Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.
Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.
Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.
If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."
Hurting people in order to make them see how they are being hurt is almost never the right call.
Lying, propaganda, and shooting a bunch of people are also really effective techniques to spur revolution, but that doesn't mean they're good ideas.
Lying to people in order to make them never see how they are being hurt is almost never the right call.
There is a lot of daylight between dropping a bunch of texts for government officials and committing horrible violence against people as a whole! These are not the same thing! One could be good/fine while the other is bad!
Having said that I would worry for a WikiLeaks-style "oh now this random person's info is out there because it was in one of these e-mails".
I just want to see the gossip
I'm not saying these chats shouldn't be released. But I'd hope the names and other identifying info of people who weren't involved would be redacted, just keeping the context to show what kind of information was being carelessly shared. Of course, given the admin's shamelessness, they'd claim anything with redacted info was faked. It might be better to leave it verifiable.
We had the Cabinet Leaks in Aus https://www.abc.net.au/news/2018-01-31/cabinet-files-reveal-...
The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.
The act of helping cover this shit up likely changed the course of politics in this country for decades. There's likely stuff in that cabinet that was well in the public interest and needed disclosure.
Signalgate or whatever is likely the same. And I don't care which party it harms or whatever. It seems relevant that people should have more information, not less, considering everything that is happening.
The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.
Especially in conditions when you don't have to lie at that.
It's not because voters are so gullible that they are ready to believe any word of a charismatic leader. The loss of trust in the mainstream media and in the scientific community is a natural phenomenon in an environment where they only tell lies to push their political agenda.
Unfortunately, the financial structure doesn't really make it easy for custom DoD software.
The less charitable one is that Moxie was the opinionated and uncompromising core of the Signal Foundation and has been removed from the board and completely vanished from the public eye. What it stands for now is a touch less clear.
How is Molly doing these days? Is there an alternative server you could selfhost?
This mess is entirely the fault of Telemessage and the people who chose to use it for top-secret comms.
This is about an overseas elite who profited from US war aid for decades holding the US presidency by the balls, and everyone thinks this is just incompetence.
Think for a second: if any other administration was using a telephone or communication software made by a never-before-heard-of company overseas, would you think it was just incompetence? Why do these traitor clowns get a pass?
One interesting thing I saw in the original article was that the US was using TeleMessage since February 2023. If that's true, it means we have two administrations who are responsible for this choice.
Mozilla still allows you to install and download add-ons and use other Mozilla services like VPN and Relay from your LibreWolf build.
Probably not much they could do, because I'm sure that's why TeleMessage didn't call their app "Signal", but "SGNL".
I don't know if that use was authorized or not.
Malfeasance or misfeasance could include flat-out spyware versions of software, often made available in internal "software stores," instead of legitimate software distributed from the developer or through official channels.
Java Server Pages is now Jakarta Server Pages, part of Java EE (Jakarta EE), and its latest version, 11, was released just a year ago. Spring Framework 7 will be released by the end of 2025 and be based on it. Tomcat 11 is already based on it as well.
And all of this is based on the thriving Java ecosystem.
Version 12 is under development.
If they kept their stuff updated, nothing about this is legacy. It just declined in popularity.
You can build insecure trash and expose unprotected endpoints with next.js, or whatever is currently considered state of the art, as well.
- Pete Hegseth
That line simultaneously becomes funnier and more depressing.
"At the helm of TeleMessage, my leadership is defined by strategic innovation and a steadfast commitment to advancing telecommunications solutions. With a focus on SaaS products, our team has successfully navigated the industry's evolution, ensuring that we remain at the forefront of technological advancements. My role encompasses not only the oversight of our direction but also the cultivation of a culture that values ethical standards and collaborative success.
Our achievements are anchored in a proven track record of delivering results and solving complex problems with efficiency. Spearheading business development and marketing initiatives, we have established a reputation for excellence within the telecom sector. The acquisition of TeleMessage by Smarsh in 2024 stands as a testament to our team's dedication and my leadership in driving growth and fostering a united vision."
Is this group not very seriously discredited, with ties to FBI, convicted child porn criminals, etc? Or am I getting something mixed up?
This could still be a legitimate leak, of course. I'm just wondering if this info is publicly known, or if I'm conflating things.
https://smarsh.my.salesforce.com/sfc/p/#30000001FgxH/a/Pb000...
Anecdote: on Wall Street, Global Relay and TeleMessage are the major players when it comes to archiving communications for compliance.
The WhatsApp archiver, from what I can tell, seems to install a patch on the user's WhatsApp installation. Probably a security nightmare, sure, but I don't think it would be illegal.
https://techcrunch.com/2024/03/21/doj-calls-out-apple-for-br...
It’s not the same thing as providing a compatible app with their own branding
I think that's giving them too much benefit of the doubt. They know what they're doing, it's clear they want "security for me, but not for you", and claiming they're too dumb to know exactly what they're doing is playing it exactly like how they want it.
Sorry, but no, journalists and researchers have implicit bias.
Aurornis•8mo ago
This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
barbazoo•8mo ago
I hope the message dump is juicy.
viraptor•8mo ago
conradev•8mo ago
The US only has voluntary military service, so the dynamics are different
lysp•8mo ago
aorloff•8mo ago
gruez•8mo ago
kennywinker•8mo ago
Big presumption.
If I were Israeli, there's no way in hell anybody with half a brain would want me near their spy agency.
When a gov is committing a genocide, their decisions are based on control and fear, not getting the best out of people.
Edit: downvote all you want. Israel is still committing a genocide. No hospitals left standing. Killing aid workers, journalists, and doctors. A million people on the brink of starvation. Literally salting the earth to prevent crops from being grown. That is war crimes, ghettoization, and genocide.
oceanplexian•8mo ago
ripley12•8mo ago
coolcase•8mo ago
karn97•8mo ago
stefs•8mo ago
czl•8mo ago
msy•8mo ago
sillystu04•8mo ago
[1] https://www.bloomberg.com/news/articles/2024-05-15/ftx-bankr...
coolcase•8mo ago
bn-l•8mo ago
fredoliveira•8mo ago
coolcase•8mo ago
stackskipton•8mo ago
underdeserver•8mo ago
This is a country of 10 million people, a rather heterogeneous one at that. There are going to be better and worse companies.
treebeard901•8mo ago
coolcase•8mo ago
H8crilA•8mo ago
rsynnott•8mo ago
rainworld•8mo ago
It’s especially true for spooks of a certain entity. Also, it’s easy to confuse brazenness, being protected from consequences, and usually downplayed or secret Western complicity with competence.
rsynnott•8mo ago
keeda•8mo ago
ExoticPearTree•8mo ago
Working with a few companies like these, I can tell you that the marketing is top-notch, and very aggressive. The products not so. Most get better with time.
coolcase•8mo ago
elzbardico•8mo ago
mingus88•8mo ago
And charging for it?!
I’m not sure what is more embarrassing: to be the company or to be a user.
hypeatei•8mo ago
Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
dylan604•8mo ago
Which does not bode well for the customers' counter intelligence abilities
n2d4•8mo ago
How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?
Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.
g-b-r•8mo ago
barbazoo•8mo ago
notpushkin•8mo ago
jojohohanon•8mo ago
pigbearpig•8mo ago
So the heapdumps being available is a Spring Boot feature so it does not appear to be malicious.
evrflx•8mo ago
bryanrasmussen•8mo ago
terom•8mo ago
Looks like there is a change [2] coming to the `management.endpoint.heapdump.access` default value that would make this harder to expose by accident.
Let's look for `env` next...
[1] https://docs.spring.io/spring-boot/reference/actuator/endpoi...
[2] https://github.com/spring-projects/spring-boot/pull/45624
flarecoder•8mo ago
It seems that users commonly misconfigure Spring Boot security or ignore it completely. To improve the situation, I made this PR: https://github.com/spring-projects/spring-boot/pull/45624.
When the PR was created in 2016, endpoints were marked as "sensitive" and, for example, the heapdump endpoint would have to be explicitly enabled. However, Spring Boot has evolved over the years, and only the "shutdown" endpoint was made "restricted" in the later solutions. My recent PR will address that weakness in Spring Boot when users misconfigure or ignore security for a Spring Boot app so that heapdumps won't get exposed by default.
testplzignore•8mo ago
I think it would be wise to either disallow the ports being the same, or if they are the same, only enable the health endpoint.
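As an added illustration of the exposure terom and flarecoder describe, and of testplzignore's suggestion that only the health endpoint should be reachable when the management port is shared: a Go probe, written for this page and not taken from Spring Boot, Tomcat or TeleMessage, that issues anonymous GETs against /actuator/* and reports which sensitive endpoints answer 2xx. The target here is a constructed httptest stand-in rather than a real JVM; the endpoint list, the `exposeAll` flag and the fake responses are this example's own assumptions. The property name `management.endpoints.web.exposure.include` is Spring Boot's; the `management.endpoint.heapdump.access` change terom links is the one that would make the `exposeAll=true` case harder to reach by accident.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// Actuator endpoints that hand out secrets or process memory when reachable
// without authentication. "health" is the only one that is normally safe to
// expose anonymously. (List assumed for this example.)
var sensitiveEndpoints = []string{"heapdump", "env", "threaddump", "configprops"}

// Finding is the result of one unauthenticated probe.
type Finding struct {
	Endpoint string
	Status   int
	Exposed  bool // true when the endpoint answered 2xx with no credentials
}

// probeActuator issues anonymous GETs to /actuator/<endpoint> for each name.
// A 2xx answer means the endpoint is reachable without auth; 401/403 means a
// security filter sits in front of it; 404 means it is not exposed at all.
func probeActuator(baseURL string, endpoints []string) ([]Finding, error) {
	client := &http.Client{}
	var out []Finding
	for _, ep := range endpoints {
		resp, err := client.Get(baseURL + "/actuator/" + ep)
		if err != nil {
			return nil, fmt.Errorf("probe %s: %w", ep, err)
		}
		resp.Body.Close()
		ok := resp.StatusCode >= 200 && resp.StatusCode < 300
		out = append(out, Finding{Endpoint: ep, Status: resp.StatusCode, Exposed: ok})
	}
	return out, nil
}

// exposedEndpoints returns the sorted names of endpoints that answered 2xx.
func exposedEndpoints(findings []Finding) []string {
	var names []string
	for _, f := range findings {
		if f.Exposed {
			names = append(names, f.Endpoint)
		}
	}
	sort.Strings(names)
	return names
}

// sameStrings compares two probe result lists element by element.
func sameStrings(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// newFakeActuator is a constructed stand-in for a Spring Boot app, not a real
// JVM. exposeAll=true models management.endpoints.web.exposure.include=* with
// no security filter on the management port; exposeAll=false models an app
// where only /actuator/health is reachable anonymously.
func newFakeActuator(exposeAll bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/actuator/health", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"status":"UP"}`)
	})
	if exposeAll {
		mux.HandleFunc("/actuator/heapdump", func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/octet-stream")
			// A real answer is a multi-GB HPROF file; the stub only needs to be 200.
			w.Write([]byte("JAVA PROFILE 1.0.2\x00"))
		})
		mux.HandleFunc("/actuator/env", func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			fmt.Fprint(w, `{"propertySources":[{"name":"systemEnvironment","properties":{"DB_PASSWORD":{"value":"******"}}}]}`)
		})
	}
	// Everything else falls through to ServeMux's 404, i.e. "not exposed".
	return httptest.NewServer(mux)
}

func main() {
	for _, exposeAll := range []bool{true, false} {
		srv := newFakeActuator(exposeAll)
		findings, err := probeActuator(srv.URL, append([]string{"health"}, sensitiveEndpoints...))
		srv.Close()
		if err != nil {
			panic(err)
		}
		fmt.Printf("exposeAll=%-5v anonymous 2xx on: %v\n", exposeAll, exposedEndpoints(findings))
	}
}
```

To use it against a real deployment, replace `srv.URL` with the management base URL of the app under test; an anonymous 200 on /actuator/heapdump is precisely the condition this thread is about. The corresponding fix on the Spring side is to keep the exposure list down to health (and to put authentication in front of anything else that has to be exposed), not to rely on nobody guessing the path.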
smaudet•8mo ago
Sure, punching buttons for money is a widespread issue in the industry, but devs also like convenience.
Security has the hard problem that it's infuriatingly difficult to troubleshoot (ever tried to write security policies for an app or figure out how to let an app through a firewall, or set of firewalls?), and there's a bit of a culture of "security by obscurity".
So it's kind of expected that this is the behavior...
Sure some people will really just not care, mistakes will be made, but secure defaults, easy to configure and simple to understand are features not often seen from security products generally. This is driven by poor motivations from security folk who want to protect their industry...
stackskipton•8mo ago
Your end users are not security savvy, they will never be security savvy, and you need to protect them from themselves instead of handing them a loaded handgun. This language more than most is filled with people punching buttons for a paycheck.
- Signed, Angry SRE who gets to deal with this crap.
michaelt•8mo ago
Would you have them make a secure back door that could only be intentionally designed, and potentially traced back to you?
Or would you just have them be incompetent in plausible, deniable ways?
Nobody’s getting shot for espionage because they chose log4j and it had the shell shock bug.
donnachangstein•8mo ago
But why would they? It's not their job. They have massive IT staff supporting them. "High level U.S. officials" are just executives; the pointy-haired bosses to the pointy-haired boss. Only difference is these wear little decorative pins over their breast pocket.
Every Fortune 500 company has dedicated IT staff for execs; someone you can call 24/7 and say "my shit's broke" and they respond "we just overnighted you a new phone".
These people couldn't even install an app on their MDM-controlled device, now the narrative has become we expect them to be making low-level IT decisions too?
Next week we'll be scrutinizing Pete Hegseth's lack of thoughts on rotating backup tapes.
Jedd•8mo ago
I think that's a misdirection.
The narrative is that:
a) they were using a compromised piece of software
b) they should not have been using that software - not (necessarily) because it was compromised, but because it wasn't US DoD accredited for that use case.
(I understand your point that these guys are not tech savvy, and do not need to be, but they should be regulation-savvy (clearly they either are not, or willingly broke those regulations), and they should be following organisational guidelines that presumably cover the selection and use of these tools types.)
da_chicken•8mo ago
This is the exact same problem as Clinton's BlackBerry Enterprise Server. Doing it right was hard and time consuming, so they ignored that and did what they wanted.
Only we should be a lot more demanding that our officials in 2025 have a better basic understanding of the importance of computer security than in 2005.
hristov•8mo ago
TeMPOraL•8mo ago
microtonal•8mo ago
input_sh•8mo ago
Yes, there's a fleet of people who are supposed to make such tech decisions. The people involved specifically went against those rules. The existence of a group chat using an unauthorised app is a violation on its own; adding a journalist to it is a violation on top of a violation.
Adding a journalist was accidental, but using such an app (despite it not being approved) is very intentional.
cornholio•8mo ago
This is typical for highly corrupt governments and autocracies, they crumble from within because the autocrats can't trust random, competent people so their inner circle becomes saturated with people who are selected on the basis of loyalty not competence, and these people end up making the most important decisions and running the country.
3rdDeviation•8mo ago
I assume he did and they said it was a bad idea - the memo they'd released a few weeks prior about Signal vulnerabilities seems to suggest a lack of faith in that approach - but he was already banging away on his phone with all the grocery reminders and definitely not battle plans he needs to keep pushing out. Which is also how it feels in the enterprise space these days.
Strange thing to see our bureaucracy start to behave like a corporation instead of the other way around.
nkrisc•8mo ago
If their staff makes bad decisions, that’s their failure too.
We expect them to be ultimately responsible for what happens on their watch.
Was it Truman who said, “Woah, don’t bring the buck anywhere near me, it stops with my assistant”.
aucisson_masque•8mo ago
kube-system•8mo ago
brookst•8mo ago
sneak•8mo ago
They could have used user-custody public key cryptography, where the end devices have the pubkey of the customer, and archive only re-encrypted messages to TM that they can’t read.
That is not, of course, what they did. They just archive them in plaintext.
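The design sneak sketches above, as an added example written for this page (it is not TeleMessage's code and not a description of what they shipped): a Go sketch of user-custody archiving using ephemeral-static X25519 and AES-256-GCM from the standard library. The sending device seals each message body to the customer's public key; the archive stores sender, recipient and ciphertext and never holds a key that opens it. The record layout, the hash-based KDF and its label, and the sample message are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// ArchiveRecord is what the archiving vendor stores. Metadata stays in the
// clear so compliance search still works; the body is sealed to the customer's
// key, so the vendor cannot read it even if its own servers leak.
type ArchiveRecord struct {
	Sender, Recipient string
	EphemeralPub      []byte // one-time X25519 public key from the sending device
	Nonce             []byte
	Ciphertext        []byte // AES-256-GCM over the message body
}

// newCustomerKey creates the customer-held X25519 key pair. The private half
// stays in the customer's own environment; devices get only the public half.
func newCustomerKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the ECDH shared secret into a 256-bit AES key. Hashing in
// both public keys and a label is a simple concatenation KDF (assumed here);
// a production design would use HKDF over the same inputs.
func deriveKey(shared, ephPub, customerPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(customerPub)
	h.Write([]byte("archive-v1"))
	return h.Sum(nil)
}

// aad binds the clear-text attribution to the ciphertext so the vendor cannot
// silently re-attribute a message to a different sender or recipient.
func aad(sender, recipient string) []byte {
	return []byte(sender + "\x00" + recipient)
}

// sealForCustomer runs on the end device before anything reaches the archive:
// ephemeral-static ECDH against the customer's public key, then AES-GCM.
func sealForCustomer(customerPub *ecdh.PublicKey, sender, recipient string, body []byte) (ArchiveRecord, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ArchiveRecord{}, err
	}
	shared, err := eph.ECDH(customerPub)
	if err != nil {
		return ArchiveRecord{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(shared, ephPub, customerPub.Bytes()))
	if err != nil {
		return ArchiveRecord{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ArchiveRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ArchiveRecord{}, err
	}
	return ArchiveRecord{
		Sender:       sender,
		Recipient:    recipient,
		EphemeralPub: ephPub,
		Nonce:        nonce,
		Ciphertext:   gcm.Seal(nil, nonce, body, aad(sender, recipient)),
	}, nil
}

// openAsCustomer is the only decryption path, and it needs the customer's
// private key. The vendor, holding just the record, has nothing to call this with.
func openAsCustomer(customerPriv *ecdh.PrivateKey, rec ArchiveRecord) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(rec.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := customerPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, rec.EphemeralPub, customerPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	body, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.Sender, rec.Recipient))
	if err != nil {
		return nil, fmt.Errorf("record does not open (wrong key or tampered metadata): %w", err)
	}
	return body, nil
}

func main() {
	customer, err := newCustomerKey()
	if err != nil {
		panic(err)
	}
	rec, err := sealForCustomer(customer.PublicKey(), "+15550100", "ops-group", []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor sees: %s -> %s, %d ciphertext bytes, no key\n", rec.Sender, rec.Recipient, len(rec.Ciphertext))
	body, err := openAsCustomer(customer, rec)
	fmt.Printf("customer opens: %q (err=%v)\n", body, err)
}
```

The point of the AAD is the part vendors tend to skip: with attribution bound into the tag, a record whose sender or recipient field has been edited after the fact no longer decrypts, so the archive cannot be quietly rewritten even by someone with full access to its storage.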
kevincox•8mo ago
_kb•8mo ago
HenryBemis•8mo ago
I haven't used WhatsApp for 'a very long time' as I have exited the FB ecosystem, but back in the day I remember seeing "lite" or "WhatsApp+" or other variations of the software. I wouldn't be surprised that those "lite" or "+" come with baggage.
yapyap•8mo ago
miki123211•8mo ago
If you want to keep the branding of Signal being the secure app, you need to make sure that all Signal users are actually using a secure version of Signal.
If an insecure fork (like this one) becomes too popular, most groups will have at least one member using it, and then the security is gone.
calvinmorrison•8mo ago
ctxc•8mo ago
ctxc•8mo ago
pchristensen•8mo ago
xandrius•8mo ago
fn-mote•8mo ago
Sure, this is HN, we know one of the effects of locking the ecosystem and coloring in-system messages differently is to encourage people to be in the ecosystem.
At the same time, you ALSO need to consider that obviously there will be leaks.
Malicious/advertising apps will target the new messaging interface to gain more data on their victims, etc.
smaudet•8mo ago
Locking down a platform is not an acceptable solution to the above conundrum - it doesn't matter if the user is using an official device/app whatever if they are untrusted. They can always turn around and leak everything you say without any technical measures.
Should we have no security? No, if you want to color messages differently based on perceived platform, fine. This is just an illustration that no technical measures can replace the fundamental trust necessary in these types of situations.
aesh2Xa1•8mo ago
The third-party federation problem is real, but the vulnerability caused by TeleMessage isn't solved by removing federation.
xorcist•8mo ago
I believe the main criticism against Signal is that they should focus on getting widespread traction of secure messaging, and that perhaps the brand can be a relatively distant concern.
jfim•8mo ago
0xbadcafebee•8mo ago
I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.
pigbearpig•8mo ago
"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."
formerly_proven•8mo ago
davedx•8mo ago
teekert•8mo ago
callamdelaney•8mo ago
teekert•8mo ago
callamdelaney•8mo ago
Took a while to work out that for some reason docker-compose is messing directly with iptables to shoot holes in the firewall we'd configured. Figured out you have to write your compose in some super special way to disable that functionality. Compose should never ever open network ports, ever, in my book; to do so without a warning or anything, though, is, like I said, insane!
kbouck•8mo ago
napkin math:
diggan•8mo ago
Edit: reading the description on the dump again, seems exactly what they did:
> Some of the archived data includes plaintext messages while other portions only include metadata, including sender and recipient information, timestamps, and group names. To facilitate research, Distributed Denial of Secrets has extracted the text from the original heap dumps.
https://ddosecrets.com/article/telemessage
coolcase•8mo ago
trebligdivad•8mo ago
BearOso•8mo ago
That's very important to say. I went through one of these massive data dumps recently and it was literally all cached operating system package updates and routine logs. Nothing at all of interest.
It's easy to cut the size on a heap dump. When it's not done it seems sketchy. But it could be a 512GB dump and already pruned, so I could be wrong.
harrall•8mo ago
Though the heap dump would have messages in flight at the time. It's obviously not as useful if you are just trying to grab messages for a specific person.
Frankly the most useful part might be any in-memory secret keys, which could be useful for breaking deeper into the system.
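harrall's point that a dump carries whatever was in flight plus in-memory secrets, and BearOso's that most of a dump is noise, as an added triage example written for this page (not DDoSecrets' extraction tooling and not anything from the leak): a Go scanner that pulls printable strings out of a dump the way strings(1) does, flags PEM keys, JDBC credentials, bearer tokens and message JSON by pattern, and catches opaque tokens by Shannon entropy. The input is a constructed byte blob, the category names, patterns and threshold are this example's own, and none of the embedded values is real.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
)

// Finding is one printable string from the dump plus the reason to look at it.
type Finding struct {
	Offset   int
	Category string
	Snippet  string
}

// Prefix-based classifiers, checked first. Category names are this example's own.
var classifiers = []struct {
	name string
	re   *regexp.Regexp
}{
	{"pem-private-key", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	{"jdbc-credentials", regexp.MustCompile(`jdbc:[a-z0-9]+://[^\s"]*password=[^&\s"]+`)},
	{"bearer-token", regexp.MustCompile(`(?i)authorization:\s*bearer\s+\S+`)},
	{"message-json", regexp.MustCompile(`"body"\s*:\s*"`)},
}

// runRe mimics strings(1): any run of at least 8 printable ASCII bytes.
var runRe = regexp.MustCompile(`[\x20-\x7e]{8,}`)

// tokenRe catches opaque blobs (API keys, session tokens) with no telltale
// prefix; they count only when their entropy exceeds what hex or words reach.
var tokenRe = regexp.MustCompile(`[A-Za-z0-9+/=_-]{32,}`)

const entropyThreshold = 4.0 // bits per byte; hex text tops out at exactly 4.0

// shannonEntropy returns bits per byte of s (0 for a constant string).
func shannonEntropy(s string) float64 {
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	var h float64
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(s))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// scanHeap walks the printable strings and keeps the ones that look like
// credentials or in-flight message bodies; class names, package metadata and
// routine log lines fall through and are dropped.
func scanHeap(buf []byte) []Finding {
	var out []Finding
	for _, loc := range runRe.FindAllIndex(buf, -1) {
		off, text := loc[0], string(buf[loc[0]:loc[1]])
		matched := false
		for _, c := range classifiers {
			if c.re.MatchString(text) {
				out = append(out, Finding{off, c.name, text})
				matched = true
				break
			}
		}
		if matched {
			continue
		}
		for _, tok := range tokenRe.FindAllString(text, -1) {
			if shannonEntropy(tok) > entropyThreshold {
				out = append(out, Finding{off, "high-entropy-token", tok})
			}
		}
	}
	return out
}

// categories returns the sorted, de-duplicated categories in a result set.
func categories(fs []Finding) []string {
	seen := map[string]bool{}
	for _, f := range fs {
		seen[f.Category] = true
	}
	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// buildSampleHeap is a constructed stand-in for a dump: binary filler around
// the kinds of strings a messaging server's JVM heap would hold. Nothing in it
// is real data; the token is simply all 64 base64 characters once (6.0 bits/byte).
func buildSampleHeap() []byte {
	filler := []byte{0, 0, 0xca, 0xfe, 0xba, 0xbe, 0, 1, 0x7f, 0}
	token := "mZ3qXp8L0vKnR5w2TcY7bA1sD4fG6hJ9kUeIoPyVxBMW+/CaEtFrHgQdSjNlOiuz"
	chunks := []string{
		"java/lang/String",
		"-----BEGIN PRIVATE KEY-----", "MIIEvQIBADANBg", "-----END PRIVATE KEY-----",
		"jdbc:postgresql://db.internal:5432/archive?user=archiver&password=Hunter2Hunter2",
		"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2ln",
		`{"apiKey":"` + token + `","ttl":3600}`,
		`{"sender":"+15550100","recipient":"ops-group","body":"constructed test message, not real traffic"}`,
	}
	var buf []byte
	for _, c := range chunks {
		buf = append(append(buf, filler...), c...)
	}
	return append(buf, filler...)
}

func main() {
	for _, f := range scanHeap(buildSampleHeap()) {
		fmt.Printf("0x%06x %-20s %s\n", f.Offset, f.Category, f.Snippet)
	}
}
```

On a real HPROF file you would feed the whole file (or each mapped segment) to scanHeap; the offsets let you go back with a proper heap analyser to find the owning object, which is how you tell a live session key from a stale string that was about to be garbage-collected.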
aorloff•8mo ago
But these guys are only interested in "journalists" not people who spent decades digging into ad server heap dumps
kleton•8mo ago
aorloff•8mo ago