They should, but they're young, naive and rich, a new generation of "move fast and break things", except this time they've been inserted into the government by a regime who doesn't care and/or who may have the intent to just leak the public's information.
The trump administration very briefly believed that publicly saying "I was racist before it was cool" and "normalize Indian hate" in public just months before being hired was crossing a line. Then they realized that no it actually wasn't and that their base likes people like this and rehired him.
I do wonder what JD Vance's kids think about situations like this.
> “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,”
It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
Like, "why does this nominal government employee have the API key to XAI"/"why is an active X employee playing such a prominent role in the government"?
External tech workers have been a thing since at least the catastrophe that was the original ACA launch. That "tech surge" was definitely full of more experienced people than the "smart kids" we see in DOGE though.
More worrying is that the article points out at time of writing the key was still valid. Why such a high level key was used in an agent script, why it hasn't been rotated (can't be rotated?) and about a dozen other "whys" point to some rather damning practices.
I get that the idea was to avoid the obscene levels of red tape that can be common in government IT, but the pendulum has clearly swung far, far far too far the other way.
The ACA was external tech workers, a company called CGI Federal.
The government has some programmers, but the vast majority is done by contractors. That lets the executive branch claim to have reduced those dastardly government workers, and replaced them with upstanding, virtuous, competent, handsome private industry.
Even before the recent harrowing there weren't a lot of government programmers left. Government employees award and manage contracts.
Nothing to see here. Move right along. I'm sure one or two or a handful of repeated incidents don't represent a trend or potential for future fuck-ups.
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
Officially they are still re-writing the software that runs Social Security. Back in May, they said re-writing >1 millions lines of COBOL would only take a few months.
> But without flashy leadership, DOGE technologists are now quietly cycling into federal agencies, spending days or weeks building products and cutting contracts before cycling out once again. This is all done with little oversight from the White House or the United States DOGE Service (USDS), which these technologists purportedly represent.
Destroying things to justify privatization while stealing every detail about us to increase profits and target opponents. Sure, there are HIPAA, secrecy, and confidentiality violations happening but there's no one left to prosecute the criminals when the criminals are the police, COTUS, SCOTUS, and the unitary executive. The only meaningful distinction remaining is patronage vs. outsider.
These reports seem increasingly irrelevant. There are surely many people that care and are outraged, but that's about it. Tomorrow the news cycle will have something else, and the 20 year olds scrapping their pants at doge will be yesterday's news.
> DoD is also contracting for $200 million for grok
Somewhat to one side but when up to USD800 million is being spent (Grok, is not the only AI shaped snout at the trough) it's depressing to see the vagueness of the supposed uses [1] (in a five line paragraph this is the most specific description of why that need to spend the money ... "to support our warfighters and maintain strategic advantage over our adversaries")
As someone who is not very acquainted with blackhat or infosec, what is the priority list to do when you get an API key like this? Exfiltration? Access escalation? Presumably the hole gets closed so what do you do with that time?
I'd say so what.
I hardcode many API keys to pull data and so does many people, and worst case scenario you need to regenerate it if it leaks.
Not all access keys are the same.
Did you make an account just to justify questionable data security practices by the people fucking around the social security system without any oversight?
"if it leaks" -> "if you detect or get notified that it leaks and you're able to catch it before the credit card linked to your AWS account is drained by a thousand crypto miners"
Wild how one leaked xAI API key opened up access to 52 LLMs, including a brand-new Grok model, and they didn’t revoke it right away.
This shows how careless secret management can scale into a huge breach, especially when the same org handles sensitive data.
Shouldn’t teams building with LLMs have automated checks to catch exposed keys before they hit public repos?
They should, but they're young, naive and rich, a new generation of "move fast and break things", except this time they've been inserted into the government by a regime who doesn't care and/or who may have the intent to just leak the public's information.
Jokers, even GitHub auto checks if you push code with a private key.
I doubt it has an integration with grok
This was the "normalize Indian-hate" guy.
Very interesting that he had to resign from DOGE over this, yet xAI seemingly welcomed him.
He was rehired.
The trump administration very briefly believed that publicly saying "I was racist before it was cool" and "normalize Indian hate" in public just months before being hired was crossing a line. Then they realized that no it actually wasn't and that their base likes people like this and rehired him.
I do wonder what JD Vance's kids think about situations like this.
i dont think he had to, he voluntarily did after public pressure. And then JD Vance tried to get him back
> “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,”
It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
Like, "why does this nominal government employee have the API key to XAI"/"why is an active X employee playing such a prominent role in the government"?
External tech workers have been a thing since at least the catastrophe that was the original ACA launch. That "tech surge" was definitely full of more experienced people than the "smart kids" we see in DOGE though.
More worrying is that the article points out at time of writing the key was still valid. Why such a high level key was used in an agent script, why it hasn't been rotated (can't be rotated?) and about a dozen other "whys" point to some rather damning practices.
