repo, because of, say, restrictions on free private repos, without intent to distribute, then what?
Then you keep the license eh? Distributing without an intent to distribute is distributing.
Git is free and open source. If you want version control and collaboration and NO unintended distribution completely for free you can just use Git. It even has a built in server to share with your work buddies.
Vibe coding
> Original GPL3 license is gone. Obviously not something you would expect DOGE people to understand or respect.
Why would they? They don't give a FF about courts.
To be fair I see in my daily life folks who copy and paste from stack overflow or random GitHub repo and move on with their day. They ignore the Creative Commons Attribution-ShareAlike or whatever license is applied to the code they copied.
I see on this very site people who will share copyrighted articles that are behind a paywall (just because it is on some archive site doesn’t make it right).
Please don’t take this as support for DOGE and the headaches they are causing. To make a cheap jab at a group of people while ignoring the group that you associate with is bad form.
Copy pasting from stack overflow without attribution is wrong but it's also harder to claim "ownership" over single lines or small snippets. It depends how "obvious" they are. You definitely can't copyright trivial functions. There's a lot of gray here but yes attribution is always good.
But things get a lot less murky when we're talking about forking a project. That's usually nontrivial and non obvious. I think what's most important is that removing a license is an active decision. Certainly that would make a critical difference in a court [0]
Then there's further escalation by who is doing the action. The more power and influence you have the greater responsibilities. All men are not created equal. Men with more power can disproportionally do more damage and require higher accountability. So yeah, I care a fuck ton more about a government employee doing something bad especially while performing official duties more than some rando. The ability to do harm is very different.
The reason I dislike your comment is because it's dismissive of the action. "Other people do it!" Is not a defense nor excuse. It is even worse by ignoring multiple points of context.
[0] though protecting open source has been traditionally hard for many reasons. Specifically it's hard for small developers to take legal action, especially against larger bodies. But isn't this something we should want to be fixed? Credit for our own contributions?!
What group does the person who makes the comment associate with?
irony
" On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also notice increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers. "
The worst possible interpretation is straightforward - they are working for the Russians as agents and let the Russians in or installed the keyloggers for Russia.
Excerpt: "How much more proof do we need that this administration is completely compromised? There is zero reason for the US to relax any offensive digital actions against Russia. If anything, we should be applying more."
They were accessing Github over the internet from superuser accounts they were presumably also using as their user account. Given the code quality, I doubt their opsec is put together, either.
The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.
If they're trying to exfiltrate data, they might want to rotate through IP addresses in order to obfuscate what's going on or otherwise circumvent restrictions. Using a simple ip rotator like the post talks about would maybe be an approach they'd use. If they're not careful with the IP addresses, once in a while one might get caught due to some restriction like being outside the US. It'd maybe appear as though you're getting these weird requests from Russia, but that's just because you're not logging the requests that are not being flagged from the US.
Maybe I'm reading the post incorrectly though (if so, please correct me!)
Best possible case I see would be that the whistleblower has made some mistake (or is being intentionally dishonest). Seems plausible for instance that "it appeared they had the correct username and password" based on "our no-out-of-country logins policy activating" could just be a misunderstanding of how/when the policy triggers. Not to say it's the most likely explanation, just the least concerning one.
I think less concerning than keyloggers, while still assuming the whistleblower is correct, would be that a DOGE employee was using a VPN/proxy/Tor. Probably not a great idea to have traffic going through a hostile nation state even with encryption, but less bad than keyloggers on their machines stealing and trying credentials within minutes.
Definitely concerning though, to be clear - just steelmanning/answering the question of best possible interpretation.
Though with nation state actors you can't rule out Pegasus like zero-click infiltrations.
This is the evidence which strongly suggests that the DOGE personnel are using various cloud IP addresses to scrape.
This context enables two important things:
- Granular exceptions: If Alice is attending a conference in Toronto, you can say "Allow Alice to log in from Canada next week" without opening Canada-wide logins for everyone. Pre-auth geo-blocking forces you into an all-or-nothing stance.
- Better threat intelligence: A valid login from an unexpected region (e.g. Moscow when Alice is normally in D.C.) is a far stronger signal of compromise than a failed attempt. Capturing "successful login + wrong location" helps you prioritize real threats. If you block pre-auth, you'd never know Alice's account was compromised.
