
What an egregious mistake. "exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository" - isn't it git 101 to not put creds in git? What pattern do they think this is consistent with?



They're not defending it as an established workflow pattern or some kind of best practice.

The usage of "exhibit a pattern consistent with..." is just describing what it looks like the repository was used for. I.e. it's not a set of government source code for an internal project, it's not something indicative of intentionally leaking large amounts of data, etc.


> What pattern do they think this is consistent with?

They clearly stated what pattern this usage is consistent with: using it as a sort of personal scratch pad.

You’re assigning more meaning to the statement than there is. They are simply stating an observation.


not at all a mistake; the us govt is fully-compromised by foreign intelligence and this ‘breach’ was fully intentional

Worse—it may even be compromised by domestic interests

If I had a dollar for the number of secrets committed to public repositories I could probably retire. No, that isn’t an excuse. Pretending the US govt isn’t made up of people just like you or me is quite silly.

Hold up, I think we have some sort of math denominator problem here.

You'd be rich if you got a dollar for every worldwide murder too, but that doesn't make murder a common workplace occurrence.


Your general point here is reasonable. But to provide some domain knowledge context: secrets are leaked _very_ often!

In public data (source code on GitHub, etc.) you can expect a prevalence somewhere in the range of 0.5-2.5 live secrets per gigabyte of content. Now yes, there are more than 8 billion people on earth now and the murder prevalence is a lot higher than 0.5-2.5 per billion. But there are _far_ more bytes of public content than there are people on earth, so in absolute terms, there are far more leaked secrets than murders.

If you look at other types of data (like internal Git forges), the prevalence is much higher.

I think you could indeed retire with $1 per leaked secret!


‘Tis a lot different mentality typing git commit/git push than it is to murder someone in cold blood, I guess?

I was thinking more purely in terms of frequency. For a dollar a pop, you can be "rich" for worldwide events that are actually very rare things.

Probably. Was just a silly turn of phrase.

“Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.”

This makes it seem more intentional to me. Regardless of what the ultimate purpose or use of the repository was, it says to me that the person knew what they were doing and it wasn’t just an innocent oversight like anybody could’ve made.
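The comment above notes that GitHub's push protection was disabled in the commit logs. That check is client-side opt-out, so a local safety net is worth having; below is an added example (not from the article or any project it discusses) of a minimal pre-commit secret scan over `git diff --cached` output. The credential patterns and the sample diff are constructed for illustration.

```python
"""Minimal pre-commit secret scan: pipe `git diff --cached` to stdin; a
non-zero exit blocks the commit. Patterns are illustrative, not exhaustive."""
import re
import sys

# Constructed rules for a few common credential shapes (assumption: these
# formats are what a team most wants to catch before a push).
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic_assignment", re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

# Constructed sample diff: one removed placeholder, two added credentials.
SAMPLE_DIFF = """diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
 DEBUG = True
-API_KEY = "placeholder"
+API_KEY = "sk_live_EXAMPLE0123456789"
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
"""

def scan_diff(diff_text):
    """Return (file, rule, line) findings for added lines of a unified diff.
    Only '+' lines are checked, so removing an old secret never blocks, and
    the '+++ b/file' header is used to track the current path, not scanned."""
    findings = []
    current_file = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if not line.startswith("+"):
            continue
        content = line[1:]
        for name, rx in RULES:
            if rx.search(content):
                findings.append((current_file, name, content.strip()))
    return findings

def main():
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_diff(text)
    for path, rule, line in findings:
        print(f"blocked: {path}: {rule}: {line}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` with `git diff --cached | python scan.py`; a server-side scan on the forge should still be the enforced control, since any local hook can be skipped.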


If I had a dollar for each secret I’ve committed to a public repo, I could probably buy a couple of sandwiches. I’m not smarter and my opsec probably isn’t any better than most old devs, but I also don’t have a treasure trove of government secrets on disk and—crucially!—_I would make different decisions if I did_.

The nuance here: when I’ve slipped and committed secrets, it’s typically a relative nothing burger: the most common case is API keys to some third-party service. I’ve worked across a bunch of regulated industries and, within those, not caused a breach—because being in that space you know to be more careful, and because the companies in those spaces (wisely!) tend to support good security practices, more so than the industry average.



