Politics aside, these auto-suggestions are a landmine in business contexts and should be disabled by IT where possible. Sometimes I'll be sending emails including both my client and internal team and the lawyers for the other side. The phone will decide that these email addresses are related in some way. So next time I want to send an internal strategy email to my client and the team, the app will helpfully suggest copying opposing counsel. Not great.
Then again if they had been ended by now, we might never have heard of this SNAFU.
When a feature is mildly useful 95% of the time and an awkward footgun 5%, I think it still remains a good addition, but one that can be turned off if necessary.
Double checking the recipients in a chat discussing national security is a super low bar and the parties involved are rightfully embarrassed by this one. I'm not letting them blame it on the product managers.
It's interesting that this was the cause. I'm sure we all have our own stories of how UI/UX niggles (regardless of platform or app) have led to unintended behavior.
While I understand automatic suggestions can be helpful at times, when the UX doesn't clearly identify the cues that lead to the suggestion, with a way for a human to confirm it, this type of error is a likely result.
- deny anything wrong happened - Atlantic is a liar
- the leak might have happened, but nothing secret was shared
- ok fine, secret military information was shared
- here is an analysis that says it was the phone at fault, not human error
I have trouble believing anything except butt covering at play. When you are repeatedly caught lying, I do not immediately believe the latest story iteration, even if it is plausible.
Almost everything else out of his mouth, at least towards the media, has existed somewhere on the scale between 'large clump of BS wrapped around a tiny nugget of truth' and 'bald-faced lie'.
And when fairly obvious lies are repeated, the rest of what is said by himself and the rest of his administration retains the stink of the same taint.
> I have trouble believing anything except butt covering at play.
No, I did not cheat. We just happened to be hanging around without undergarments, and, you know, we had been eating bananas, and somehow some banana peel fell on the floor, and then I slipped, and grabbed the first thing I could hold on to, and that's how we both accidentally fell on the couch, and then the dog got excited and jumped on us to play, and that's how I involuntarily got jump-humped into this unfortunate event..
They must have different iPhones to me, because mine doesn't do that. If I were cynical I would say they made this up.
I wouldn't trust it with my bank details though (i.e. while I might send bank details to my life partner, I definitely wouldn't send them to someone my iPhone thinks might be my partner). And I DEFINITELY wouldn't trust it with military operation details.
Years ago I had my nicely arranged contacts in place, then added Gmail and it uploaded contacts so now they were all duplicated. Then when I dug into it, I realized you have folders of different contacts, but depending on the view they are shown as combined.
Then add on top Gmail keeps asking me if I want to update someone's contacts from an email they sent me. I click yes, but it keeps coming up even though their contact info doesn't change (what?).
Then if I try to copy a message from iMessage, it will randomly assume a number is someone's phone number and ask me if I want to create a new contact (what?). If my fingers were fatter it would be easier to click "yes" and end up with a non-phone number added to some person's contacts.
I only trust the contacts that I add manually, everything else is suspect.
That would be weird to me.
For a consumer platform, it makes some sense, and the prompt is supposed to be “hey you might want to do this”, and the user can decide if it makes sense. I’ve used an iphone since they came out, have seen this prompt like twice, and got it right both times. But I’m not a national security advisor or anything so maybe it’s more clear to me.
I'm sorry, how is that knowable? Is there a log of iPhone users' interactions that shows this?
Or is it the case that investigators pointed to the wrong number being saved in Waltz' phone and Waltz replied: "Oh, the only explanation is that I must have misclicked when my phone asked me to update my contacts."
If it was intended as a secure communications platform for government use, they wouldn't be using phone numbers and an address book that can have incorrect information.
I did read Signal was being used in the military etc, but only as a notification system that they should check their actually secure communications thing.
What?
It's just that Google Voice app on iPhone did something weird in a recent call. I hadn't been using it very much at all, and about a month ago I got a notice from Google saying, Use it or lose it. Ok. So I use it and the suggestion thing threw me for a loop.
On my phone's 120 mm screen, if you switch to the keypad, but before you type a number, the top of the screen says "Suggestions". But I didn't see that. I'm looking back and forth between a phone number in an email signature and the on screen keypad. Once you start typing the number, "Suggestions" goes away. So I finish typing and look up to see the name of a personal contact (never called from Google Voice, btw). I had to type the number again I was so confused.
