This part is really damning: a real efficiency audit might need a lot of access to look for signs of hidden activity, but they’d never need to hide traces of what they did:

> Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do.

The subsequent message about Russian activity could be a coincidence–Internet background noise-but given how these are not very technically skilled and are moving very fast in systems they don’t understand, I’d be completely unsurprised to learn that they unintentionally left something exposed or that one of them has been compromised.

Just read of this on BSky.

Has some of the protected disclosure document from the whistleblower.

https://bsky.app/profile/mattjay.com/post/3ln2dgoksce2e

Looks like Elon's staff went in and made a copy of everything - which in this case NLRB, so sensitive stuff, but any state department going to have a ton of sensitive stuff - and sent it who knows where; this after disabling all logging and a ton of security, presumably to try to cover their tracks.

This is bad. These guys are looking like bad actors, with State-level authorization for access to everything.

Also looks like they're kids and don't have the hang of security, and the professional Russian State run APTs have hacked them.

The unfortunate reality is that a half of the US population sees the NLRB as a burden on small businesses—primarily because its policies shift frequently, making compliance costly and complex for those without deep legal resources. [1]

And the same half of the population do not trust anything what npr.org says.

Understanding the above dynamic is key to grasping the current state of discourse in the U.S.

[1] https://edworkforce.house.gov/news/documentsingle.aspx?Docum...

This isn't really a shock to me, but what's more frustrating I guess is that absolutely nothing will come of this. I have zero confidence any of this will even be cleaned up, just the same ranting about "fake news".

Really feels like the fox is already in the coop.

(Non-American here.) If they weren't already, it seems like private businesses, security researchers, and I suppose the general public, should start treating US government agencies as privacy and security threats, just like you'd treat any other phisher, scammer, etc.

If government agencies are compromised - via software backdoors or any other mechanism - any data and systems they can access should be considered compromised too.