Putting geo-checks after authentication gives you precise control over whom, exactly, is logging in from where, and offers richer data for your security monitoring.
[1] https://learn.microsoft.com/en-us/entra/identity/conditional...
Why would they attempt a login from Russia (if it was indeed Russians)?
It is incredibly cheap to use a VPN with a US residential IP.
Probably the least expected location to connect from, if it was genuine. Not saying it necessarily isn't, but it's not usual either and doesn't make much sense.
Feels like a pretty good Occam’s razor case… but is there any legitimate reason why one would request this?
DOGE needs to be shutdown and everyone of them held as a flight risk while the whole thing is investigated.
Is this normal to build this sort of functionality into a software system? Especially software systems that heavily rely on auditability?
My company retains all e-mails for at least 5 years, for audit purposes. But if some troublemaker were to e-mail child porn to an employee, we'd need to remove that from the audit records, because the laws against possessing child porn don't have an exception for corporate audit records.
So there's essentially always some account with the power to erase things from the audit records.
From the previous post, they had auditor roles built in that they purposely chose to go around
You always need it to setup the system initially.
It's like root on Linux: it's an implementation detail that it must be possible.
Anything musk's dogs claim to find cannot be taken at face value because of this. Because there is no audit, and no evidence that they can offer that they didn't doctor their findings.
The next time they claim that a 170-year old person is receiving SS checks, they have no way to prove that they didn't subtract a century from that person's birthdate in some table.
I think if I wanted to describe an account with access to perform "sudo -s" as negatively as possible, I would say "an all-powerful admin account that is exempt from logging activity that would otherwise keep a detailed record of all actions taken by those accounts."
https://www.pbs.org/newshour/show/nlrb-whistleblower-claims-...
...
While he was at work, and it also contained photographs of him walking his dog taken by a drone.
This is mafia shit.
Deleted Comment
That's the best I could do. LOL
Dead Comment
Some previous attempts for DOGE to get data has resulted in data being deleted before they can look and requests for judges to block access to data.
DOGE may be trying to be covert in order to stop these two activities from happening before they can get and review the data.
By definition, a judge decides what's legitimate.
If DOGE expects their access to be blocked by a court judgement, and bum-rushes agencies to exfiltrate data ahead of the judgement, that's also criminal intent.
I am not sure what you are getting at. "Covert" isn't how I'd describe DOGE's actions. "Brazen" maybe?
This fairly clear.
The story says that DOGE attained access to an account that had huge permissions into what it could see and alter. The person or persons from DOGE may have downloaded 10GB of data. The person may have used this in a manner that is illegal. Or it is illegal to start with. With the understanding that POTUS may or may not be allowed grand such access. (I dont think POTUS can)
2. DOGE employee downloaded code that could be used to use a huge pool of IP addresses, from AWS to bypass forms of throtheling. 3. The code was badly written. 4. The person is a racist
How would a person from DOGE use "unlimited" number of IP adderssess from AWS to hammer and automaticlay screenscape webpage, benefit from it when it came to copying extremly sensetive data from an internal National Labor Relations Board database?
Did 10.000 sessions authenticate to the database at the same time, using AWS UP addresses and scraped the data?
Something is pretty broken if the system with extremly sensetive data is available from external IPs -and- allowing a single account to login 10.0000 times to concurrently scrape data off the interal database?
Of are they saying that this code was adapted to use 10.000/100 IP addresses internal to National Labor Relations Board and scrapes using those?
The automation later noted makes a lot more sense to aid the work.
What data in a federal agency could the chief executive not have authorization to access?
We can also add to that IRS data. The articles of impeachment against Nixon included the following:
"He has, acting personally and through his subordinates and agents, endeavoured to obtain from the Internal Revenue Service, in violation of the constitutional rights of citizens, confidential information contained in income tax returns for purposes not authorized by law" (emphasis mine).
There actually are laws regulating the handling of personal data collected by the government and it generally doesn't have a "the president wants to see it" exception.
Personally? For starters, he can't access anything the Legislature's laws say he can't.
The Executive is there to implement the law, and that includes obeying them him/her-self.