I was thinking, that's what you get for free IP phone number and free app. Now I read the OP and think, now my iPhone is going to start acting like crap too?
Funny to think it, but I wonder if these Gov peeps are using the free versions or if they pay for these services?
Cause SIPR, JWICS, GIANT etc… are nearly impossible to access - to the extent where for SCI info (which is arguably the level of data they were passing) they constrain you to having to communicate in a certified SCIF
The SecDef has a bunch of SCIFs but even NSC staff don’t to the same degree.
People pass TS/SCI data outside of the system regularly - congress is notorious for this and I have personally had multi year operations shut down because a congressman talked about it at a hearing.
I know of plenty of parking lot “SCIF” and sneakernet SCI conversations because time was an issue
The reality is this admin doesn’t care about the structures that the national security community is statutorily mandated to use, but there’s nobody that is going to do anything to them about deviating.
Classified networks suck to use, anyone who can get around it does. The fact that it's the secdef and nsc and they got busted just demonstrates that they view their behavior as more important than the system.
Left to the viewer to determine if that's a good tradeoff.
You can go around legally too just ask what is and isn't considered classified by derivative.
Most OCAs are 2-3 stars and are marginally aware of what they are signing
Rescinding or otherwise ignoring OCAs and caveats as an appointee, NSC officers or especially cabinet level person (don’t get me started on elected officials who have zero respect for classified information ntk) is basically an embedded privilege of rank
RHIP is always applicable
Well, Chinese intelligence, but probably not anyone else, right?
A bit of a conundrum then since multiple folks in the admin said it wasn't classified.
It's not unique either; the former prime minister of the Netherlands, Rutte, insists on using a Nokia phone and plain text messages, refusing to divulge what is in those messages and deleting them as there's limited space, thus not adhering to any archival requirements.
Still not an excuse, because the people with the power to fix it are using Signal instead.
https://www.bleepingcomputer.com/news/security/cisa-urges-sw...
- all communication must be stored for legal purposes
- all communication must be on secure government hardware
- the entire security infrastructure must be operated by the government
Which of these aren't fundamental and practical?
> all communication must be on secure government hardware
> the entire security infrastructure must be operated by the government
...only matter practically, if the Government hardware and infrastructure are guaranteed to be more secure than the alternative, also considering the fallibility of the users. And while I appreciate that iPhones and Signal likely aren't infallible, I'm not sure we know what level of absolute trust to place on Government-supplied hardware or infrastructure provided by whoever got the contract?
I would put the market value of a backdoor into all Senior White House communications as certainly >$10B, and probably >$100B, limited only by how long the buyer believed it would be a reliable source of intel. (it may be better to offer it as a subscription service.)
At that point everything should be assumed to be compromised until demonstrated to a reasonable degree of confidence that it's probably safe. A random install from an app store is not that.
Yes - how much would Russia, China, or Iran - and US allies - pay to know what the US is planning? What secrets the US has - strengths and weaknesses. It could be existential for their countries. They even could cash in on market-moving information, and even if they wouldn't pay $100B, so could investors.
But I don't know if I'd try the subscription model with state intelligence agencies. It exposes you indefinitely, rather than take the money and disappear; they won't like you having access to the valuable information; they can just take what you have; they are very dangerous.
But the auto-delete-after-1-week messages from Signal would never be recovered (unless someone is logging all that data and in the future will be able to crack it).
This is precisely why the government has its own very inconvenient devices and network, which cannot possibly fall victim to the same completely understandable human error. Had the team been using secure devices on the secure network, no journalist would ever have been accidentally added to the chat.
That these people are in charge of national security is beyond ridiculous. It speaks volumes about the unprecedented political setup we find ourselves in that such frankly inexperienced and naive people are in charge after Senate confirmations that were intended to protect us all from such a mistake.
It also tries to blame past administrations for this (which includes Trump last time).
Mike Waltz is a Special Forces officer and only retired as a Colonel from the National Guard to take his position as National Security Advisor.
Tulsi Gabbard is still a Lieutenant Colonel in the National Guard.
Pete Hegseth was a Major in the National Guard, ending his service in 2021.
