Bulwark Takes - Signalgate Just Got WAY WORSE! White House Secrets HACKED!?
Episode Date: May 5, 2025

Andrew Egger and Joseph Cox dig into the Signal clone breach that exposed sensitive White House communications and how a photo under the table helped blow the story up. ...
Transcript
Hey, everyone. This is Andrew Egger with The Bulwark. The Signalgate story, believe it or not,
keeps getting more bizarre, keeps getting stranger.
There were a lot of questions
when these stories started to drop,
when Jeffrey Goldberg first got added to the Signal chat
about the Houthis a couple of months back.
What's going on with Signal?
Why are they using this encrypted private app?
Is this too, is it vulnerable to leaks?
Is it vulnerable to these kinds of OPSEC failures?
Is it in keeping with federal records requirements
where they need to log this stuff?
We just got a brand new bit of reporting
over the weekend from Joseph Cox.
He's the co-founder of 404 Media.
He focuses on cybersecurity and the digital underground.
He's here to talk about his scoop.
Thanks for coming on, Joseph.
Absolutely.
Thanks for having me.
So this is such a great story. I mean, in so many ways.
But one of the most, well, let's start with the meat of it first.
I mean, like, can you just talk us through what do we know about Signal and how the White
House is using it today that we didn't know before you guys had this story this weekend?
As you know, the White House is using Signal.
But then what we found recently was that they use a special version or a modified
version called TeleMessage. And we found that because a Reuters photographer took a photo of
Waltz at the recent cabinet meeting. And if you zoom in, you can see that it's a weird version
of Signal. It turns out it's basically a version that copies the Signal messages for storage later.
Huh, that's pretty interesting.
Also brought up even more questions of, well, how susceptible is that to being hacked? What if that
is then targeted? Lo and behold, I don't know, it took 48 hours, something like that. And what we
have now with this reporting over the weekend is that a hacker did target TeleMessage and did manage to obtain some users' direct messages
and group chats sent over Signal, but then also some of these other modified versions of
WhatsApp and Telegram and WeChat as well. But of course, to us, the Signal stuff is the
most significant.

Yeah. And until we learn that Donald Trump is messaging his stockbroker on WeChat,
Signal will be the main one here. I mean, this is such a fascinating story to me because I think it does answer one question that a lot of us had had lingering in the back of our minds about
the Signal scandal from the beginning, which is these guys are bound by law to back this stuff up.
And are they just ignoring that law? Are they just flouting it? What's going on here? And I think
that so part of it, one of the puzzle pieces here, is no, they don't appear
to be flouting that. They appear to be using this kind of workaround system to be able to make use
of the Signal infrastructure while still preserving some kind of digital record. But at the same time,
you open up a whole new set of alarm bells, a whole new set of questions about the reliability of that service and, you know,
how susceptible that is to, you know, hostile actors or just bad actors of
any kind getting in there and playing around with the data.
Can you talk in a little bit more detail about what the nature of this breach was that
this hacker that you were interviewing for this piece,
I believe he's anonymous, right, in the piece. So what did he find? And kind of what should our
level of alarm be as we're, you know, thinking about our top government officials making use
of this service for their internal communications?

Yeah, we don't know who the hacker is. That's
actually often the case with some of these stories I work on. They provide accurate information that we go and verify, but we don't know who that is, because obviously they don't exactly want to reveal their real name or identity when they're doing something that's probably criminal in nature. was they found a way to target a TeleMessage server.
And this was sort of where the messages were going,
at least from our understanding,
where the messages were being routed through to before they were being archived, wherever that might be, right?
And the hacker was able to find a way
to see these sorts of snapshots of data as they flew across those.
And that sounds, you know, a little bit technical.
And we actually don't get too technical in the story because we don't want people to be able to go and replicate this as
well, obviously, right. And it looks like TeleMessage has actually taken their back end down at the
moment. We haven't put that in print yet, but from everything, it looks like that. So the hacker managed
to get there, and then crucially, in those snapshots of data they obtained, there were actually usernames and passwords to then log into more TeleMessage systems.
So they went in and they found various things such as a bunch of contact information for officials from Customs and Border Protection, indicating that agency uses the tool as well.
A bunch of contact information for employees at Coinbase, the cryptocurrency company.
So we verified this data in various different ways. But one was I took that list of Customs
and Border officials, and I just started phoning them up and asking them, "Hi, are you an official
of Customs and Border Protection?" Some confirmed it either through their voicemail messages or just
talking to me on the phone, then very quickly hanging up when they realized what was going on. But that was one of the different ways we verified
all of this, because as you say, we don't know who the hacker is. We're not going to have any
insight into that. But this is clearly significant even though, you know, I don't have Mike Waltz's
messages necessarily, right, and we don't think the hacker has obtained those either. But the fact that
this hacker spent 15 or 20 minutes, they say, is what it took to break into
this system, and they were able to do that so quickly and get all of these messages.
I mean, it is alarming.
And if a random, basically, hacker could do this, it makes you think, well, have foreign
nation adversary state intelligence agencies been looking into this as well?

