Cheryl Rofer has a couple of posts at LGM about whom she calls “script kiddies” in the Treasury systems. She references Kevin Drum’s theory that they’re writing a “report writer” into the systems. Both Cheryl and Kevin have some experience writing code and/or system architecture, but they’re not working in those fields right now. I am, and here’s my take:
I don’t know any details of the Treasury system that Musk’s chosen incel has access to, but here’s what Wired has reported:
Despite reporting that suggests that Musk’s so-called Department of Government Efficiency (DOGE) task force has access to these Treasury systems on a “read-only” level, sources say Elez, who has visited a Kansas City office housing BFS systems, has many administrator-level privileges. Typically, those admin privileges could give someone the power to log in to servers through secure shell access, navigate the entire file system, change user permissions, and delete or modify critical files. That could allow someone to bypass the security measures of, and potentially cause irreversible changes to, the very systems they have access to.
In addition, Wired is reporting that these incels have installed a server in the Office of Personnel Management.
Based on that, here are some assumptions/background and some thoughts on what they could be doing.
Assumptions/Background:
- These kids could be the best “coders” in the world, meaning that they could build some pretty complex systems from scratch, quickly. This isn’t relevant to the task at hand, which goes by the name of “maintenance” coding on “legacy” systems — taking a crufty old system written in some language that the cool kids don’t use, and modifying it. They don’t know COBOL, PL/SQL (Oracle’s procedural extension of SQL) or any other old language. They don’t have experience with multi-million row databases that have evolved over the years, that may have columns or entire tables that aren’t even used anymore, but are kept around because “don’t touch it, it might break!”
- Given that they are uncomfortable with the system at hand, they will try to do the minimum amount of coding in that system, and build an interface (an API, or Application Programming Interface) that can be used to perform their mischief in the legacy system. This interface would, I’m guessing, send a message to one of their servers, let the incel-written code on that server do something, and then accept messages back.
Possible Usage:
- If Elon wants to stop paying certain payees, one thing this little gateway could do is give a “yes/no” answer on any given payment. So, the legacy system would shoot a message to the incel server, asking it if a certain payee is approved by President Musk. The incel server would say “yes” or “no”. The incel coder would only have to figure out how to shoot payment info to their server, and then shitcan a payment, to implement this little part of the coup. The benefit of doing it this way is all the complexity around denying payment is in the incel server that he knows how to use, and he can use AI magic or other cool tech to figure out how to deny payments to anyone who isn’t worthy.
- The danger of doing this is that one of the big problems with junior coders (which, however smart they are, these guys are) is that they don’t understand scale and optimization. So, if they do something dumb like firing an API call every time a check is about to be written, check writing could take weeks instead of hours. There are a ton of other possible issues, such as them not understanding exactly how to shitcan a payment correctly, or only seeing a little part of the whole picture and saying “shitcan” to a payment but really letting the payment through partially. There are probably hundreds of flags and variables involved in paying someone from the Treasury, and even the smartest incel isn’t going to understand those on the first go-round.
Other things to consider:
- Since the incel has access to the database on the server (if they have what’s called “root” access in Unix land) they could also just dump the database and send it to their server. The issue here is that our young incel coder, who probably doesn’t know a lot about databases (don’t get me started on why Computer Science and coding bootcamp grads don’t understand databases) is going to have a hell of a time interpreting it. Since government is complicated, I’m guessing that there are probably dozens of tables required to figure out how to pay someone. These tables are related in certain ways, and what each column in each table tells the payment program to do is also super complex, I’m guessing based on years of painful experience. So, having the database without understanding the code is just pure danger. For example, the right wing is currently freaking out about how much money the government pays Politico, but it’s probably just all the Politico subscriptions paid for by government, not some lump sum bribe. This might be traced back to some incel who didn’t understand the database just summing up all payments to one payee without understanding the relationships between the payments and the payees.
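The Politico-style mistake above (summing everything attached to a payee without understanding how the tables relate) is easy to reproduce in miniature. The following is an added example written for this post, not code from the author or from any Treasury system; the three-table schema (payee, obligation, payment), the column names and the sample rows are all constructed for the illustration. It shows the naive “join everything and SUM” query fanning out one-to-many rows and ignoring the status flag, beside a query that aggregates each table at its own grain.

```python
import sqlite3

# Constructed schema: a payee can have several obligations (say, subscriptions bought by
# different offices), and each obligation has several payment lines. Names are invented.
SCHEMA = """
CREATE TABLE payee (payee_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE obligation (
    obligation_id INTEGER PRIMARY KEY,
    payee_id INTEGER NOT NULL REFERENCES payee(payee_id),
    office TEXT NOT NULL,
    committed_amount REAL NOT NULL
);
CREATE TABLE payment (
    payment_id INTEGER PRIMARY KEY,
    obligation_id INTEGER NOT NULL REFERENCES obligation(obligation_id),
    amount REAL NOT NULL,
    status TEXT NOT NULL        -- 'PAID', 'VOID' or 'PENDING'
);
"""

# Constructed sample data: one publisher, two offices each committing 1200, five payment
# lines of 100 (one voided, one not yet sent).
SAMPLE_DATA = """
INSERT INTO payee VALUES (1, 'Example Publisher');
INSERT INTO obligation VALUES (10, 1, 'Office A', 1200.0);
INSERT INTO obligation VALUES (11, 1, 'Office B', 1200.0);
INSERT INTO payment VALUES (100, 10, 100.0, 'PAID');
INSERT INTO payment VALUES (101, 10, 100.0, 'PAID');
INSERT INTO payment VALUES (102, 10, 100.0, 'VOID');
INSERT INTO payment VALUES (103, 11, 100.0, 'PAID');
INSERT INTO payment VALUES (104, 11, 100.0, 'PENDING');
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn

def naive_totals(conn, payee_id):
    """The 'just add up everything for this payee' query. Joining obligations to their
    payment lines repeats each committed amount once per line (fan-out), and summing every
    payment line counts voided and not-yet-sent money as if it had been paid."""
    row = conn.execute("""
        SELECT SUM(o.committed_amount), SUM(pm.amount)
        FROM payee p
        JOIN obligation o ON o.payee_id = p.payee_id
        JOIN payment pm ON pm.obligation_id = o.obligation_id
        WHERE p.payee_id = ?""", (payee_id,)).fetchone()
    return row[0], row[1]

def careful_totals(conn, payee_id):
    """Aggregate each table at its own grain, and honour the status flag."""
    committed = conn.execute(
        "SELECT SUM(committed_amount) FROM obligation WHERE payee_id = ?",
        (payee_id,)).fetchone()[0]
    paid = conn.execute("""
        SELECT COALESCE(SUM(pm.amount), 0)
        FROM payment pm
        JOIN obligation o ON o.obligation_id = pm.obligation_id
        WHERE o.payee_id = ? AND pm.status = 'PAID'""", (payee_id,)).fetchone()[0]
    return committed, paid

if __name__ == "__main__":
    db = build_db()
    print("naive   (committed, paid):", naive_totals(db, 1))    # inflated: (6000.0, 500.0)
    print("careful (committed, paid):", careful_totals(db, 1))  # actual:   (2400.0, 300.0)
```

With only five payment lines the naive query already reports two and a half times the real commitment; on a real ledger with decades of line items the inflation is whatever the average fan-out happens to be, and nobody reading the bare number can tell.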
In other words, incels having the database means that they can leak important information all over the place, but they might not be able to figure out just exactly what is in the database. Incels having access to code lets them put in trapdoors that can be used to deny payment, but in doing so, they risk side effects that can crash systems.
Can this be fixed? Almost all code is kept in some kind of “version control system” — these allow you to “roll back” code to a certain date and time. So, code can be rolled back. Where the overzealous incel is going to really fuck up is with the database. If their inner Dunning-Kruger leads them to alter the database so their backdoor code can work, they can introduce corruption, which is just a fancy word for data in the wrong place. Databases have backups, but if you corrupt the database and keep running, sometimes the solution is a pretty convoluted fix program that someone who really knows the system needs to write. And, of course, those federal employee programmers are inferior beings. Just ask the 20 year-old with the nickname “big balls”.
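The code-versus-data asymmetry in the paragraph above can be shown in a few lines. This is an added example written for this post, not the author’s code and not any real system’s: the two-table schema, the invariant (an obligation’s total must equal the sum of its non-void payment lines) and the “quick fix” that breaks it are all constructed. It contrasts editing the live database statement by statement with the process a maintenance programmer would follow: snapshot first, apply the change inside one transaction, verify the invariant, and roll back if it fails.

```python
import sqlite3

# Constructed schema for the illustration. The rule the system depends on:
# obligation.total must equal the sum of that obligation's non-VOID payment lines.
SCHEMA = """
CREATE TABLE obligation (obligation_id INTEGER PRIMARY KEY, total REAL NOT NULL);
CREATE TABLE payment (
    payment_id INTEGER PRIMARY KEY,
    obligation_id INTEGER NOT NULL REFERENCES obligation(obligation_id),
    amount REAL NOT NULL,
    status TEXT NOT NULL
);
INSERT INTO obligation VALUES (1, 300.0), (2, 50.0);
INSERT INTO payment VALUES (10, 1, 100.0, 'PAID'), (11, 1, 200.0, 'PAID'),
                           (12, 1, 999.0, 'VOID'), (13, 2, 50.0, 'PAID');
"""

def open_live():
    # isolation_level=None: autocommit, so transactions are managed explicitly below
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn

def invariant_violations(conn):
    """Obligation ids whose total no longer matches their non-void payment lines."""
    return [row[0] for row in conn.execute("""
        SELECT o.obligation_id
        FROM obligation o
        LEFT JOIN payment p ON p.obligation_id = o.obligation_id AND p.status != 'VOID'
        GROUP BY o.obligation_id
        HAVING COALESCE(SUM(p.amount), 0) != o.total""")]

# A plausible 'deny this one' change that is wrong: it voids the payment lines for
# obligation 2 but leaves obligation.total untouched, so the two tables now disagree.
# Constructed for the example.
BAD_MIGRATION = ["UPDATE payment SET status = 'VOID' WHERE obligation_id = 2"]

def migrate_live_and_keep_running(conn, statements):
    """The 'edit production and hope' approach: every statement commits immediately.
    Returns the violations left behind."""
    for stmt in statements:
        conn.execute(stmt)
    return invariant_violations(conn)

def migrate_guarded(conn, statements):
    """Snapshot, apply inside one transaction, verify, roll back on failure.
    Returns (committed?, snapshot connection)."""
    snapshot = sqlite3.connect(":memory:")
    conn.backup(snapshot)                      # point-in-time copy before touching anything
    conn.execute("BEGIN")
    try:
        for stmt in statements:
            conn.execute(stmt)
        bad = invariant_violations(conn)
        if bad:
            raise ValueError(f"invariant broken for obligations {bad}")
        conn.execute("COMMIT")
        return True, snapshot
    except Exception:
        conn.execute("ROLLBACK")               # live data is exactly as it was
        return False, snapshot

def restore_from_snapshot(snapshot, conn):
    """Overwrite the live database with the saved copy; returns remaining violations."""
    snapshot.backup(conn)
    return invariant_violations(conn)

if __name__ == "__main__":
    live = open_live()
    print("guarded migration committed?", migrate_guarded(live, BAD_MIGRATION)[0])
    print("violations after guarded run:", invariant_violations(live))
    print("violations after live edit:", migrate_live_and_keep_running(live, BAD_MIGRATION))
```

The guarded path costs one snapshot and one transaction and leaves nothing to clean up. The live-edit path leaves obligation 2 inconsistent, and every process that reads the table afterwards builds on the bad row until someone who understands the schema writes the fix program the post describes.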
Hunter Gathers
I got out of IT partially because I was really, really tired of explaining to recent grads how Active Directory worked.
Searcher
God, I hope these systems had some kind of version control, I hope that their source repositories were backed up, and I hope those backups are somewhere easy to overlook and leave untouched for years if you don’t know anything about the systems.
MobiusKlein
Payment systems at scale are hella complex. Like – OK, the BofA batch got uploaded, and had a malformed ‘date of death’ on the line for account 3452. Entire batch now is in a grey zone of completeness, and you re-run, and do some accounting fix-ups, and …
For the size of the US govt, there will be 20 people doing the reconciling, 24/7/365 monitoring, maintenance alone. Before you even get to coding the system.
Those punks may be smart, but the coders maintaining those systems will have experience with the edge cases that hit one in a million cases – which means every day at the scale of the US Govt.
A Ghost to Most
They’re rummaging through databases, likely Oracle dbs. PL/SQL would be used to alter db code. They’re probably running specific SQL selects as well, and capturing info of interest, without altering anything. COBOL? I wonder how that got brought up.
@mistermix.bsky.social
@A Ghost to Most: I just put in COBOL as an example. I don’t know what the system is written in.
One of the stories claims that the incel has write access to the codebase, and is using it.
Searcher
@A Ghost to Most: Honestly just the idea of someone running arbitrary SELECTs against a large production database freaks me out.
“Why have none of the payments gone out since Tuesday, and why are all of the DBs CPUs pegged at 100%?”
Baud
Via Reddit. Points for acronyming.
@mistermix.bsky.social
@Searcher: God yes.
SELECT * FROM <humungous_fucking_table> AS hft
LEFT JOIN <other_humungous_fucking_table> AS ohft
ON hft.<unindexed_column> = ohft.<unindexed_column>
GROUP BY <something that doesn’t make sense>
HAVING <something I don’t understand>;
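What a join like the one above does to a database, and how a DBA keeps an ad-hoc account from doing it, can be measured on a toy. This is an added example written for this thread, not code from the post or its commenters; the two tables, their sizes and the step budgets are constructed. It counts SQLite virtual-machine instructions for the same join before and after an index exists on the join column, and shows a progress handler cutting off a statement that blows through its budget, which is the role a statement timeout or resource governor plays on a real server.

```python
import sqlite3

ROWS = 400   # constructed sample size; the shape of the cost is what matters, not the count

def build_tables(conn, rows=ROWS):
    """Constructed sample: two tables sharing an account column that starts out unindexed."""
    conn.executescript("""
        CREATE TABLE hft  (id INTEGER PRIMARY KEY, acct TEXT NOT NULL, amount REAL NOT NULL);
        CREATE TABLE ohft (id INTEGER PRIMARY KEY, acct TEXT NOT NULL, office TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO hft (acct, amount) VALUES (?, ?)",
                     [(f"A{i:06d}", float(i)) for i in range(rows)])
    conn.executemany("INSERT INTO ohft (acct, office) VALUES (?, ?)",
                     [(f"A{i:06d}", "KC") for i in range(rows)])

# The join from the comment, with real names: one row per account, joined on acct.
JOIN_SQL = """
    SELECT hft.acct, SUM(hft.amount)
    FROM hft LEFT JOIN ohft ON hft.acct = ohft.acct
    GROUP BY hft.acct
"""

def count_vm_steps(conn, sql):
    """Run sql to completion and count SQLite virtual-machine instructions,
    a portable proxy for CPU time that does not depend on wall-clock noise."""
    steps = 0
    def tick():
        nonlocal steps
        steps += 1
        return 0                                # zero keeps the statement running
    conn.set_progress_handler(tick, 1)          # call tick() on every instruction
    try:
        conn.execute(sql).fetchall()
    finally:
        conn.set_progress_handler(None, 1)
    return steps

def run_with_budget(conn, sql, max_steps):
    """Abort any statement that exceeds max_steps instructions. Returns (rows, error)."""
    steps = 0
    def tick():
        nonlocal steps
        steps += 1
        return 1 if steps > max_steps else 0    # non-zero return interrupts the query
    conn.set_progress_handler(tick, 1)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as err:     # SQLite reports this as 'interrupted'
        return None, str(err)
    finally:
        conn.set_progress_handler(None, 1)

def compare_plans():
    conn = sqlite3.connect(":memory:")
    # SQLite would quietly build a throwaway index to rescue this join; turn that off so
    # the measurement shows the nested-loop cost paid when no such rescue is available.
    conn.execute("PRAGMA automatic_index = OFF")
    build_tables(conn)
    result = {}
    result["unindexed_steps"] = count_vm_steps(conn, JOIN_SQL)
    result["unindexed_budgeted"] = run_with_budget(conn, JOIN_SQL, max_steps=5_000)
    conn.execute("CREATE INDEX ohft_acct ON ohft(acct)")
    result["indexed_steps"] = count_vm_steps(conn, JOIN_SQL)
    result["indexed_budgeted"] = run_with_budget(conn, JOIN_SQL, max_steps=500_000)
    return result

if __name__ == "__main__":
    r = compare_plans()
    print(f"unindexed: {r['unindexed_steps']} steps, indexed: {r['indexed_steps']} steps")
    print("unindexed query under a 5,000-step budget ->", r["unindexed_budgeted"][1])
    print("indexed query under budget -> rows:", len(r["indexed_budgeted"][0]))
```

The unindexed join is a nested loop, so its cost grows with the product of the two table sizes; the indexed one grows roughly with the larger table. Four hundred rows a side is enough to see the gap, and the same query on tables with millions of rows is the “all the DB CPUs pegged at 100%” scenario. The budget handler is the defensive half: an account handed out for “read-only” exploration should also be handed a ceiling on what any one statement may consume.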
A Ghost to Most
@@mistermix.bsky.social: PL/SQL was correct for procedures inside an Oracle db. I’ve never seen it, but there are probably ancient govt COBOL programs accessing Oracle dbs.
comrade scotts agenda of rage
@Hunter Gathers:
Hah! That comment just made my day.
@mistermix.bsky.social
@A Ghost to Most: PL/SQL is actually quite nice. Worked for a company where almost all of the business logic was in PL/SQL.
Redshift
That seems like a good rundown of what they may possibly be trying to do. The other thing that keeps me up at night is the tremendous damage they’re almost certainly doing that they’re not intending, because they’re young punks with no process and no review. Forgive the length, but this was posted on FB by a lifelong friend, and FB has steadfastly defeated any attempts to share it from there, and I think it’s important. (And he did send it to his reps, FYI.)
Scout211
Here’s the latest on the lawsuit.
The hearing is tomorrow.
I’m sure that “handful of individuals” at “OPM overseen by the CIO” will be perfectly fine. ////
MattF
And, just supposing that our child-prodigy coders screw things up in a genuinely major way— how long will it take for the bad news to ooze out? The guiding principle here is don’t believe anyone or anything.
bbleh
I fear the worst, because they don’t care if they screw things up. At best they create/install things that allow them to “PROFIT!!” (and don’t tell me their motivation is otherwise), and at worst they cripple or destroy systems that are Evil Oppressive Gummint something private enterprise libertarian freedom! and in any case Move Fast and Break Things. And in both they have the support not only of the Orange Guy but — more importantly — his legions of cultists and the spineless zombies in Congress. The cultists will cheer the blowing up of institutions and benefits that benefit them, right up until it bites them hard, and then they’ll throw angry tantrums and look for someone else to blame.
I fear the task now is merely to limit the damage and hope we’re not discovered in the process.
Kirk
@Scout211:
So, they installed a spambot server and want to call it good?
Lord Fartdaddy (Formerly Mumphrey, Smedley Darlington Mingobat, et al.)
I cannot begin to fathom how awful this could–and sadly, likely will–turn out to be. I know it could be awful, but my understanding of how awful is woefully inadequate. I’m not a computer guy, after all.
Like, I can kind of imagine a hundred million people not getting their Social Security checks. And I know that would be awful, but I also know that that’s a staggeringly tiny dollop of awfulness next to the cavalcade of titanic, colossal awfulnesses that are headed our way. I’m looking at a tiny millpond of awfulness, and what’s coming down the road is more like the Mariana Trench.
A Ghost to Most
@Searcher: Yeah, me too. Free rein to the data. They probably got around any security and audit checks. Which is pretty standard for govt work.
sauron496
Ouch, ouch, ouch.
For personal purposes, I created a project to track my media consumption — books, movies, games. That meant a database, a backend controller to that database, and a website making requests to that controller and presenting the results.
Among other things, it tracks relationships between pieces of media — so you could see which book a movie was based on, what tv shows were part of the same franchise, which podcasts had the same hosts. It also tracks media series — so you can see prequels/sequels and how far along you are.
Several months of usage in, I realized something — a series can be related to a single piece of media and vice versa, and the current system couldn’t capture that, because I had separate DB tables ‘items’ and ‘series’, with similar structures, but no way to connect elements from one to the other.
So I revised things to have a single table, with a new field indicating the type (single piece or series). My process was as follows:
Was about two weeks of work. And this was about half a gig worth of data, used by a single user, with no money involved anywhere except me paying Heroku for hosting. But in the end, it felt really good to have a better version without a) losing any data, and b) knowing that had this been a system more widely used, the worst thing that would happen is several minutes of invalid state (between the first fuckup on the live version and the restore from backup).
What didn’t even occur to me is to work the fix on the live version and hope for the best. These DOGE kids would probably think I was stupid.
The whole thing is perfectly captured by a post on my Mastodon feed yesterday:
Redshift
@Lord Fartdaddy (Formerly Mumphrey, Smedley Darlington Mingobat, et al.): Yeah, I wish I could shake the cowardly clowns elected from red states and ask them if they understand what’s likely to happen to them if the social security and Medicaid stop flowing to all those people they’ve made sure have plenty of guns.
kalakal
@@mistermix.bsky.social:
I fear that as superusers they are going to enact the biggest version of the old UNIX rm -rf * jokes the world has ever seen
Betty
All I know is that I have seen a report that Musk’s goons have blocked payment to ex pat recipients of Social Security, and both my husband and I have not had our February payments deposited on time. I am freaking out. Unsuccessful in reaching Social Security so far but will keep trying. Have contacted both my PA Senators. No point in contacting my rep, Scott Perry, who would probably cheer Musk on.
Urza
Move fast and break things is their mantra. It’s absolutely the opposite of government working properly.
trnc
I was an AD admin, and I sure as hell didn’t understand it.
OK, mostly kidding, but I will say I missed eDirectory for many years after we migrated from Novell/Suse to Windows terminal servers in AD. I was fortunate enough to be able to build our department OU from scratch and have time to ease into it during a fairly drawn out migration, so I had plenty of time to test and to rectify problems as they came up.
I also cared about making things work for the clients, vs the douchebros who will giggle when the entire system crashes.
Lily
fwiw, They say the prefrontal cortex doesn’t fully develop until age 25; these guys are 18-24. Acc to wiki, some of its functions (in its different areas) are risk processing and executive function.
“Executive function relates to abilities to differentiate among conflicting thoughts, determine good and bad, better and best, same and different, future consequences of current activities, working toward a defined goal, prediction of outcomes, expectation based on actions, and social “control” (the ability to suppress urges that, if not suppressed, could lead to socially unacceptable outcomes).” (wiki)
It actually rings true for my behavior, etc before age 26. Not so much for the friends I remember as the “most mature” of my friends.
My guess, not very sophisticated, has been that Elon is directing them in data mining like mad, reveling in the massive amount of data in those systems to develop something he can market that will be a huge advantage over his competitors.
trnc
I would recommend you contact Perry’s office. We know where his loyalties lie, but he’s probably getting a lot of flak from others. The more he hears it, the more pressure he feels. Also, if you get any response less than “Holy shit! I’ll fix that,” let the media know your congressional rep told you he doesn’t care if you get your social security.
I hope it’s rectified for you soon!
TBone
Made me remember the “Prove Mike Lindell Wrong” cybersymposium challenge winner.
https://spectrum.ieee.org/software-detective
am
As a fan and with due respect, I don’t think this is correct analysis. I expect these developers are excellent beyond your expectations, and unfortunately a far more potent concern. I expect they are proficient with relational database theory and design, and I think they are comfortable with systems at extremely large scale. I share your belief they probably lack experience with mainframe design and operations, though.
I expect they are or will shortly be hacked and an external nationstate will have admin level control over Treasury systems. The fact they have signed up for this at all shows how naive they are.
J. Arthur Crank
@kalakal:
find . -delete is also a knee slapper as far as UNIX jokes, and is faster for large file systems.
rekoob
Though I’m not in the IT field, it reminded me of this XKCD:
https://xkcd.com/327/
annamal
Not an American but I do support some 15+ year old database-based systems. We had a genuinely talented external team evaluating one of them for redevelopment and it still took more than a month to convince them to look at the right part of the system for the business logic.
There are so many ways to screw up a sql based system (especially an elderly one…) and my impression is that the rise of ORMs (and an endless parade of NoSQL options) mean that there aren’t as many junior devs engaging with SQL.
My Partner once brought down his organisation’s system country wide for half a day with a single query so even with read access these kids could be doing damage…
davidjoseph1
The DOJ lied to Colleen Kollar-Kotelly yesterday. Elez and Krause had write access and used it to cancel payments on USAID contracts.
https://www.nytimes.com/2025/02/06/us/politics/trump-musk-usaid.html?smid=url-share