>>> overnment agencies have paid for versions of encrypted messaging apps that also have archive abilities before. In 2021, Customs and Border Protection (CBP) paid encrypted app company Wickr $700,000.
This seems like a perfect use case to support Signal. Have large, corporate or govt entities, pay for a custom fork of the app, built by the app developers themselves.
Why is telemessage getting the money ? Does the Signal Foundation not make it easy to do paid fork implementations ?
steamrolled 10 hours ago [-]
If Signal becomes financially dependent on government contracts, the govt gains a lot of leverage over the app. I'm not sure that's a great position for this particular platform to be in.
Nifty3929 9 hours ago [-]
This is a good point - but at some point we have to trust someone. I feel that the Signal folks are worth trusting. Plus it's open source, so the more technie among us can meaningfully audit what's going on. That's not foolproof, but it does seem better than most alternatives.
Certainly it's better for the gov't to pay Signal than to try to do it themselves.
Freak_NL 7 hours ago [-]
> I feel that the Signal folks are worth trusting.
The MobileCoin integration and the long standing refusal to support a way to use the messenger without using a phone number (or a smartphone at all) make me wary. To me they sit pretty much on the same level of trust as Meta's WhatsApp, which is a sad thing to have to conclude.
cantrecallmypwd 6 hours ago [-]
This. Session does desktop and mobile cheerfully without leaving metadata enabling government real-time location tracking.
Wickr is owned by AWS, and only has a government/enterprise product now. The personal version has been discontinued.
andrewinardeer 6 hours ago [-]
Pardon my ignorance here, does this mean that governments approach Wickr and buy licences to use their encrypted messenger? If so, what does Wickr do better than other encrypted messenger apps?
bigfatkitten 5 hours ago [-]
In short, paperwork.
Government has a ton of policy requirements around data retention, audit logging, where their data is stored, who can access it etc, as well as technical requirements for things like encryption algorithms. They also have a requirement to operate on isolated networks.
It is difficult for an ordinary consumer messaging app to meet these requirements. Matrix is really the only competitor.
SurfShoulders 5 hours ago [-]
[dead]
dmix 10 hours ago [-]
90% of the work is probably compliance and gov contract hoop jumping, not the code.
inhumantsar 9 hours ago [-]
that seems optimistic tbh. I'd guess 70/30 lobbying/compliance.
mmooss 7 hours ago [-]
Maybe Signal needs to devote all their resources to develping the main app, which is their mission - secure communications for the general public.
photonthug 8 hours ago [-]
Katherine Maher, the CEO of NPR, chairs the board of the Signal Foundation.
mmastrac 11 hours ago [-]
> TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them
denkmoon 11 hours ago [-]
Crikey that's terrifying. Not even a US company either.
Titan2189 9 hours ago [-]
TeleMessage is an Israeli software company based in Petah Tikva, Israel. Founded in 1999 by Guy Levit and Gil Shapira, it provides secure enterprise messaging, mobile communications archiving and high-volume text messaging services.
https://en.wikipedia.org/wiki/TeleMessage
bb88 8 hours ago [-]
Even though Israel is our "Ally" -- we really shouldn't trust a foreign company with our sensitive messaging.
If you're in the government, you should treat Hegseth and anyone who uses Signal and TMSIGNL as compromised.
decimalenough 8 hours ago [-]
It's not like Israel would ever spy on the US right?
US spy agencies are world famous weak and heavy relayed on UK and Israel communications.
EasyMark 7 hours ago [-]
Or the US spy on Israel.
hackernewds 8 hours ago [-]
trust me that's a feature not a bug
huijzer 8 hours ago [-]
Please tell that to European governments too. The Netherlands military police was using Whatsapp (e.g., https://www.defensie.nl/actueel/nieuws/2022/06/15/maatregele...). Only Germany has the BwMessenger (Matrix) as far as I know. It makes me wonder what the other militaries are using.
oaiey 7 minutes ago [-]
The matrix development is carried by France a lot for their secure communication. The German affair hopped onto that.
tnolet 7 hours ago [-]
This is misleading bordering on rage bait. There were 11 dutch military police who created a WhatsApp group. This was not allowed and is also not sanctioned or any form of official Military Police communications channel.
The leader of those 11 was fired because of it.