And it just creates all of these even more questions now somehow, even though I thought
we just got some more answers to. And obviously, you know, maybe it goes without saying, but I'll
say it anyway. A hostile foreign entity, a foreign intelligence agency, something like that,
they get their hands on this data. They do a slightly different thing than 404 Media does
with it, which is they don't immediately trumpet that this vulnerability exists so that, you know, the different firms can go and quickly shut it all down.
I mean, like I think, as the guy said in your piece, who the heck knows how long this has been open and how long people have had their eye, you know, or had, you know, one sensor down in the data stream
of all of this stuff. I mean, it really is just kind of, I was shocked. My jaw was kind of on the
floor when I was reading your piece. And obviously now, just to kind of drill down
on what you mean by sort of snapshots of data, right? I mean, obviously the gold standard for
finding out what's going on in a White House Telegram, or I'm sorry, White House Signal
chats is being accidentally added to the chats under your own power, right? We'd call that the
Jeffrey Goldberg standard. But, you know, so like this is somewhat
less than that, right? It's sort of like kind of random snapshots of data that
happened to be passing through this one random server. Can you just talk to me a little bit
about kind of what the potential vulnerabilities are, you know, even though it's a much more oblique or a much less direct route to, I mean, route to the kind of information that I think you and I would be very alarmed to just have out there in the public eye.
Yeah, I mean, there are concrete aspects of it as well.
Like we have seen some messages, even though it wasn't of Trump officials or whatever.
There was one in there to a group chat, I believe,
where it looked like people from a cryptocurrency company
called Galaxy Digital were just talking about this cryptocurrency bill,
which may or may not go through.
And they were talking about different Dems support for it
or they don't want to support it, that sort of thing.
I'm not super interested in whatever that bill is itself, but it shows how highly sensitive this is,
where you have internal communications. And they're talking about something that's happening
right now. These are not historical messages. These are things that are happening exactly at
the time where the hacker is intercepting them. Now, of course, it does get a little bit hypothetical
and speculative, but I think it's absolutely fine to do so when we've shown that our real
message is going across this. Imagine if a foreign adversary was able to intercept messages from
Waltz, from other top-tier US government officials. It completely undermines the idea that, oh, I use Signal to communicate securely, and Signal is secure.
But when you tack on this extra tool for archiving purposes, which, as you say, is also good because they have to keep copies of messages, it does introduce this severe new risk that you are basically hiding the key under the doormat for your security.
And all the hacker has to do is look under there, oh, okay, take it, and then start reading messages. And you know, this hacker,
as I said, did it in 15 to 20 minutes. If they had just sat there for a long time, even if they sat
there for 48 hours, they would have had a lot, lot, lot more material. And if a nation state
had been doing that, I mean, there's no telling what they could have intercepted from those chats.

Can we just dwell for a moment? I mean, every element of the story is so remarkable, so fascinating.
But you mentioned it right off the top. The fact that anybody got onto this at all was just because Mike Waltz's phone under the table at a cabinet meeting was photographed by, you know, a White House
photographer. I mean, like, that's just, I'm not asking you to get editorial here, but it's just
kind of like every element of this kind of compounds the clownishness one after another,
at least from my point of view. I mean, how long did it even take from when that,
did the hacker himself only know about any of this from
that picture as well? I don't know, maybe you can't talk about that, but I'm curious if there is
anything you can say about, like, that picture is only like four days old and you already
have this story out, right?

