> “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,”
It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
Nothing to see here. Move right along. I'm sure one or two or a handful of repeated incidents don't represent a trend or potential for future fuck-ups.
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
These reports seem increasingly irrelevant. There are surely many people that care and are outraged, but that's about it. Tomorrow the news cycle will have something else, and the 20 year olds scrapping their pants at doge will be yesterday's news.
I'd say so what.
I hardcode many API keys to pull data and so does many people, and worst case scenario you need to regenerate it if it leaks.
Not all access keys are the same.
"if it leaks" -> "if you detect or get notified that it leaks and you're able to catch it before the credit card linked to your AWS account is drained by a thousand crypto miners"
They should, but they're young, naive and rich, a new generation of "move fast and break things", except this time they've been inserted into the government by a regime who doesn't care and/or who may have the intent to just leak the public's information.
20 comments
[ 4.6 ms ] story [ 33.9 ms ] threadIt raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.
If there were anything like proper processes in place, controls would have made that very difficult.
Then there are the weird issues about why obvious close ties to xAI here....
What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?
So far no one has taken me up on them.
Feel free to join as a VIP anytime!
This shows how careless secret management can scale into a huge breach, especially when the same org handles sensitive data.
Shouldn’t teams building with LLMs have automated checks to catch exposed keys before they hit public repos?