A President telling other people to break the law on his behalf by threatening to fire them is also a crime of extortion.
That said, I was surprised to learn much later that, by all accounts, Elon Musk was a competent and resourceful leader in SpaceX's early days. Maybe these stories are just his personality cult in action, but I found it plausible. It appears he once knew his place as an engineering manager, without LARPing as a Chief Engineer (he didn't appoint himself to CTO until quite a bit later). I worked for a really good manager who didn't know how to code, but he knew a lot about software and was very good about pulling back on coding things vs pushing forward on software design. It seemed like Musk was similar at SpaceX.
Which is all to say that celebrity is a helluva drug. I don't think Musk was ever an especially "high-IQ individual," and his first marriage suggests he's always been a misogynistic loser. But being anointed "a real life Tony Stark!" seems to have destroyed his brain. Ketamine probably doesn't help.
He's good at having and raising money which was what SpaceX needed, I think he was probably the same then as he is now. Reading about his early days at Tesla and the PayPal stuff, I don't really buy the idea he was ever different and took a dark turn. He's the type of person that will never self-regulate and somehow has never faced any negative consequences for lying and self-aggrandizing so has kept pushing it further
I mean, I guess this really happens in all industries. Art, music, leadership, software development. People who maybe once had credibility in something and now desperately try to foist Their People as the best in the industry.
I feel like that is what is happening here. None of the people who Elon surrounds himself are notable in any way, and their skills are hugely suspect, but he has to have his harem of "Super Coders" to prop up his own mythology.
(Btw, awesome username!)
Not trying to defend the means to the end, but I would really like my tax money used more efficiently. I will also say am extremely worried about the levels of access that they are being given, especially since it comes with basically no accountability
If you could prove that billions were saved in pure waste, then I’d imagine any sane citizen would agree with you, setting aside matters of decorum and human decency (e.g. RIFs that may ultimately be necessary but conducted in an inhumane way)
I’d like my tax money used efficiently, but this group does not merit the trust to carry out those changes, even on a technical level
That is what the GAO is for https://www.gao.gov/ , and these people are much better than script kiddies.
> I would really like my tax money used more efficiently
Me too! You are on hacker news so I assume you are firm believer in https://en.wikipedia.org/wiki/Amdahl%27s_law ! If you would like your tax money used efficiently, are you willing to discuss cuts to social security, medicare, medicaid, veteran benefits, and whatever else is at the top of the budget? https://www.cbo.gov/publication/61181? What would you cut?
Personally, I would increase taxes on anyone making over $500K/year and stop nickle and diming our federal government so the US can actually become a first world country for everyone that isn't a software engineer.
Then a lot of those had to be reinstated because you simply can't operate a hospital without sanitation.
Just like they had to scramble to hire back the folks at the National Nuclear Safety Association.
Yeah, efficiency is great. But this is like ordering tacos and getting... a used tire and some dirty diapers...?
This is like the derelict father with partial custody who parachutes in one weekend a month to buy his son ice cream and a new video game to leave two days later the conquering hero. Meanwhile mom works two jobs, has to set all the expectations and responsibilities for the child, and the father is late on child support payments.
DOGE blitzkrieged government IT. It'll be years before we understand the scope of what they've done and given available evidence: these are script kiddies who worship Musk, I don't think there is ANY reason for optimism or charitable consideration.
Except by most accounts so far it was being used efficiently by the federal workforce. This whole debacle will end up costing the US tax payer more money. See cutting the IRS or USAID which will probably lead the US to bailing out farmers. And if they privatize, then it'll be even more expensive.
This is immature thinking, because, who wouldn't?
The contention comes from differing opinions on what is waste.
I agree, but for a different point.
Generalising, but under the age of 25, most people don't have enough experience (business/government) to understand things such as business ethics, the consequences, auditing practises, privacy concerns, etc.
With professional experience, you develop a better understanding and build up that depth of knowledge of how things impact the wider "world" rather than the immediate task at hand. Meaning, you gain a better understanding of the ethical implications of what you're doing.
As an example - in law, it'd be easier to manipulate a law graduate than a lawyer with 20+ years experience, who would think outside the direct question or task that was asked.
Why is the age such a talking point? An insight in startup culture is that the public underestimates young people, especially when it comes to business skills with objective results and tight feedback cycles.
