> “Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

More competent technical controls mean a random contractor doesn't have passwords from mid-2025 to copy to their home machine that still work after 30 days, if not 5.

This. In fact, I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything? Why let anyone take any sort of accessible credential at all, vs. handing out hardware they can use but that cannot have the credentials taken off of it? At some organizations the extra cost would be a concern, of course, but that wouldn't be the case here.

Or maybe that'd have been the sort of project and standard CISA would formerly have done, before the Republicans gutted it last year, I guess, and this is just another symptom of rot? But yeah, to your point, technology certainly can help with this sort of thing. It's not some inevitable act of nature.