Comment by psunavy03

1 day ago

The DOD is not "flagrantly using Signal." The Secretary of Defense, whatever his preferred pronouns are, is breaking the law.

CISA recommended Signal for encrypted end-to-end communications for "highly targeted individuals."

https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...

  • The best part is that, in trying to comply with this guidance, the government chose Telemessage to provide the message archiving required by the Federal Records Act.

    The only problem is that Telemessage was wildly insecure and was transmitting/storing message archives without any encryption.

  • Recommendations to the private sector don't condone violating security and retention laws for people working in the public sector.

    • Military personnel are currently only allowed to use Signal for mobile communications within their unit. Classified information is a different story, though.

  • I don't think I agree with the following from this guide:

    > Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.

    • What do you disagree with?

      > Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.

      That's true. A VPN service replaces the ISP as the Internet gateway with the VPN's systems. By adding a component, you increase the attack surface.

      > Many free and commercial VPN providers have questionable security and privacy policies.

      Certainly true.

      > if your organization requires a VPN client to access its data, that is a different use case.

      Also true: That's not a VPN service; you are (probably) connecting to your organization's systems.

      There may be better VPN services - Mullvad has a good reputation around here - but we really don't know. Successful VPN services would be a magnet for state-level and other attackers, which is what the document may be concerned with.

  • Come on, man. We're talking about classified information, not general OPSEC advice. I worked in a SCIF. Literally every piece of equipment, down to each ethernet cable, has a sticker with its authorized classification level. This system exists for a reason, like making it impossible to accidentally leak information to an uncleared contact in your personal phone. What Hegseth did (and is doing?) is illegal. It doesn't even matter what app is used.