JD Vance is probably the most junior of the veterans, leaving the Marine Corps as a Corporal in 2007.
https://www.disa.mil/-/media/Files/DISA/Fact-Sheets/DMCC-TS-...
Indeed, like this:
https://www.fbi.gov/news/press-releases/statement-by-fbi-dir...
"From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received."
Why the double standard?
And for the individual lawmaker who tries to work with their colleagues to mount a primary-proof challenge to the administration, there is always the risk of being outed at any point in the process of organizing. Once outed, the more powerful adversary picks off the opponents one by one, with the others retreating back into darkness to avoid the same fate.
I have often observed government officials carrying two phones and using both of them in the same meeting.
I have two phones. One for work and my personal phone. What's your point?
> the White House had authorized the use of Signal, largely because there is no alternative platform to text in real time across different agencies, two people familiar with the matter said.
> Previous administrations, including the Biden White House, did not develop an alternative platform to Signal, one of the people said.
Are you saying these sources are dissembling? Wouldn't surprise me at this point, but just making sure I understand what you're saying.
> White House had authorized the use of Signal, largely because there is no alternative platform to text in real time across different agencies, two people familiar with the matter said.
What these guys are arguing is that there's a case for using Signal for something like what Waltz was initially doing - telling people to check a more secure system and asking them to name a point person. But of course the risk is that a) even that information is extremely useful to an adversary; b) once the more convenient system exists, you're relying on people to carefully adhere to the rules about what should go on it, and guys like Hegseth are morons who don't feel like they need to follow the rules.
It's also proof that 1) security processes are important for a reason and 2) don't discuss information you don't want getting out on a consumer device (or really on any internet connected device) and 3) these guys' plan of using signal to avoid record keeping was foolish and stupid, more than just because of their silly fear that Democrats would release their records (that would require Democrats growing a spine).
s/was/is. As in -- they're going to keep using Signal.
And yeah it is all for naught because as you say, there is no sign the dems as a group will grow a spine.
If that does turn out to be the case then I am certain this won't be the last time they inadvertently share information.
Oooh I actually think that's the question that history will ask. We've seen groups choose party over country before, but I can't think of a time in my life where it was to this extent.
For one thing, as far as I know, the iphone doesn’t attach phone numbers to contacts automatically, it just asks. The article claims the iphone did it, but I think Waltz must have.
Also, this is why you don’t use a random group chat app for national security conversations. Your general app is designed for engagement which includes building out the social network. Of course it’s going to err on the side of inclusion, when here you want to err on the side of exclusion.
For national security, contact info would be vetted, verified, and strictly up-to-date. There would be multiple guards that would prevent a thoughtless tap months earlier from leading to the wrong person being given national security information.
It sure is frightening that these bozos are in charge of things that have high stakes.
Either way, yes using a communication system on the public internet and outside of official documentation processes is bad no matter how you do it. Deleting those communications could be a bad sign, though to be fair it could also be a sign of someone trying to do what they think is more secure (avoiding old messages being leaked or hacked later).
This is a problem and it needs to be stopped.
1. https://americanoversight.org/investigation/the-trump-admini...
"in the case of Clinton involved bringing it up for nearly a decade, an FBI investigation, an Inspector General's report on the FBI's and DOJ's handling of the case and a three year State Department investigation. It's only fair to apply the same standard here"
Does that clear it up for you? Do you still need justification to treat this seriously? Or are you a person unwilling to try and address poor leadership because of the (R) after their names?
There should be just as thorough of an investigation into this one, and assuming there isn't that's a miscarriage of justice.
That said, I'm of the opinion that it's great and all that they investigated Clinton's email server but the fact that nothing came of it is a problem. It absolutely violated the intent of the law in my opinion. The mere fact that they found so many emails with information that should have been marked confidential is, in my opinion, a violation of the intent of confidential information protection laws.
that would be in a group of even minimally qualified professionals, not the clowns who got their jobs on a whim of the bigger clown. You know the monkey with a nuclear bomb. I hope we wouldn't see how they handle the real bomb, and for now just the tariffs have like an extremely large nuke just wiped $10T+, and it isn't "just stock market", it is large complicated efficient logistics chains and trade relations that were built over years and were powering this civilization. To compare, the damage from the Ukraine war - you'd need several tens of nukes to produce such damage - is just around a "meager" $1T.
