I haven’t had much to say about this kerfuffle, but CDR Salamander has a pretty good take, IMO.
9 thoughts on “The Signal I Was Waiting For”
That cabinet members were using a communication system which could be accessed without a smartcard and 2FA is remarkable but no longer unthinkable. The US government is in a positive feedback loop of suck.
Signal isn’t secure because Russian hackers already figured out, and have been executing, a simple trick of adding their own “linked devices” to the target’s phone. Then the target’s phone sends the plain text of Signal chats (text or voice) to the Russian hackers.
Two of the chat participants were shown twice in the list of participants. Were the duplicate entries their linked devices? I don’t know, but it’s definitely a question to ask.
Frankly, no smart phone out in the wild (one that isn’t vetted from the manufacturing line on) should be acceptable for any secure communications because there’s almost no way to guarantee it hasn’t been compromised at some point. They need something like an early model Nokia or Blackberry that is so primitive that there’s nothing hackable in it, kind of like using an Apple II or CP/M machine. They don’t have enough memory to run a highly sophisticated virus.
But the leak was just an oopsie. All anyone needed to do was say “We screwed up. We’re making changes. It won’t happen again.”
Instead they started acting like frat boys in Dean Wormer’s office trying to brazen their way through to escape any consequences for being found passed out and pantless on the sorority house’s lawn.
Hegseth, Waltz, and Vance (who wasn’t found pantless, but is nevertheless trying to eloquently bullsh*t Dean Wormer) need to be put on triple secret probation.
Agree, it was a good take. The open discussion of ToT and systems (F/A-18, which suggests this CVN-75) is bad. However, I’m ok with the discussion amongst the people supposed to be present. Yes, it is embarrassing that everyone present wasn’t checked before discussion.
The major thing to add is this:
“[Katherine] Maher is the Chair of the Board of Signal Foundation, responsible for the secure, private Signal Messenger app”
That’s the same Katherine Maher, CEO NPR.
This feels more like a Vindman-like setup. Someone else pointed out that the mistake seems to be Waltz’s inclusion of JG, but Democrats, and the CDR noted this as well, are going on about what SECDEF wrote in the open. I get it. Still, he thinks he is talking to members of the NSC. Not sure why they didn’t take this to something more secure, but this is the modern era. The question is, as CDR Salamander noted: why did they think Signal was secure enough?
Personally, I think anything sent via an ordinary cellular phone, regardless of the application, is unsecure for a discussion that discusses time on target for an ongoing Op, so yeah Hegseth, “don’t do that”.
The only person to fire is whoever really got JG connected. Based on other comments by Waltz, I don’t think it was him. It may have been him that included JG, but who put JG in as Jeff Goldberg? Also, concur full names should be the norm.
Well given Katherine Maher’s humongous involvement with Signal, we need to ask if Waltz added JG or if Signal added him and said Waltz did it. Basically, can Signal send out special updates to particular people’s phones?
And that question raises another question about why the Biden Administration wanted government people using Signal. Perhaps it was because its encryption was secure, as was their ability to compromise the communications of any user they wanted to target.
I’m ISSO at a small contractor office, nothing NATSEC. It was sloppy. The Feds had gotten sloppy with security. I see sloppiness all the time. But in my realm, it is not critical. Just fines if someone becomes aware of a PHI release.
Ahhh ISSO, boy that brings back a memory…
There was a time in my checkered past, when I was working as a contractor in Q/A for a once well-known company that was selling Unix workstations to the feds that met the NSA’s B1/CMW rating.
Talk about paranoia at the next level. One of the things our group was responsible for was certifying attachable hardware that wouldn’t compromise the B1/CMW rating.
One customer wanted to attach a color offset printer to our workstation, one that was in a secured area. We said no. Why? Two reasons, ability to compromise and a clandestine channel.
How do you compromise a printer? Well in this case a thermal offset color printer uses a tri-color film to attach images to paper using a film that is one time use. Say your TOP SECRET documents have the words TOP SECRET printed across the top of each page. So what our Spy #1 does, if he/she wants to steal 12 pages of TOP SECRET document is he/she prints 12 blank pages of TOP SECRET. Then re-rolls the film in the printer back to the beginning and now prints their 12 pages of secret document. Because the film has already pressed the TOP SECRET on paper (remember one-time use) the words do not show up on the printed page!
Clandestine channel? The film once used contains a negative image of every document printed regardless of classification. So at the end of the day Spy #2 merely replaces the used film roller with a new one and walks out the door with trash bag in hand…
I have no idea how the NSA treated IBM Selectric typewriters.
Burn the ribbon after use?
Personally the thing that appalls me the most is the news that Mike Waltz communicates in security meetings with emojis. I am embarrassed for my country.
Cdr. Sal’s take is a good one: nothing serious revealed but you now have experienced security issues with that system to fix things. They use the system because of “inertia” and I suspect there’s a lot of that in government changeovers.
So now that you are aware of the issue, fix it; look for other instances; be smart. Be secure.