Comment by jdcasale

8 months ago

Without commenting on the (important) political or reputational considerations here, I want to talk a bit about the operational risk presented by this practice. There is a somewhat sizable "So what? Signal is e2e encrypted. Nothing bad happened and you're all overreacting." narrative floating around. (not so much in this thread, but in the general discourse)

If this operation was planned in Signal, then so were countless others (and presumably so would countless others be in the future).

If not for this journalist, this would likely have continued indefinitely. We have high confidence that at least some of the officials were doing this on their personal phones. (Gabbard refused to deny this in the congressional hearing -- it does not stand to reason that she'd do that unless she was, in fact, using her personal phone.)

At some point in the administration, it's likely that at least one of their personal phones will be compromised (Pegasus, etc). E2E encryption isn't much use if the phone itself is compromised. This is why we have SCIFs.

There was no operational fallout of this particular screwup, but if this practice were to continue, it's likely certain that an adversary would, at some point, compromise these communications. Not through being accidentally invited to the chat rooms, but through compromise of the participants' hardware. An APT could have advance notice of all manner of confidential and natsec-critical plans.

In all likelihood this would lead to failed operations and casualties. The criticism/pushback on this is absolutely justified.

Or not even the device: The other reason we have SCIFs is they provide a secure location. These personal devices could have been in use anywhere, including places where they were subject to observation. Including but not limited to Moscow. :)

  • Something I haven't seen discussed is that you can get the information from Signal without compromising the phone or person. Just reading the texts "over the shoulder" would be enough of a leak. Being in Moscow is bad, but even a Starbucks has security cameras good enough to read text on a phone. A SCIF would fix that.

I agree with all of this, my only quibble is that I would bet there have already been costs associated with this idiocy. Hostile powers knew going in that this would be an incompetently run administration and I'm sure were looking at gaining access to personal devices out of the gate. It's possible that a great many highly sensitive conversations have already been read by adversaries. I also expect that similar sloppiness like adding the wrong person to a Signal chat has already happened without being reported on.

  • Yes, this was one of the main points on infosec Mastodon today. While everyone is aware enough to be concerned with encryption over the wire, it's the endpoints that matter. Personal Android devices capable of running Signal are going to be some of the easiest to compromise for a sufficiently motivated attacker. I've seen n00b cops do it for drug gangs here. There's no question that Russia, China, et al. can do it just as well and we have as good as confirmation that that's what's going on in at least Tulsi Gabbard's case.

  • I suspect we won't know the true damage until all these people are gone, kind of like how Apollo 13 didn't know the true damage to the service module until they jettisoned it.

> if this practice were to continue

My prediction is, given the way the narrative is shifting to digging in their heels and insisting they did nothing wrong, the lesson they are learning from all this is that they should have hidden their activity better. Nothing will happen to them, they will continue with impunity, and they'll just be more careful about not inviting outsiders. I suspect this isn't the last leaked top-secret group chat we'll see.