(DIR) Post #AtpUBdR2my1Cu8pJDc by mcc@mastodon.social
2025-05-06T21:05:06Z
0 likes, 0 repeats
Last month when it came out Pete Hegseth was doing big group Signal chats sharing operational details of ongoing military strikes, my first thought was "wait, if they're using Signal how are they complying with the Presidential Records Act?" We now have the answer to that question: "they're using a dodgy, apparently insecure fork of Signal to log the messages". Whether this is better or worse than simply *violating* government retention rules is a matter of perspective. https://infosec.exchange/@josephcox/114434692665724143
(DIR) Post #AtpUBeb0TPa8VKUmO0 by xarph@rusty.cat
2025-05-06T21:11:30Z
0 likes, 0 repeats
@mcc @josephcox it went from "they're using signal" to "they're using a fork of signal" to "the fork of signal's source code leaked" to "the fork of signal has hardcoded secrets" to "the fork of signal has shut down after multiple groups pillaged it" in a week.
(DIR) Post #AtpUBj0g3uUcC6XKxE by mcc@mastodon.social
2025-05-06T21:09:43Z
0 likes, 0 repeats
Now note, I don't think there's anything wrong with the idea of a Signal variant that can do offsite logging — designing a secure version of that is an interesting design problem and I think it's entirely feasible! It does not appear that the version of the product they actually selected is *not* the secure version, or at least, someone successfully nabbed a bunch of plaintext chats from the product by hacking an AWS server (!!!) which implies many alarming things about the system architecture.