It's not like he called Comcast and had them run a line on the weekend and they snuck it in there with no one noticing. He told Comms what he needed and they gave security a business justification to set it up in a way that had an acceptable amount of risk. It's all documented and approved.
And no, we don't call these a "dirty" line; that's something someone made up for the purposes of the article. We call it "unattrib" and it's quite common, serving many useful legitimate purposes.
One thing that I find surprising about the Hegseth case is that most SecDef do not use the computer in their office at all. A couple recent ones still don't even have a computer in there. Normally staff handle 100% of communication and briefing outside of phone calls and video calls. He's clearly still adjusting to the reality of operating within the _confines_ of DoD headquarters.
Also the article's mention of using Wi-fi in the back of his office doesn't make sense to me, there isn't any Wi-fi available in the suite or anywhere nearby.
Back in the day, I was an outside contractor installing a new storage system for the Livermore lab's secure computing facility. (Designing nuclear weapons) I had no security clearance. When I was present there was a rotating blue light, similar to a police car, warning people that an uncleared person was present. When I was in the facility, people would refer to the area being "dirty".
We don’t have a publicly released document, signed approval, or on-record statement confirming whether the line was approved or not. It’s all coming from “sources” which is rumor or conjecture. File a FOIA and report back. Investigative reporting is broken.
Legit can't tell if this is a real comment or someone put the article into an LLM with the prompt "Use technical jargon and an authoritative tone to make a response to this article justifying the SecDef's decision to have an unsecured line installed." I can't find anything online referencing unsecured lines being referred to as "unattrib".
DAA would have had to allow it with some risk acceptance. We don’t know for sure because all we have is an AP article asserting it is true and attributed to “sources”.
It’s a complete outlier. Prior to this administration, people took classified information rules and federal laws around records retention very seriously and while Clinton’s personal server used for non-classified material was a grey area back then the rules were strengthened to make that clearly off-limits.
But how do others in DC use Signal while in federal buildings, or is Signal use way less common than I've understood it to be?
I'm not asking because what Hegseth did is excusable, the first offence likely would have led to his termination and charges if he was enlisted.
It is still interesting, though, whether this actually is an outlier or just an article pointing out one case of an individual they want to single out.
People don’t use Signal for official business. The federal government is required to keep records of how it operates, which Signal is not compliant with (deletion), and classified material is not allowed on unapproved systems. Most people take that seriously because it is a career-ending offense for a merit-hire which would effectively end their ability to get any job with the government or a contractor which requires a background check.
Your premise is incorrect. Laws allow use of these types of apps. Excerpt from FactCheck article
“According to the National Archives and Records Administration: “Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.” Guidance from NARA in 2015 stated, “Employees create Federal records when they conduct agency business using personal electronic messaging accounts or devices. This is the case whether or not agencies allow employees to use personal accounts or devices to conduct agency business. This is true for all Federal employees regardless of status.”
An update of the federal records laws in 2014 allows federal employees “using a non-official electronic messaging account” to provide records of those communications to federal archivists within 20 days. So as Josh Gerstein wrote for Politico on March 25, “That means the officials involved in these discussions on Signal still have time to comply since these messages came about 10 days ago.””
First, you really want to read the link you posted because it highlights that there’s more to it than NARA’s general guidance for the entire federal government, including specific laws for defense information. That’s presumably why it quotes people saying that they think it’s illegal but avoids making a definitive statement.
Even if that defense-specific law is determined not to apply, as that article explains this is still at least borderline illegal. It links to the relevant law:
> (Sec. 10) Prohibits an officer or employee of an executive agency from creating or sending a record using a non-official electronic messaging account unless such officer or employee: (1) copies an official electronic messaging account of the officer or employee in the original creation or transmission of the record, or (2) forwards a complete copy of the record to an official electronic messaging account of the officer or employee not later than 20 days after the original creation or transmission of the record. Provides for disciplinary action against an agency officer or employee for an intentional violation of such prohibition.
I haven’t seen even his most devoted defenders claim that he officially set up a process to archive all of their Signal messages at all, and the fact that the chats were set up to delete messages after 7 days certainly doesn’t suggest an intention in following it. Moreover, even if they didn’t have messages deleted automatically Signal allows people to manually edit or delete messages so they’d be placed in the difficult position of proving the negative that they hadn’t removed official records.
The law linked says that they must copy the official account at the time of the message, or they can forward the message to the official account within 20 days. It doesn’t outright ban Signal. What I provided as parameters could have been followed. We don’t know. Someone would have to file a FOIA. The only ramifications are political in nature. Trump could decide to remove him.
Yes, he’s effectively above the law because his boss controls the DOJ and could pardon him. That doesn’t mean that he’s in compliance with the law, only that Republicans consider obeying laws optional if it interferes with their exercise of power.
I don’t agree. George Santos just got convicted and will be serving 7 years for fraud. He is/was Republican.
Not saying any one of them is perfect, just trying to be reasonable that he probably used Signal and maybe still does but it’s not this blazing fire that it’s made out to be.
Plus, the President is the ultimate classification authority. He can make the rules.
Santos isn’t comparable: he was charged under an administration which followed the law, at a time when his vote didn’t affect the balance of power, and he also lied to his fellow Republicans. Based on what we’ve seen so far with a newly-politicized DOJ, it’s debatable whether he’d have the same outcome now or be seen as a very safe vote after being given a deal like Eric Adams to avoid punishment as long as he toes the line.
While it’s true that the president can set policy, there’s no evidence that he’s done so in this case. You’ve made a really concerted effort to try to imagine scenarios where this wouldn’t be a big deal but there’s no evidence that they’re real. For example, if Trump had decreed that personal devices were approved for classified messages, you’d expect that Hegseth would have defended himself by pointing to that memo.
They're definitely not supposed to use Signal for official business, especially anything classified. My question is whether people actually do though (not a question I expect answered by the way, from the outside we wouldn't really know).
Well, he has zero experience in administrative positions.
Here's a quote by Mitch McConnell (R-Ky), who voted against his nomination:
"Effective management of nearly 3 million military and civilian personnel, an annual budget of nearly $1 trillion, and alliances and partnerships around the world is a daily test with staggering consequences for the security of the American people and our global interests," the senator said. "Mr. Hegseth has failed, as yet, to demonstrate that he will pass this test. But as he assumes office, the consequences of failure are as high as they have ever been."
I can't understand how someone like that got into such a position.
It was deliberate. President Stable Genius wants a loyal "yes man" in that critical position. The Fox News host was it. Competence and continuity are not important for what the administration is doing.
If Hegseth gets cut-out, someone equally ridiculous will be chosen to fill that role.
Well, to explain that properly, I’m going to need to explain the Southern Strategy and how that and subsequent efforts helped transform the party of Lincoln into the party of Pete Hegseth and Michael Brown.
As a Canuck, I was anxious a little bit when orange man kept blathering about annexing Canada, but now seeing how utterly incompetent this administration is, my anxiety died down.
sadly they haven't replaced all the competent people yet, so I'm afraid they can still do a lot of damage. but thankfully they're working their way through the list.
Failing checks and balances, and the wrong elected representatives given the power to put someone in that position. The current US administration was years in the making.
Not the only country by the way.
The issue here is classic shadow IT, the respective military/agencies are unable to supply anything as portable and usable as a mobile phone for classified communications.
Governments are simply run the same way businesses are now run
We weren't 'dragged' into the Ukraine war. We watched an invasion, we saw refugees arrive in our society, we sent resources to help, we are watching war crimes and we now count Ukrainians amongst us. Our systems were taken by surprise and have taken time to respond. But the previous administration's policy was one of alliances and diplomacy and not intimidation or force.
The EU has its own agency and it is a perfectly good thing for us to 'take over'.
If you focus on one (admittedly ill formulated) part of a downvoted and now deleted comment, you can infer anything.
Yes, Germany supplied moderate amounts of weapons in the beginning, so they were involved from the start if you like. Then Nordstream happened, then the previous US administration repeatedly put pressure on Germany and other EU countries to do more:
The US policy that the EU should get more involved has been a recurring theme during the Biden administration. Now the EU is begging the US to continue. We do not know if all this is political theater or if Trump really wants to end the war. We might know by the end of this year.
Germany is not the sole EU country. For example Poland delivered 300 tanks starting from April 2022 (also - SPG, aircraft and other heavy equipment and also lighter equipment).
I just spoke up because something we're seeing a lot as Europeans is these subtle twists and turns in the narrative. When you live here a lot of this stuff is up close and personal - we don't need to infer anything from internet comments or past news articles. We've been paying attention - I have personally watched the military convoys running east-west. We have Ukrainians integrated into our communities.
We expended much energy internally consumed by internal debates and arguments about who is supplying what, how much, through which channel. As EU member states we're not always aligned and we are different cultures speaking different languages. This has been used against us in the information warfare layer.
I really don't believe you can simplify the entire EU and say we're begging. There are certain capacities that we can't replace, and for decades member states prioritized dismantling our military industrial complex (in perfectly good faith!). Winding up heavy military industrial supply chains can't be an over-night process. And yeah, I believe you're absolutely correct - a lot of this is political theater.
My own personal view: the war won't be over anytime soon. The other side has gone all in on it. Even if they were to slam the brakes it would take years to reduce that momentum. They've had their own internal wars and purges fueling this thing and whatever they do, they would need to have a solid explanation. It's basically a sacred crusade to them.
Now, this might be controversial, but my personal belief is that on some level, we too prefer that the war grinds on. Only as long as it does not escalate into nuclear. It might be a cynical belief, but at this point it's the Ukrainians who are going to have years of real-life warfare experience and the EU wants access to this to learn from.
Anyways, there's a fucking TV host running the US DoD. These aren't serious people. Trump doesn't have nuanced ideas to read into on any of this - he wants to end the war as much as he wants to eat cheeseburgers and have crowds cheer for him. Maybe he'll get that headline, maybe he won't.
> We do not know if all this is political theater or if Trump really wants to end the war...
The utterly confused picture of what the president is thinking is itself a considerable problem. Political theater would be unconscionable, yet that is mostly what we get.
The question was why Hegseth got into that position. The now deleted comment speculated, perhaps in a clumsy fashion, why polarizing, incompetent but loyal figures can be useful for a permanent bureaucracy to achieve its long term goals.
The fact that the figures are polarizing helps, because everyone focuses on the person and not on what is actually happening.
Note that this is speculation, because we do not have full information.
The comment provided a BBC link about Hegseth's speech that the EU must raise its military spending to 5% and essentially take over Ukraine protection.
I'm not sure why you mention Fox News, which does not raise the points that were made in the deleted comment at all.
It was revealed not too long ago that it's common for the CIA to use Signal. They probably spend all day every day trying to crack it, so if they feel comfortable with its encryption, I'm sure the def department does too.
I don’t know how you can access Signal without a public Internet connection. It isn’t like Signal is set up on Azure US Government (as far as I am aware) or Amazon equivalent. Does anyone know?
Signal uses HTTPS for contact discovery and account registration. Then, it switches to its own Signal protocol to provide end-to-end encryption.
There would have to be some egress rule to allow Signal access from Azure. Signal is a commercial app.
Even if access was allowed from Cloud or some other Defense network, it would still be considered “dirty” as the article says because it’s still going over the Public Internet to a commercial software provider.
Communications are encrypted barring some MiTM attack.
Not a good idea to discuss secret things on an app that isn’t approved for it but is this article reaching a bit?
I think the article is pointing out the obvious. The only way to access Signal is over the public Internet with HTTPS and end to end encryption provided by Signal.
Is it? This circumvented the Pentagon's security protocols, presumably disrupting its air gap. This is a national security breach on the highest level, I'd say it's pretty serious and I don't understand why anyone is in the comment section trying to downplay or defend it.
Not downplaying or defending - but I don’t understand the failure mode here - presumably hegseth had to ask someone in pentagon IT to set this up? Submit a form etc. sure he asked for something illegal* but someone actually following a set of rules had to enable this, no?
The failure mode is that the Secretary of Defense unilaterally bypassed security protocols to use technology that had not been evaluated for that use case in a national security context by the appropriate experts.
It doesn't matter if he happened to use something that has a solid security model. The problem isn't Signal, it's that he ignored all the rules.
And it does have an impact, as we see in other news, because one failure mode of Signal is that it's super easy to add the wrong people to a group. Which has actually happened. Twice (at least.)
Of course it’s not approved for classified use. There is a leap here until it’s been proven it’s been used for classified communications. There is no proof yet. Open to changing my mind if an authority on the topic says it is classified.
> "Michael Waltz has learned a lesson, and he’s a good man," Trump said Tuesday in a phone interview with NBC News.
> Asked what he was told about how Goldberg came to be added to the Signal chat, Trump said: “It was one of Michael’s people on the phone. A staffer had his number on there.”
—-
“The Secretary of Defense is the original classification authority," Ratcliffe said, "and my understanding is that um his comments are that any information that he shared was not classified.”
—-
So, I am back to what I have been saying from the beginning.
This is an AP hit piece via corrupt MSM and until someone can point to further evidence from these unknown “sources” then this story can’t be trusted.
Hit piece! Sec of Def can say anything he wants, it was automagically cleared for release, and his wife applying for clearance as soon as story leaked is just a coincidence!
I 100% agree - I’m only saying hegseth didn’t run an unsecured line into his office himself no?
Why didn’t some automated system say “installation of unsecured lines in this building is not possible” or similar
To be course : I didn’t think something so obviously wrong would have been allowed and enabled by several people who made this possible - removing absolutely no accountability from the person who asked for this to happen
If this happened the way it's being reported, yeah, several people should lose their jobs.
I suspect this is a case of being more afraid of saying "no" to the boss than of facing consequences for violating policy. Policies are unfortunately not self-enforcing.
Trump's been firing Inspectors General and dismantling mechanisms of internal accountability across the government, so perhaps that's a correct calculus in this case.
> Not downplaying or defending - but I don’t understand the failure mode here
Like so many others, this particular 'failure mode' doesn't exist if you're a Republican. What if Hillary Clinton did it? Now that would be a democracy-threatening 'failure mode.'
I'd note that he's not subject to them. It's a civilian position, and he's no longer serving in the military. You're obviously allowed to wear makeup as a former soldier.
I agree he's a clown, but not for this. Politicians frequently wear makeup. It's part of the job.
Just to clarify - I am not presuming to shift blame - I am asking about a failure mode here- absolutely hold hegseth accountable (he should have never been in this position and is completely unqualified in my opinion).
I am also not suggesting we hold an IT person accountable-
I am only saying there should be rules/systems in place so that if someone else asks for something obviously wrong like this again, there’s a clear stop gap to say “that’s not possible”
Maybe there already is one(several) - if so, then of course the chain of accountability continues to ensnare…
Why are you so upset about men wearing makeup? I mean clearly he is not a member of any of the armed services anyway. Your whole comment is essentially a rant about how this guy should adhere to gender norms. You have a point about spending the money for a studio, but that has nothing to do with the article.
If you think I'm upset about men wearing makeup, you're totally missing the point on purpose.
It's not me, it's the military that enforces adherence to gender roles, even much more so under Hegseth's rule and Trump's Project 2025 bigotry. You're just being performatively dense. It's all about their hypocrisy, homophobia, and transphobia, and you know it.
Anyway, Hegseth isn't a man, he's a clown, so I think he should be wearing clown makeup, not no makeup.
I'm only talking shit about a hypocritical transphobic bigot who denies your right to serve your country or even exist, all while wearing makeup himself.
We're both on the same side. See my previous post about Lynn Conway, for example:
No software—whether on a secure or non-secure (dirty-line) government computer—can be installed without IT being alerted within milliseconds. Likewise, absolutely no unauthorized hardware can be connected to a military system without immediate detection.
There is simply no realistic scenario in which PH could have operated an unknown system with unapproved software inside one of the most secure facilities in the United States without it being known and approved. If I’m proven wrong, I’ll gladly apologize for doubting. But when it’s confirmed I’m right, I hope you’ll extend the same courtesy to those your post may have misled or unfairly accused.
>If I’m proven wrong, I’ll gladly apologize for doubting.
No you won't. You've been proven wrong many times in this discussion, and not once apologized, gladly or begrudgingly. So that's a flat out lie.
Where's your insincerely promised apology to ceejayoz for proving you spectacularly wrong in the sibling comment? And your incessant sealioning and trolling hasn't earned you a shred of courtesy.
You also owe me an apology for being wrong about me not being a US citizen, and trying to banish me from this conversation because of that, which is totally rude and inappropriate gatekeeping and censorship, even if you were right about my citizenship.
How did it disrupt its air gap? That's presumably still intact. If the article is true then he has an Internet connection in his office. He also has one on his personal cell, and probably his home. He could use Signal anywhere.
That is not a breach. That’s a leak. If true then he spilled secrets. I don’t know what is and isn’t secret in his communications. Everyone is just assuming it was.
At no point should anything semantically in the neighborhood of a breach or a leak be caused by the person who is #2 over a military. Full stop. There is no further argument.
We do know what was said in at least one chat. Tactical battle information including timing and sequencing. Highly protected information, and a federal crime to disclose.
What’s the difference between a breach, a leak, and a spill? It seems like you’re the one reaching here.
> What’s the difference between a breach, a leak, and a spill?
A breach is when security measures are bypassed and a leak is when information is given to someone who should not have it (a spill is a leak). If he was using an insecure connection for sensitive communications, then the “breach” would be his decision to do that while accidentally including the wrong people in the chat and the “leak” would be Jeffrey Goldberg receiving the messages.
(Just answering the question. They were correct in a very literal way but it seems a bit pedantic. The overall point is moot given what we know.)
“An air gap involves physically isolating a computer or network from other networks to prevent unauthorized access and data breaches. This method creates a literal "air gap" between the secured network and any other unsecured networks. Air gaps are an isolation method crucial for data integrity and security and can be deployed across various industries.”
I’m not doing your homework for you. If you’re asking these questions you’re either sea lioning or incredibly lazy. A short google will tell you exactly what occurred.
So go read up enough that you can then. It really doesn't take a law degree or unreasonable time. More constructive use of your time than arguing for something completely ungrounded (unless spreading doubt is actually your goal here).
Or, you could take five minutes, skim the texts, and come to the obvious conclusion that “we attack Yemen with F-18s at this specific time, and have surveillance on one of the targets at his usual location” would definitely be classified.
The one you are referring to was prior to his confirmation and he wouldn’t be privy to anything but open source information. The other was proven not to contain classified info.
Not a fan of using Signal, but we have to be accurate about what happened.
Unless you can point me at a security classification guide then it’s a moot point. MSM is reaching again. These are all hit pieces. I can’t evaluate something objectively without a security classification guide.
Everyone here is confusing classified and op sec which can overlap but also cannot. No one here can point me to say what he reportedly did was release classified info. We also don’t know if the President who has the ultimate classification authority will allow it either.
Page 36 indicates "General information or assessments regarding the military plans, intentions, capabilities, or activities of the US, its allies, coalition partners or foreign adversaries" would be classified CONFIDENTIAL, "Specific information" as SECRET, and "Information providing indication or advance warning that the US or its allies are preparing an attack" as TOP SECRET.
These texts included the location (Yemen), the equipment (F-18s, Tomahawks, MQ-9s), and down-to-the-minute timing, in advance. That would very clearly fall under TS for the DNI, and that's pretty solid evidence it'd be TS for the DOD.
>"If I’m proven wrong, I’ll gladly apologize for doubting." -firesteelrain
So where's your glad apology, then?
Your lack of response with the sincere glad apology you insincerely promised, after being so thoroughly schooled and corrected with facts and citations, proves the hard cold truth about you:
You're just a bald faced liar and a sealioning troll, not posting in good faith.
I haven’t been proven wrong. SecDef has classification authority. He can make the rules as to what is and isn’t classified. And we have to live with it. It’s part of the US National Security Policy not Constitution.
Ignoring the rest of your immature comments.
Unless you have something more constructive to add in order to be in compliance with HN guidelines that over time discussion gets more constructive then I think we are done here. Please don’t stalk my comments.
You've been proven wrong about many things, and moving the goalposts each time doesn't prove you right, it proves you're not arguing in good faith.
You STILL owe me an apology for incorrectly accusing me of not being American, and for rudely and unjustifiably claiming that I have no right to participate in this conversation because of my incorrectly presumed nationality, and for claiming I'm "stalking" your comments.
You have absolutely no right to police who is allowed to participate in this discussion or reply to your comments. It doesn't matter what my nationality is, I have as much of a right to be here and reply to your comments as you or anyone else does. There is absolutely no rule or guideline that says non-Americans can't participate in Hacker News discussions, and you're absolutely wrong that I'm not American.
And I have every right to "stalk" your comments by replying to your posts to this discussion, when you're spamming this conversation and stalking and harassing me and other people with your asinine and incessant sealioning, after you've promised to gladly apologize to anyone if you're wrong.
First you accuse me of not being American, then you claim non-Americans are excluded from this conversation, then you accuse me of stalking you by replying to your comments.
Well among other things, you were totally 100% wrong about me not being American, and totally 100% wrong about whether non-Americans have a right to participate in this discussion, and totally 100% wrong about me "stalking" your comments.
If you don't want people to reply to your comments, then don't post them. If you don't want people to demand you gladly apologize when you're wrong, then don't promise you will, and then don't say things that are wrong so often.
So where are the THREE apologies that you gladly owe me? And where are all the apologies you owe other people, for having all your other facts wrong, and refusing to admit it, and sealioning, and moving the goalposts, and arguing in bad faith, and lying through your teeth? You're the one of your own free will and in your very own words promised to "gladly apologize" to anyone if you're wrong, and you're objectively wrong, beyond any doubt, absolutely proven.
You have no shred of evidence that I'm not American, or that non-Americans aren't allowed to post, or that I'm "stalking" you by simply replying to your repeated posts.
I'll keep replying to any of your comments I want, for as long as you owe me or anyone else apologies. So get started apologizing, because you owe me THREE so far, and other people MANY MORE. Make them specific sincere apologies, fully admitting guilt, precisely naming and describing what you did and why it was wrong, promising not to do each of those things again, and not "non-apology apologies". And do it "gladly" like you promised, not begrudgingly. If you keep refusing, then that is not "gladly" (YOUR OWN WORDS), but it proves you're a liar.
It's not a "laundry list of what's classified". It's how you determine what needs to be classified. The DOD's classification guides will absolutely deem information of this nature - attack timing, specific aircraft, intelligence details indicating tracking and confirmation of specific targets, etc. - to be classified.
(They are also, themselves, classified information. For you to get access to the specific one here, it'd have to be voluntarily declassified... by the folks currently trying to cover their asses. Example here: https://www.dni.gov/files/documents/FOIA/DF-2015-00044%20(Do... - note the SECRET//NOFORN original classification of it, and "The public release of the Guide or any portion of the Guide is prohibited." on page 7.)
> These are all hit pieces.
How did you evaluate that objectively without a guide?
In what world would "1345: 'Trigger Based' F-18 1st Strike Window Starts (Target Terrorist is @ his Known Location so SHOULD BE ON TIME — also, Strike Drones Launch (MQ-9s)" not be a piece of classified information? If revealed, every likely target in Yemen would be potentially forewarned.
"NBC News first reported that the launch times and bomb drop times of U.S. warplanes about to strike Houthi targets in Yemen — details multiple officials have said are highly classified — came from the secure channel."
"'This information was clearly taken from the real time order of battle sequence of an ongoing operation. It is highly classified and protected,' said Mick Mulroy, a former Marine who was the Pentagon’s top official for Middle East policy during the first Trump administration."
what you need is a document called a "Security Classification Guide". there will be a unique version for the specific mission / command that was running the attack against the Houthis, and there will be one for the SecDef office.
this document describes the type of information that is classified, who decides if it is not classified any more, and to some extent, the why.
'secret' means disclosure will 'damage the national security'.
'top secret' means disclosure will 'cause exceptionally grave damage to the national security'.
political discussions about dealing with world events is probably 'top secret', especially during the deliberation stage. operational information like 'TOT is 1pm local, 4 F18's with LGB's are inbound' is probably considered Secret until the crews return; in which case it is probably considered lower in criticality.
Wouldn't MiTM be relatively easy for a state actor or even well-coordinated non-state actors? At least, if I was a state, I'd have backdoors in as many open source projects as I could and agents in the organizations in the supply chain.
It's a crazy world when the person in charge of the US military is more paranoid about their own government than random people they don't even know.
If you go back far enough in the Twitter archives, you can see where Jack Dorsey basically tells everyone to switch to Signal to communicate with him. Was that the point when they all started colluding on Signal?
Or even the infamous and highly sophisticated reporter-in-the-middle attack, where the victim is drunk and rambling, has no idea how to verify public keys in order to actually use the e2ee correctly, then fat-finger adds people by nickname from a contact list that’s full of personal connections.
You need to verify safety codes on someone's device to actually verify they control the device with the Signal account you're communicating to, rather than it just being relayed by a false account somewhere due to a MITM attack.
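Added example, not part of any comment in this thread and not Signal's own code: a simplified safety-number scheme showing why comparing the number shown on both devices exposes a relayed session. The derivation (iterated SHA-512, 30 digits per party), the identifiers and the keys are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 5200  # assumption: work factor chosen for this sketch


def party_fingerprint(identifier: str, identity_key: bytes) -> str:
    """Derive 30 decimal digits from one party's identifier and identity key."""
    digest = b"\x00\x00" + identity_key + identifier.encode()
    for _ in range(ITERATIONS):
        digest = hashlib.sha512(digest + identity_key).digest()
    chunks = (digest[i:i + 5] for i in range(0, 30, 5))
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def safety_number(my_id, my_key, peer_id, peer_key_as_seen) -> str:
    """Number one device displays: both fingerprints, sorted so that the two
    ends of an untampered session show the same 60 digits."""
    parts = sorted([party_fingerprint(my_id, my_key),
                    party_fingerprint(peer_id, peer_key_as_seen)])
    return "".join(parts)


def verified(number_on_a: str, number_on_b: str) -> bool:
    """Out-of-band comparison of what the two screens show."""
    return hmac.compare_digest(number_on_a, number_on_b)


# Constructed sample identity keys (opaque 32-byte values, not real keys).
ALICE_KEY = bytes.fromhex("a1" * 32)
BOB_KEY = bytes.fromhex("b2" * 32)
RELAY_KEY = bytes.fromhex("c3" * 32)  # key substituted by an intermediary


def honest_session():
    """Each side sees the other's real identity key."""
    a = safety_number("alice", ALICE_KEY, "bob", BOB_KEY)
    b = safety_number("bob", BOB_KEY, "alice", ALICE_KEY)
    return a, b


def relayed_session():
    """Each side was handed the relay's key in place of the peer's."""
    a = safety_number("alice", ALICE_KEY, "bob", RELAY_KEY)
    b = safety_number("bob", BOB_KEY, "alice", RELAY_KEY)
    return a, b


if __name__ == "__main__":
    print("honest match: ", verified(*honest_session()))
    print("relayed match:", verified(*relayed_session()))
```

The check only helps when the two numbers are compared over a channel the intermediary does not control, such as in person.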
I'm not following your logic here. He is not allowed to use Signal for his work. It sounds like there were some measures in place to block lots of "normal internet" (for any number of good reasons), which would include Signal. He then deliberately circumvented those measures so he could use Signal.
Deliberately circumventing security and policy protocols is a bad thing in itself.
The article premise is that he used a dirty Internet connection to access Signal. My argument is that is the only known way to access Signal as far as we are all aware. Because as has already been stated, it’s only approved for unclassified communications only per DoD policy. I don’t know what’s secret in his communications because we don’t know what the government has designated as such.
I just want to say, as someone who was in the military at a point in time, if a private (lowest rank) did anything like this, they'd be burned at the stake. Actually if most officers did this the same would happen.
“A threat actor compromised a mobile app that Ukrainian artillery units used to assist with targeting. The compromise of the app is believed to have allowed the threat actor to monitor the movements of Ukrainian units in order to facilitate military targeting by Russian-backed rebels in eastern Ukraine”
That rule doesn't apply to this administration anymore. Once is incompetence. Every single thing is a coordinated effort to gut every government service for personal gain.
unless of course there's a lot of evidence that the whole administration is rotten to the core. it can be both malice and stupidity. it doesn't need to be one or the other.
> it connects directly to the public internet where the user’s information and the websites accessed do not have the same security filters or protocols that the Pentagon’s secured connections maintain
(I’m not able to find the phrase “industry standard”. Where does the article use that?)
The point is that he intentionally broke policy to set up a communications system which doesn’t meet federal security standards for sensitive information and also doesn’t comply with the rules for retaining records. Think of it like hiring a new bank manager who decides that they need to start storing the money in a second location with a combo lock only they have the password to. They say they’re not doing it to commit fraud but it’s unambiguously more vulnerable and, far more importantly, there’s absolutely no reason to do that except if you’re planning to do something illegal because the existing system works fine for everything they officially need to do.
The Trump administration largely doesn't trust the employees and infrastructure which it oversees. Not only did career government employees sabotage administration priorities throughout Trump's first four years, some of the government devices provided to the administration were used against it during the "Russia collusion" investigations [1]. Based on this experience, the administration rejected the government devices offered by the GSA the second time around [2]. Because of this deep distrust, we also have the "anti-FBI guy" in charge of the FBI, the "anti-IC" gal in charge of the intelligence community, the "anti-FDA" guy in charge of the HHS and FDA, etc. I wish it weren't this way, but sow the wind and reap the whirlwind, I guess.
I think that's a very understandable response seeing as they colluded with Russia, serve their aims, and have every reason to worry that their continued efforts to serve Russia and undermine America will cause American government employees to be upset with them.
It would be mighty silly of them NOT to take precautions against their efforts being undermined. Of course this effort of theirs will face attempts to undermine it: it's an entirely hostile effort on every level, obviously in service of a hostile foreign power.
Why would they trust they won't be resisted? Not everybody is foolish.
Signal (or something like it) probably should be supported by the DOD for high-level communication among defense & administration people. Under the traditional rules, certain topics can only be discussed in SCIFs, which are a huge pain in the butt to arrange a meeting in, especially as politicians travel a lot. So military topics end up disconnected from politics.
(Maybe the military likes being disconnected from politics, but that's not the setup that political philosophers recommend to preserve democracy.)
If the DOD managed dedicated phones with no apps except Signal, that might be better than whatever they do between SCIFs.
I think the biggest issue with using Signal in these cases is not the risk of leaks from a compromised network (although obviously sloppy opsec has already led to unauthorized parties being added to these conversations), it's that it bypasses the kind of retention policies that are required for the purpose of holding public servants accountable. And I think that's probably on purpose.
> retention policies that are required for the purpose of holding public servants accountable
I suppose that ship has sailed. The powerful just discuss at golf clubs and such, no public records. There are public records of the things the powerful decided should be public.
Signal is always E2EE. Your confusion comes from whether the other party on that E2EE link is the one you expect, which is a different question but also one where the risk goes down with usage: the reason Hegseth’s chats blew up was that they added a reporter but never actually talked to them.
There’s a lot wrong with that for discussing classified information but for normal people it’s fine because in most cases you’re going to notice when your friend doesn’t respond or shows no sign of awareness of your past conversations. “Literally useless” isn’t true in any scenario but it’s bad advice for anyone outside of such sensitive situations because it encourages use of apps which aren’t any better or are actually worse (WhatsApp, Telegram, Facebook, etc.).
When someone says e2ee in this context the two “ends” clearly matter here.
Trusting Signal, without the out of band verification, does make its primary property useless yes. And for classified information that’s actually dangerous.
The reason I use strong language here is that your comment clearly demonstrates the powers of marketing. People think just because they’re using Signal now, everything is a-ok.
It would be better to acknowledge that you used the wrong term the first time than trying to blame marketing.
Signal always provides E2EE and that is always useful because it reduces the problem to worrying about the other end of the conversation, not all of the intermediaries. That doesn’t mean that you can blindly trust the other end, but that’s always true to varying extent - just because they’re using Signal doesn’t mean that their device hasn’t been compromised or that they are not forwarding messages or blabbing about something you expected to be secret. Signal doesn’t promise anything other than that your messages are secure between you and the other party.
That’s the point to focus on rather than trying to redefine end-to-end encryption. It’s why you want to talk about security in the context of a threat model: Signal is designed for normal people, not high-level government officials working with classified information, where they have entire professions because the problem is fundamentally harder and mistakes can have significant consequences.
DOD's IT department should be in charge of making sure everyone in the employee directory has their credentials properly installed on everyone's phone. You don't need to fork it, just administer it properly.
You don't need an external trust store. Just have IT add and verify the relevant contacts, being careful not to include any journalists with similar names.