Monday, April 7, 2025

The Signal Chat Leak and the NSA

Bruce Schneier (March 31, Hacker News):

“I didn’t see this loser in the group,” Waltz told Fox News about Atlantic editor in chief Jeffrey Goldberg, whom Waltz invited to the chat. “Whether he did it deliberately or it happened in some other technical mean, is something we’re trying to figure out.”

Waltz’s implication that Goldberg may have hacked his way in was followed by a report from CBS News that the US National Security Agency (NSA) had sent out a bulletin to its employees last month warning them about a security “vulnerability” identified in Signal.

The truth, however, is much more interesting. If Signal has vulnerabilities, then China, Russia, and other US adversaries suddenly have a new incentive to discover them. At the same time, the NSA urgently needs to find and fix any vulnerabilities as quickly as it can—and similarly, ensure that commercial smartphones are free of backdoors—access points that allow people other than a smartphone’s user to bypass the usual security authentication methods to access the device’s contents.

There’s a debate over whether the information shared constituted “war plans” and whether it was technically classified. But putting that aside, there are some interesting privacy and design questions here. Did they use Signal simply because it’s more convenient than the official government system? Because they didn’t trust the government system? Because they wanted to evade record-keeping requirements?

Did Waltz add Goldberg by mistake, e.g. picking the wrong name in auto-complete, in which case maybe there was someone intended to be in the chat who never actually got added? Did he add Goldberg on purpose, to sabotage, without knowing it would be traced back to him? If, as he insists, he never met or communicated with Goldberg, how did the number get into his phone? Can they really figure out whether Waltz did it and where the phone number came from?

It has always seemed to me that the privacy danger with systems like Signal and iMessage is not that someone would be able to decrypt the messages but that there would be a vulnerability that allows covert participants to be injected into the conversation, i.e. become part of the E2EE group. But if there is such a vulnerability in Signal, it’s hard to see why an adversary country or rogue elements within the NSA would want to waste it in this manner. It’s got to just be a mistake.

I was thinking about how this might have worked differently with iMessage. Would iOS ever look up Goldberg’s name or address or would he only show up as a phone number for participants who didn’t have him in their contacts?

The main issue with iMessage is that I don’t trust the “device added to your account” notifications. I get these all the time, and they’re seemingly unrelated to when I’m actually logging into iMessage or updating a device that uses it. Even assuming that there’s no way to add a device to an iMessage account without triggering this alert, device names can be spoofed, and I don’t see how I would be able to detect if someone removed a device that I don’t frequently use and added a fake device with the same name. Without checking the serial number (which itself could perhaps be spoofed) or checking that the original device was still logged in, how do you know that the listed devices are what they claim to be? And how many people even check the device list every time this notification pops up?

Hugo Lowell (April 6, via Hacker News):

According to three people briefed on the internal investigation, Goldberg had emailed the campaign about a story that criticized Trump for his attitude towards wounded service members. To push back against the story, the campaign enlisted the help of Waltz, their national security surrogate.

Goldberg’s email was forwarded to then Trump spokesperson Brian Hughes, who then copied and pasted the content of the email – including the signature block with Goldberg’s phone number – into a text message that he sent to Waltz, so that he could be briefed on the forthcoming story.

Waltz did not ultimately call Goldberg, the people said, but in an extraordinary twist, inadvertently ended up saving Goldberg’s number in his iPhone – under the contact card for Hughes, now the spokesperson for the national security council.

[…]

According to the White House, the number was erroneously saved during a “contact suggestion update” by Waltz’s iPhone, which one person described as the function where an iPhone algorithm adds a previously unknown number to an existing contact that it detects may be related.

This seems plausible, though it’s unclear to me how they were able to track down this history with any certainty. I don’t think we can discount the possibility that Waltz really did know Goldberg. But the data detectors explanation does have the advantage of explaining both how Goldberg’s number got into his phone and how he inadvertently added Goldberg to the conversation without realizing his mistake. His phone, I guess, would have shown Hughes’ name in the conversation.
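To make that failure mode concrete, here is a toy Python model of a “contact suggestion” detector. It is added for this post and is not Apple’s code; the phone and name heuristics, the contact names and the numbers are all constructed for the example. It contrasts a sender-centric detector, which proposes every unknown number in a message for the sender’s own card, with one that reads the surrounding context (a quoted header, a signature block naming someone else) before deciding whose number it is.

```python
import re
from dataclasses import dataclass, field

# Simplified US-number matcher, e.g. (202) 555-0134 or 202.555.0134.
# Toy heuristic for this example, not Apple's data detector.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# A line that is only two capitalised words is treated as a person's name (toy heuristic).
NAME_LINE_RE = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+$")


def normalize(number: str) -> str:
    """Reduce a matched number to E.164-style form so formatting variants compare equal."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:          # assume a US number when no country code is present
        digits = "1" + digits
    return "+" + digits


@dataclass
class Contact:
    name: str
    phones: set = field(default_factory=set)


@dataclass
class Message:
    sender: str   # name of the contact the message arrived from
    body: str


def naive_suggestions(msg, contacts):
    """Sender-centric detector: every unknown number in the body is proposed
    as a new number for the sender's card. This is the behaviour that files a
    pasted signature block under the wrong person."""
    known = contacts[msg.sender].phones
    return [(msg.sender, n) for n in map(normalize, PHONE_RE.findall(msg.body)) if n not in known]


def contextual_suggestions(msg, contacts):
    """Context-aware detector: a number is attributed to the nearest preceding
    name line, and never to the sender once quoted or forwarded text has begun.
    Numbers that cannot be attributed come back with owner None so the UI can
    ask the user instead of guessing."""
    known = contacts[msg.sender].phones
    quoted = False
    current_name = msg.sender
    out = []
    for line in msg.body.splitlines():
        s = line.strip()
        if s.startswith((">", "From:")) or "Forwarded message" in s:
            quoted = True
        if NAME_LINE_RE.match(s):
            current_name = s
        for n in map(normalize, PHONE_RE.findall(s)):
            if n in known:
                continue
            if current_name != msg.sender:
                out.append((current_name, n))   # block names someone other than the sender
            elif quoted:
                out.append((None, n))           # inside quoted text, owner unknown
            else:
                out.append((msg.sender, n))
    return out


# Constructed sample: a spokesperson pastes a journalist's email, signature
# block included, into a text to a colleague. Names and numbers are made up.
CONTACTS = {"Brian Hughes": Contact("Brian Hughes", {"+12025550199"})}
PASTED_EMAIL = Message(
    sender="Brian Hughes",
    body="""Mike, see below, he wants comment by 5pm.

From: Jeffrey Goldberg
Subject: Story on wounded service members

We are running a piece tomorrow. Please call if you want to respond.

Jeffrey Goldberg
Editor in Chief, The Atlantic
(202) 555-0134
""",
)

if __name__ == "__main__":
    print("naive:     ", naive_suggestions(PASTED_EMAIL, CONTACTS))
    print("contextual:", contextual_suggestions(PASTED_EMAIL, CONTACTS))
```

The naive detector proposes the Atlantic number for Hughes’s card, which is exactly the outcome described in the report; the contextual one attributes it to the name in the signature block, and a real UI should then offer “create new contact” rather than “add to Brian Hughes”. The two-capitalised-words name rule and the quote markers are deliberately crude; the point is that any detector that ignores where in a message a number appears will make this mistake.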


Update (2025-04-08): CM Harrington:

I still find the data detectors idea implausible. You can try and recreate that scenario, and it won’t work (admittedly, in my limited single test).

Also, how does Signal do the rectifying between phone number and internal contacts (i.e., in the app, not the initial Contacts.app dump)? If it doesn’t do any server lookup, it should still have Hughes’ name in the chat list. If it does server verification matching, you would see that immediately.

It doesn’t add up.

Nick Heer:

Presumably, this is related to Siri suggestions. This version of events sounds plausible to me, if a little too perfect, but stranger things have happened.

The distrustful and cynical voice deep inside me wants to think Waltz has been a source or contact for Goldberg, and that this is a neat way to keep that secret. There is no evidence for this.

Jason Snell:

I’ve seen a lot of people doubt this report and suggest that Waltz was secretly leaking stuff to Goldberg and that’s why he was in his iPhone to be added to the Signal chat, but the explanation that it was an unthinking “tap yes to add” tap that led to a ticking time bomb in Waltz’s contacts file rings true to me.

Adam Maxwell:

As a Mac user since the ’90s, it’s pretty sad that the explanation for this as a data detector failure is immediately believable to me, whereas it would have been part of a Switcher commercial in the early 00s.



I, for one, totally believe the data detectors explanation. I've had several near misses on adding the wrong contact information to someone's contact because of scenarios just like this. If you are paying attention, it shouldn't be a problem, but data detectors are pretty dumb, and if some contact info is in an email from someone it will often suggest an info update, even if the data is unrelated to the person actually sending the data.

Honestly, I'm not sure why the Fed hasn't stood up their own Signal network/app that doesn't use the phone address book, etc. The thing is freaking open source. I've considered setting something like that up for better parental controls for family/friends and find it hard to believe that the government couldn't set up something like that. Either the encryption works or it doesn't. Outside of user error or the person's device being compromised, I've seen zero indication that Signal is less secure than the government networks. You could argue that Signal is more secure because it doesn't retain messages in a manner that can be retrieved from archives. Of course not storing that runs into Federal records laws, but that is a different argument from the security of the conversation.

I know there is an argument that conversations like this should be taking place in specific secure facilities, and while I buy it for really sensitive stuff, I'm not sure this qualifies. If they were talking about the mole they have standing behind Putin for instance, that shouldn't be talked about outside of the most secure devices.


>I, for one, totally believe the data detectors explanation

I don't understand what they're saying. I haven't used an iPhone in a few years. Still, when I did, it never exhibited the above behavior ("an iPhone algorithm adds a previously unknown number to an existing contact that it detects may be related").

If this actually happens, this is clearly the most plausible explanation, but does it happen?

>I'm not sure why the Fed hasn't stood up their own Signal network

They have officially sanctioned secure messaging apps (e.g. they use Wickr). These people just don't want to use them.

>I've seen zero indication that Signal is less secure than the government networks

It is. Not because it's technically insecure but because it's controlled by a private company outside of government control. The threat model for these people is very different from ours.

>I buy it for really sensitive stuff, I'm not sure this qualifies

Hegseth detailed the operational timeline for the strikes and specified launch times for F-18 fighter jets and MQ-9 drones. He gave the timeline for when bombs would be dropped.


I agree. But still... why did Waltz need to call Goldberg "a loser"? It was a mistake on the part of Waltz. Has he apologized or been fired for *his* actions? (I'd go for a simple - but public - reprimand. American soldier lives were put in danger because of this.)


@Plume It looks like this and has happened to me, though I think Siri was correct in my experience. I’ve also seen a bunch of cases when I wish it would have offered the option but didn’t. I don’t understand what the criteria are.


> If this actually happens, this is clearly the most plausible explanation, but does it happen?

Absolutely does happen. It doesn't just add it without some level of user interaction, but it does suggest it and if you weren't paying attention it would be an easy mistake to make.

> These people just don't want to use them.

The evidence I've seen from the last 1.5-2 decades is that no one in government wants to use the official secure communication channels. See Hillary Clinton and her email server. Having never used any of the official government tools, I don't know how insufferable they are to use, but having used other IT from various government organizations, I'd guess pretty terrible. And there is zero incentive to improve it because that would cost money and everyone /has/ to use it anyway.

> Hegseth detailed the operational timeline for the strikes and specified launch times for F-18 fighter jets and MQ-9 drones. He gave the timeline for when bombs would be dropped.

That is fair. I was uncertain on the timing of the details vs the attacks happening. If it was hours in advance, yeah, that is, at best, unwise. If it was more or less real time, I have less of a problem with it as after the attacks are happening, keeping such information secret is minimally important.


I’ve got a little over 500 contact cards. On the Mac, back on 10.14 Mojave (and earlier; I can’t speak to later macOS versions), Siri/data detectors will display information that’s been found in other apps in an existing contact card. I found an instance of this, essentially like this:

TimCook@gmail.com (added by me)

tim.cook@gmail.com (noticed by Siri in an email)

I prefer the capitalization, and I remove periods from Gmail usernames since they have no effect. The two addresses as shown would get to the same person.

But the Siri-added info isn’t really in the contact card. For one, it’s not shown in Contacts on my up-to-date iPhone (13 mini, so no AI). On top of that, in Mac Contacts, off to the right of the Siri/data detectors suggestion, is a lowercase i in a circle, akin to an Information icon/emoji. Clicking that, the data source is shown and buttons are there to add the information to the contact or to ignore it. Again, this is only on the Mac, not on an up-to-date iPhone.

For as tight-lipped as Apple can be, for as obstinate as Apple can be about product mistakes/shortcomings, I’m more confident it’s not their work that was the problem rather than a mistake by a politician within a group of people who never admit any wrongdoing.


>It looks like this

That's wild. If Apple makes this association based on a phone number merely just appearing in an email, then I absolutely believe this is what happened. The fact that this prompt doesn't even give any context for where the number was found is atrocious design.

>no one in government wants to use the official secure communication channels

This actually pisses me off. I work for a company that has government contracts, and we have some security restrictions, and I just do that shit even if it's annoying and makes my work harder.

These people are literally making decisions that affect the whole world, and they can't be bothered to follow the most basic security protocols.