It just seems like now that HN is skewed older we no longer believe that?
One could be a 60 year old skid.
Is the federal government a business or startup? Does chainsawing it have a tight-enough feedback cycle to get good results? I'm going to say No to both, but I don't have the time or expertise to try to prove it. It can be true, both that young people are great at startups and bad at the federal govt.
This is supporting evidence that they were picked for ideological reasons - namely, being young white supremacists who wouldn't ask any questions. That's why Marko Elez was rehired. Musk, Trump, and Vance all share his views, he was just dumb enough to express them in public.
Young people get convinced to do stupid things that their older selves would regret.
> On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”
Link from quote: https://github.com/markoelez/async-ip-rotator/issues/1
The follow comment is interesting to be a coincidental, such a weird interaction.
I must be missing something here; surely the level of elite technical skill implicit in his résumé would preclude this kind of thing
I would say that Elmo picked a bunch of junior devs because they don't have enough maturity to talk back and will do anything they're asked but I think that's too charitable. I think he actually went this route because Elmo is a sad man in his 50s who is desperately trying to pretend that he is, and has not matured beyond, his 20s.
Musk did a "poll" on X that voted for rehiring Elez to DOGE, by February 20th Elez had a US Government email address again, and on Febrary 21st he was reported as working for DOGE at the Social Security Administration.
the 2nd comment in the issue explains why the 1st was posted pretty clearly
The public repos for this person that I could find that weren't forks with no activity to upstream consisted of a dice-rolling guessing game, rock-paper-scissors, and some kind of framework for downloading and transcribing audio files that does not yet download or transcribe, but implements a whole bunch of boilerplate. I find it rather difficult to believe this person engaged in a good-faith review of the async-ip-rotator code base.
Go look at the list of pardons this administration has handed out. These guys won’t even be charged.
Just as its only worth complaining about geriatric geezers in office until the cheeto man brings in young hackers, then the problem is that "the old impaired people were good, actually".
Don't observe. Don't think. Merely repeat the approved message.
> The Party told you to ignore the evidence of your eyes and ears. It was their final, most essential command.
This is the deep state they've been worried about, this is the boot that will tread on them.
EDIT: parent comment was highest ranked comment for the article and is now at the bottom?
We live in a nation of laws, whether or not conspiracy-minded individuals prefer to follow them.
Dead Comment
Dead Comment
Dead Comment
If this is all true, this is basically hacking sensitive data in the open. We already know the current administration has worked to hobble unions. So putting these things together, this act is not only wrong in and of itself, but the data is likely going to be used to harm americans' interests. So, deserving of punishment.
And then the means to do so have involved ignoring the courts and bypassing constitutional checks and balances? Please tell me how this isn’t criminal if not treasonous?
After all, why do they need unfettered access? Why do they need your bank statements? Why do they need to hide what they're doing with the unfettered access?
That's what's happening here. There is no good explanation other than bad actors
If Joe Blow off the street walks into a federal agency and takes all their data – open and shut case, throw the book at them, see you in a few decades.
If someone from the White House walks into a federal agency, tells the agency leadership "the President wants me to take all your data", and the agency leadership replies "sure, go right ahead" – not a scenario people were expecting, so the existing laws haven't been crafted to clearly criminalize it. Maybe some enterprising prosecutor can find a way to map it to the crimes on the statute book, maybe it is just too hard. But even if the prosecutor overcomes that hurdle, it will be far from easy to convince the jury / trial judge / appellate courts that the legal elements of the crime are actually met – and if it actually gets as far as a conviction upheld by the appellate court, what do you think the conservative SCOTUS majority are going to do with that when they get it? And many prosecutors, foreseeing those low odds of ultimate success, will stop before they even get to an indictment.
So, I think the odds of anyone ultimately being convicted over this are low, even if Trump never pardons them.
Maybe, Congress might pass a law to make it more clearly illegal, which might make it easier to prosecute if a future administration repeats the same behavior.
EDIT: if people are downvoting this because they think my analysis of the likelihood of successful criminal prosecution is wrong, it would be great if they could reply to explain where they think I got it wrong
If you don't feel that way then you deserve the world you are creating.
Deleted Comment
Dead Comment