It says it right there in the article. Stop making drama.
ahoef 6 hours ago [-]
I do not get the feeling that using WhatsApp was the source of the disciplinary measures here, but rather the racist contents they shared there. So to be fair to GP, this could be much more prevalent.
jmathai 10 hours ago [-]
FTA, fwiw: "404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”"
Hobadee 7 hours ago [-]
Telemessage got bought out by Smarsh a couple years ago. (Which several other commenters are saying is a US company) Their service has gone way downhill since.
Source: use them for several of my clients.
diamondage 6 hours ago [-]
Distilx has a non publically advertised service
esafak 11 hours ago [-]
What is the point of using Signal if you are going to let a (foreign) company intercept your communications? I guess they wanted the UX of a commercial product instead of whatever clunky app that's approved for government. Does anyone know what the alternative was?
sorcerer-mar 11 hours ago [-]
It makes a lot more sense if you don't assume from the start these people have one iota of intellectual horsepower.
Signal is approved for government uses, just not non-public DOD information. They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
UnreachableCode 7 hours ago [-]
> They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
Guidance from CISA (an agency within the Department of Homeland Security) does not translate to an Approval for DOD.
The DOD memo does not supersede other DOD instructions referenced by the memo requiring RMF and NIAP things.
sorcerer-mar 10 hours ago [-]
We're saying the same thing, It's "use Signal for everything you'd use Whatsapp or SMS for, and use the standard secure channels for anything you'd typically need a secure channel for."
fiddlerwoaroof 10 hours ago [-]
From last year after Salt Typhoon became public:
> Adopt a free messaging application for secure communications that guarantees end-to-end
encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging
app that is compatible with both iPhone and Android operating systems, allowing for text message
interoperability across platforms.
As Dev_VR said, that is a recommendation from CISA to private sector users, not an approval for DOD users.
fiddlerwoaroof 7 hours ago [-]
That’s only partially true: I know for a fact that people in government agencies were given permission to use Signal during the Salt Typhoon attacks. You might not be able to use Signal for certain DOD purposes, but non-DOD agencies do permit Signal.
pokstad 9 hours ago [-]
Traditionally you would use the plain old telephone system to communicate non-classified information. All of the major telcos services (voice and text) are no longer considered secure per CISA. CISA also recommended to instead use e2e encrypted services (specifically calling out Signal).
They need to let their foreign handlers know what they're doing... It is probably in the contract somewhere.
EasyMark 7 hours ago [-]
The alternative is not installing Signal on a phone with spy software on it. They aren't "intercepting" as in man-in-the-middle. They are intercepting by spying on the personal phone where signal is. signal is just another app on your phone. If you're using it for secrets comms you'd best have minimal or no software on the phone you're using and protect it every way you know how with passwords and encryption
t0lo 10 hours ago [-]
I don't get it. Why risk secuity vulnerabilities to archive when you can just ask israel and pegasus for the archives anyway.
t0lo 10 hours ago [-]
Wait this is israeli. Lol.
8 hours ago [-]
cge 11 hours ago [-]
As some details:
TeleMessage is/was an Israeli company [1], but was acquired last year by Smarsh [2], itself a subsidiary of K1 Investment Management, both US companies. It me whether the company moved. While not necessarily related at all, their terms of service also seem to explain specific arrangements for messaging in China that appear to involve disclosures to the Chinese government.
It's unclear to me how the app works. It appears to be advertised as a fork of the Signal client which uploads all content to a remote server, thus, of course, breaking the E2E encryption, unless the archive is considered an end and the connection to it is secure. It also appears to be advertised as being the same interface as Signal.
However, both the iOS and Android Signal clients are AGPLv3. I can't find any indication that the TeleMessage clients are anything other than proprietary. So are they going the route of giving the software and source only to paying customers under AGPLv3 (with those customers then free to distribute it)? Did they completely reimplement the client? Or are they an illegal proprietary fork?
The first option seems unlikely, and the latter two seem rather ominous for the security of the app.
E2E doesn't mean what I think you think it means; specifically, it has nothing to do with what the intended recipient (or their software) does with the message.
cge 10 hours ago [-]
That very much depends on who is running the archive system, and how it is implemented.
But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
IgorPartola 8 hours ago [-]
The point of E2E is only to make sure that Alice is talking to Bob and nobody else can pretend to be either of them or eavesdrop. There is no reason whatsoever to include where else the message may be sent, encrypted or not.
