DOGE Denizen Marko Elez Leaked API Key for xAI (Krebs on Security)

Marko Elez, a 25-year-old employee at Elon Musk's Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private API key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk's artificial intelligence company xAI.

Image: Shutterstock, sdx15.

On July 13, Mr. Elez committed a code script to GitHub called "agent.py" that included a private application programming interface (API) key for xAI. The inclusion of the private key was first flagged by GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian's systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.

Philippe Caturegli, chief hacking officer at the security consultancy Seralys, said the exposed API key allowed access to at least 52 different LLMs used by xAI. The most recent LLM in the list was called "grok-4-0709" and was created on July 9, 2025.

Grok, the generative AI chatbot developed by xAI and integrated into Twitter/X, relies on these and other LLMs (a query to Grok before publication shows Grok currently uses Grok-3, which was launched in February 2025). Earlier today, xAI announced that the Department of Defense will begin using Grok as part of a contract worth up to $200 million. The contract award came less than a week after Grok began spewing antisemitic rants and invoking Adolf Hitler.

Mr. Elez did not respond to a request for comment. The code repository containing the private xAI key was removed shortly after Caturegli notified Elez via email. However, Caturegli said the exposed API key still works and has not yet been revoked. Deleting a repository does not undo an exposure: automated scanners (GitGuardian's among them) had already picked up the key, and any secret that has reached a public remote has to be treated as compromised and revoked, not merely removed from view.

"If a developer can't keep an API key private, it raises questions about how they're handling far more sensitive government information behind closed doors," Caturegli told KrebsOnSecurity.

Prior to joining DOGE, Marko Elez worked for a number of Musk's companies. His DOGE career began at the Department of the Treasury, and a legal battle over DOGE's access to Treasury databases showed Elez was sending unencrypted personal information in violation of the agency's policies.

While still at Treasury, Elez resigned after The Wall Street Journal linked him to social media posts that advocated racism and eugenics. When Vice President J.D. Vance lobbied for Elez to be rehired, President Trump agreed and Musk reinstated him.

Since his rehiring as a DOGE employee, Elez has been granted access to databases at one federal agency after another. TechCrunch reported in February 2025 that he was working at the Social Security Administration. In March, Business Insider found Elez was part of a DOGE detachment assigned to the Department of Labor.

Marko Elez, in a photo from a social media profile.

In April, The New York Times reported that Elez held positions at the U.S. Customs and Border Protection and the Immigration and Customs Enforcement (ICE) bureaus, as well as the Department of Homeland Security. The Washington Post later reported that Elez, while serving as a DOGE advisor at the Department of Justice, had gained access to the Executive Office for Immigration Review's Courts and Appeals System (EACS).

Elez is not the first DOGE worker to publish internal API keys for xAI. In May, KrebsOnSecurity detailed how another DOGE employee leaked a private xAI key on GitHub for two months, exposing LLMs that were custom made for working with internal data from Musk's companies, including SpaceX, Tesla and Twitter/X.

Caturegli said it's difficult to trust someone with access to confidential government systems when they can't even manage the basics of operational security.

"One leak is a mistake," he said. "But when the same type of sensitive key gets exposed again and again, it's not just bad luck; it's a sign of deeper negligence and a broken security culture."
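The failure described above, a hard-coded key committed and pushed to a public remote, is exactly what a pre-commit secret scanner exists to stop before the push happens. The script below is an added example for this page; it is not the article's code, not GitGuardian's, and not xAI's. It assumes xAI keys carry an "xai-" prefix followed by a long alphanumeric body (an assumption about key format), uses a Shannon-entropy threshold to separate real tokens from "XXXX" placeholders (a tuning choice), and scans a constructed stand-in for the committed file rather than the real one. With `--staged` it scans the added lines of `git diff --cached` instead, which is how it would run as a `.git/hooks/pre-commit` hook.

```python
"""Pre-commit secret scanner: flags API-key-shaped strings in content about to be committed.

Added example for this page; not GitGuardian's or xAI's code.  The "xai-" prefix rule
is an assumption about xAI key format; the entropy threshold is a tuning choice.
"""
from __future__ import annotations

import math
import re
import subprocess
import sys
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # never log the full secret


# Rule name -> pattern.  Group 1, when present, isolates the candidate secret.
SECRET_PATTERNS = {
    # Assumed xAI key shape: "xai-" followed by a long alphanumeric body.
    "xai-api-key": re.compile(r"\bxai-[A-Za-z0-9]{32,}\b"),
    # Generic `api_key = "..."` / `token: '...'` assignments of a long token.
    "generic-credential-assignment": re.compile(
        r"""(?i)(?:api[_-]?key|secret|token)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']"""
    ),
}
MIN_ENTROPY_BITS = 3.5  # bits/char; random keys sit near 5, "XXXX..." placeholders near 0
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

# Constructed stand-in for a staged agent.py (not the real file, not real keys).
CONSTRUCTED_STAGED_FILE = """\
import os

# Hard-coded credentials (constructed samples, not real keys).
XAI_API_KEY = "xai-aB3dE5fG7hJ9kL1mN2pQ4rS6tU8vW0xY"
SERVICE_TOKEN = "tQ7mN4pL9vB2xK6wR8yJ3cF5hD1gZ0sA"

# Same shape, near-zero entropy: a placeholder the scanner must not flag.
EXAMPLE_KEY = "xai-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

# The right way: the key lives in the environment, never in the repository.
headers = {"Authorization": f"Bearer {os.environ['XAI_API_KEY']}"}
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; separates random tokens from placeholders."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(secret: str) -> str:
    """Keep just enough of the secret to identify it in the alert."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "*" * len(secret)


def scan_text(text: str, path: str = "<stdin>") -> list[Finding]:
    """Scan file content line by line; return one finding per distinct secret."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                candidate = m.group(1) if m.groups() else m.group(0)
                if shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                    continue  # low-entropy placeholder, not a live credential
                if (line_no, candidate) in seen:
                    continue  # same secret already reported under another rule
                seen.add((line_no, candidate))
                findings.append(Finding(path, line_no, rule, redact(candidate)))
    return findings


def scan_staged(repo: str = ".") -> list[Finding]:
    """Scan only the added lines of the staged diff, as a pre-commit hook would."""
    diff = subprocess.run(
        ["git", "-C", repo, "diff", "--cached", "--unified=0", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    findings: list[Finding] = []
    path, new_line = "?", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ b/"):
            path = raw[6:]
        elif (m := HUNK_RE.match(raw)):
            new_line = int(m.group(1))  # first new-side line number of the hunk
        elif raw.startswith("+"):
            for f in scan_text(raw[1:], path):
                findings.append(Finding(path, new_line, f.rule, f.redacted))
            new_line += 1
        elif raw.startswith(" "):
            new_line += 1
    return findings


def main(argv: list[str]) -> int:
    """`--staged` scans the real index; otherwise the constructed sample is scanned."""
    findings = scan_staged() if "--staged" in argv else scan_text(CONSTRUCTED_STAGED_FILE, "agent.py")
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.redacted}")
    return 1 if findings else 0  # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it reports the two constructed secrets (lines 4 and 5 of the sample) and stays silent on the placeholder and on the `os.environ` lookup; installed as a pre-commit hook it returns non-zero and blocks the commit. A hook like this is a last line of defence, not a substitute for revocation: once a key has been pushed, rotate it.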
This entry was posted on Monday, 14th of July 2025, 09:23 PM.
Musk and Trump hire only the best. I doubt there will be any repercussions for his sloppy and dangerous disregard for security.

Not when those who should hand out the repercussions are clueless, above the law, can do no wrong, and couldn't care less about who they hurt, even when it's themselves.

"Russians don't take a dump without a plan, son."
Former US Presidential candidate Fred Thompson (acting).
"One ping. One ping only." (Proceeds to send two pings.)

Everyone knows you can't trust a Marko, Buckaroo.

Looks like now we have Alfred E. Neuman running the show.

Now that's just MAD. I nearly wet myself when I saw this comment.

Alfred E. Neuman for president. We could do worse.

Separated at birth, AmIrite?

Geez, appalling. Will we hear about any exfiltration of data from gov't databases, or is everyone on the wrecking team now?

Just one question: how do you revoke an API key? Replace, maybe? Revocation is possible for X.509 public keys.

Hopefully the application has a way to deny the key. I'm not a developer, but you could have a deny list and refuse any connections from keys in the deny list. Also terminate any active sessions using that key.

Dave M: Yes, that's how you do it. There is a list of active keys; you remove the compromised key from the list. If it's not done quickly, then it's probably because it is hard to change (hardcoded in several places) or the key owner does not care. Worse, they might think that it is safe again now that it was removed.

Remembering how in the olden days of such terrible security (i.e., the 1990s through some time in the late 2000s), many firewall rules actually required an IP to match a key to be able to connect to an application. I guess they don't do that anymore, since everything is so webbed up now. LMAiO.

There's already been evidence of data being exfiltrated to Russia. Started very early on; I believe it was from Treasury. It was detected and shut down.

Perhaps some enterprising hacker with a progressive streak will obtain and leak the personal financials of the current regime, starting with the Tangerine Caligula and its entire family, Hillbilly Vance, and the whole cabinet, straight through to the five Republican appointees of the Supreme Court (five by presidents who lost the popular vote).

Does it make you feel better about yourself to call other people names?

Cry harder, magat.

Does it make you feel better about yourself to call other people names?

Oh, do you mean like the convicted felon and adjudicated rapist does virtually every single day, using vulgar, disgusting and obscene language in barely coherent sentences with syntax that would embarrass a grammar school child?

Does it make you feel better about yourself when you call other people names?

Repeat it a third time for effect.

It's pretty bad when your pet beagle is smarter than the smartest people in government.

Young, dumb and full of scum.

DOGGY DUMB

https://www.bleepingcomputer.com/news/security/russian-pro-basketball-player-arrested-for-alleged-role-in-ransomware-attacks/

Marko can't even dunk.

"So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key."

I used to read your articles due to the non-biased nature. Now I feel like I'm reading an article from Fox News or CNN.

Sad.

Ah yes, the sacred neutrality test: if something mildly inconveniences my worldview, it must be propaganda. Look, if your political compass is so wobbly that a cybersecurity report makes you cry "partisan hit piece," maybe it's not the article.

Brian literally reported a dude leaking a private key and you interpreted it as a political betrayal. That's not bias, that's you projecting your own tribal lens onto reality like it's a Rorschach test. But sure, let's cancel Krebs for reporting the news. Classic.

Wondering what your reaction would be to a report of repeated colossal comsec blunders by a regular civil service employee.

Where's the bias in that statement?

I agree w/you 100%. Some simply can't help themselves.

I'm concerned about your reading skills too.

Say what you want, but Krebs has been relentlessly consistent for years, calling out cyber threats whichever side they come from.

What is the bias in that statement? A bias against blatant incompetence among those with access to enormous troves of sensitive information? Yeah, I guess a lot of us are biased. We should really examine our prejudices more carefully.

I think we are looking at a process issue. It's true the security aspect is involved, but the root of the problem is the process they use to post code on GitHub. They need to refine the process to avoid this kind of mistake.

It takes longer to select a vendor and give them a credit card number than to actually enable repository governance. Secret scanning, pre-commit, and second-approver enforcement are the bare minimum anyone should have for production.

Brian, you used to be nonpartisan and nonpolitical, but now we're seeing your true colors emerge. It's fine to publish the screw-ups of these so-called experts, but when you throw in the stupid political jabs it ruins the article. Too bad; your articles used to be worth reading.

Not sure how you came away with the conclusion that this is somehow a story about right/left politics. Nevertheless, I release you from your subscription. Be well.

I don't see the political jabs in your report, as was mentioned by a previous comment.
I do see a report on sloppy incompetence or, worse, criminal behavior with critical consequences for all of us.
It is important to report on it regardless of who may be offended or who the sloppy criminals are connected to. Keep up the investigation and reporting, Brian.

Ham is just being a crybaby. If his complaints are that thin, his skin must be like rice paper.

They want you to be a news reporter that publishes just the facts; once you give your opinion as an expert it suddenly crosses the line, as though they couldn't draw the conclusion themselves, which is apparently the case. Keep up the good work.

Oh no, Brian used sarcasm! Sound the alarm! Apparently pointing out that government officials leaking an API key might not instill public confidence is now a full-blown political manifesto. Incredible.

But thank you for your bravery in calling out this injustice. Truly, the real victim here is your feelings. Not the compromised API key, not the laughable opsec; no, it's you, because Brian dared to say something that vaguely pricked your partisan bubble. Stay strong, soldier.

Really, ham? It's amazing to see your lack of reading and understanding. You are the problem with this country, when people like you try to politicize everything. Facts are facts; get used to it, dude.

Oh no, did your feelings get hurt, snowflake?
The true colors of being appalled by the lack of professionalism of the current administration?
That's the color of anyone with a functioning brain.

Waaaah, he pointed out incompetence and fraud in the Trump administration, waaaaah.

Grow up, baby.

What is the political jab in the piece?

Just curious, Ham: when did careless idiots become a political party, and better yet, one free from criticism of their misdeeds?

"when did careless idiots become a political party"

It's hard to point to a specific date, but sometime around when Trump started winning primaries in the 2016 race.

Now THAT was a stupid political jab. See the difference, Ham?

Brian, thank you for the reporting. It's sad that reporting inconvenient facts about API key leaks and lapses in security at the highest levels is seen as political.

Keep up the good work.

I would like to think this person would be removed the moment this was found out. This is not only extremely dangerous but seems like a malicious actor. Anyone in the tech field: this looks and feels like a malicious inside actor. This person needs to be removed and investigated.

This person seems like they are a malicious actor, something we in the tech field worry about. He should be removed and investigated. You don't accidentally do this sort of thing. This is a deliberate act and it would be grounds for investigations.

If he wanted to grant access to 3PLA he could just grant their users access to the model or email them the API keys. This behavior is totally consistent with the incompetent chūni clowns in Elon's entourage.

"grounds for investigations"

Oh, Pam Bondi and Kash Patel will put down their Nintendo Switch and get right on that, I'm sure.

In one of Brian's earlier reports, his source noted within minutes of DOGE folks being given administrator access there was at least one login from an IP geolocated to Moscow, if memory serves me correctly. It passes the "reasonable person on the street" test that government systems have been breached, data exfiltrated and stealthware installed, courtesy the carelessness of DOGE staffers. They do not seem to be the sharpest knives in the drawer, and ironically I wonder how many of them will omit "Worked for DOGE" from their LinkedIn bios.

So the kid is some combination of careless/incompetent, but the one quality demanded by this administration he likely has in spades: loyalty/obedience. He has a fine career ahead of him, or at least the next 3.5 years.

Don't forget hateful racial supremacist Nazi propaganda.

https://www.newsweek.com/fact-check-donald-trump-adolf-hitler-viral-quote-comparison-accurate-1843501

Yes, I would imagine they are a very highly trusted contractor for DHS/ICE, searching all government databases for targeting ethnicities or whatever. In the original Chelsea Football jersey everything is legal.

Wasn't this guy fired for saying pretty racist stuff online?

"Wasn't this guy fired for saying pretty racist stuff online?"

Yep. Then he was rehired through the collaboration of Musk and Trump, back before their bromance ended, with Vance chiming in to avoid feeling left out of the pro-eugenics bandwagon.

Eugenics, genetics, it's all kinda futuristic, right? Easy mistake, even for a time traveler.

Any sufficiently advanced incompetence is indistinguishable from malice. At some point this carelessness around cybersecurity goes beyond oversight and inexperience. It has to be winked at and excused by people who should know better. Homie should have stayed fired, because he obviously has no business handling classified/sensitive information. Were he working for any private enterprise he would have been handed his hat long ago, but this organization (I use that term ironically) seems to be happy to let him continue. As a taxpayer, I'm offended. As an IT professional, I'm appalled.

Trump said he never hires anybody smarter than himself.
Very, very few qualify.

This has gotta be some kind of criminal negligence.

Storytime: I did a summer internship at a DoD contractor doing software engineering. On Day 1, I was told in no uncertain terms that as an engineer of record I could be held liable or prosecuted for computer crimes should I fail to meet certain basic security requirements for certain computer systems.

Fortunately, they made it real simple. You classify information, and then you protect it using appropriate controls for the classification level.

1. Classification: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf
2. Controls: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf

These are not best practices or nice-to-haves. These are the Minimum Requirements. This is the For Dummies guide. This was the stuff they bothered to tell the piddly little summer intern who was only gonna be there for a couple months and probably wasn't gonna work on anything consequential anyways.

To wit, one of the Minimum Security Requirements listed is the requirement to train personnel on this stuff before anybody gets access in the first place. See FIPS 200, Section 3, Requirements AC and AT.

Meanwhile: hardcoding an API key, committing/pushing to a publicly-accessible remote, and then failing to revoke/rotate when notified? How about we start with FIPS 200, Section 3, Requirements AC, CM, IA, IR, PS, SA, SI before moving on to any specific rules or regulations that might further protect SSA/Treasury/Justice dept computers in particular. Yikes.
