The Breakdown
A Fork in the Road: Is Federal Employee Privacy Compromised?

In this interview, I speak to a systems security specialist who found privacy problems surrounding the HR@opm.gov email servers

Greetings! Late last night, I entered into a discussion with Kel McClanahan, the lawyer currently suing the Office of Personnel Management on behalf of two employees who believe their privacy was breached. Through Kel, I met Jay, a systems security expert with 29 years of experience, and we talked about what he found when he queried public Domain Name System (DNS) servers for the subdomains published under the opm.gov domain.

What he found could be potential evidence that on-premises servers were moved to the cloud, possibly exposing private OPM employee data. There were control panels for infrastructure, what looked to be personal workstations, and other administrative-level systems, none of which should be publicly reachable. Jay noticed that after some time, several of the admin portals had stopped responding. He ran another scan and found that more than half of them had been removed from the public DNS records.

The newly removed subdomains include the HR@opm.gov email servers, plus three load-balancing appliances (which could explain the 20 different email addresses numbered HR0 through HR19), and active admins connecting from (presumably) offsite and possibly from a foreign country.
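The two scans described above amount to an exposure diff of a public DNS zone. As an added example (not Jay's tooling or anything from the original post), the Python below runs over a constructed list of hostnames for a placeholder domain, flags names that suggest management interfaces or personal endpoints, groups numbered hosts such as hr0..hrN into a single load-balanced pool, and reports what disappeared between two snapshots; the hostnames and patterns are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed snapshots of hostnames seen in a public DNS zone (placeholder
# domain, not real records). The second snapshot is "after cleanup".
SNAPSHOT_BEFORE = """
www.example.gov
hr0.mail.example.gov
hr1.mail.example.gov
hr2.mail.example.gov
lb1.example.gov
lb2.example.gov
lb3.example.gov
admin-panel.example.gov
vcenter.example.gov
jdoe-laptop.example.gov
"""
SNAPSHOT_AFTER = """
www.example.gov
lb1.example.gov
jdoe-laptop.example.gov
"""

# Leftmost-label fragments that usually mean "management UI or personal
# device"; such names rarely belong in public DNS (assumed list).
SENSITIVE_PATTERNS = [r"^admin", r"panel", r"vcenter", r"-laptop$", r"^workstation"]


def parse_hosts(text):
    """Turn a newline-separated hostname dump into a set of lowercase names."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def sensitive_hosts(hosts):
    """Return hosts whose first label matches any sensitive pattern."""
    return {h for h in hosts
            if any(re.search(p, h.split(".")[0]) for p in SENSITIVE_PATTERNS)}


def numbered_pools(hosts):
    """Group hr0.mail.x, hr1.mail.x, ... into one pool keyed 'hrN.mail.x'."""
    pools = defaultdict(list)
    for h in hosts:
        m = re.match(r"^([a-z]+)(\d+)\.(.+)$", h)
        if m:
            pools[f"{m.group(1)}N.{m.group(3)}"].append(int(m.group(2)))
    return {k: sorted(v) for k, v in pools.items() if len(v) > 1}


def diff_snapshots(before, after):
    """Hostnames that vanished from, or appeared in, the public zone."""
    a, b = parse_hosts(before), parse_hosts(after)
    return {"removed": sorted(a - b), "added": sorted(b - a)}
```

Running `diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)` on the constructed data reports the admin panel, the vCenter host, two load balancers and the whole hrN mail pool as removed, while the personal laptop name is still published.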


I asked about the OPM employee who claims someone came in and attached a box to OPM’s on-premises servers, and it turns out that would be one way to transfer the on-premises data to the cloud.

Additionally, the security certificates associated with the original on-premises mail servers no longer worked once the data was transferred to the cloud, which could explain why early tests of the HR@opm.gov email bounced back when replied to. Eventually, those certificates were corrected, possibly accounting for the second test of HR@opm.gov, in which replies went through and the cloud-based servers authenticated successfully. But whoever updated the email server certificates failed to correct any of the other ones.

I asked why someone would want to move on-premises data to the cloud and add email servers there. Apparently, that makes it much easier to delete those servers and destroy any evidence that could be subject to future FOIA requests or subpoenas.

So while there is evidence that the entire operation surrounding HR@opm.gov was rushed, sloppy, and likely engineered by a small team of three or four people outside the agency, the much bigger problem is that while those subdomains were public, OPM email servers were compromised. Add to that the frightening possibility that outsiders installed a box to upload opm.gov servers to the cloud for outsider access.

Couple all this with reporting from WIRED today, and you can see why there’s a bigger problem here. Vittoria Elliott writes:

Sources within the federal government tell WIRED that the highest ranks of the Office of Personnel Management (OPM)—essentially the human resources function for the entire federal government—are now controlled by people with connections to Musk and to the tech industry.


That list of people includes Amanda Scales, formerly at Musk’s xAI, whose email address was included in one of the first OPM memos that asked employees to snitch on their DEI co-workers. It almost feels like when there was an uproar that she was included as a contact for informers, they decided they needed a stealthier and more easily destroyable email server. The other email for snitches listed in that memo was DEIATruth@opm.gov, but that address was quickly overrun with spam and Bee Movie scripts, a problem that could possibly be averted with 20 different email addresses disguised to look like one. Had I put out a call to spam HR@opm.gov, the messages likely would have gone nowhere, because the real email addresses were HR0 through HR19 @opm.gov.

Also on that list of Musk acolytes atop OPM are Riccardo Biasini and Steve Davis, who worked for Musk at the Boring Company. According to WIRED, it’s rumored that Davis is advising Musk on DOGE cuts just as he did with Twitter cuts. I’m sure you wouldn’t be surprised to learn that the subject line of Musk’s email asking for Twitter employees to resign was also entitled “A Fork in the Road.”

There are also a couple of “software engineers” advising OPM who are 21 and 19 years old. It’s anyone’s guess as to whether they were a part of the slapdash on-premises data transfer that left OPM servers exposed.

All of this brings back memories of the Alfa Bank Trump Tower server mystery of 2016. You’ll recall that a group of computer scientists disclosed, on the basis of DNS (Domain Name System) logs, that two internet servers belonging to Alfa Bank had looked up the address of the Trump Organization server 2,820 times between May and September that year. A DNC lawyer alerted the FBI to that activity. That DNC lawyer was Michael Sussmann, who was eventually indicted by Trump/Barr henchman John Durham, who had been tasked with investigating the Mueller probe. Sussmann was acquitted of all charges, and the only apparent crime found in that investigation was one that Trump himself committed.

I urge you all to listen to this interview, and I apologize in advance for my lack of systems security knowledge. I really just wanted to bring this story to the public as best I could.

Thank you so much for listening and subscribing!

~AG
