The National Security Agency has recently published some open-source projects on GitHub. A cyber security branch of the Dutch government has done the same in the past; however, this backfired a little when it was discovered that personal data had slipped into a public repository on GitHub.
Something similar has happened now. Although no personal data was committed (that I know of), the authors and NSA employees of some of these repositories did not commit anonymously. In fact, some developers used personal GitHub accounts.
On the 19th of June the NSA released, amongst 28 other projects, a QGIS plugin, Timely, a WebSocket Apache plugin and a system automation tool. These repositories contain commits from actual GitHub accounts with (seemingly) real names.
This got me thinking. Were these contributors and members of the NSA’s GitHub organisation actual employees of the NSA, or were they simply aliases? I took a better look at some of their GitHub profiles, uploaded images (EXIF data) and code commits. I discovered quite a lot of personal information within less than an hour.
Using only online and publicly available resources, I was able to obtain home addresses, telephone numbers, email addresses, LinkedIn accounts, full-face pictures and much more of some of these NSA developers. This concerned me: this information could put the safety of these developers at risk, as the NSA isn’t that popular these days.
I sent an email through the NSA’s online contact form (as there is no other form of contacting the NSA that I know of). I haven’t received any form of a reply to this date. This concerned me even more. Why can’t an outsider get in contact with the NSA, when the subject is the safety of their own employees?
Note that I intentionally did not post any personally identifiable information (PII) in this publication. My concern is the privacy and security of the NSA employees. Disclosing the information I found would perhaps help to make my point, but that would unnecessarily expose these employees. People who really want this information should be able to find it themselves using the same tools and resources I used.
Hopefully the NSA will take action and anonymize the git contributors of its repositories when this story gets the attention of the public.
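The leak the article points at in the commit history is the author and committer name and e-mail that git stores in every commit object and that `git log` shows to anyone who clones the repository. That is something a project can audit before publishing. The script below is an added example, not code from the article or from any of the NSA projects: it parses `git log` output in a fixed tab-separated format, lists every author or committer identity that is not on an allow-list of anonymous identities, and emits `.mailmap` lines that map them to one shared release identity. The allow-list patterns, the release identity, the `.invalid` e-mail domains and the sample log lines are all constructed for the example.

```python
"""Pre-publication audit of git author/committer identities (added example).

Expects the output of:
    git log --all --format='%H%x09%an%x09%ae%x09%cn%x09%ce'
i.e. one commit per line: hash, author name, author e-mail,
committer name, committer e-mail, separated by tabs (%x09).
"""
import re
from collections import Counter

# E-mail patterns considered safe to publish under. Constructed allow-list:
# GitHub's noreply addresses plus a hypothetical organisational release domain.
SAFE_EMAIL_PATTERNS = [
    re.compile(r"@users\.noreply\.github\.com$", re.I),
    re.compile(r"^noreply@github\.com$", re.I),            # GitHub web-flow committer
    re.compile(r"@releases\.example-org\.invalid$", re.I),  # hypothetical release identity
]

# Constructed sample log; the e-mail domains end in .invalid so they resolve to nobody.
SAMPLE_LOG = (
    "1111111\tJane Example\tjane.example@gmail.invalid\tJane Example\tjane.example@gmail.invalid\n"
    "2222222\tJane Example\tjane.example@gmail.invalid\tGitHub\tnoreply@github.com\n"
    "3333333\trelease-bot\t12345678+release-bot@users.noreply.github.com"
    "\trelease-bot\t12345678+release-bot@users.noreply.github.com\n"
)


def parse_log(text):
    """Split the tab-separated log into (hash, an, ae, cn, ce) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        rows.append(tuple(parts))
    return rows


def is_safe_email(email):
    """True if the address matches one of the anonymous allow-list patterns."""
    return any(p.search(email) for p in SAFE_EMAIL_PATTERNS)


def audit_identities(text):
    """Return {(name, email): number_of_commits} for identities that name a real person.

    Author and committer are both checked; an identity is counted once per commit
    even if it appears in both roles.
    """
    exposed = Counter()
    for _commit, an, ae, cn, ce in parse_log(text):
        for name, email in {(an, ae), (cn, ce)}:
            if not is_safe_email(email):
                exposed[(name, email)] += 1
    return dict(exposed)


def mailmap_for(exposed, release_name, release_email):
    """Build .mailmap lines rewriting every exposed identity to one release identity.

    .mailmap syntax: "Proper Name <proper@email> Commit Name <commit@email>".
    """
    return "\n".join(
        f"{release_name} <{release_email}> {name} <{email}>"
        for (name, email) in sorted(exposed)
    )


if __name__ == "__main__":
    found = audit_identities(SAMPLE_LOG)
    for (name, email), count in sorted(found.items()):
        print(f"EXPOSED: {name} <{email}> in {count} commit(s)")
    print(mailmap_for(found, "Project Release", "release@releases.example-org.invalid"))
```

A `.mailmap` only changes how `git log` and `git shortlog` display identities; the original names and addresses remain in the commit objects. Actually anonymising a history before publication means rewriting it (for example `git filter-repo --mailmap <file>` on a private copy) and publishing the rewritten repository, and it has to happen before the first push: every clone or fork made earlier keeps the original metadata. EXIF data in profile pictures, the other source the article mentions, is stored in the image files rather than in git and needs a separate check.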
Jun 19 — Discovery
Jun 20 — Contacted NSA using webform
Jul 14 — Contacted NSA Inspector General using webform
Jul 17 — Published disclosure