SketchySeaBeast parent (dead)
[flagged]

snickerbockers
He did say last year he was going to make this the most open and transparent administration in US history. What other administration would grant a hostile journalist an inside look at the planning and execution of an airstrike? Promises made, promises kept.
femiagbabiaka
"hostile"
snickerbockers
The article itself commented on how ironic it is that of all the journalists they could have invited to the chat, it was one who has been highly critical of the president and not some sycophant who might have kept it a secret or turned it into a puff piece like what I just did except without the sarcasm.
game_the0ry
That wasn't Signal's fault. They accidentally invited a journalist to the chat.
ben_w
While it is correct that this was a PEBKAC error rather than Signal's error, I would like to suggest that, in general, all mobile phone apps are poor choices for anything as sensitive as planning a missile strike.
I think one could design a procedure involving a mobile phone and Signal that would be reasonably secure for that kind of use case. The number one point on that procedure would be that the phone in question isn't used for anything other than secure communication.

Of course, the US government already has approved procedures and devices for secure communication, so senior officials making up their own is reckless and unprofessional.

game_the0ry
I wouldn't disagree with you, here.
snickerbockers
I agree in principle but this was (probably) a result of somebody fat-fingering the wrong contact and I do think there's some culpability on either the app or the phone for making that possible to do by mistake. Touch screens are an inherently clumsy interface, and Android in general has a lot of problems with UI elements suddenly moving around without warning as you're clicking on things. And then there's autocorrect, UI hanging for several seconds at a time only to suddenly wake up and replay everything that you tried to do while it was non-responsive, phantom button presses caused by the device getting too warm, etc.

None of this is meant to excuse these officials for not authenticating everybody in that group or for using highly informal text messages to plan an airstrike of all things.

Ultimately there's no excuse for leaking information when you're at that level of government; I just feel like the app industry needs to take responsibility and fix several obvious, well-known and common UI issues.

upofadown
>but this was (probably) a result of somebody fat-fingering the wrong contact...

Supposedly, it was the result of a helpful Apple feature getting the wrong phone number for one of the intended group participants. Then Signal cheerfully used that wrong phone number to add the reporter to the group.

* https://www.theguardian.com/us-news/2025/apr/06/signal-group...

bee_rider
I don’t think there’s any culpability or responsibility for the app, it doesn’t really bill itself as a good platform to do the high-level planning of military strikes.

If there are UI issues, they should be fixed because they are also annoying when planning somebody a surprise birthday party. (Or all the other stuff an encrypted chat app might be good for).

On the other hand, PGP just calling itself “pretty good” was pretty funny. Maybe that’s the level of active humbleness that everybody should aim for.

mapmeld
I thought the latest on this was that the journalist's number was in an internal email from spokesman Brian Hughes, and software or human error led to his phone number being associated with Hughes in Waltz's phone contact.
upofadown
Yeah, but Signal really didn't help them at all with that. As with most of these phone-oriented encrypted messengers, Signal is pretty sloppy with identity management. It would be hard to find a better example of this than SignalGate 1.0.

* https://articles.59.ca/doku.php?id=em:sg End to End Encrypted Messaging in the News: An Editorial Usability Case Study (my article)

jeroenhd
It wasn't Signal's identity management that proved to be a problem: https://www.theguardian.com/us-news/2025/apr/06/signal-group...

When it comes to practical cryptography, nobody is doing signing parties anyway. It's all TOFU unless someone forces people's hands, and when you force people to do security you can assume they won't bother checking if the QR code they're scanning is coming from a real app or a livestream of someone else's app, they just want to get the scanning done. The whole key scan thing is probably only of any use to people keeping contact after meeting with journalists.

upofadown
If you blame the incorrect phone number in the Apple address book then sure, but that implies that you think that a smart phone address book should be responsible for identity management in an end to end encrypted messenger. Oh, and the telephone number to identity mapping is the responsibility of:

* Signal
* Twilio
* The phone company

That's all OK as far as it goes, but the root problem here is that a typical Signal user is made aware of none of this. Sure it's legit to take convenience over security, but it is not OK to leave this tradeoff completely unknown to the people affected.

iAMkenough
The federal government uses a third-party Signal client that saves their conversations in clear text to a database, which has been breached before. Clearly user error, not Signal's fault.
sandworm101
Well, if you just cannot be bothered to drive to the SCIF, and if you are best buds with the man in charge, do whatever least impacts your workout schedule.
FuriouslyAdrift
What, you don't bring your SCIF wherever you go?

https://www.theemcshop.com/benchtop-faraday-tents/select-fab...
