Bulwark Takes - Signalgate Just Got WAY WORSE! White House Secrets HACKED!?

Episode Date: May 5, 2025

Andrew Egger and Joseph Cox dig into the Signal clone breach that exposed sensitive White House communications and how a photo under the table helped blow the story up. ...

Transcript
Starting point is 00:00:00 Running a business is hard work. Building your website shouldn't be. With Wix, you can express your ideas, give direction, then leave the heavy lifting to AI, from site creation to branded content and images. Have fun with the details. Customize what you want the way you want. And manage your whole business
Starting point is 00:00:19 from a centralized dashboard with expert AI tools. Build, scale, and enjoy the incredible results. You can do it all yourself on Wix. You know where your business would be without you. Imagine where it could go with more of you. Well, with Wix, you can create a website with more of your vision, your voice, your expertise. Wix gives you the freedom to truly own your brand and do it on your own with
Starting point is 00:00:45 full customization and advanced AI tools that help turn your ideas into reality. Grow your business into your online brand. Because without you, your business is just business as usual. Go to Wix.com. Hey, everyone. This is Andrew Egger with The Bulwark. The Signalgate story, believe it or not, keeps getting more bizarre, keeps getting stranger. There were a lot of questions when these stories started to drop, when Jeffrey Goldberg first got added to the Signal chat about the Houthis a couple of months back.
Starting point is 00:01:16 What's going on with Signal? Why are they using this encrypted private app? Is this too, is it vulnerable to leaks? Is it vulnerable to these kinds of OPSEC failures? Is it in keeping with federal records requirements where they need to log this stuff? We just got a brand new bit of reporting over the weekend from Joseph Cox.
Starting point is 00:01:33 He's the co-founder of 404 Media. He focuses on cybersecurity and the digital underground. He's here to talk about his scoop. Thanks for coming on, Joseph. Absolutely. Thanks for having me. So this is such a great story. I mean, in so many ways. But one of the most, well, let's start with the meat of it first.
Starting point is 00:01:50 I mean, like, can you just talk us through what do we know about Signal and how the White House is using it today that we didn't know before you guys had this story this weekend? As you know, the White House is using Signal. But then what we found recently was that they use a special version or a modified version called TeleMessage. And we found that because a Reuters photographer took a photo of Waltz at the recent cabinet meeting. And if you zoom in, you can see that it's a weird version of Signal. It turns out it's basically a version that copies the Signal messages for storage later. Huh, that's pretty interesting.
Starting point is 00:02:26 Also brought up even more questions of, well, how susceptible is that to being hacked? What if that is then targeted? Lo and behold, I don't know, it took 48 hours, something like that. And what we have now with this reporting over the weekend is that a hacker did target TeleMessage and did manage to obtain some users' direct messages and group chats sent over Signal, but then also some of these other modified versions of WhatsApp and Telegram and WeChat as well. But of course, to us, the Signal stuff is the most significant. Yeah. And until we learn that Donald Trump is messaging his stockbroker on WeChat, Signal will be the main one here. I mean, this is such a fascinating story to me because I think it does answer one question that a lot of us had had lingering in the back of our minds about
Starting point is 00:03:14 the Signal scandal from the beginning, which is these guys are bound by law to back this stuff up. And are they just ignoring that law? Are they just flouting it? What's going on here? And I think that, so, one of the puzzle pieces here is no, they don't appear to be flouting that. They appear to be using this kind of workaround system to be able to make use of the Signal infrastructure while still preserving some kind of digital record. But at the same time, you open up a whole new set of alarm bells, a whole new set of questions about the reliability of that service and, you know, how susceptible that is to, you know, hostile actors or just bad actors of any kind getting in there and playing around with the data.
Starting point is 00:03:56 Can you talk in a little bit more detail about what the nature of this breach was that this hacker that you were interviewing for this piece, I believe he's anonymous, right, in the piece. So what did he find? And kind of what should our level of alarm be as we're, you know, thinking about our top government officials making use of this service for their internal communications? Yeah, we don't know who the hacker is. That's actually often the case with some of these stories I work on. They provide accurate information that we go and verify, but we don't know who that is, because obviously they don't exactly want to reveal their real name or identity when they're doing something that's probably criminal in nature. was they found a way to target a TeleMessage server. And this was sort of where the messages were going, at least from our understanding,
Starting point is 00:04:51 where the messages were being routed through to before they were being archived, wherever that might be, right? And the hacker was able to find a way to see these sorts of snapshots of data as they flew across those. And that sounds, you know, a little bit technical. And we actually don't get too technical in the story because we don't want people to be able to go and replicate this as well, obviously, right? And it looks like TeleMessage has actually taken their back end down at the moment. We haven't put that in print yet, but from everything it looks like that. So the hacker managed to get there, and then crucially, in those snapshots of data they obtained, there were actually usernames and passwords to then log into more TeleMessage systems.