Any 'loving message' to her from the early days ("you are so perfect") and any 'nasty message' to others ("oh that bitch!!") sent to anyone was presented in court. So for caution he auto-deleted even the messages that were innocuous, just in case it could be used against him "oh he wanted to spend money for a new phone/laptop, thus he has money, thus I will take it"
For most people and companies record keeping is important and valuable.
I'm not surprised. My own company sends out several emails that Whatsapp can't be used as it's not secure, yet I get Whatsapp messages from leadership I work with constantly.
People ignore directives all the time. Usually out of convenience.
People have even called it out in a Whatsapp chat "hey guys, we're not supposed to use Whatsapp" and people usually ignore it.
During Biden's administration the CISA even encouraged the use of Signal.
I’m not excusing it, just saying it was and still is, incredibly common among White House people.
Information concerning capability or location should not come near unclassified networks or civilian phones. Somebody could drop or steal that phone or glance over a shoulder which could necessitate cancelling the operation or much worse.
And no one ever says, "Don't share operational details in this chat," either before Hegseth's details message or after. It's perfectly clear that was normal and expected.
The chat starts with pulling together the group, continues with high-level agreement to proceed, then the details start dropping... You know... exactly the way work-related chats go. I've had innumerable work chats like this.
Hegseth's own severe incompetence doesn't somehow absolve Waltz of his. I used "bozo" in the plural for a reason.
You don't have to carry water for these idiots. They may nominally be on your "side", but they aren't holding up their end of it. They are making huge mistakes which have real consequences for us all. Time to start calling them out on it, not trying to defend them with technicalities, false dichotomies, and misdirection.
>It's perfectly clear that was normal and expected.
Their lack of protocol, lack of humility, and just lying about everything shows how unfit they are for leadership.
The work I do isn't 1/10th as sensitive as this but we have this branch in our threads all the time. I can't imagine the carelessness required for this to happen this way.
The other issue is having this chat outside of formal means. I am not as well educated but having civilians that serve at the pleasure of the president I would assume must follow some rules around formal and recorded communications.
It's not surprising that given a choice between {serving the needs of the military} and {serving the needs of the administration}, he defaulted to the latter.
1. Limit what was shared in the Signal group to non-operational details and refer all involved to their secured systems.
2. Make it easier for everyone else and just post the details directly in the chat.
He chose the one that he thought would curry favor with other members of the administration.
——
Being a Major in the Minnesota Army National Guard.
And the following Overseas deployments:
- Guantanamo Bay (2004-2005): He served as a second lieutenant with a security platoon, guarding detainees.
- Iraq (2005-2006): He deployed with the 3rd Brigade of the 101st Airborne Division, serving as an infantry platoon leader in Baghdad and later as a civil-military operations officer in Samarra.
- Afghanistan (2011-2012): He served as a captain and senior counterinsurgency instructor at the Counterinsurgency Training Center in Kabul.
Awards
Hegseth earned two Bronze Star Medals for his service in Iraq and Afghanistan, as well as a Combat Infantryman Badge, which recognizes soldiers who have directly engaged in ground combat. He also received two Army Commendation Medals and the National Defense Service Medal with Bronze Service Star, along with Expert Infantryman and Combat Infantryman badges.
His military career spanned from 2002 to 2021, including active duty and time in the Individual Ready Reserve.
In addition to his military service, Hegseth holds a Bachelor of Arts in Politics from Princeton University and a Master of Public Policy from Harvard University’s John F. Kennedy School of Government, which complement his practical experience with academic credentials relevant to leadership and policy.
———-
You can argue he’s good at the job or bad at the job.
I would have no issue if you said he was completely incompetent.
But saying that his ‘primary qualification is being a yes man’ is a ridiculous laughable argument.
If he was the only reserve O-4 with combat experience we could find to serve as Secretary of Defense, then yes, that would be a primary qualification.
Given the rank, that's ridiculous. Ergo his primary qualification is something else.
Not you, but many others were arguing at the time that his primary qualification was ‘being a Fox News anchor’, which is infuriating. It’s not - it’s his military service. There are many people that are Fox News anchors, none of them were eligible for the job because they do not have a military record.
I have no argument with claiming he won the job because of his connections.
