White House communications director previously revealed (after “Signalgate”) that Signal was an approved and whitelisted app for gov’t officials to have on work phones and even discuss top-secret matters on. But I haven’t heard that TeleMessage was approved (and I’d have serious questions if it were given the foreign intelligence factor). Anyone know if there is a clear answer to whether it’s been approved?
It was incontrovertibly approved as it is only installable via MDM.
A likely explanation is that the communications director (or the people informing her) wouldn’t know to distinguish between Signal the app, and a Signal compatible app that is nearly indistinguishable from Signal. A lot like Kleenex is a common term for tissue paper regardless of brand.
When the leak was first revealed, there was loud speculation about the legality of government chat messages being set to auto-delete. This additional revelation, about the use of TeleMessage, shows that someone with a security background has actually thought about these things. It makes perfect security sense to archive messages somewhere secure, off phone, for record keeping compliance while ensuring that relatively vulnerable phones don’t retain messages for very long. It’s also an easy explanation for why such an app was created in the first place. There is an obvious market for it.
> It was incontrovertibly approved as it is only installable via MDM.
Only if this is his standard govt-issued phone. It's also been shown they are also using their own personal phones. They could easily be using unapproved phones some random DOGE'er bought and gave them with an MDM setup, without any real oversight.
This is currently my bet. This looks like something I would set up— state actors are not in my threat list. But, I’m usually being paid to protect the employer not the employee.
> This additional revelation, about the use of TeleMessage, shows that someone with a security background has actually thought about these things.
We only have evidence they used TeleMessage after the scandal. When the same guy let the press take a photo of his messages with Vance, Rubio, Gabbard and others.
If DOGE can storm into government offices and get root access to sensitive systems without proper procedure, couldn't SECDEF and co. strong-arm their way past the IT worker managing the MDM?
According to the new 404 Media article [0] about the app's archive server actually being hacked, TeleMessage does have contracts with several governmental agencies. Still not a direct answer to the question, I know, but it tilts the answer overwhelmingly towards "yes."
This is so frightening. I worked in corporate security, and that was occasionally a leaking ship, but this wouldn’t even fly with our engineers even if we wanted their message history. This is negligence.
On a more meta note, I wonder who even works at companies founded on ideas that are just... bad. On average, I expect good engineers to push back on such business requirements and also have better job mobility so they can leave and work elsewhere. The researcher found the vulnerabilities "in less than 30 minutes" so it seems there's some lack of competence here.
Unfortunately, misguided business requirements like this won't simply disappear and I get that those can be niche offerings that attract juicy contracts.
Casinos, scams (both of these Web3 as well as traditional), game hack developers, ransomware and database hackers. Adtech, which thousands of HNers work in (anyone at Google). Temu, Shein, gacha/lootbox games, dopamine drug dealers (Meta, Bytedance). NSO group, spyware. Policeware, Clearview, surveillance tech. You could name defense as well, but I find that more ambiguous.
I wouldn't be surprised if at least 25% of HN has worked for such companies for at least 2 years of their career.
The reality is that it's a dog-eat-dog world out there. I know people who worked in adtech. Yeah, they thought it sucked too and was boring, stupid work compared to doing something cool. But it paid the bills, and interesting work is hard to land even without having to pivot into it mid-career.
People generally need jobs, and some of these jobs aren't so good. Not everyone is talented enough to work at the next hot startup building a frontend to ChatGPT.
The correct answer is no one outside US Government IT knows for sure what is or isn't approved per their own rules. Every article (and the comments therein) is just speculation and people trying to confirm their own biases, desperately looking for something to blame someone for, to produce more rage-bait and thus feed more ad clicks.
Every single article is written with the presumption that there are no actual IT people in the White House, that someone wheeled in a Starlink dish on a dessert cart in the yard which is somehow running the entire government. It's silly and ridiculous.
> The correct answer is no one outside US Government IT knows for sure what is or isn't approved per their own rules
Veterans Affairs actually publishes a list of approved software as part of their Technical Reference Model: https://www.oit.va.gov/services/trm/ (don’t know how complete it is)
But I’m not aware of other agencies doing this. I suppose that VA, given the nature of what they do, likely feels that there is less risk in publicising this information
There’s also the FedRAMP program for centralized review of cloud services - fedramp.gov - I haven’t looked to see if Telemessage is listed as approved but I see some references to FedRAMP and Telemessage online suggesting that it may be
Another source of info is SAM.gov - https://sam.gov/opp/ab5e8a486e074d73bfe09b383ba819ab/view (that’s for NIH) - if there is an agency paying for it, you can assume they’ve approved it for use (or are in the process of doing so) even if they haven’t otherwise publicly said they are. But, not all contracts are public, so just because you can’t find it on SAM.gov doesn’t mean it doesn’t exist
>that someone wheeled in a Starlink dish on a dessert cart in the yard
That situation was ridiculous: to score the marketing points, but after fighting with the White House IT, the Starlink was installed at a remote location with much the same point of failure as their fibre services.