Starting point is 00:05:28 So they went in and they found various things such as a bunch of contact information for officials from Customs and Border Protection, indicating that agency uses the tool as well. A bunch of contact information for employees at Coinbase, the cryptocurrency company. So we verified this data in various different ways. But one was I took that list of Customs and Border officials, and I just started phoning them up and asking them, "Hi, are you an official of Customs and Border Protection?" Some confirmed it either through their voicemail messages or just talking to me on the phone, then very quickly hanging up when they realized what was going on. But that was one of the different ways we verified all of this, because, as you say, we don't know who the hacker is. We're not going to have any insight into that. But this is clearly significant, even though, you know, I don't have Mike Waltz
Starting point is 00:06:18 messages necessarily, right, and we don't think the hacker has obtained those either. But the fact that this hacker spent 15 or 20 minutes, they say, it took to break into this system, and they were able to do that so quickly and get all of these messages. I mean, it is alarming. And if a random, basically, hacker could do this, it makes you think, well, have foreign nation adversary state intelligence agencies been looking into this as well? And it just creates all of these even more questions now somehow, even though I thought we just got some more answers to. And obviously, you know, maybe it goes without saying, but I'll say it anyway. A hostile foreign entity, a foreign intelligence agency, something like that,
Starting point is 00:06:59 they get their hands on this data. They do a slightly different thing than 404 Media does with it, which is they don't immediately trumpet that this vulnerability exists so that, you know, the different firms can go and quickly shut it all down. I mean, like I think, as the guy said in your piece, who the heck knows how long this has been open and how long people have had their eye, you know, or had, you know, one sensor down in the data stream of all of this stuff. I mean, it really is just kind of, I was shocked. My jaw was kind of on the floor when I was reading your piece. And obviously now, just to kind of drill down on what you mean by sort of snapshots of data, right? I mean, obviously the gold standard for finding out what's going on in a White House Telegram, or I'm sorry, White House Signal chats is being accidentally added to the chats under your own power, right? That's the, we'd call that the
Starting point is 00:07:49 Jeffrey Goldberg standard. Um, but, uh, but you know, so like this is somewhat less than that, right? It's sort of like kind of random snapshots of data that happened to be passing through this one random server. Can you just talk to me a little bit about kind of what the potential vulnerabilities are, you know, even though it's a much more oblique or a much less direct route to, I mean, route to the kind of information that I think you and I would be very alarmed to just have out there in the public eye. Yeah, I mean, there are concrete aspects of it as well. Like we have seen some messages, even though it wasn't of Trump officials or whatever. There was one in there to a group chat, I believe, where it looked like people from a cryptocurrency company
Starting point is 00:08:33 called Galaxy Digital were just talking about this cryptocurrency bill, which may or may not go through. And they were talking about different Dems support for it or they don't want to support it, that sort of thing. I'm not super interested in whatever that bill is itself, but it shows how highly sensitive this is, where you have internal communications. And they're talking about something that's happening right now. These are not historical messages. These are things that are happening exactly at the time where the hacker is intercepting them. Now, of course, it does get a little bit hypothetical
Starting point is 00:09:06 and speculative, but I think it's absolutely fine to do so when we've shown that real messages are going across this. Imagine if a foreign adversary was able to intercept messages from Waltz, from other top-tier US government officials. It completely undermines the idea that, oh, I use Signal to communicate securely, and Signal is secure. But when you tack on this extra tool for archiving purposes, which, as you say, is also good because they have to keep copies of messages, it does introduce this severe new risk that you are basically hiding the key under the doormat for your security. And all the hacker has to do is look under there, oh, okay, take it and then start reading messages. And you know, this hacker, as I said, did it in 15 to 20 minutes. If they had just sat there for a long time, even if they sat there for 48 hours, they would have had a lot, lot, lot more material. And if a nation state had been doing that, I mean, there's no telling what they could have intercepted from those chats. Can we just dwell for a moment? I mean, every element of the story is so remarkable, so fascinating.