William J. Perry (94-97, 2+5yr Army)
William Cohen (97-01)
Robert Gates (06-11, 2yr AF)
Leon Panetta (11-13, 2yr Army)
Chuck Hagel (13-15, 1yr Army)*
Ash Carter (15-17)
* To be fair, Hagel's year was volunteering to be drafted and sent to Vietnam as an infantry squad leader.
Who do you have in mind? Carter, Cohen, and Cheney were the only confirmed secretaries from the past 40 years who fit "no military experience".
There are a handful of recent secretaries with < 5 years of military experience who did not even reach the rank of Captain (e.g. Rumsfeld, Robert Gates, Panetta, Perry).
To be clear: I agree with you that military experience is not really a qualification for the job, unless the individual has achieved high enough rank (i.e. General) to be involved in strategic planning. And certainly most secretaries of defense don't have that (Austin and Mattis are quite rare on that front, doubly so because they needed congressional waivers to serve in the position while still being active-duty military).
Trump saw him and liked him on TV
Trump made him SecDef
There are hundreds of thousands (millions?) of people with a similar or greater military record.
There are probably less than a dozen who have a clearer record of being a yes-man (by virtue of very few people being on TV to begin with, and even fewer willing to rhetorically fellate POTUS unconditionally)
You intersect the two and you get Hegseth, but the criterion that did the heavy lifting is absolutely the yes-man one.
"...a ridiculous laughable argument"
Right back at you.
If I was on Slack at work and someone tried sharing secrets I would immediately say hey, we have protocols for this. Now we have to rotate keys. Please follow the protocols. Let’s walk you through it if you don’t remember. Etc.
And those are just API keys or similar data. We take it seriously because 1. It actually matters and 2. The habit will save your ass when it counts. Make it a habit
These guys have not made security a habit. It doesn’t actually matter to these guys. That’s scary. This is so much more than access to my org’s AWS services.
The group already had the supposed who's who of dedicated security professionals .. as appointed by Trump admin, of course.
Vice President JD Vance, senior White House staff, three Cabinet secretaries, and the directors of two Intelligence Community agencies.
Oh, and Marco Rubio .. the actual "acting archivist of the United States" responsible for ensuring that such conversation chains are preserved for posterity and not auto discarded on Signal.
~ https://en.wikipedia.org/wiki/United_States_government_group...
Speaking from an allied five eyes perspective .. it was an amateur hour clown show of epic proportions.
Followed up by Trump trashing America’s intelligence capability on the say so of a far-right conspiracy theorist and 9/11 truther.
He was tripping on power (reminds any other washed out alcoholic talking). It was a collective orgasm in that chat.
The media ... not covering a story accurately, or with integrity?!
Say it isn't so!
Including Waltz.
They deserve punishment at the Executive level.
I want a President who follows laws.
https://www.cnn.com/interactive/2025/03/politics/yemen-war-p...
They wanted to send a message to the recipients without going through official channels. What is a better way than adding a journalist to the "secret" group to "leak" it?
Politicians regularly intentionally leak information they want leaked, and politicians also encounter leaks that they don't want leaked. Perhaps Goldberg did the only thing he could - he identified the trap.
https://archive.is/YmtqQ/bb4da26bd1dd20371c772ed26070f066358...
Signal just released a change that lists all the members in the chat itself. You can guess why ;-)
https://github.com/signalapp/Signal-Android/commit/da3fc408f
The same memo where they made that recommendation also said: "Unmanaged 'messaging apps,' including any app with a chat feature, regardless of the primary function, are NOT authorized to access, transmit, process non-public DoD information. This includes but is not limited to messaging, gaming, and social media apps. (i.e., iMessage, WhatsApps, Signal). "
Even after that, they were again explicitly warned not to use Signal for anything sensitive:
https://www.cbsnews.com/news/nsa-signal-app-vulnerabilities-...
But neither of those applies for the Signal chat in question. That was not confidential communication, it was top secret active military data. And, like any other military-related decision, it was very much in the category of information that must be recorded and was going to eventually be releasable under public record laws, as soon as its confidential nature expired, 50+ years from now most likely.
Of course, the more fundamental reason was that he wasn't looking at where the aeroplane was going, not even periodically.
Clicks the button without knowing what impact it will have on a device he uses for national security communication -- reckless.
Uses a personal device -- careless and reckless.
