Technical analysis of the Signal clone used by Trump officials

See also: &quot;<i>The Signal Clone the Trump Admin Uses Was Hacked</i>&quot; <a href="https:&#x2F;&#x2F;www.404media.co&#x2F;the-signal-clone-the-trump-admin-uses-was-hacked&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.404media.co&#x2F;the-signal-clone-the-trump-admin-use...</a>

Still trying to grasp the idea of archiving messages from E2E encrypted communication system into a storage that entirely breaks the purpose of using something like Signal.<p>It’s like encashing on the trust of Signal protocol, app while breaking its security model so that someone else can search through all messages.<p>What am I missing here?

The bigger story is the follow up that shows someone already hacked telemessage because the app seems to be vulnerable to several exploits (and transmits data in the clear apparently).<p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43896138">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43896138</a>

The big part of this story which nobody is talking about is the fact that the app is literally controlled by a bunch of “former” Israeli intelligence officers. Who now have what is arguably the worlds most valuable access out of anyone.

White House communications director previously revealed (after “Signalgate”) that Signal was an approved and whitelisted app for gov’t officials to have on work phones and even discuss top-secret matters on. But I haven’t heard that TeleMessage was approved (and I’d have serious questions if it were given the foreign intelligence factor). Anyone know if there is a clear answer to whether it’s been approved?

More and more I am starting to understand that making money with software really has nothing to do with quality. It&#x27;s about checking boxes. Enterprise SSO? Check. Auditing? Check. Does it &quot;kinda&quot; do the thing as advertised? Sort of, poorly, and slower than many free open source offerings. Oh, and also the company is in talks for an acquisition, so the entire engineering team is just drawing up plans for their vacation homes and picking out their BMWs at this point, while the product rots. Doesn&#x27;t matter, here&#x27;s your eight figure contract so we can tell the SLT we did a thing. By the time enough people have had to deal with it to get rid of it, all the decision makers will have moved on to something else.

Is Signal allowing arbitrary apps to connect to its network? How do I know that my correspondent is using TM Sgnl or another unofficial app?<p>Doesn&#x27;t that break Signal&#x27;s security guarantees? For example, what if I set my message to delete in 1 hour but TM Sgnl archives it, or some other app simply ignores the retention setting?<p>If Signal allows it, it seems like a major vulnerability? I suppose I must trust other users - they could always screenshot a conversation. But while I trust them not to intentionally cheat me, I shouldn&#x27;t have to trust them to accurately evaluate the security implementation of a software application - something most people can&#x27;t do, Mike Waltz being the most famous example.<p>Maybe Signal should identify users unofficial clients. A downside is that it would provide significant identifying information - few people use unofficial apps.

I thought the only client allowed on Signal was the official build provided by Signal itself? Does this mean Signal does officially allow another build (Telemark&#x27;s TM SGNL) access to the Signal network?

There’s chatter on bsky.<p>But tl;dr anything said on those phones is assumed to be compromised until proven otherwise by time or a whole lot of very interesting security verifications. So far the evidence that this is a very large leak looks probable based on the evidence presented.

We should all feel relieved that trump admin are following law to archive their chats after all.<p>Unfortunately this Israeli company is just incompetent, should try something from Russia next time, given that’s all the data end up to be anyway.

I presume that there is an official application that has been created by the US military &#x2F; NSA &#x2F; some other entity to facilitate secure encrypted messaging for a presidential administration?<p>If such a beast exists what is it called? How does it work?<p>I would more expect it to be a specific combination of hardware physically approved phones and software.<p>Did the prior administration use it exclusively?<p>I remember Obama allegedly refusing to part with his Blackberry.

This news story has been strange for me for awhile because on one hand NO our public officials should not be using Signal, but it isn’t because Signal is a bad technology choice. Signal is great. It’s probably the most useable service that’s verifiably secure.

Speculation, as no &#x27;technical&#x27; analysis could be performed without access to the actual binaries. These aplications are unlisted and otherwise assigned to organisations using device management. This analysis is based on documentation and how this assignment process works. There is no way to determine if an original application got modified, as this would be the same for the WeChat, WhatsApp applications, or that they recompiled the open source version?

Here is the thing about e2e encrypted messengers: They lock you and your data in and do not allow you control of your life. There is a right to data portability (at least in the eu) that they violate and there is no one fighting for it. Whenever i engage in conversation about this i get empty faces, hostility and vague references to features that are crippled or just don&#x27;t work at all. There are people and institutions that have to archive the communication centrally and they don&#x27;t have control over how they are contacted and cannot have conversation about the channel used in every interaction all the time. The solution is to finally force messengers to allow api access to all communication data and then show a sign similar to ssl warnings in browsers to the other side that this user is using an archival api service.

Installing Signal using this method provides none of the guarantees Signal can normally provide by being an open verifiable application. It not only opens you up to state actors, but also IT folks like us. This is very much tech news. It helps explain why MDM is both critically important for businesses and terrible for security.

what is going on in the US gov IT?<p>They took an Israeli app, that is a modified version of signal. the modification BREAKS the one thing signal is excellent at (keeping your messages encrypted so that only the desired endpoints can read them), then distributed it within the US Gov.<p>This is insanity!<p>US&#x27;s enemy&#x27;s couldn&#x27;t manufacture a better result themselves!