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
cwillu 7 hours ago [-]
Precisely. The security of a message endpoint ends at the point that the opposite party's leverage runs out.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
UnreachableCode 7 hours ago [-]
Is there a term for any application which offers full control of your messages then, ie, I send you messages on Signal, but I can make them self destruct and you cannot screenshot them? (Pretty sure Signal allows this?). Nothing stopping a user from taking photos of the screen using another device, of course. Or running their own fork of Signal (which, when run from the open source for Android at least, runs on production).
IgorPartola 3 hours ago [-]
Taking photos of your phone screen is the main loophole and is completely undetectable. Exactly what happened to Waltz and what caused TFA.
If you really need to, you can combine this with a rig that holds the phone and the camera just right, controls the lighting, and interacts with the phone via a hotdog mounted on a gantry. Come to think of it, any 3D printer can be adapted to archive Signal/Snapchat/etc. messages in a completely undetectable way. Could even reply if you rig up another phone to talk to your hot dog finger + camera robot.
cwillu 6 hours ago [-]
Dunno. Like I said, there's no way to do this effectively without some form of leverage over the counter-party. This sort of thing is why SCIF's exist, and is an example of the more extreme ends of leverage, but it still ultimately comes down to leverage: they can make you delete the message and will throw you in jail if you figure out a way to evade it.
One-time secret, maybe?
guappa 3 hours ago [-]
How can this exist?
tptacek 11 hours ago [-]
Smarsh is apparently a big deal in the compliance space. They're not randos. That doesn't take away the hilarity of using a Signal clone that defeats the whole purpose of Signal, though.
defen 10 hours ago [-]
Additional hilarity provided by their name being one letter different from the latinisation of a Soviet spy agency / Bond supervillain organization.
schoen 10 hours ago [-]
It looks like it was originally meant as a reference to the username of the founder (Stephen Marsh).
diamondage 5 hours ago [-]
Seems like an odd choice of name from an apparently low attack surface, cybersecurity aware company...
wisemang 9 hours ago [-]
Lousy smarsh weather
fluidcruft 11 hours ago [-]
Just wondering... if you work for a company and your employer provides you with modified GPL software, it's not considered distributed to you in ways that GPL would apply (so you are not free to further distribute it). At least that's how GPLv2 used to be explained as as business friendly--"private" modifications remain private and employees are not considered exterbal distribution. I'm not familiar with AGPL though.
giancarlostoro 11 hours ago [-]
AGPL is essentially GPL but over the network, if you can reach the service (be it website, or any other protocol) you should be able to receive a copy of the source code. TruthSocial was based on AGPL'd code, they had to comply.
sterlind 10 hours ago [-]
if your company itself modified the GPL software, you can't demand the modified source code from your boss. if your company purchased modified GPL software from a third party vendor, your company's legal department could force the vendor to cough up the source code.
wmf 10 hours ago [-]
The realpolitik here is that you can get fired if you leak the code, legal or not.
Hobadee 7 hours ago [-]
> unless the archive is considered an end and the connection to it is secure
LMAO NO! I have quite a few clients using Telemeasage, and most of them use Global Relay on the backend. It's a little terrifying actually, as Global Relay just ingests everything via SMTP. I haven't checked if they have DNSSEC or MTA-STS set up, but with how Global Relay operates I would be surprised if they did. I suspect a well-placed proxy or DNS poisoning could siphon off a good chunk of sensitive emails being sent to Global Relay.
giancarlostoro 11 hours ago [-]
> Or are they an illegal proprietary fork?
As long as their clients can redistribute it, its not illegal, especially if their clients have 0 interest in leaking the source code, the real trick is, has anyone who is NOT using that client hit any of the AGPL relay servers?
For context, I worked for an employer that sold a custom software solution, which used GPL'd software, client was in the military space, so I guess DOD, anyway, for over a decade nobody asked for any of the code, till some years back. I am guessing they just wanted to have it evaluated, but it was a workhorse of many many things, good luck trying to fork it, LOTS of moving pieces involved.
Nothing illegal unless someone who touches a TM SGNL server (somehow) requests the source and they reject you from having it.
Christ. Install it using an App Centre distribution
11 hours ago [-]
arghandugh 11 hours ago [-]
This is because they are lawless, careless, under the thumb of foreign interests, and have no intention of serving the interests of the people of the United States of America.
