by saalweachter 98 days ago
I feel like when I was a twenty- something I would have been at risk of exfiltrating data like this not for any specific nefarious purpose or money-making scheme but just out of data hoarding.

Anymore I have zero desire to keep any copy of work code or other data on any personal device. Nope, never gonna need it, don't want it, just a potential legal headache with no upside.

But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself. It'd make me feel special, having information no one else had.


It may not have been your intent, but this comment seems to downplay the crime here. It's a crime to take the data even if he wasn't shopping it around as alleged, and the fact that he was 'young and stupid' makes the circumstances of how this happened much more important for an investigation by the IG (i.e. why was an immature person given so much power?)
I think it’s a great reaction to news stories to imagine how you could have made the same bad decisions. Furthermore, this public confession of being able to imagine making bad decisions might encourage a similarly minded 20-something to wonder why an older version of themself is so afraid of even having such a dataset. It might even prompt someone to destroy some long forgotten cache of data they exfiltrated a long time ago.

I don’t think there’s a risk that it will influence a rare person in power to enforce the rules to go lighter. I just think it encourages people to be less reckless with hoarding data who might otherwise put themselves in danger.

Over and above the fact that everyone should already know that the SSN database is extremely sensitive, DOGE had to strong-arm people out of the way to gain access to it in the first place. Even a fresh twenty-something should have known better than to download the entire thing onto a flash drive and carry it around, let alone take it home with them, and especially not to share with a future employer.

The idea that could be done accidentally and innocently lacks any sort of credulity. It's so far out of the ordinary that I don't think applying Hanlon's Razor can be done in good faith.

Yeah. Ignorantia juris non excusat applies to both the speed limit and passive data theft.
So like Harold T. Martin who took 50 terabytes of data from the NSA because he was a data hoarder and was sentenced to nine years in prison?

https://en.wikipedia.org/wiki/Harold_T._Martin

> "Martin reportedly stole the information simply by walking out of his various secure workplaces with it in his possession"

"secure" eh?

"Secure" workplaces means that you have to have the appropriate clearances and background checks to be allowed in and out. I'm sure there are more secure workplaces, but the security of your average SCIF largely depends on the people allowed inside of it not being bad actors.

Outside of strip searches upon arrival and leaving I'm not sure how you could eliminate that risk.

> zero desire to keep any copy of work code or other data on any personal device

Same. I won't even have Teams or Authenticator on my phone unlike most others here (though wrt Teams, that is at least as much about not wanting work to bother me as it is about the danger of data seepage). I need the authenticator to do the job, but I have an old factory-reset phone that has that (and, just in case, Teams) on it.

> But when I was younger? I could totally imagine getting a big juicy dataset like that and wanting a copy for myself.

I'm pretty sure I never would have done. I've always resisted knowing credentials and personal information that aren't mine (so if anything untoward happens with/using that information there is no way it can be my fault/doing, as well as the less selfish reasons) despite people falling over themselves to do things like tell me their passwords & such when they were wanting some form of tech support.

But I think there is a different attitude to data risk in that age group today. They've grown up in a world where very little is really private, and every app and its dog has wanted their contact details and other information (and all too often information about their friends & family), so the idea that data is a free-for-all is dangerously normalised in their heads.

I find older people are similarly very lax with their own data, in fact often being rather too trusting of others generally, but not so much with other people's. There are a lot more people who are appropriately careful (or even paranoid) in their 30s/40s/50s (I'm late 40s myself) - I think we are lucky to be in the middle, being exposed to information dangers enough to not have that “naivety or age” and not desensitised by having lax information security pushed at us from an early age.

Check out FreeOTP if you want an alternative to Google Authenticator.
This is MS's authenticator, integrated with all our Azure gubbins, not something I get a choice about.
> But I think there is a different attitude to data risk in that age group today. They've grown up in a world where very little is really private, and every app and its dog has wanted their contact details and other information

Counterpoint from a UK/EU perspective...

Anybody new being onboarded is given (company compulsory) GDPR training if their role involves any handling or processing of personal data whatsoever. Data security and privacy are being treated quite seriously here; though unfortunately not seriously enough IMO.

Counterpoint also from a UK perspective: unfortunately a lot of people give no more than lip service to that training, and there are a great many people who have been in that sort of role who have avoided taking part in it at all. It sometimes worries me how seriously some people don't take the matter, and how many see that sort of regulation as pointless “innovation” preventing inconvenience. Heck, I know one fool who gave “the overreach manifest in GDPR” as one of his reasons for voting for Brexit.

My DayJob company, and most of the people working here, do have the right attitude, as do most of our clients (if only because of the potential punishments, both in terms of fines and a slapping from the court of public opinion, if something done wrong has significant repercussions), but I do worry about how many people and companies seem to not care at all.

