Published: October 27, 2025

‼️ An Anduril engineer uploaded a hardcoded private key, hashed root passwords, and internal Anduril emails to a public repository. We sent a responsible disclosure to Anduril last year but received no reply. This company is currently operating autonomous killer drones above

[Three images attached to the tweet by International Cyber Digest]

UPDATE: Anduril's CISO, Joe McCaffrey, clarified to us: "It was an example of a disk repartitioning module he was working on. Nothing related to Anduril and didn’t provide access to anything." Glad to hear!

@IntCyberDigest Again, @grok, can you help me fully unpack what this means and why they'd post this?

[Image attached to the tweet by International Cyber Digest]

@IntCyberDigest Your audience largely appears to be non-technical, which explains why they aren't contextualizing the fact that this very well could have zero risk exposure. You have no idea what this key is for, if it's valid, if it's encrypted, etc., etc. TL;DR: author is thriving off clickbait

@IntCyberDigest @PalmerLuckey maybe address this internally?

@IntCyberDigest "internal Anduril emails": that's fine. "hashed root passwords": that's fine. "private key": that might not be fine, but it depends what it's for.

@IntCyberDigest Yeah, a Chinese hacker could launch a predator missile into a crowd. But look on the bright side.

@IntCyberDigest Shouldn’t you have included @CISACyber and @DHSgov before you posted here ?

@IntCyberDigest Why is the military using NixOS?? :D ... bait

@IntCyberDigest Actually lol’d at how non-sensical this post is. Why censor public keys? Why assume private key is actually used for anything other than testing? The email is an innocuous bug report. Literally nothing here.

@IntCyberDigest Assume it’s been fixed. It’s a defense company. No acknowledgement needed.

@IntCyberDigest @PalmerLuckey How much do you think this alleged key to your email inbox is worth?

@IntCyberDigest Does Anduril need DevOps workers? Is this a really elaborate way for them to say "we're hiring more DevOps guys"?

@IntCyberDigest It's the private key for some random test VM: imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];

@IntCyberDigest @anduriltech I'm available for DevSecOps and I work for cheap.

@IntCyberDigest Wait you mean @PalmerLuckey was busy manscaping his ermine beard and committed treason? No!! 👶

@IntCyberDigest If I was them, I’d actually use this as a honeypot

@IntCyberDigest Considering the autonomous killer drones - do you want to take the chance and use those keys on their system?

@IntCyberDigest this is insane, how are they still allowed to operate?

@IntCyberDigest This mode="0777" part also looks great.

@IntCyberDigest Corporate espionage is as old as time tbf

@IntCyberDigest Cc @anduriltech . What could possibly go wrong with a killer drone..

@IntCyberDigest waclaude fixes this btw
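The argument running through the replies is whether a test VM's private key, a root password hash and a file written with mode="0777" in a public repository amount to anything. Whatever the answer for this repository, what a practitioner takes from the thread is the pre-commit check that would have flagged such a file before it was pushed. The following is an added example, not code from the thread, from International Cyber Digest or from Anduril: a small Python scanner for the three things the tweet names, run over a constructed NixOS module in the shape the replies describe (qemu-guest profile, root password hash, key file with mode 0777). The sample config, its placeholder key body, hash and public key, and the names scan_text, has_blocking and Finding are all assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a NixOS module shaped like the "test VM" config the
# replies describe (qemu-guest profile, root password hash, a key file written
# with mode 0777). This is NOT the leaked file; the key body, hash and public
# key below are placeholders, not real material.
SAMPLE_NIX = """{ config, modulesPath, ... }:
{
  imports = [ "${modulesPath}/profiles/qemu-guest.nix" ];
  users.users.root.hashedPassword = "$6$rounds=65536$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER test@vm"
  ];
  environment.etc."test/id_ed25519" = {
    mode = "0777";
    text = ''
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAAPLACEHOLDER
      -----END OPENSSH PRIVATE KEY-----
    '';
  };
}
"""

# PEM/OpenSSH private-key header (RSA, EC, OPENSSH, PKCS#8 "PRIVATE KEY", ...).
PEM_PRIVATE = re.compile(r"-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----")
# crypt(3)-style password hashes: $1$ md5, $5$/$6$ sha-crypt, $y$ yescrypt, $2?$ bcrypt.
CRYPT_HASH = re.compile(r"\$(?:1|5|6|y|2[abxy])\$[^\s\"']{8,}")
# Nix attribute `mode = "0777";` on environment.etc-style entries.
NIX_MODE = re.compile(r"\bmode\s*=\s*\"(0?[0-7]{3,4})\"")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str       # private-key | crypt-hash | world-writable-mode
    severity: str   # "block" should fail the commit; "review" needs a human look
    excerpt: str


def scan_text(text: str) -> list[Finding]:
    """Scan one file's contents and return findings, never echoing whole secrets."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PEM_PRIVATE.search(line):
            # The header line itself is reported; the key body is never copied out.
            findings.append(Finding(lineno, "private-key", "block", line.strip()))
        for m in CRYPT_HASH.finditer(line):
            # Only the hash prefix is reported so the scanner's own log is not a leak.
            findings.append(Finding(lineno, "crypt-hash", "review", m.group(0)[:12] + "..."))
        for m in NIX_MODE.finditer(line):
            if int(m.group(1), 8) & 0o002:  # other-writable bit set
                findings.append(Finding(lineno, "world-writable-mode", "review", m.group(0)))
    return findings


def has_blocking(findings: list[Finding]) -> bool:
    """True if anything with severity "block" was found (exit non-zero in a hook)."""
    return any(f.severity == "block" for f in findings)


if __name__ == "__main__":
    results = scan_text(SAMPLE_NIX)
    for f in results:
        print(f"line {f.line:3d} [{f.severity}] {f.kind}: {f.excerpt}")
    raise SystemExit(1 if has_blocking(results) else 0)
```

Public keys (the ssh-ed25519 line) are deliberately not flagged, since there is no reason to treat them as secrets. A private-key header fails the commit outright, while a password hash or an other-writable mode is only reported for review, because whether those matter depends on what the file is for, which is exactly the point the replies dispute. To use it as a hook, run scan_text() over the contents of each staged file and fail the commit when has_blocking() returns True.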