You couldn't even be bothered to read the sources you're quoting.
> That doesn't sound "extremely reckless negligent and careless". It sounds like he misclicked one time on an unexpected popup.
hwut? We're not talking about accidentally texting your ex-girlfriend though I know people like you need to rely on false equivocations to sanewash the garbage.
That sounds like cleared to the standards expected of politicians.
This is just a case where there's an individual to blame. We're looking back at at least eighty years of negligence and recklessness. Basically every conflict we've been in indicates clearly we don't have the competence nor the honesty that a reasonable human would find sufficient to manage such a destructive entity.
That's about Michael Waltz. The decision is based not on whether Waltz revealed classified info, but about appearances. Seems dangerous to make decisions this way.
An alternative interpretation is simply "I don't care": So top secret info leaked; don't do it again. You're doin' a heck of a job.
If it does happen again... honestly, would the rationale be different?
Sure, they'd have a conniption if it had happened under Biden. But that would be purely about harassing Biden rather than a serious consideration of national security.
> Donald Trump’s national security adviser Mike Waltz included a journalist in the Signal group chat about plans for US strikes in Yemen after he mistakenly saved his number months before under the contact of someone else he intended to add, according to three people briefed on the matter.
That clears him? That should implicate him!
Rules for thee but not for me. Pepperidge farm remembers.
This case is a single incident (that we are aware of) where a clearance holder manually bypassed security and tracking by transcribing attack plans to a commercial chat platform.
Didn't Comey say Clinton wasn't found to have obstructed justice?
They also decided not to go after charges for the nobody staffer who did the deed, and controversially Hillary didn't face any consequences with the FBI saying: "To be clear, this is not to suggest that in similar circumstances, a person who engaged in this activity would face no consequences. To the contrary, those individuals are often subject to security or administrative sanctions. But that is not what we are deciding now."
A news reporter turned SecDef will make one be like that… eager
Anything less is certainly dereliction of duty.
At that point they’re bringing an org chart to a gun fight.
OTOH a waiver undoes all of that. It shows how much of democracy depends on people following conventions and traditions.
I've been more wrong before . . .
I was surprised Hegseth even desired a side channel that had the potential downside that he could accidentally text the coordinates of a carrier. Stuff like that gets Generals relieved immediately.
I am not as educated in these manners but this type of information seems to be of the type you don’t text on commercial applications and would be on a need to know basis. Maybe you can communicate the idea that something is planned to happen but not timelines of the specific assets.
Previous administrations, including the Biden White House, did not develop an alternative platform to Signal, one of the people said."
Is that true? There is no alternative platform to text in real time across different agencies? And nobody had a problem with that?
- No alternative platform: Presumably on purpose. If it were a good security practice to text this type of information in real time across existential-level national-security agencies by using multiple private vendors (e.g., Apple, Signal, AT&T, Verizon, …), I'll go out on a limb to guess that the government would have implemented that idea before 2025.
It's not on purpose, it's a lack of IT coordination and has been a long-standing issue in the government. As an example, until about 2010-2012, nearly every US military base hosted its own email server and employees (military, civilian, contractor) received an email address like first.last@base.af.mil (replace af with another branch as appropriate). Now it'll be first.last@us.af.mil.
They consolidated each branch's email and other comm systems over a number of years with good and bad results. Cross-branch communication could still be improved, but it's much better than it used to be. Cross department and agency communication is still broken. And the only purpose is so they can retain control of their fiefdoms.
These are the standard communication device for senior members of the US government who are working regularly with classified information.
https://www.disa.mil/-/media/Files/DISA/Fact-Sheets/DMCC-TS-...
The issue with these devices is that the systems they use follow all recordkeeping laws and any communications are subject to FOIA.
That was over 50 years ago, and now no one over a 90 IQ thinks these guys are bright.
You can then write as many rules as you like about how you're not allowed to do that, but if you don't follow up and enforce those rules then people will keep doing it. Bottom line, no one cares about security enough to compromise convenience, and unless you start to literally throw people in jail they never will.
For anyone who studies this in detail, I suggest passing the information to credible investigative journalists exclusively. This may be a dumpster fire. (If not exclusively, then on embargo.)
There's a limit to what security officials can do when top-level people are deliberately circumventing the controls.