Starting point is 00:10:11 But you mentioned it right off the top. The fact that anybody got onto this at all was just because Mike Waltz's phone under the table at a cabinet meeting was photographed by, you know, a White House photographer. I mean, like, that's just, I'm not asking you to get editorial here, but it's just kind of like every element of this kind of compounds the clownishness one after another, at least from my point of view. I mean, how long did it even take from when that, did the hacker himself only know about, uh, only know about any of this from that picture as well? I don't know, maybe you can't talk about that, but, uh, I'm curious if there is anything you can say about, like, that picture is only like four days old and you already have this story out, right? Yeah, so I don't know the exact series of events for the hacker and what
Starting point is 00:10:59 they learned and when. But, you know, we were first to report that Waltz was using this tool, because when I zoomed into the photo I was like, that is not exactly the same as the Signal UI. And I'm a sucker for those details, you know, that's strange. I spend a lot of time all day every day looking at Signal, so I know what Signal looks like, and this was not that. And then we published that and a lot of other media outlets jumped on as well, so it was very, very high profile. And then people started to go through the TeleMessage website, the website of this company, and they found, oh, a version of the app was uploaded, so people could dig through that. And when something like this happens, technologists just descend on it because they're very, very curious. Um, some of them want to
Starting point is 00:11:38 you know, fix vulnerabilities or find out what's going on, and I do think that's what the hacker did here. They, yes, they did something which is controversial, but they wanted to see how secure it was. And now, now maybe it's going to be fixed as well. But yeah, I mean, I'm pretty sure the media firestorm led to it. What I would say is that just purely from like a security perspective, yes, Waltz accidentally revealed they use this weird version of Signal. But if you really want to be secure, that shouldn't be an issue. You know, it shouldn't be an issue that, oh, the government uses this tool, because the tool should just be secure. Like, if that secret got out, that shouldn't be an issue. You know, everybody's going to figure
Starting point is 00:12:20 that out. Um, the tool should just be well designed in the first place. And it seems in this case, well, it probably wasn't, because now we have a bunch of these internal messages. Right, right, right. Which obviously just kind of compounds the argument that this is a risk that you run when you are, I mean, the whole meta scandal is the idea of using these private apps where you are kind of trusting various different companies. Maybe some of them are more well-known, like Signal, and maybe some of them are significantly less well-known, like TeleMessage that you're talking about here.
Starting point is 00:12:50 And it just kind of compounds the potential vulnerabilities there. Can I just ask you one more kind of like meta question here, which is just because, you know, we don't do a lot of reporting in this space, obviously. We're a political publication. This is a lot more like just sort of your day in, day out stuff. Can we just talk a little bit about kind of what the journalistic kind of ethics are that are involved with, you know, you obviously have a source here who's anonymous, who is, you know, doing this work that's probably illegal. And yet there's
Starting point is 00:13:17 this big public interest in knowing that these vulnerabilities exist and that the White House is exposed to them and all these sorts of things. Can you just talk a little bit about that at kind of the basic level? Yeah. So it's often about the trade-off between what you hold back and what you publish. Like I write about vulnerabilities in websites, companies, data breaches all day, every day. And often what you do is you have to email the company, give them obviously a chance to comment and say, hey, this is going on. Maybe they fix it. Maybe they don't. And it's very similar for technologists or so-called white hat hackers who they'll go and they'll tell a company, hey, there's an issue with your server. You should probably fix this.
Starting point is 00:13:56 And maybe they get some money or maybe they get a free T-shirt or something. In this case, the hacker came to the press because they thought this company would probably cover it up. Now, I don't know whether that's fair or not. That's impossible for me to say. But as a journalist, it's always about, okay, if we report on this, are we amplifying the risk or the issue at all? And for example, that's why in the article where we did include screenshots of, you know, the telemessage panel where all this contact information of Customs and Border Protection's officials were. I mean, we redacted that information, of course, we're not going to publish a bunch of names, phone numbers and email addresses of random officials. But we
Starting point is 00:14:33 do want to publish redacted screenshots, because it shows just how serious this breach is. I think it's one thing to describe it to a reader. It's another to show them, look, this is literally what the breach looks like. And we did that with a redacted Signal message as well. I think we can leave it there. Joseph Cox with 404 Media, thank you so much for coming on and talking to us about this stuff. It's a crazy story. It's a fascinating story. We'll link the story below. And I'll say thanks to everybody out there who's watching. Please subscribe to the feed. Head to thebulwark.com to get our written stuff, although that's kind of cheating. I'm slipstreaming. Head over to 404 Media. What's your URL, man? I forget. Is it 404 Media dot com? Dot co. We can't afford a dot com.
Starting point is 00:15:09 Okay. All right. 404 Media dot co to get Joseph's stuff. It really is a remarkable story. I'm gassing you up a lot, but my jaw was on the floor. All right. Thanks, everybody. And we'll see you next time.