I get that the idea was to avoid the obscene levels of red tape that can be common in government IT, but the pendulum has clearly swung far, far far too far the other way.
The ACA was external tech workers, a company called CGI Federal.
The government has some programmers, but the vast majority is done by contractors. That lets the executive branch claim to have reduced those dastardly government workers, and replaced them with upstanding, virtuous, competent, handsome private industry.
Even before the recent harrowing there weren't a lot of government programmers left. Government employees award and manage contracts.
> It raises additional questions
Ones we should be ready to prosecute with official resources come ‘26 and ‘28.
In the meantime, I wouldn’t let him into my country. But the EU will be the EU.
All of this is a mess. But it should never even have been possible for it to fall to a single developer to screw up and commit a key like that.
If there were anything like proper processes in place, controls would have made that very difficult.
Then there are the weird issues about why obvious close ties to xAI here....
Nothing to see here. Move right along. I'm sure one or two or a handful of repeated incidents don't represent a trend or potential for future fuck-ups.
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
Officially they are still re-writing the software that runs Social Security. Back in May, they said re-writing >1 millions lines of COBOL would only take a few months.
https://www.wired.com/story/doge-rebuild-social-security-adm...
Unofficially, they are the worst people so they are probably doing the worst things you can imagine.
Wired also had this recent update, on "DOGE 2.0".
> But without flashy leadership, DOGE technologists are now quietly cycling into federal agencies, spending days or weeks building products and cutting contracts before cycling out once again. This is all done with little oversight from the White House or the United States DOGE Service (USDS), which these technologists purportedly represent.
Big Balls for example is officially no longer a GSA employee of the United States DOGE Service (USDS) but an SSA employee https://www.independent.co.uk/news/world/americas/us-politic...
It's unspeakable how these goons get to fuck up everything without any accountability.
If people value accountability, then voting for a felon to become president isn't the smartest move.
Destroying things to justify privatization while stealing every detail about us to increase profits and target opponents. Sure, there are HIPAA, secrecy, and confidentiality violations happening but there's no one left to prosecute the criminals when the criminals are the police, COTUS, SCOTUS, and the unitary executive. The only meaningful distinction remaining is patronage vs. outsider.
> What is DOGE even doing now?
Forcing the NRC to rubber stamp any requests that come in front of it, apparently[0].
[0] https://www.politico.com/news/2025/07/14/doge-to-regulator-r...
Just ask Grok with the free key!
the sound of one hand clapping (AI generated)
Maybe the US should start another government department for this.
[flagged]
Why was this flagged? Isn't Krebs on Security generally considered reliable and relevant?
Just another example showing that power and persistence does not equal competence.
Once, I can understand, but twice? come on... And the keys were still valid hours later (according to the article)
[dead]
[flagged]
Which is more important: people's data, or "getting things done"? What did this guy "get done" by leaking private keys, or in general anyway?
Hi Marko
[flagged]
I cant, as a professional i dont leak private infos ><
absolutely cooked 'em
[dead]
These reports seem increasingly irrelevant. There are surely many people that care and are outraged, but that's about it. Tomorrow the news cycle will have something else, and the 20 year olds scrapping their pants at doge will be yesterday's news.
XAI key is potentially root into X (social media), and Tesla via grok, yes?
If so, sounds potentially life threatening.
NTSB might wanna look into that.
Edit: DoD is also contracting for $200 million for grok. Yeah, this is bad. https://www.washingtonpost.com/technology/2025/07/14/elon-mu...
> DoD is also contracting for $200 million for grok
Somewhat to one side but when up to USD800 million is being spent (Grok, is not the only AI shaped snout at the trough) it's depressing to see the vagueness of the supposed uses [1] (in a five line paragraph this is the most specific description of why that need to spend the money ... "to support our warfighters and maintain strategic advantage over our adversaries")
[1] https://archive.ph/p1ZXR#selection-719.61-719.141
There are a lot of classified contracts, services, etc.
As someone who is not very acquainted with blackhat or infosec, what is the priority list to do when you get an API key like this? Exfiltration? Access escalation? Presumably the hole gets closed so what do you do with that time?
That's kind of my point. It is bad And likely no one will be held accountable for it.
I regularly expose my AI api keys in my weekly zoom meetings for our AI Playground :)
So far no one has taken me up on them.
Feel free to join as a VIP anytime!
Love the downvoters! You are people too!
I'd say so what. I hardcode many API keys to pull data and so does many people, and worst case scenario you need to regenerate it if it leaks. Not all access keys are the same.
Did you make an account just to justify questionable data security practices by the people fucking around the social security system without any oversight?
ok, Marko
doth protest too much, or something.
"if it leaks" -> "if you detect or get notified that it leaks and you're able to catch it before the credit card linked to your AWS account is drained by a thousand crypto miners"