Yeah, so I don't know the exact series of events for the hacker and what
they learned and when, but you know, we were first to report that Waltz was using this tool because
when I zoomed into the photo, I was like, that is not exactly the same as the Signal UI, and I'm a
sucker for those details. You know, that's strange. I spend a lot of time all day every day looking
at Signal, so I know what Signal looks like, and this was not that. And then we published that, and
a lot of other media outlets jumped on as well, so it was very, very high profile. And then people
started to go through the TeleMessage website, the website of this company, and they found, oh, a
version of the app was uploaded, so people could dig through that. And when something like this
happens, technologists just descend on it because they're very, very curious. Some of them want to,
you know, fix vulnerabilities or find out what's going on, and I do think that's what the hacker
did here. Yes, they did something which is controversial, but they wanted to see how secure it was. And now,
now maybe it's going to be fixed as well. But yeah, I mean, I'm pretty sure the media firestorm
led to it. What I would say is that just purely from like a security perspective, yes, Waltz
accidentally revealed they use this
weird version of Signal, but if you really want to be secure, that shouldn't be an issue. You know,
it shouldn't be an issue that, oh, the government uses this tool, because the tool should just be
secure. Like, if that secret got out, that shouldn't be an issue. You know, everybody's going to figure
that out. The tool should just be well designed in the first place, and it seems in this case,
well, it probably wasn't, because now we have a bunch of these internal messages.
Right, right, right. Which obviously just kind of compounds the argument that this is a risk
that you run when you are, I mean, the whole meta scandal is the idea of using these private apps
where you are kind of trusting various different companies. Maybe some of them are more well-known,
like Signal,
and maybe some of them are significantly less well-known,
like TeleMessage that you're talking about here.
And it just kind of compounds the potential vulnerabilities there.
Can I just ask you one more kind of like meta question here,
which is just because, you know,
we don't do a lot of reporting in this space, obviously.
We're a political publication.
This is a lot more like just sort of your day in, day out stuff. Can we just talk a little bit about kind of what the
journalistic kind of ethics are that are involved with, you know, you obviously have a source here
who's anonymous, who is, you know, doing this work that's probably illegal. And yet there's
this big public interest in knowing that these vulnerabilities exist and that the White House
is exposed to them and all these sorts of things. Can you just talk a little bit about that at kind of the basic level?
Yeah. So it's often about the trade-off between what you hold back and what you
publish. Like I write about vulnerabilities in websites, companies, data breaches all day,
every day. And often what you do is you have to email the company, give them obviously a chance
to comment and say, hey, this is going on. Maybe they fix it. Maybe they don't.
And it's very similar for technologists or so-called white hat hackers who go and tell a company, hey, there's an issue with your server.
You should probably fix this.
And maybe they get some money or maybe they get a free T-shirt or something.
In this case, the hacker came to the press because they thought this company would probably cover it up.
Now,
I don't know whether that's fair or not. That's impossible for me to say. But as a journalist,
it's always about, okay, if we report on this, are we amplifying the risk or the issue at all?
And for example, that's why in the article, where we did include screenshots of, you know,
the TeleMessage panel where all this contact information of Customs and Border Protection officials was, I mean, we redacted that information. Of course, we're not
going to publish a bunch of names, phone numbers and email addresses of random officials. But we
do want to publish redacted screenshots, because it shows just how serious this breach is. I think
it's one thing to describe it to a reader. It's another to show them, look, this is literally
what the breach looks like. And we did that with a redacted Signal message as well.

I think we can leave it there. Joseph Cox with
404 Media, thank you so much for coming on and talking to us about this stuff. It's a crazy
story. It's a fascinating story. We'll link the story below. And I'll say thanks to everybody
out there who's watching. Please subscribe to the feed. Head to thebulwark.com to get our
written stuff, although that's kind of cheating. I'm slipstreaming. Head over to 404 Media. What's your URL, man? I forget. Is it 404 Media dot com?

Dot co. We can't afford a dot com.

Okay. All right. 404 Media dot co to get Joseph's stuff. It really is a remarkable story. I'm
gassing you up a lot, but my jaw was on the floor. All right. Thanks, everybody.
And we'll see you next time.