5 things you need to know about the NPR report on the DOGE at the NLRB

DOGE’s Access to National Labor Relations Board is Scarce and Unconstitutional: A Correspondence to Berulis, an NLRB Whistleblower, and Other Labor Critics

The top Democrat of the House Oversight Committee called for an investigation into the access of DOGE to the National Labor Relations Board after learning about the whistle-blower disclosure.

U.S. Rep. Gerry Connolly, D-Va., expressed concern that DOGE “may be engaged in technological malfeasance and illegal activity,” in a letter sent to two independent labor watchdogs.

The whistleblower’s story sheds further light on how DOGE is operating inside federal systems and comes on the heels of testimony in more than a dozen court cases across the United States that reveal how DOGE rapidly gained access to private financial and personal information on hundreds of millions of Americans. It’s unclear how or whether the data is being protected. The threatening note is indicative of the current climate of fear and intimidation towards whistle-blowers.

“I can’t attest to what their end goal was or what they’re doing with the data,” the whistleblower, Daniel Berulis, said in an interview with NPR. “I can tell you that the parts of the puzzle that I can measure are very frightening. This is a very bad picture we’re looking at.”

There are multiple ongoing cases involving the NLRB and companies controlled by Musk. After a group of former employees filed a complaint with the NLRB, lawyers for SpaceX filed a lawsuit against the National Labor Relations Board. They argued that the structure of the agency is unconstitutional.

Berulis saw around 10 gigabytes of data leave NLRB’s network — or the equivalent of a full stack of encyclopedias if someone printed them. Information about pending cases and proprietary data from corporate competitors are some of the types of data that came from the system. Access to that data is protected by numerous federal laws, including the Privacy Act.

The letter asks the inspectors general to answer a number of questions regarding ways DOGE may have potentially violated federal law, including any NLRB networks DOGE staffers had access to and what records of DOGE’s work within NLRB systems exist.

The disclosure says that a Russian person with an Internet Protocol address in Russia tried to log into the newly created account with the usernames and passwords right after it was created.

Weeks after DOGE staffers descended on federal buildings across Washington, Trump issued an executive order urging increased data sharing “by eliminating information silos” in what’s seen by experts like McClanahan as an attempt to give DOGE engineers further top cover in accessing and amalgamating sensitive federal data, despite laws concerning privacy and cybersecurity.

The National Labor Relations Board’s headquarters was the location of a team of advisers from President Trump’s new Department of Government Efficiency initiative.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It has potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.

A Technologist’s Story of Securing DOGE and a Culture of Fear: When a Software Engineer Meets President Donald Trump

He said he could also see foreign adversaries trying to recruit or pay DOGE team members for access to sensitive data. “It would not surprise me if DOGE is accidentally compromised.”

It’s a familiar story for tech nerds the world over: He methodically took the machine apart “to figure out how it works,” just like he had dissected radios from the thrift store years earlier. He said that he cut himself once.

He couldn’t join the military because of a knee injury. He was a volunteer firefighter and answered calls from the rape crisis hotline, working in addition to his job as a police officer. He told NPR he had an interest in serving his country.

Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.

He didn’t know much about the agency, but his long-standing desire to help people motivated him to protect employees’ rights.

He started about six months before President Trump was inaugurated for his second term this past January. Berulis said he got off to a good start by securing the cloud-based data server and reinforcing the “zero trust” principles, which means users can only access the parts of the system they need in order to perform their jobs. If a single username and password is captured by an attacker, that person cannot access the whole system.

He said that it was a dream when he first started. There was a chance to build up and do some good. But after the inauguration, he described a “culture of fear” descending over the agency.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Forensic Logs as a Probe of the State and Homeland Security of a Hacker’s Cyber-Vulnerability

Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They interacted with a small number of staffers, never introducing themselves to most of the IT team.

The employees of the independent agency demanded the highest level of access, which is called a tenant owner level account, Berulis said. Berulis’ disclosure to Congress states that those allow unrestricted permission to read, copy and alter data.

For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices as recommended by the National Institute of Standards and Technology and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as well as the FBI and the National Security Agency.

Those forensic digital records are important for record-keeping requirements and they allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker’s path back to the vulnerability that let them inside a network. The records can help experts see what happened to the data. Basic logs may not be enough to demonstrate the extent of a bad actor’s activities, but they would be a start. There’s no reason for any legitimate user to turn off logging or other security tools, cybersecurity experts say.

“If he didn’t know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia,” said Jake Braun, a former White House cyber official.

Massachusetts Institute of Technology graduate and DOGE engineer Jordan Wick had been sharing information about coding projects he was working on to his public account with GitHub, a website that allows developers to create, store and collaborate on code.

After journalist Roger Sollenberger posted about his account, Berulis noticed that he was working on something called “NxGenBdoorExtract.”

NxGen, a Virtual Computer for the National Labor Relations Board, is a Brazen Device, Not a Hacker’s Tool

“So when I saw this tool, I immediately panicked, just for lack of a better term,” he said. “I kind of had a conniption and said, ‘Whoa, whoa, whoa.’” He immediately notified his whole team.

“It definitely seems rather odd to name it that,” said one of the engineers who built NxGen and asked for anonymity so as not to jeopardize their ability to work with the government again. “If you’re not worried about consequences, it’s brazen.”

Several engineers who created NxGen say the tool was designed to be used by the NLRB, which means they can’t be retaliated against for future government work.

In an interview with NPR, the general counsel of the National Labor Relations Board said that deliberative and confidential information should never leave the agency.

But he counted on DOGE leaving at least a few traces of its activity behind, puzzle pieces he could assemble to try to put together a picture of what happened — details he included in his official disclosure.

Then, DOGE engineers installed what’s called a “container,” a kind of opaque virtual computer that can run programs on a machine without revealing its activities to the rest of the network. On its own, that wouldn’t be suspicious, though it did allow the engineers to work invisibly and left no trace of its activities once it was removed.

While investigating the data taken from the agency, Berulis tried to determine its ultimate destination. The disclosure states that whoever exfiltrated it had hidden its destination as well.

An NLRB whistleblower’s disclosure details how DOGE may have taken sensitive labor data: An informal response to a CISA request for assistance

Regardless, that kind of spike is extremely unusual, Berulis explained, because data almost never directly leaves from the NLRB’s databases. There is only one noticeable spike in data going out of the system that Berulis shared in his disclosure. He confirmed that there had been no migrations for any projects, or backups for that week.

Labor law experts who worked with the National Labor Relations Board or the Inspector General told NPR it was only permissible for external parties like lawyers to view files relevant to their case or investigation after they are granted guest accounts on the system.

They eventually launched a formal breach investigation, according to the disclosure, and prepared a request for assistance from the Cybersecurity and Infrastructure Security Agency (CISA). Berulis said that the efforts were disrupted without an explanation. Berulis felt he needed assistance to try to understand what happened and what new vulnerabilities might be exploited as a result.

The case is especially sensitive because of the possibility of foreign intelligence gaining access to sensitive government systems, the lawyer told NPR in a statement.

Berulis discovered some troubling details about what happened when DOGE was online, which he described in his official declaration.

The SAS (shared access signature) token is described as a high-level access key because it grants access to storage accounts; it was used and then deleted, and Berulis said there was no way to track what they did with it.


The DOGE engineer’s revelation of an attack on a public company: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Berulis noticed five downloads of a program that would allow engineers to run automated commands. There were several code libraries that got his attention — tools that he said appeared to be designed to automate and mask data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called “requests-ip-rotator,” and a commonly used automation tool for web developers called “browserless” — both repositories starred or favorited by Wick, the DOGE engineer, according to an archive of his GitHub account reviewed by NPR.

Someone appeared to be trying to prevent the data exfiltration from being detected by using a type of tunneling called DNS tunneling. He came to that conclusion, outlined in his disclosure, after he saw a traffic spike in DNS requests parallel to the data being exfiltrated, a spike 1,000 times the normal number of requests.

When someone uses this tactic, they register a domain name and control the server that answers DNS queries for it. The compromised system then sends a stream of queries for that domain, with the stolen information broken into small pieces and embedded in the query names, so the attacker’s server receives the data piece by piece inside what looks like ordinary name lookups.
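As an added illustration of the two signals described above (the single large egress spike and the parallel DNS query surge carrying long encoded labels), the following Python was written for this page and is not part of NPR’s report or Berulis’ disclosure; it runs a median-baseline ratio check and a label-length/entropy check over constructed hourly telemetry and constructed query names, so every host, count and domain in it is made up.

```python
"""Flag the two signals described above on constructed telemetry:
1. an hour whose outbound bytes or DNS query count is far above the
   median of the other hours (the "1,000 times normal" spike), and
2. DNS query names whose leading label is long and high-entropy, the
   pattern left when data chunks are encoded into lookups (DNS tunneling).
All data below is constructed for illustration."""
import math
from collections import Counter
from statistics import median

# Constructed hourly telemetry: (hour, egress_bytes, dns_query_count)
HOURLY = [
    ("02:00", 40_000_000, 1_200),
    ("03:00", 35_000_000, 1_100),
    ("04:00", 52_000_000, 1_300),
    ("05:00", 10_700_000_000, 1_250_000),  # the constructed exfiltration window
    ("06:00", 45_000_000, 1_150),
]

# Constructed DNS query names seen in the same window
QUERIES = [
    "mail.example.gov",
    "login.microsoftonline.com",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.org",  # long but low entropy
    "a3f9c2e1b7d4e6f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.data.attacker-test.example",
    "9f8e7d6c5b4a39281706f5e4d3c2b1a0f1e2d3c4b5a69788.data.attacker-test.example",
    "0011223344556677889900aabbccddeeff1122334455.data.attacker-test.example",
]


def flag_spikes(rows, threshold=100.0):
    """Return (hour, egress_ratio, dns_ratio) for hours at least `threshold`
    times the median in either measure. The median is robust to the spike
    itself, so no separate clean baseline window is needed."""
    egress_med = median(r[1] for r in rows)
    dns_med = median(r[2] for r in rows)
    flagged = []
    for hour, egress, dns in rows:
        e_ratio, d_ratio = egress / egress_med, dns / dns_med
        if e_ratio >= threshold or d_ratio >= threshold:
            flagged.append((hour, round(e_ratio, 1), round(d_ratio, 1)))
    return flagged


def label_entropy(label):
    """Shannon entropy in bits per character; random hex tops out at 4."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_suspects(names, min_label_len=30, min_entropy=3.5):
    """Keep names whose first label is both long and high-entropy. Length alone
    over-flags CDN hosts; entropy alone over-flags short random labels."""
    return [
        n for n in names
        if len(n.split(".")[0]) >= min_label_len
        and label_entropy(n.split(".")[0]) >= min_entropy
    ]


def parent_domain_counts(names):
    """Group suspects by their last two labels: many distinct encoded
    subdomains under one parent is the classic tunnel footprint."""
    return Counter(".".join(n.split(".")[-2:]) for n in names)


if __name__ == "__main__":
    for hour, e, d in flag_spikes(HOURLY):
        print(f"{hour}: egress x{e}, dns queries x{d} vs median")
    suspects = tunnel_suspects(QUERIES)
    for parent, count in parent_domain_counts(suspects).items():
        print(f"{count} encoded subdomains under {parent}")
```

On real resolver logs the same checks would be run per source host, and the parent-domain grouping is what separates a tunnel from one unusually long CDN hostname.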

The researcher said that they were given keys to the front door. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis’ conclusions and accompanying evidence were a cause for concern. “This isn’t standard,” they said.

Russ Handorf, who served in the FBI for a decade in various cybersecurity roles, spoke to NPR about his findings after reviewing Berulis’ extensive technical forensic records.

“All of this is alarming,” he said. “If this was a public company, I would have to report it to the SEC. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason for disabling security controls and exposing them to the internet to raise the security risk profile. They didn’t copy the data to encrypted and local media for escort.”


Accessing Government Information Isn’t a Good Idea: Labor Law Experts Reveal How Information Gets Out of a Case Management System

There are inefficiencies across the government that need further review, but experts interviewed by NPR don’t see a reason to remove the data from the case management system.

“There is no reason whatsoever for accessing the information. Is there any agency that could be more efficient? Is it more effective? Positively. But what you need for that is people who understand what the agency does,” said Harley Shaiken, professor of labor and information technology at the University of California, Berkeley, adding that it is not done by mining data, putting machines in and creating a breach of security.

There is nothing I can see that would lead to an audit with integrity that follows the standard procedures for an audit that looks for fraud, waste and abuse.

“The mismatch between what they’re doing and the established, professional way to do what they say they’re doing … that just kind of gives away the store, that they are not actually about finding more efficient ways for the government to operate,” Block said.

If a sensitive record is copied, labor law experts warn that it could lead to a chilling effect for workers who use the National Labor Relations Board for protection.

“Just saying that they have access to the data is intimidating,” said Kate Bronfenbrenner, the director of labor education research at Cornell University and co-director of the Worker Empowerment Research Network. “People are going to go, ‘I’m not going to testify before the board because, you know, my employer might get access.'”

Bronfenbrenner, the child of immigrant parents who fled the Soviet Union and Nazi-controlled Germany, says she spends a lot of time thinking about how systems can fall under certain circumstances. “You know, there’s this belief that we have these checks and balances … but anyone who’s part of the labor movement should know that’s not true,” she told NPR.

It is possible to fire employees for union organizing and keep blacklists of organizers if you have access to the data. People are fired in this country if they try to organize a union.

It might be more than just employees who suffer if this data gets out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the NLRB’s investigation. That information would be valuable to competitors, regulators and others.

“I think it is very concerning,” said Shaiken. It could cause damage to individual workers, to union-organizing campaigns and to unions themselves.

Representatives of DOGE and former colleagues of Musk’s who have been installed across the federal government have failed to reassure the public or the courts that they have taken the proper precautions to protect the data they’re ingesting and that private business interests won’t influence how that data is used or what policy decisions are made, Block and the other labor law experts interviewed by NPR say.

Sen. Chris Murphy, D-Conn., raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump’s labor secretary, Lori Chavez-DeRemer, in mid-February. He asked her to say whether she believed the National Labor Relations Board was constitutional and whether she would keep sensitive data confidential. While she said she was committed to “privacy” and said she respects the NLRB’s “authority,” she insisted that Trump “has the executive power to exercise it as he sees fit.”

The NLRB was created “to guarantee workers’ rights to organize and to address problems that workers have in the workplace,” said Shaiken, of UC Berkeley. Under President Joe Biden, he recalled, the labor movement enjoyed an unusual amount of support from Washington. “But what we have seen is a sharp slamming of the brakes to that and putting the vehicle in reverse in terms of what Trump has done so far,” he continued.

In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board’s power to enforce labor law by removing its member Gwynne Wilcox. Courts have gone back and forth on whether Wilcox’s removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.

DOGE Engineers Have a Role in the Investigation of Spies and Criminals: From Employee Emails to Campaigns against Musk and xAI

“It’s not that he’s a random person who’s getting information that a random person shouldn’t have access to,” said Harvard Law’s Block. If they really did get everything, he has information about the cases the government is building against him.

“DOGE is headed by a person who is the subject of active investigation and prosecution of cases, whether they admit it or not.” She said that it was incredibly troubling.

Musk’s company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Cybersecurity experts such as Bruce Schneier, who is an instructor at the Harvard Kennedy School and also a well-known mathematician, have raised the alarm in numerous interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail “what they did last week” in five bullet points every Monday.

“It isn’t a flight of imagination to think that the DOGE staff might do something to help Musk or someone close to him,” said Shaiken.

“Both criminals and foreign adversaries traditionally have used information like this to enrich themselves through a variety of actions,” explained Handorf, the former FBI cyber official. They include targeting intellectual property theft for espionage or harming a company to enrich another.

On their own, a few failed login attempts from a Russian IP address aren’t a smoking gun, those cybersecurity experts interviewed by NPR said. But given the overall picture of activity, it’s a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.

“When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve,” said Handorf. What he means is that if DOGE engineers left access points to the network open, it would be very easy for spies or criminals to break in and steal data behind DOGE.

“This is exactly why we usually architect systems using best practices like the principle of least privilege,” Ann Lewis, the former director of Technology Transformation Services at the General Services Administration, told NPR in an interview. “The principle of least privilege is a fundamental cybersecurity concept … that states that users should have only the minimum rights, roles and permissions required to perform their roles and responsibilities. This protects access to high-value data and critical assets and helps prevent unauthorized access, accidental damage from user errors and malicious actions.”

Putting IT Systems at Risk: Public Comment on DOGE’s Operation at the Labor Board and Privacy Laws in the U.S.

But government cybersecurity officials are already resigning or being fired, forced to relocate or put on administrative leave all over the federal government, from the Cybersecurity and Infrastructure Security Agency to the Interior Department. That has made it hard to respond to the ongoing disruptions or keep an eye on what DOGE is doing.

When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.

She said she was trembling after hearing about the exposure of data from the labor board. “They can get every piece of whistleblower testimony, every report, everything. This is not good.”

“Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off,” said one employee at an agency of the Interior Department who requested anonymity, fearing retribution. Cybersecurity teams wanted to shut off new users’ access to the system, the employee continued, but were ordered to stand down.

Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE’s cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed “highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown, unvetted external sources in clear violation of privacy and data-protection rules.”

The Privacy Act was created because Congress realized that the federal government was overflowing with information about ordinary people, and needed some safeguards in place. “The information silos are there for a reason,” he continued.

Berulis felt it was important for the public to know how the government’s data and computer systems are at risk and how to prevent further damage. Berulis says that if he were an IT consultant, he’d be fired for operating like DOGE.

He said that he believes this goes far beyond just case data. “I am aware that people at other agencies have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies.”

“It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don’t necessarily look for unless you know where to look,” he continued.

Berulis’s Request for Information regarding DOGE’s Open Workflow: “Shut Up, and I’ll See You Around”

Berulis had a simple request for the DOGE engineers. “If you have nothing to hide, don’t delete logs, don’t be covert. … Be open, because that’s what efficiency is really about. If this is all a huge misunderstanding, then just prove it. Put it out there. That’s all I’m asking.”

“This could just be the start of the operation. … They still haven’t crossed that line where they are plugged into every federal system. Maybe there is more time left.”

According to the disclosure, someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. The interface was exposed to the internet and could allow malicious actors access to the systems. Internal controls were turned off manually, and multifactor authentication was no longer in use.

Having a list of key organizers and potential members of a union would make that easier, as would having a copy of the opposing counsel’s notes as companies prepare for legal challenges, she continued.

The ad hoc Department of Government Efficiency team is assigning two staffers to work at the independent agency where a whistleblower alleged Tuesday DOGE may have already removed sensitive labor data from its systems.

Two employees at regional offices who are not authorized to speak publicly received the email and it said that the agency would get information from the General Services Administration.

“The representatives have requested information about agency operations but asked us to remove any personally identifiable information from documents we provide,” the email reads. The agency will comply with requests from the DOGE as per the President’s Executive Order.
