Lambert here: A two-part interview by Rascoe, first with whistleblower Berulis, then with NPR reporter Jenna McLaughlin and political analyst Stephen Fowler.
DANIEL BERULIS: I remember the moment vividly. I was at home, and I got a call from my boss saying, hey, my boss wants us to come in next week. It’s possible DOGE will show up.
RASCOE: On Monday, he sees a black SUV with a police escort pull into the parking garage at their office in D.C. … [Daniel] works at the National Labor Relations Board, or NLRB… After the DOGE team arrived, Berulis saw one red flag after another, indicating that sensitive data at the NLRB was at risk. It scared him enough to come forward as a whistleblower.
MCLAUGHLIN: So [Berulis’s] job at the NLRB specifically is to secure the cloud-based systems. He reinforces who gets access to those systems, and he helps keep out attackers…. [N]ormally anyone working on these systems, once they create an account, there’s a ticket filed. You get to track a little bit about what that account is doing. But when the DOGE staffers came in, Berulis said that his colleagues were asked not to track anything, to just completely act like they were never there.
BERULIS: The instructions given were very specific, and that was do not log the accounts, don’t log the access and stay out of our way.
RASCOE: How unusual is that request not to log? Like, does that happen often, or are there special situations where they don’t log?
MCLAUGHLIN: It’s really unusual. Every expert I talked to for this story, over 10 people, said there’s absolutely no reason that you wouldn’t want your activity logged if you’re doing something legitimate, because at the bare minimum, it allows you to troubleshoot to fix errors that are completely benign.
BERULIS: To give somebody a global admin account and not log or not track their activities or access, that’s keys to the kingdom. I’m going to close my eyes now and trust you. That’s something that you just don’t do. It violates every core concept of security and best practice.
FOWLER: So the big thing I want to talk about here is the Privacy Act. It was passed in 1974, and that’s a lot of the backbone of these lawsuits challenging DOGE’s access. Congress decided 50 years ago that there shouldn’t be this so-called god mode in government, and there shouldn’t be the ability for one person or a small group of people to be able to access virtually anything and everything about somebody that the federal government keeps. I mean, there’s Social Security numbers, employment information. You’ve got immigration information, bank accounts. The thing I want people to realize about this is that there is so much that we entrust to the federal government and federal agency data-wise, that individually doesn’t say that much.
But now there are people affiliated with DOGE that have access to that information and also have access to the Social Security Administration and your Social Security number, and any statements and benefits. And so even if they don’t use it that way, we are now at a point where a small handful of people could build dossiers on people and do who knows what with it, and that’s something that has concerned people across the ideological spectrum, who are very much worried about privacy.
MCLAUGHLIN: Yeah, Ayesha. So for the first couple of days, Berulis was continuing to do his job as normal. He went home on the weekend, and then he noticed that this political reporter, Roger Sollenberger, tweeted about one of the DOGE engineers and his public GitHub page. So basically, that’s a place where you can host coding projects, collaborate with other people on that project. And he noticed that a project was deleted or made private before he was able to figure out what it was. But the name was really interesting. The name of that project was NxGenBdoorExtract. NxGen is the name of an internal system that was designed specifically for the NLRB in-house, built just for them. And because of that name, Berulis was freaked out.
RASCOE: What is this file? Like, what is he looking at?
MCLAUGHLIN: Yeah, every single person I talked to about this immediately just gasped. They were shocked that someone would actually call something this because the name Bdoor essentially implies that you’re building a backdoor or a way to get into a system that’s not authorized, a possible way to extract information.
MCLAUGHLIN: Yeah, there was some really weird stuff going on that any IT specialist that you talk to is going to kind of scratch their head about. … In his disclosure to Congress, Berulis also said that they turned off multi-factor authentication, deleted logs, turned off security requirements for mobile access. You know, these are all security controls that would be really strange and unusual for a regular user to disable. And, you know, for Berulis, all of this points to a real attempt to obfuscate activities, to cover tracks.
BERULIS: I saw that there was a good 10-gigabyte spike within the matter of maybe two hours that lined up right about the time that they had their access accounts. It would represent data that was being copied from within our system to outside of our system. And for it to spike like that, that’s across the board probably the No. 1 indicator that you’ve been breached.
MCLAUGHLIN: Berulis actually found a printed letter in an envelope taped to his door at home, a place he had only been living for two months, and that included a ton of sensitive personal information. It had photos of him walking his dog that appeared to be taken with a drone. And, you know, when investigators and myself tried to follow this data trail and figure out where this could have come from, we could not find it, even in the tools that journalists have access to to search through public records.
FOWLER: Yeah. It is worth mentioning that at a lot of these agencies that DOGE has had access to data, there is a benefit of the doubt…
Lambert here: LOL.
…. to understand why they would have it. For example, you know, at the Social Security Administration, they are looking at data to try to find evidence of people receiving benefits that they shouldn’t have. This is nowhere like that. It could be used for business purposes, especially if you’re Elon Musk. His companies have several active cases before the NLRB. There’s a group of former SpaceX employees that have lodged a complaint against Musk, as an example, and Musk and SpaceX are part of a group of companies that have filed suits saying that the NLRB itself is unconstitutional.
BERULIS: I know that there are other admins at other agencies I’ve spoken to who have seen similar behavior, and they are uncomfortable speaking up. They’re uncomfortable reporting it because, at the end of the day, they have families, they have things on the line that have been implicitly threatened.
MCLAUGHLIN: So the place to go is Signal. The encrypted messaging application, Signal, is a great tool. You know, it does a really good job of protecting the average user. It’s not totally bulletproof if you’re using a work device or if the phone itself is compromised. But for the average person, it does a really good job of keeping your data safe. And, you know, just to note for full disclosure, NPR’s CEO, Katherine Maher, is chair of the board of Signal. To find us on Signal, click the little pen and pad in the top right corner of the app and search for our usernames.