scottlamb 3 hours ago [-]
> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.”
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana possession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
tempaccount5050 3 hours ago [-]
When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence. This is absolutely a standard and has to be for these kinds of positions. I've never worked anywhere where it wasn't for the majority of IT staff. You meet with HR, someone clears your desk, and security walks you out.
scottlamb 3 hours ago [-]
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
stronglikedan 44 minutes ago [-]
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since its first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
mquander 18 minutes ago [-]
> Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there.
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
tempaccount5050 3 hours ago [-]
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
scottlamb 3 hours ago [-]
> Just think of all the info you have in your inbox.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
BrandoElFollito 3 hours ago [-]
High level IT positions are not risky. This is the db admin who can do most of the damage.
stego-tech 2 hours ago [-]
There is a middleground, but it requires conscious effort to prop-up, support, and maintain over the long haul: off-boarding centers.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
skinfaxi 2 hours ago [-]
Your last sentence sums it up. I was blown away by the system you described that would allow for such a humane transition through such a difficult time. At least process wise it seems like a good place to work.
mistrial9 43 minutes ago [-]
you left out the people who enjoy the suffering and pain of the person it is being done to, while they supervise (and film it, in some cases)
repelsteeltje 47 minutes ago [-]
I suppose that's a very powerful way of preventing "accidents" on termination. But isn't that just theatre? I mean - as though termination is the one and only case where an employee with the power to destroy the company gets angry and might do something really stupid?!
lesuorac 2 hours ago [-]
Yeah but if your defense against somebody erasing a database is "we remove their access when they're fired" then your defense is garbage.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
tempaccount5050 1 hours ago [-]
I'm talking about off-boarding not general day to day security.
beAbU 2 hours ago [-]
Having people with that level of access without some form of two-person-control is already a sign of incompetence.
dullcrisp 2 hours ago [-]
Twins can defeat two-person control (okay I know one of them was locked out).
saghm 2 hours ago [-]
Maybe they did, but since they were twins...
dylan604 59 minutes ago [-]
This takes the whole "you must mean my evil twin" to an actual example. Maybe this is more "you must mean my other evil twin". Part of me really wishes their names were Daryl
reactordev 1 hours ago [-]
They do all of that now though...
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
paulpauper 3 hours ago [-]
> Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately
The employee is always the last to know. This is standard fare.
aksss 1 hours ago [-]
> a more balanced version: <bunch of weedy ACLs, judgement calls, liability/>
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
soVeryTired 3 hours ago [-]
> On March 12, 2025, a search warrant was executed at Sohaib’s home in Alexandria. Agents grabbed plenty of tech gear but also turned up seven firearms and 370 rounds of .30 caliber ammunition. Given his former crimes, Sohaib should have had none of this.
For god's sake, don't commit crimes while you're committing crimes.
tclancy 2 hours ago [-]
I was kind of hoping he sprinted out his back door which happened to be on a state line and then mailed his guns back to his house, just to try to cover everything.
paulpauper 3 hours ago [-]
Only commit one crime at a time
giantg2 3 hours ago [-]
How did they get access to 5k passwords? Are they being sent/stored in cleartext? This is the most baffling part of the article for me.
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
inetknght 3 hours ago [-]
From the article, it sounds like the passwords are indeed stored in cleartext:
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
giantg2 2 hours ago [-]
It still blows my mind. Shouldn't the government audit their contracting companies for egregious issues like this? Seems extremely reckless not to.
at-fates-hands 1 hours ago [-]
I'm pretty shocked as well. I thought every company stopped doing this like 20 years ago? Even for a legacy system that is a long time to continue storing credentials like that.
liendolucas 42 minutes ago [-]
I can only think of a scenario where this is still valid: spying.
The minimum one can do is have a different randomized password for every service on a possibly completely offline password manager.
Yes, you will depend on a password manager at all times, but at least the blast radius is minimized to the affected service.
skinfaxi 2 hours ago [-]
Depends on what their offboarding policy is. If it's 72 hours or something they would not breach policy.
GorbachevyChase 2 hours ago [-]
Policy and practice might not be the same thing. The company and the entire management staff should be on somebody’s blacklist for future procurement.
giantg2 2 hours ago [-]
The whole point of stuff like SOC2 and audit to verify that policy is actually implemented. Seems like nobody actually checked.
kube-system 1 hours ago [-]
SOC2 requires an audit. But one of the weaknesses of SOC2 is that the audit mostly checks to determine that you are following whatever your policy is. It doesn't verify that your policy is rigorous.
BrandoElFollito 2 hours ago [-]
And how exactly do you want to store passwords if not in plain text (and then encrypted of course)? 5k is a lot, the authorization process is broken, but this is not related to how the passwords are stored.
The only solution is correct access segregation and a bastion
Dangeranger 2 hours ago [-]
You should never store passwords in plain-text, encrypted or not, you should always use a one-way cryptographic hash like bcrypt [0], scrypt [1], or PBKDF2 [2], combined with a single use salt [3] and optionally a pepper [4], and then store the output of the hash in the database.
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
Hashed, you store them hashed (and salted). A breach should never reveal passwords.
jm_l 2 hours ago [-]
Typically you store a hash of user passwords instead, then when logging in you hash the user password client-side and compare the hashes. This acts like a one-way function that protects the password while letting the user authenticate themselves.
CyberLily 2 hours ago [-]
Hashing passwords client-side is generally a bad idea, since it means that the hash effectively becomes the password. For example, if I have a database row that has the hash of the password and a bad-guy gets access to the database, they will get the hash. The benefit of a hash is that it is a one-way operation, I can't figure out the plaintext from the hash, so my account is safe. If the password is hashed on the client, and sent to the server the attacker doesn't need to reverse the hash, they can just send the hash in the request. Instead, you should send the password to the server (using TLS encryption) and do the hash and compare on the server.
jmull 34 minutes ago [-]
You actually want to one-way passwords both client-side, for transport, and again server-side, for storage/comparison.
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
jmull 24 minutes ago [-]
People shouldn't be downvoting this...
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
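To make the two points above concrete (Dangeranger's comment on salted, one-way hashing on the server, and jmull's on pre-hashing in the client as well), here is an added example; it is not code from the article, from Opexus, or from any system mentioned in the thread. It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt/scrypt/Argon2, and the site tag, usernames, passwords and pepper are all constructed for the demo. It shows why two users with the same password get different stored hashes, why a captured client pre-hash still logs in to this site (the hash becomes the password, as CyberLily says) but is worthless against a different site tag, and how to avoid a timing leak for unknown usernames.

```python
"""Salted server-side password hashing plus a client-side pre-hash.

Added example, not code from the article or the contractor it describes.
Assumptions: PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt/Argon2; the
site tag, pepper, usernames and passwords below are constructed values.
"""
import hashlib
import hmac
import os

# Server-side work factor. Kept low so the demo runs in well under a second;
# raise it substantially in production (follow current OWASP guidance).
SERVER_ITERATIONS = 50_000
# Cheaper client-side work factor, since the browser pays it on every login.
CLIENT_ITERATIONS = 5_000
# Per-site tag mixed into the client pre-hash, so the value that crosses the
# wire (and any proxy or load-balancer log) is useless against another site.
SITE_TAG = b"example-portal-v1"          # hypothetical value
# Server-only secret held outside the database (e.g. a secrets manager).
PEPPER = b"demo-pepper-not-in-db"        # constructed for the demo


def client_prehash(username: str, password: str, site_tag: bytes = SITE_TAG) -> bytes:
    """What the browser sends instead of the raw password.

    Salted with the site tag and username, so the same password yields a
    different value for every site and every user.
    """
    salt = site_tag + b"|" + username.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)


def store_secret(secret: bytes) -> dict:
    """Server side: fresh random salt per user, pepper, slow hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret + PEPPER, salt, SERVER_ITERATIONS)
    return {"salt": salt, "iterations": SERVER_ITERATIONS, "hash": digest}


def verify_secret(secret: bytes, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret + PEPPER, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Verified whenever the username is unknown, so a failed login costs the same
# time whether or not the account exists (no user enumeration via timing).
_DUMMY_RECORD = store_secret(b"\x00")


def register(db: dict, username: str, password: str) -> None:
    # The server never sees `password`; only the client pre-hash arrives.
    db[username] = store_secret(client_prehash(username, password))


def login(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    ok = verify_secret(client_prehash(username, password), record or _DUMMY_RECORD)
    return ok and record is not None


def login_with_captured_prehash(db: dict, username: str, captured: bytes) -> bool:
    """An insider who logged the pre-hash replays it against *this* site."""
    record = db.get(username)
    return record is not None and verify_secret(captured, record)


def demo() -> dict:
    db: dict = {}
    register(db, "alice", "Password123")
    register(db, "bob", "Password123")   # same password as alice
    captured = client_prehash("alice", "Password123")  # what a proxy log would hold
    return {
        "alice_ok": login(db, "alice", "Password123"),
        "alice_wrong": login(db, "alice", "password123"),
        "unknown_user": login(db, "carol", "Password123"),
        # Per-user random salt: identical passwords never share a stored hash.
        "same_password_same_hash": db["alice"]["hash"] == db["bob"]["hash"],
        # The pre-hash *is* the credential for this site...
        "captured_prehash_replays_here": login_with_captured_prehash(db, "alice", captured),
        # ...but it is not the password, and does not match another site's pre-hash.
        "prehash_is_not_password": captured != b"Password123",
        "captured_prehash_works_elsewhere":
            captured == client_prehash("alice", "Password123", b"other-site"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The client pre-hash does not reduce the server's obligations at all: whatever arrives must still go through `store_secret`/`verify_secret` with its own random salt, or a copied database is directly replayable. Its only job is to keep the user's reusable plaintext out of everything between TLS termination and the database.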
Tangurena2 2 hours ago [-]
Also, you need to add salt. Otherwise every person using "Password123" has the exact same hash. Before they broke their search engine, it was common to google the MD5/MD4 hashes to "decrypt" or "unhash" them.
ellg 2 hours ago [-]
I hope you're joking
kjs3 41 minutes ago [-]
I don't think those words mean what you think they mean.
jjk7 2 hours ago [-]
Assuming you're serious? Store passwords with salted one-way hashes.
chatmasta 21 hours ago [-]
> At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
game_the0ry 3 hours ago [-]
> At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”
So many red flags, I can't even.
t0mas88 15 minutes ago [-]
> In the space of a single hour, Muneeb deleted around 96 databases with US government information. He downloaded 1,805 files belonging to the EEOC and stashed them on a USB drive, then grabbed federal tax information for at least 450 people.
Maybe whoever runs infosec at that place should also be fired?
darkwater 2 hours ago [-]
Yep, Windows Server 2012 being a big one :o
plagiarist 2 hours ago [-]
They forgot a
> "How do I clear chat logs from LLM?"
I guess?
jiggawatts 2 hours ago [-]
I love how this leaks out the fact that the DHS is running production databases on operating systems that are months away from end of extended support.
For Linux users: Windows goes through phases of mainstream support, security updates only support, and then after the end of support there’s and extra three year window of paid “extended” support that provides only critical security patches.
This exists only for incompetent organisations like government departments.
harrisi 1 hours ago [-]
It can be quite politically valuable to kick the can to the next administration.
lostlogin 3 hours ago [-]
Ready access to AI tools sure makes vandalism easy.
game_the0ry 3 hours ago [-]
AI is just a tool. You can kill with a hammer, doesn't mean you ban hammers. And they could have used stack overflow instead of AI.
xethos 2 hours ago [-]
The tools we use are not neutral. A sword can be made to work like an axe, but we use axes for chopping wood because a sword makes a shitty axe. A sword is designed to kill people. The handle, the mass, the weight distribution, and every other aspect I am not qualified to get in to, means swords are designed to kill. They are a tool, and their use is not neutral.
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
collingreen 2 hours ago [-]
My god, they didn't say ban ai they said it makes vandalism easy.
No need to knee jerk react to an argument that hasn't been made.
fugalfervor 2 hours ago [-]
You are the first person in this conversation to mention banning. I am not sure what your comment has to do with anything.
fn-mote 2 hours ago [-]
This vandalism is a joke. You could find the method in an XKCD comic.
The fact that they didn't already know how to do it is the crazy part.
bmitc 21 hours ago [-]
Those two in the movies were always a highlight for me, especially when the one joins the other in the Mexican factory riot.
noboostforyou 1 hours ago [-]
One of my favorite lines "Peligroso es mi nombre medio" (which of course is not grammatically correct in Spanish) and then his short inspirational speech invoking general Zapata were great.
He may be a bad person but he has very pretty handwriting.
disqard 35 minutes ago [-]
Your comment made me go read TFA, and yes, that is rather pretty handwriting.
chrisra 23 hours ago [-]
I have no problem with my credentials being revoked everywhere before I know about a layoff. I don't really care how I learn about it, just please don't make me come in to the office.
nine_k 4 hours ago [-]
> just please don't make me come in to the office.
But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.
jimmaswell 2 hours ago [-]
I've never had a job with a permanent individual desk like this. The one in-person real job I had, it was only shared working space that different people used at different times of the day or on different days, and I think you were discouraged from leaving anything. The idea of there being "your desk" with a framed photo of your kids and favorite coffee mug seems like a nearly extinct piece of nostalgia. It must have been nice in a way, far preferable to the new style of open office at least.
pavel_lishin 2 hours ago [-]
May I ask how long you've been working?
I'm in my early 40s, and I've never had a job where we've "hot-desked" like that, even when a company was out-growing an office.
paulpauper 3 hours ago [-]
ship it?
jagged-chisel 4 hours ago [-]
Meh. Don't leave anything at work. Forgo the convenience and carry your things on your commute. Use a bag. If there's "too much stuff", that's a sign to pare back what you "need" at work.
whatshisface 3 hours ago [-]
I know this is not a good year on the job market, but if you are traveling to work with a "go bag" and not leaving coffee mugs on your desk to prepare for being laid off maybe it is time to carry that go bag to some other buildings...
nkrisc 2 hours ago [-]
The obvious middle ground is don’t leave anything valuable at your desk that you wouldn’t want to lose. You shouldn’t leave valuable stuff at your desk even if you don’t expect to be laid off. Unless you work in a very secure environment, you don’t really know who will be sniffing around your desk.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
pavel_lishin 2 hours ago [-]
I would be devastated if a few of my coffee mugs were eaten by a firing/layoff. (But I would also not bring those specific coffee mugs to the office, either.)
jdev-hn 3 hours ago [-]
[dead]
afavour 3 hours ago [-]
God, if we're at the point where we're so paranoid about being laid off that we don't dare leave a single piece of personal property in the office then I think we're in a very dark place indeed. Can’t imagine the mental damage from considering losing your job every single day you wake up.
alexjplant 2 hours ago [-]
I never left anything valuable or personal at my desk when I worked in an office simply because I had a very nonzero number of colleagues who acted like animals. My fizzy waters, coffee, and snacks would be consumed without permission or replenishment. Chairs, monitors, and input peripherals would get swapped without asking. Desk surfaces would be sat on with chairs used as footstools. Corporate effluvia of all types would end up on my "unused desk" because I wasn't in at the exact moment some roving bandit walked by looking for a spot to dump their crates of paper and binders.
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
eks391 2 hours ago [-]
I always thought it was weird that all of the equipment issued to me beyond the laptop was registered to me, such as the monitors and desk phone. Your comment enlightens me... That's wild to imagine folks just swiping things from other peoples desks. We even have storage rooms of office supplies where someone could drop off their crate of paper and binders if they had one for some reason.
buckhx 2 hours ago [-]
well this did just happen to me. laid off while taking care of my father-in-law's estate and my personal belongings were thrown away. 7 years at the company as an EM ftr.
cromka 3 hours ago [-]
I had my gym stuff in a gym locker. The reason I was able to commit to a gym routine was being able to get off my desk, get down the elevator, enter the gym and change in gym clothes in literally 5 minutes. I would never be willing to commute with all that gear. And I never got that gear back.
Still a net positive in my experience.
eks391 2 hours ago [-]
Same, almost. When I was a student, I rented a locker near the showers so I could start my day at the school gym, shower, and go to my first class.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
forlorn_mammoth 2 hours ago [-]
If they are keeping your personal possessions, isn't that theft?
BrandoElFollito 2 hours ago [-]
Yes, I will bag my two tree-sized plants, 4 paintings, 1 old map, 2 posters, drawings of my kids, figurines and a few more things. Ah yes, the ball I sit on.
I spend in the office more time than at home so I want a nice environment.
ccimmergreen 20 hours ago [-]
So this was why the FBI Director Kash Patel was in a panic when he couldn't log in one day. Revoking credentials before firing someone makes a lot of sense in security.
lostlogin 3 hours ago [-]
> So this was why the FBI Director Kash Patel was in a panic when he couldn't log in one day
Ever tried to login with two factor and justify a maxed out company card while high as a kite and drunk?
It’s stressful.
deepsquirrelnet 3 hours ago [-]
Professionally, he spells his name thusly: FBI Director Ka$h Patel, so you know he’s serious.
tty456 3 hours ago [-]
Written in bourbon
metalman 13 hours ago [-]
no, because the simple and pragmatic solution for ANYONE who is subject to arbitrary termination, is to litter everything they build with caltrops and dead man triggers
and then hint that they will go into "consulting" when fired.
I know of one case where this was totally unintentional, and a machinist at a local pulp and paper plant had self delegated to write the software that controlled tension on the giant machines in the mill, but as it was his only real foray into software, nobody else could operate it, and they fired him after a management reshuffle, and then after the next scheduled shut down, nothing worked right, greasy dusty ancient screen with a blinking cursor was what they had, plugged into the important bits of a half square mile plant.
still funny to think about!
cj 4 hours ago [-]
Or if you don't want to booby trap your code, buy one of those tiny devices that make a cricket noise randomly every 5-15 minutes, and hide it somewhere in the restroom.
These are too obvious - 5-15 minutes gives your victim way too many opportunities to narrow down the location.
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
HeyLaughingBoy 30 minutes ago [-]
Next time I'm bored and need a project, I'm building that ;-)
therobots927 4 hours ago [-]
That is some top notch wrongthink… HN does NOT find it funny!
xingped 21 hours ago [-]
[flagged]
JumpCrisscross 28 minutes ago [-]
> Muneeb and Sohaib Akhter, now both 34, had been in trouble before. Back in 2015, the brothers pled guilty in Virginia to a scheme involving wire fraud and computers. Muneeb was sentenced to three years in prison, while Sohaib got two.
> After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
libpcap 3 hours ago [-]
Nice handwritings, though.
capibara13 3 hours ago [-]
A true professional always makes sure to leave their workspace completely spotless before going home
lostlogin 3 hours ago [-]
So no guns and ammo?
nostrademons 4 hours ago [-]
> Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter.
WTF?
dzonga 2 hours ago [-]
prosecute the company too.
storing passwords in plaintext should be prosecuted & having unlimited access to customer databases.
nrmitchi 1 hours ago [-]
This whole story is just line after line of utter incompetence.
The "after they were fired" sounds catchy, but isn't even the biggest failure.
This organization shouldn't be permitted anywhere near government, or any non-public, data/information.
ge96 2 hours ago [-]
Some good handwriting
iJohnDoe 18 hours ago [-]
It’s crazy that people are desperate for jobs and these clowns get hired.
alphawhisky 8 hours ago [-]
Well, who else would you hire for the circus?
hunterpayne 4 hours ago [-]
Perhaps don't hire people who act as foreign adversaries for government work? Is that really such an absurd proposition?
titanomachy 3 hours ago [-]
You can’t assume someone is foreign based on their name.
In fact I’d guess they’re not, since they’ve been employed on government projects since a young age.
leptons 3 hours ago [-]
>who act as foreign adversaries
This does not mean they are from another country.
ChrisMarshallNY 3 hours ago [-]
I don't think they were spies. They have ethnic names, but it sounds like they are just good ol' red-blooded Yankee crooks.
GorbachevyChase 2 hours ago [-]
I can understand wanting to be perceived as being on “the right team” but that comment is so silly that it undermines credibility. To put it otherwise, could you imagine a scenario where I had a labor arbitrage opportunity that involved a higher paying job in Shanghai, China and that I had lived there for a few years to do that. Let’s also say that I was found guilty of some similar crime. Would you call me a good old fashioned red-blooded Chinese crook?
It’s OK to acknowledge that economic migrants are a thing, and that they likely have only transactional interest in where they live, such as a Bengali construction worker in Dubai, for example. That’s just part and parcel of labor mobility. For better or worse, shareholders, or middlemen representing shareholders, have decided this sort of thing is a really good idea in the US, and now around half the population falls in that bucket. It’s a free country, and freedom means being free to choose short term interests. That also means you’re free to support such policies because they are good for Blue-team redistricting so we can provide free healthcare to all 8 billion people in the world somehow.
But please, nobody becomes a Yankee by the mere fact of standing on the ground. If you want that pejorative title, then you need to earn it.
ChrisMarshallNY 2 hours ago [-]
It was a silly comment. It was meant to be.
As opposed to...
lostlogin 3 hours ago [-]
> Perhaps don't hire people who act as foreign adversaries for government work?
Hilarious in the context of this administration.
toast0 2 hours ago [-]
Yeah. Here in America, we demand domestic adversaries!
leptons 3 hours ago [-]
Uhh... The guy in charge of the whole thing does things a foreign adversary would do. Has for years and he's back for round two. He even tried to overthrow the government once.
waterTanuki 22 hours ago [-]
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.
wildzzz 2 hours ago [-]
It's probably some sort of crusty old application written before salt and hash was SOP. No agency is going to spend money on hardening something non-critical unless there's an incident or there's free money to do so. And that application was likely written by some contractor who's no longer around or has the source code available so any fixes would require an entire redo. And while you're redoing the whole thing, let's add in a bunch of features and scope creep to balloon the cost and schedule. Oops, the new contractor writing the app is overrun so let's bail and go back to the old version.
mijoharas 11 hours ago [-]
This is what I want to know. Are there any consequences for this contractor? At least fraud or negligence or something?
kaikai 22 hours ago [-]
How on earth did someone previously convicted of what sounds like hacking get job access to so many prod government databases? Wild that it took them so long to get caught.
AlexB138 4 hours ago [-]
I had the same questions. Apparently discovery of the prior conviction is what led to them being fired:
> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025
That prompts the question of why background checks are so lax that they were hired before this was discovered.
charonn0 4 hours ago [-]
The company involved here is apparently based in Washington, DC, which has a "Ban the Box" ordinance that limits employment background checks for most kinds of jobs. And apparently DC's version of the law is particularly strict.
giantg2 3 hours ago [-]
Shouldn't this force companies that need to pass a SOC2 out of the district? Doesn't SOC2 require background investigation of personnel with access to sensitive systems?
anonSrEng202309 4 hours ago [-]
And I recently couldn't get a job through a federal contractor for a federal position (requiring NO security clearance) because they didn't like something on my credit report.
game_the0ry 3 hours ago [-]
No back ups? Skill issue.
Tangurena2 2 hours ago [-]
Not many people test their backups. I've encountered some situations where the backups didn't work. And one previous employer who was so lazy that he didn't rotate the backup tapes so that the one tape cartridge was used so long that the oxide layer was rubbed off of the tape - so it was no longer brown but was transparent instead (imagine adhesive tape with no adhesive).
zeroonetwothree 2 hours ago [-]
The article says that they did have backups
taffydavid 2 hours ago [-]
> While this was going on, the brothers held a running conversation. (The government is not clear about whether this took place over text, instant message, or in person.)
Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.
kittikitti 1 hours ago [-]
This is very surprising that they would pass a background check. I've been denied an offer because of a low credit score multiple times.
paulsutter 2 hours ago [-]
Deleting data like that is a crime investigated by the FBI. In a very sad story, a brilliant former coworker made a mistake of deleting data after leaving employment and ended up in prison. Brilliant guy, momentary mistake. Overzealous employer.
cyanydeez 23 hours ago [-]
so, apparently, the passwords were stored in cleartext.
whynotmaybe 21 hours ago [-]
Reminds me of a forum a long time ago that sent me my password in the clear when I used the "forgot password" link.
When I advised them that it was a bad idea to store passwords in the clear, they answered that they keep it in the clear so that they can send it when someone forgets.
Defeated by such argument, I deleted my account.
syntheticnature 4 hours ago [-]
In my free time, I help maintain the web presence for a small non-profit org with memberships. The original system when I started helping was a bespoke system that was smart in many ways (essentially a static site generator with membership control years before SSGs were cool, with regular automated tests), but the guy who wrote it absolutely insisted on storing passwords in plaintext and could not be convinced otherwise. Eventually he had to drop the volunteer position due to other things in life, and the first thing we did was correct this issue.
miki123211 3 hours ago [-]
There was a screenshot of some website floating around a few years ago, where if you entered the correct password but a wrong username, it would helpfully tell you which user the password is really for.
mekdoonggi 2 hours ago [-]
But did they handle the edge case of two users having the same password?
nodesocket 3 hours ago [-]
Product manager; “That’s a great UX.”
asveikau 2 hours ago [-]
Circa 2012 the San Francisco water bill pay was able to send me my password in plaintext when I forgot it. I was scandalized. But the alternative was to not pay the water bill, so I just made extra sure the password was very random and wasn't one that got re-used anywhere... I think they fixed this issue in the years since.
moebrowne 2 hours ago [-]
> Defeated by such argument, I deleted my account.
I'd bet your account wasn't actually deleted, just marked as deleted or inactive.
scorpioxy 18 hours ago [-]
I've got a better one. I once had the same argument mentioned to me by my manager at the time when I pointed out that passwords were being stored in clear text. That it needs to be this way so that it is read/sent when the users forget their passwords (which happened a lot). I tried to explain that typically a "reset password" flow is used for that but that fell on deaf ears. That system contained healthcare data.
Something bad did end up happening due to that lax security and there were oh so many meetings about it.
bluefirebrand 3 hours ago [-]
> Something bad did end up happening due to that lax security and there were oh so many meetings about it.
This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So now there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
SoftTalker 3 hours ago [-]
Gnu Mailman still does this, and sends a monthly reminder email of your password.
tetris11 8 hours ago [-]
Greetings, Bioconductor
dionian 2 hours ago [-]
The penmanship of the guy is extremely neat, like, uncannily so
ck2 2 hours ago [-]
imagine the delete-fest the current whitehouse is going to do in a few years
all with pardons waiting so they can't be convicted
they might not even wait a few years
Tangurena2 2 hours ago [-]
"Legal Eagle" has a new video about this. The administration's viewpoint is that the Presidential Records Act is unconstitutional, plus the President owns every document, so he can't be forced to return anything because it belongs to him.
chinathrow 49 minutes ago [-]
They might not leave, at all.
htx80nerd 2 hours ago [-]
>Muneeb and Sohaib Akhter
typical american names
chasing 2 hours ago [-]
Don't be a bigot.
htx80nerd 16 minutes ago [-]
oy cant say bad things or make jokes about people who did terrible thing cuz their not white. my mistake m8
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
The employee is always the last to know. This is standard fare.
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
For god's sake, don't commit crimes while you're committing crimes.
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
The minimum one can do is have a different randomized password for every service on a possibly completely offline password manager.
Yes, you will depend on a password manager at all times, but at least the blast radius is minimized to the affected service.
The only solution is correct access segregation and a bastion
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
[0] https://en.wikipedia.org/wiki/Bcrypt
[1] https://en.wikipedia.org/wiki/Scrypt
[2] https://en.wikipedia.org/wiki/PBKDF2
[3] https://en.wikipedia.org/wiki/Salt_(cryptography)
[4] https://en.wikipedia.org/wiki/Pepper_(cryptography)
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
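Client-side pre-hashing followed by salted, peppered server-side hashing, as the comments above describe: an added example in Python, not code from the thread. The pepper value, the PBKDF2 parameters, the in-memory "database" and the site names are constructed assumptions.

```python
import hashlib
import hmac
import os

# Hypothetical server-side pepper: kept outside the database (env var, KMS),
# so a stolen DB dump alone is not enough to verify guesses. Constructed value.
PEPPER = b"constructed-pepper-keep-out-of-the-database"

PBKDF2_ITERATIONS = 600_000  # server-side work factor; raise it over time


def client_prehash(password: str, site: str) -> str:
    """Client-side hashing: derive a site-specific value from the password.

    The browser sends this hex string instead of the raw password, so anything
    between TLS termination and the password check (logs, proxies, a curious
    insider) only sees a value that is useless on other sites. PBKDF2-SHA256
    with the site name as the salt is an assumed choice for this example.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), site.encode(), 10_000
    ).hex()


def server_hash(prehashed: str, salt: bytes) -> bytes:
    """Server-side hashing: per-user random salt plus the global pepper.

    The value the client sent is still effectively the password, so it must be
    hashed again before storage. The pepper is applied with HMAC so that the
    stored digest cannot be recomputed from the database contents alone.
    """
    peppered = hmac.new(PEPPER, prehashed.encode(), "sha256").digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)


def register(db: dict, username: str, prehashed: str) -> None:
    """Store only the salt and the peppered hash, never the client value."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": server_hash(prehashed, salt)}


def verify(db: dict, username: str, prehashed: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = db.get(username)
    if rec is None:
        # Do the same work for unknown users so timing does not reveal
        # whether an account exists.
        server_hash(prehashed, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], server_hash(prehashed, rec["salt"]))


def demo() -> dict:
    """Register one user and show what a harvested client value is good for."""
    db = {}  # stands in for the users table; constructed, in-memory
    pw = "correct horse battery staple"
    sent = client_prehash(pw, "portal.example")
    register(db, "alice", sent)
    return {
        "login_ok": verify(db, "alice", client_prehash(pw, "portal.example")),
        "wrong_pw": verify(db, "alice", client_prehash("wrong", "portal.example")),
        # The same password on another site yields a different client value,
        # so a value harvested from this site cannot be replayed there.
        "reusable_elsewhere": sent == client_prehash(pw, "mail.example"),
    }
```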
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
So many red flags, I can't even.
Maybe whoever runs infosec at that place should also be fired?
> "How do I clear chat logs from LLM?"
I guess?
For Linux users: Windows goes through phases of mainstream support, security updates only support, and then after the end of support there’s an extra three year window of paid “extended” support that provides only critical security patches.
This exists only for incompetent organisations like government departments.
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
No need to knee jerk react to an argument that hasn't been made.
The fact that they didn't already know how to do it is the crazy part.
But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.
I'm in my early 40s, and I've never had a job where we've "hot-desked" like that, even when a company was out-growing an office.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
Still a net positive in my experience.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
I spend in the office more time than at home so I want a nice environment.
Ever tried to login with two factor and justify a maxed out company card while high as a kite and drunk?
It’s stressful.
I know of one case where this was totally unintentional, and a machinist at a local pulp and paper plant had self-delegated to write the software that controlled tension on the giant machines in the mill, but as it was his only real foray into software, nobody else could operate it, and they fired him after a management reshuffle, and then after the next scheduled shutdown, nothing worked right; a greasy, dusty, ancient screen with a blinking cursor was what they had, plugged into the important bits of a half square mile plant. Still funny to think about!
https://annoyingpcb.com/
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
WTF?
storing passwords in plaintext should be prosecuted & having unlimited access to customer databases.
The "after they were fired" sounds catchy, but isn't even the biggest failure.
This organization shouldn't be permitted anywhere near government, or any non-public, data/information.
In fact I’d guess they’re not, since they’ve been employed on government projects since a young age.
This does not mean they are from another country.
from https://www.justice.gov/opa/pr/federal-jury-convicts-virgina... which is a better source on this.