A few decades ago, the Republican party had one foot in the anti-intellectual camp, but only one.
They were the party of young-earth creationists, religious pro-lifers, climate-deniers and gun-lovers - but also of educated fiscally conservative folks. The party would welcome economics professors and leaders of medium-sized businesses, promising no radical changes, no big increases in spending or regulation, and a generally pro-market/pro-business stance.
The genius of Trump was in realising the educated fiscally conservative folk were driving 95% of the republican policy agenda but only delivering 10% of the votes. The average Republican voter loves the idea of disbanding the IRS and replacing all taxes with tariffs on imports. Sure, you lose the educated 10% who think that policy is economic suicide - but you can more than make up for it with increased turn-out from the other 90% who are really fired up by the prospect of eliminating all taxes.
And it works - jumping into the anti-intellectual camp with both feet has delivered the house, the senate, the presidency (electoral college and popular vote), and the supreme court.
The conservative movement has a brain-drain because they've realised they don't want the votes of smart, educated people.
Their take on scripture is deliberately anachronistic. We didn’t have the medicine or sanitation 2000 years ago to place their kind of value on a fetus.
The medicine in question comes from the very scientific establishment that grew out of scholasticism, which is why I find the accusation of anti-intellectualism rather strange.
My point is that you have to distinguish between arguing against the output of the intellectual activity and arguing against the intellectual activity taking place.
It’s possible that I misread it, since I don’t understand the accusation of anti-intellectualism.
Isn’t it rather pro-intellectual to found universities like that of Bologna in 1088 and pour massive amounts of resources into research to ensure we eventually get to the level of obstetric medicine that we have?
And isn’t it on the contrary intellectually lazy to throw your hands up and declare life to be disposable simply because you don’t know how to treat and prevent diseases and can’t be bothered to figure out how?
If I'm following you, I should state that I don't see anything anti-intellectual in Christianity as a concept or in practice. The anti-intellectualism I was referring to is specifically regarding the idea that the bible proscribes abortion, solely because the train of thought is anachronistic.
Would be interesting to dump the app binaries so people can take a look at how it's put together. I suspect it's a minefield of sloppy injection functions into how Signal works.
I felt the writer implied open source code was a bad/insecure thing, since they downloaded a zip file from some WordPress upload folder. I'm guessing the code was being made available to companies that "legally" obtained TM-SGNL.
>> Signal was an approved and whitelisted app for ... discuss top-secret matters on.
No. Just no. Anyone who has handled TS information would know how nutz that sounds. Irrespective of software, TS stuff is only ever displayed in special rooms with big doors and a man with a gun outside. The concept of having TS on an everyday-use cellphone is just maddening.
You're leaving out crucial information. Obama didn't keep his BlackBerry for classified information, he was given the then-standard government secure mobile communications device, a Secure Mobile Environment Personal Encryption Device (SME-PED).
More specifically, the device Obama was given was a Sectéra Edge [0][1] by General Dynamics, a device specifically designed to be able to operate on Top Secret voice and Secret data networks. It had hardware-level separation between the unclassified and classified sides, even having separate flash memory for both. [2]
The NSA contributed to the design and certified it and another device (L3's Guardian) on the SCIP, HAIPE, Suite A/B, Type 1, and non-Type 1 security protocols.
It was absolutely not a regular BlackBerry, it didn't run any RIM software, no data ever went through RIM's servers, and secure calls were encrypted and didn't use SS7. It was a clunky purpose-designed device for the entire US government to be able to access Secret information and conduct Top Secret voice calls on the go.
Even then, there were limitations to when and where it could be used and when a SCIF was required.
The current equivalent of the SME-PED programme is the DoD's Mobility Classified Capability[3], which are specially customised smartphones again made by General Dynamics.
There is no excuse whatsoever for the current administration's use of Signal, let alone TeleMessage Signal, for Secret and Top Secret discussions on regular consumer and personal devices. It's deeply irresponsible and worse than any previous administration has done.
Your reference [0] appears to contradict what you've said here. It speaks at length about several NSA approved options as alternatives, but says Obama used a BlackBerry.
The photo attached to the article captioned "President-elect Barack Obama checks his BlackBerry while riding on his campaign bus in Pennsylvania last March." appears to show a blackberry.
I take it from the article that this was as controversial as I remember it being at the time. Thanks for posting it.
He was allowed to keep his BlackBerry for personal communication only, not classified communication, and had to use a Sectéra Edge for classified communication. [0]
The Blackberry for personal use wasn't a stock BlackBerry, but hardened by the NSA and fitted with the SecurVoice software package to encrypt voice calls, emails, and messages. The few people he had on his approved communication list were given the same devices.[1]
That BlackBerry was, again, not used for classified communication. So it's not the same thing as the current scandal.