To be fair, it is apparent the tide is turning and awareness of data privacy is growing; even if this is unfortunately due to the increasing damage data breaches are causing.
Even in your twenties would you have then taken that data and attempted to share it with a future employee?
I don't think I would have offered to sell it or accepted an offer to buy it, but I think I could have easily been talked into sharing it, in a "I think my boss is a cool guy and I want him to like me and/or impress him" situation.

I'm not doing anything wrong! It's not like I'm selling it! I'm just showing off the cool data no one else has! I'm saving the day, probably, by letting us solve a problem with my cool data that would be impossible otherwise.

This is why we normally have hiring standards for USG.

I had access to insane amounts of highly sensitive data as an early 20-y/o and never once felt inclined to share it or brag about it with anyone.

Hiring processes around these roles should distinguish between past-me and past-you.

Eh, over time I've come to believe having systems that manage insider risk is more important than expecting to be perfect in hiring.

Like, any system will fail if too many of its members don't care about maintaining it, but you're going to hire the wrong person from time to time.

It's important to design your systems to minimize access, both in terms of not allowing everyone access to everything and to only allow people as much access as they need to do their jobs, to require multiple people to sign off on temporary access grants, to create audit trails and to actually audit them, and to have consequences for violating the rules.

(Which, in this case, DOGE purposefully dismantled.)

It doesn't just protect the data from nefarious villains, it also protects young idiots from themselves, who don't realize you can cause harm just by being curious.

Sure, I'm not proposing that we shouldn't have systems to mitigate insider risk.

I'm proposing that we both have systems to mitigate insider risk and we try to avoid hiring ideologically motivated and ethically compromised goobers to highly sensitive government jobs.

And I'm proposing that we don't write this off as, "welp he's a kid!"

Hum... The buck still has to end at some point. Somebody will have the power to override process or access things directly.

At DOGE, those somebodies were a bunch of red-piled barely adults that worshiped Musk.

I don't think you deserve downvotes; I think it's totally plausible that some people would steal this data just to feel special.

But:

1) That's why we have traditionally had the safeguards that we have had, to protect against this sort of crime, and

2) The allegation in this case is that he later approached coworkers to do something with this data, even if they ultimately didn't help him do it. So it doesn't appear to be hoarding just for the sake of it here.

> I don't think you deserve downvotes

Speaking of things that have changed from my 20s, I also take internet points way less seriously than when I was sitting in a computer lab at 3am.

Now, I just double-check to make sure I didn't say anything I didn't want to and take it as a signal for how to be more clearly understood in the future; in this case a lot of people seemed to take what I wrote as a hypothesis about the motivation of the accused or a call for leniency, which wasn't what I was going for, but eh, live and learn.

The way I'm different from in my 20s is I'm more likely to assume charitable interpretations. I kinda guessed you meant it like you just stated, but wanted to add more context.
How would you get it in the first place?
I mean, insider risk is insider risk.

In the DOGE case, they specifically broke all the controls that existed to manage insider risk and keep people from making copies like this, but (especially 20-30 years ago) I've been on plenty of networks that just had no concept of insider risk and everything was just open for anyone to access (or protected by shared passwords everyone knew).

So you're saying that if you worked there you would also steal the social security data? What am I supposed to be taking away from this besides the fact that you would make poor choices and lack ethics? Didn't seem like it was a problem for people who worked in gov't prior to DOGE existing, so I'm not really getting any other takeaway here.
Steal?

Oh no no no no no, not once, not ever.

But look around the network, see what file shares are world readable, maybe see if there's any FTPs or Telnet servers with no username/password (or at least, no password stronger than "guest")? That's just being curious. And if I see any interesting files, and I make a copy to look at later, that's not a crime, is it?

I'd like to think my younger self, if he'd been hired at the SSA or somewhere similar, would see the difference between "the personal data of hundreds of millions of people" and the networks I actually had access to at the time. I know I wouldn't be trying to sell the data or trying to otherwise leverage it for financial gain, but I don't really have such a high opinion of my younger self's judgement that I would completely rule out making a copy for objectively dumb reasons.

Why are you telling on yourself so hard?
> they specifically broke all the controls

Is there a reference or citation for this? I didn't see in the article.

I don't know about this person specifically, but the news from when DOGE was active was full of "employee of department fired for trying to prevent DOGE employees from directly accessing system no one is allowed to directly access".
And further, I would absolutely leverage it to get myself a job.

Oh, wait. No I would never have done that. That's just insane.

> having information no one else had

A broken logic. Of course the people who you would have stolen the data from, had it. A question pops up, though... what's in your possession you should not be in the possession of.

I'm pretty sure you can adjust the logic from "no one else" to "very very very few" and the logic just works the same...
Yeah, I'm pretty sure.