@GossiTheDog @kimzetter but isn't that also pretty irrelevant in this case? It wouldn't have mattered how secure the communications channel was. The failure point was the human.
@GossiTheDog @kimzetter even encrypted at rest would just require an infostealer like how Microsoft’s boneheaded recall works to capture it from the framebuffer. Anything rendered on a compromised device can be extracted if the device has the ability to display it in plaintext
@GossiTheDog @kimzetter Signal also doesn't protect against "one participant is literally in Russia, his phone has been handled by customs, and everybody else in chat just blindly assumes that he is fully secure in his person and effects."
@GossiTheDog How good is Signal at deleting messages? Hmm, backups might be enabled by default, that would be funny.
@GossiTheDog Do you think they seek the truth?
@GossiTheDog or. Crazy idea. Don't use public apps for top secret communications
@GossiTheDog I remember all the articles of Obama not using an iPhone for security reasons. Sound decision 👍
@GossiTheDog that is so for every device you are running on your phone. Unless you use a password for it. In the hope nobody can crack it.
@GossiTheDog
And the pertinent point here is that one of the idiots with the incredibly bad opsec was in Russia at the time, possibly on Russian wifi, and likely had a compromised phone. These doofuses are so bad at this they likely have already been hacked by every other nation state that has tried to get at their devices.
@kimzetter
@GossiTheDog user error seems more likely - maybe Waltz has a contact with JG's number and a company name or note of "Librul Commie Press!" but Signal just showed the initials ("JG is on Signal!").
@GossiTheDog @kimzetter is one of my favorite (tech) journalists. Doing what journalists should do: factual reporting.
@GossiTheDog @kimzetter C'mon though, what are the odds that highly placed individuals in the US gov't would be surveillance targets for those groups. The odds of that would be like finding a needle in a stack of other highly useful needles.
@GossiTheDog That was my take. Russian Trollollol? Ukrainian? Scattered Spider? Heck, anyone.
No kidding. This is literally the definition of e2ee. Is web searching dead? Are we that helpless?
@GossiTheDog @kimzetter
Signal does store & forward of messages. Are they encrypted on the server, with a destination key?
Even if they are, there's a vulnerability of the Signal server being hacked by a major hacker, e.g. a state.
And these were personal devices, because you can't install non-approved apps like #Signal on a government-issued device unless you illicitly bypass the device management system. And as personal devices, they are much more likely to be compromised because they are managed by people without any cybersecurity expertise. And because they're not monitored no one will know if they are compromised. It's just an awful cyber security rabbit hole.
They should all go to jail.
@GossiTheDog @kimzetter
Are the messages protected on device in any way? Obviously they can be read by opening the app for anyone with physical access. But if it's locked, are the messages stored encrypted?
@GossiTheDog @simonoid Do these actually work on up-to-date iPhones? I know I've seen a lot of claims about tools to gain access to mobile devices that then turn out to only actually work on older OS versions (presumably old enough to have known exploits).
@GossiTheDog @kimzetter They technically didn't say it wrong, it is kinda obvious it only applies for transit of communication, not who reads it in the group chat or who has that message on the phone that isn't secured from physical access... That's kinda obvious.
Like, even old SMS is also secure from everyday users who weren't involved in the chat, but isn't if they have access to the phone that has them stored... That's kinda obvious.
People also tend to think if the message is encrypted everything else does not matter.
Even with secure encryption, there still is data you give away: when you communicate, with whom you communicate, the frequency of communication.
All data that is at least as interesting as the content of your communication because, unlike the content, it can easily be analysed automatically.
@Ehay2k @GossiTheDog @kimzetter What makes you think Signal was not an approved app on a government-issued device? Whoever manages these devices surely works in/for/with an agency that reports to the POTUS in the end. They probably have vK on that list as well by this point
I don't THINK it, I KNOW it, because it is NOT an approved app for government communications. Period. And you can't just install apps on government managed devices that handle classified (and even SBU) data. AND there was an NSA Opsec special bulletin warning DoD and intelligence staff about Signal vulnerabilities and that it was NOT TO BE USED for non-public official info
See this: https://www.npr.org/2025/03/25/nx-s1-5339801/pentagon-email-signal-vulnerability
But I'm betting you knew that.
JFC, that's from #Foxnews, so they whitewashed this small detail:
"Organizations may already have these best practices in place, such as secure communication
platforms and multifactor authentication (MFA) policies. In cases where organizations do not, apply the
following best practices to your mobile devices"
#Signal is absolutely NOT approved for DoD classified/SBU comms. It is recommended for personal, non official comms only
Stop spreading #misinformation
@GossiTheDog @kchr @kimzetter
Nope. Show me where #Signal is approved anywhere within the #USGovernment for official non-public communications.
#CISA is recommending best practices in the absence of any official guidelines: "Organizations may already have these best practices in place, such as secure communication platforms and multifactor authentication (MFA) policies."
And you can bet 100% that everybody in the national security apparatus has official policies and apps. Signal isn't one.
And again, I challenge you to show me ANYWHERE that #Signal is permitted for the processing or storage of non-public government information. The NSA memo (link below) explicitly calls out that it shall not be used even for *unclassified* (protected, FOUO, CUI) data. And that would apply to everybody in the national security apparatus.
Anybody stating anything to the contrary is a liar, a shill or both.
Here's the #departmentofdefense policy.
TLDR - not allowed.
https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-UseOfUnclassMobileApps.pdf
Haven't found the CIA handbook yet but at this point I'm pretty sure that they haven't deviated from literally everybody else's position that these apps are not to be used even for CUI, SBU, or other unclassified government data. Top secret active war plans would definitely be prohibited.
@GossiTheDog @simonoid Oh, yeah, I was aware iPhones have 0-days; I just wasn't aware that they're regularly known (by non-state entities) long enough ahead of patching to have them incorporated into "off the shelf" products.
@GossiTheDog Is there any E2E encryption that protects data stored on or in use on a device? I mean, how would the data even be used in that case? Signal is E2E encrypted within the common meaning of that term. It is not just encryption in transit. The correct concern Kim Zetter identified here is the potential for compromised endpoints, right?