The decision to use a signal knockoff was a planned and managed one, not just on a whim. Who&#x27;s responsible for managing the phones?

You have to archive messages in some sectors by law, fine. But taking an E2E encrypted app and decrypting and storing the messages in plain text is a brain dead solution.<p>You get a group of people, say 5, and you generate a Shamirs Secret Split key requiring a minimum of 3 shares to recover, call it the archive key, with each share encrypted to one of those people. You have the modified apps encrypt chat logs every day to a new one time use key, and encrypt that to the Archive key, and upload the encrypted logs somewhere all can access.<p>Now 3 people in that set of 5 people get a subpoena to disclose logs in a given time period. Each one can consent to using their archive key in an ephemeral secure enclave server to decrypt the daily log keys in the requested date ranged, and decrypt the requested logs.<p>This way everything is end to end encrypted unless M-of-N people agree to decrypt specific archived logs to comply with a court order.<p>This shit is not that hard and with the budget of the White House there are 0 excuses for not running a private server and end to end encrypted chat apps with reproducible builds using archive tactics along the lines I just described.<p>But, I am also not mad at them making public fools of themselves either.

They took down the source code page: <a href="https:&#x2F;&#x2F;www.telemessage.com&#x2F;developer&#x2F;api-libraries&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.telemessage.com&#x2F;developer&#x2F;api-libraries&#x2F;</a><p>Screenshot of previous version: <a href="https:&#x2F;&#x2F;0x0.st&#x2F;8Jqf.png" rel="nofollow">https:&#x2F;&#x2F;0x0.st&#x2F;8Jqf.png</a>

What are the visually distinguishing features of this TM SGNL app compared to the official one? To my eyes, the app in the Waltz picture looks the same as the official one.

Kinda curious why meta isnt the one developing these government versions of messaging apps. Seems like a nice side biz

Is this feigned incompetence. Perhaps a cry for help, or a calculated disclosure?<p>I can&#x27;t imagine anyone who would make the mistakes this guy makes, yet here he is; freely using his computer in clear view of a reporter with a camera.

Fun fact: <a href="https:&#x2F;&#x2F;x.com&#x2F;wongmjane&#x2F;status&#x2F;1596615573303357440" rel="nofollow">https:&#x2F;&#x2F;x.com&#x2F;wongmjane&#x2F;status&#x2F;1596615573303357440</a>

From what I have read, the various secretaries have a &quot;work&quot; phone and a private phone. The work one is hardened and communicates on a secured government VPN system

[edit: apparently I responded to the wrong post. uh, oops. that&#x27;s embarrassing.]

So this whole app exists because Signal doesn&#x27;t have a way to archive messages on iPhone. Maybe they should take the hint and see that this is actually something a lot of people would find useful, instead of keeping it the backlog for a decade.

Wait, wait, wait.<p>Did TM SGNL archived conversations at a central server for later dissemination in an decryptable manner at the central server?

To me the shocking thing about the USA Gov&#x27;t is that they manage to lose trillions in the defense dept that they can&#x27;t account for, but somehow are unable to develop their own communications apps? What? Signing messages with a crypto key takes like 4 lines of code. It&#x27;s not rocket science. Yet they use some corporate app?<p>My only theory is that they&#x27;re pretending to have only &#x27;Signal&#x27; so that when they want to they can allow hackers to &quot;see&quot; stuff they WANT to be seen. Like a disinformation honey pot designed to misdirect America&#x27;s enemies. While they actually have a totally separate secret app that <i>is</i> secure and <i>is</i> developed by the NSA.

enjoyed this but not sure how technical it is if you can&#x27;t actually look at or disassemble the app in question.

OK, so now a foreign power has dirt on senior US officials as well as operational details about their plans. The first possibility leads to blackmail, the second to defeat, and both to scandal.

Mike should have used a GDPR-enabled app.

There is new reporting that a hacker has breached the parent company, TeleMessage, including live data being passed across servers in production.<p><a href="https:&#x2F;&#x2F;www.404media.co&#x2F;the-signal-clone-the-trump-admin-uses-was-hacked&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.404media.co&#x2F;the-signal-clone-the-trump-admin-use...</a><p>It was marked as a DUPE of this discussion, despite being a major new development <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43890034">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43890034</a> Hopefully that decision can be reconsidered

<a href="https:&#x2F;&#x2F;archive.is&#x2F;2025.05.04-225615&#x2F;https:&#x2F;&#x2F;www.404media.co&#x2F;the-signal-clone-the-trump-admin-uses-was-hacked&#x2F;" rel="nofollow">https:&#x2F;&#x2F;archive.is&#x2F;2025.05.04-225615&#x2F;https:&#x2F;&#x2F;www.404media.co...</a><p>Why are these being instantly marked as dead?

I appended a &#x27;d&#x27; to the end of the title to pre-empt objections that they&#x27;re not still using it. If it&#x27;s known for sure that they are, we can de-&#x27;d&#x27; that bit.<p>Edit: this subthread is obsolete now - I took a phrase from the author&#x27;s update to the article to use as the title above.

&gt; 404 Media journalist Joseph Cox published a story pointing out that Waltz was not using the official Signal app, but rather &quot;an obscure and unofficial version of Signal that is designed to archive messages&quot;<p>Wow. And that&#x27;s while their entire point of using Signal is to have conversations scrapped after a week to leave no no traces of criminal activity.