> He was allowed to keep his BlackBerry for personal communication only, not classified communication
Presence of the senior staff on his (very limited) contact list would seem to contradict that statement. Communication with them would be, by definition, not personal.
I agree with you that our government officials should be using the secure infrastructure our patriotic service members and civil servants work so hard to build and maintain.
Obama wasn't allowed to keep his Blackberry; he requested a secure commercial-quality cellphone to communicate with his aides, and NSA (which was, to be sure, not really happy about the request) selected the Blackberry as their platform. The end solution was a highly pared-down device that could only communicate via a hosted encryption server (a commercial product, SecurVoice) to a small number of paired devices, which were distributed to Obama's inner circle. The Presidential devices had additional security limitations (e.g., they could only connect to WHCA-controlled base stations). End of the day, what they had was an encrypted closed network of devices, some of which communicated over public wireless infra, running a very limited, NSA-reviewed, approved, and altered, software suite.
What's clear is that NSA put a fair amount of effort into securing and maintaining that system, so much that its use was limited to the White House; Hillary Clinton wanted a similar setup (her predecessor, Condoleezza Rice, had been allowed to use unaltered "off the shelf" Blackberries under an NSA waiver, but NSA had declined to renew those waivers due to security concerns), but NSA slow-walked and effectively derailed the discussions with State's security team, perhaps because they wanted to limit the amount of technical detail discussed outside the White House, or because they were concerned that State would be unable to provide SecState with the kind of technical support necessary to secure the devices during global travel. (We all know what happened next, of course.)
If you’d prefer, we can call it unclassified communication rather than personal communication. The point is that it was not used for Secret, Top Secret, or other classified communications. For that, he had the SME-PED device.
So, again, it’s not a parallel to the current situation. Nobody is saying the SecDef and other staff shouldn’t have unclassified devices as well as their classified devices, the issue is that they’ve been using the unclassified devices to conduct Secret or Top Secret discussions.
But how could he have accidentally created a conversation with a journalist for discussing targets during a military attack if secret communication was not done on his clear-text device?
I think you're misunderstanding me, I'm referring to Obama's use of an NSA-hardened BlackBerry for unclassified communication with a select group of people, while using a purpose-built and NSA-cleared secure phone for classified communication. All of which was done correctly in terms of information security processes.
Secretary of Defence Hegseth sent Secret or Top Secret information over a channel (Signal/TM Signal and a regular mobile phone) that was never cleared for classified communications. The person I was replying to was trying to equate Obama's actions to those of Hegseth (and Waltz and others), I was providing context showing that to be a false equivalence.
That's not a counter-argument. You're introducing a hypothetical with no substantiating evidence, trying to create a parallel to a situation where we have unambiguous evidence of non-classified devices and software being used to discuss classified material. The onus is on you to prove the claim, not on others to prove a negative.
It has been eight years since Obama's presidency, had there been any use of this hardened BlackBerry for classified communications it would have emerged by now. Similarly, all messages on that device were subject to the Presidential Records Act, and are archived by NARA. You can FOIA them if you want to.
There were also no claims made during his administration that he ignored security protocols. Even his insistence on retaining a BlackBerry for unclassified communications was done through a compromise and an NSA-hardened device, not by ignoring the rules.
Similarly, how do we know that Reagan didn't hold cleartext phone calls with his aides on the Top Secret plans to contain the USSR? We don't, but in the absence of any supportive evidence over the years it's safe to assume he did not.
Person you're replying to is using an "absence of evidence" fallacy as their argument, also known as an "appeal to ignorance" [0]. They're inferring that the absence of evidence that Obama didn't use his BlackBerry "for Secret, Top Secret, or other classified communications" is potentially evidence that he did in fact do so.
(I would have replied to him directly, but the comments have since been [appropriately] flagged)
In reality, no argument could ever be made if you had to prove the negative of every argument. Some other common applications of this fallacy off the top of my head:
"Well we don't have proof that children weren't trafficked in Comet Pizza, so it's proof that it did actually happen."
"We don't have proof that no kids used litterboxes at school, so it's proof that they did use litterboxes."
My statements were complete. You were not completing them, but trying to spin them in a way that implies wrongdoing when no evidence exists of it. I can only presume you're doing so for partisan reasons, to try to defend the actions of the current administration.
Whatever the reason, I have made my case. Feel free to make yours with a similar level of evidence.
How is your voting record public? Who anyone voted for is not a matter of public record, and even if you claimed to disclose it, nobody would be able to fact-check that.
Do you have evidence that Obama discussed or viewed topsecret intel on that blackberry or are you just trying to muddy the waters with a false equivalence?
You think he used it only to discuss what flavor of ice cream was being served that day in the White House dining hall? With only the senior staff? If so, I have a bridge for sale which may interest you.