So there are three explanations:
1. Everything happened on his personal phone
2. He was logged into Signal on his personal phone to update the contact, and was also logged into the same Signal account on his government-issued phone. He imported the contact on his personal phone and then added it to the chat on his government-issued phone. From an infosec standpoint, this is not much better than #1 because he still has an unsecured device logged into the same Signal account that he's using for secure comms.
3. He was only logged into Signal on his government-issued phone and then manually copied the number into his government phone from his personal phone, not noticing that it was the wrong number. For anyone who has worked with users, this doesn't seem realistic. These guys have huge numbers of contacts, are very busy, and they do the most convenient thing possible for them. They do not sit around for hours copying information from one phone to another.
Let's assume that Waltz only used Signal from his government-issued phone and manually copied the number from his personal phone. He thought that the number he was copying was from Hughes' personal phone - it was in his personal contacts and he had been using it before either of them were in government. So even if Waltz himself was using a government-issued phone, which seems unlikely, he was simultaneously assuming that his subordinate was using a personal phone.
Even if you take the most generous interpretations you end up with the conclusion that NSC personnel were routinely using personal devices and accounts for secure comms.
Even Teams flags external participants to a chat. How was a phone number not known to be within the government perimeter allowed to be added with no alarm to a chat thread in an app pre-installed and approved by the agency?
There are more questions than answers here and it's clearly suspicious to say the least that a prominent threat vector such as a mistaken phone number could go unnoticed and not trip a single flag. We're not talking about compromised SIM cards or anything, a simple fat finger could expose a secure messaging app thread to an external participant and this is approved by the department for years? How many "Mistakes" over the years have gone unreported?
Waltz or anyone on that thread isn't responsible for IT, so who ultimately didn't secure this vector?
There are absolutely no institutional guardrails. If Mike Waltz says he wants to put his personal contacts into Signal, nobody is going to stop him from doing that because they know from numerous examples that the administration does not care about laws or civil service protections and is happy to fire anyone who stands in their way.
Discussing classified information using Signal is not approved. I'm no lawyer but it probably violates the Federal Records Act, as messages were set to expire on a 30-day schedule.
I mean, Jesus Christ when I was 16 and working at a Dairy Queen I saw people get fired for their drawer coming up a dollar short. Why are we holding fast food cashiers to a higher standard than our top government officials? Does that legitimately sound okay to anyone?
The problem today is that some (many?) politicians either don't understand or agree with those goals and pick more convenient tools that they may have been used to as a civilian.
There was nothing necessary about the conversation that couldn't wait for a secure location. The government will go as far as to set up a secure comms room in employees' homes if needed, it's not like they don't know how to secure communication.
A lot of us have had to work within specific constraints for data security, I've had to make hour-long trips because I forgot a secure laptop in my office. No one would have died if I did some work on my personal device, but I still went out of my way to follow procedure.
These people have the self control of toddlers.
There are more than enough enterprise chats out there with security levels ranging from "good enough if you trust a major US corp" (Teams DoD) to "complete paranoia" (finance communication apps with on-premise encryption/decryption modules plugged into your HSM)
End of day, you just need to communicate, most software, however outdated, should be sufficient.
It’s a user problem, blaming software is a distraction.
When you design a feature for a business app, it has to be immaculate, brain dead easy to use, and be explained 9 times in 3 different training seminars before anyone will figure it out.
Meanwhile, if the new hit filter on TikTok was buried under a hidden search, with a feature toggle, consent form and rotating secret password, end users would figure it out in 5 minutes.
As you say, people are spoiled.
It makes no sense for the media on one side of the political spectrum to claim the right to unfettered access to secrets.
Why would this investigation be classified?
If you read the original piece in the Atlantic, Goldberg didn’t publish much of the information initially thinking it would be irresponsible to do so.
This is precisely why the political divide is impossible to bridge. Everything I said indicates seriousness about classified information or even simply unauthorized access to information in such a cavalier manner that it’s published in the Guardian. Somehow, calling it out is more problematic than achieving a political end.
This is a difference in law, there is a difference in duty of care (although even then, the Trump administration is responsible in both cases), and an enormous difference in impact (mission failure vs Trump embarrassment).
The information about a sensitive investigation, clearly not meant for anyone outside the White House, seems to be available freely to the Guardian. How come? Where is the line if any?