20 comments

[ 4.6 ms ] story [ 33.9 ms ] thread
> “If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,”

It raises additional questions. Plenty of questions already unanswered. Seems likely it's been a shitshow.

All of this is a mess. But it should never even have been possible for it to fall to a single developer to screw up and commit a key like that.

If there were anything like proper processes in place, controls would have made that very difficult.

Then there are the weird issues about why obvious close ties to xAI here....

Nothing to see here. Move right along. I'm sure one or two or a handful of repeated incidents don't represent a trend or potential for future fuck-ups.

What is DOGE even doing now? Can we get some status reports on what the DOGE employees are doing every week since they're such proponents of radical accountability?

Maybe the US should start another government department for this.
These reports seem increasingly irrelevant. There are surely many people that care and are outraged, but that's about it. Tomorrow the news cycle will have something else, and the 20 year olds scrapping their pants at doge will be yesterday's news.
Jokers, even GitHub auto checks if you push code with a private key.
Once, I can understand, but twice? come on... And the keys were still valid hours later (according to the article)
I regularly expose my AI api keys in my weekly zoom meetings for our AI Playground :)

So far no one has taken me up on them.

Feel free to join as a VIP anytime!

Love the downvoters! You are people too!
Just another example showing that power and persistence does not equal competence.
I'd say so what. I hardcode many API keys to pull data and so does many people, and worst case scenario you need to regenerate it if it leaks. Not all access keys are the same.
"if it leaks" -> "if you detect or get notified that it leaks and you're able to catch it before the credit card linked to your AWS account is drained by a thousand crypto miners"
[flagged]
Which is more important: people's data, or "getting things done"? What did this guy "get done" by leaking private keys, or in general anyway?
Wild how one leaked xAI API key opened up access to 52 LLMs, including a brand-new Grok model, and they didn’t revoke it right away.

This shows how careless secret management can scale into a huge breach, especially when the same org handles sensitive data.

Shouldn’t teams building with LLMs have automated checks to catch exposed keys before they hit public repos?

They should, but they're young, naive and rich, a new generation of "move fast and break things", except this time they've been inserted into the government by a regime who doesn't care and/or who may have the intent to just leak the public's information.
Why was this flagged? Isn't Krebs on Security generally considered reliable and relevant?