JumpCrisscross 11 hours ago [-]
Waltz was chosen for loyalty. He simply isn’t very smart. There is no grand plan behind getting your screen photographed while chatting with the VP, DNI and SecState.
UnreachableCode 6 hours ago [-]
Shouldn’t any government issued smartphone have privacy screen protectors at the very least?
qingcharles 9 hours ago [-]
Would love to know what the message from JD means: "I have confirmation from my counterpart it's turned off."
brewdad 7 hours ago [-]
OMG. He turned off the Pope!
11 hours ago [-]
JumpCrisscross 11 hours ago [-]
“On Thursday Reuters published a photograph of Waltz checking his mobile phone during a cabinet meeting held by Donald Trump. The screen appears to show messages from various top level government officials, including JD Vance, Tulsi Gabbard, and Marco Rubio.”
Head of NatSec, ladies and gentlemen. Once the domain of Kissinger, Brzezinski, Powell and Rice. Now with the opsec of a brain-damaged cocaine dealer.
grg0 10 hours ago [-]
Pin is 1234.
stateofinquiry 8 hours ago [-]
"That's amazing! I've got the same combination on my luggage!"
cantrecallmypwd 6 hours ago [-]
Looks at each other disapprovingly.
(It was 1-2-3-4-5.)
pseudo0 8 hours ago [-]
They are shuffling him off to be UN ambassador per recent reporting. Better late than never, I suppose.
timmytokyo 7 hours ago [-]
I'm sure his replacement will be so much better. /s
KerrAvon 9 hours ago [-]
Kissinger and Rice are war criminals who should have gone to jail for the rest of their respective lives. Trump’s guy can’t even manage that level of evil.
wiseowise 9 hours ago [-]
War criminals or not, you can’t deny they were smart. Unlike current administration.
cantrecallmypwd 6 hours ago [-]
Intelligence isn't a respectable quality in the face of illegal (allegedly), unethical, and/or immoral behavior.
Kissinger shared culpability for what happened in Cambodia, Laos, and Vietnam.
Rice shares culpability for what happened in Afghanistan and Iraq.
Hegseth may still participate in war crimes regardless of being a dim bulb. One can only hope his disability makes him less effective in causing harm deliberately, but he still may cause great harm inadvertently as well.
America needs to acknowledge that it has a multitiered system of selective criminal prosecution where some people get away with crimes because of who they are.
cryptonector 8 hours ago [-]
At least this takes care of the open records issues, no?
MaxPock 8 hours ago [-]
Wouldn’t it be more effective for the government to develop a highly secure communication app, known only to individuals in top-level positions?
This app would be discreetly installed upon appointment to a senior government role and automatically removed upon departure from office.
kristjansson 8 hours ago [-]
That's ... that's the communication network they're avoiding? Because the problem is not _which_ app, it's that it's _an_ app, on standard hardware, on the public internet?
UnreachableCode 7 hours ago [-]
Only, made by an Israeli company that presumably doesn’t make their version of Signal open source
aorloff 7 hours ago [-]
A lot more legal too.
cantrecallmypwd 6 hours ago [-]
Yes and no.
No, not for classified comms. They already have secure comms and SCIFs but they're not using them. This is what they should be using. And they should be following sterile opsec so they don't carry tracking and listening devices into classified meetings or strategy discussions with decision makers.
They do need better opsec for unclassified and personal comms. It would be nice™ for them to have a Signal-like app controlled by the NSA because depending on Signal or WhatsApp is vulnerable to a malicious insider. Few Meta employees have security clearances, while I don't know about Signal.
sagarpatil 8 hours ago [-]
So is signal safe or not?
EasyMark 7 hours ago [-]
Signal is fine, what's not fine is using it for top secret messages on your average everyday phone which is apt to get hacked by state actors and their mercenaries if you're important enough to be on their radar.
mmooss 7 hours ago [-]
Also it's not secure to share info in Signal chats with people who lack clearance.
brewdad 7 hours ago [-]
There's nothing to suggest Signal is compromised. Once you are passing your Signal data through a third party...who knows?
SurfShoulders 5 hours ago [-]
[dead]
mdhb 6 hours ago [-]
So wait…
They are using a Signal clone that is run by a group of Israeli intelligence officers??
I don’t think that part of the story has broken yet properly.
When you go to google maps for the address listed for that company you actually get a company called “Cyberint” which seems extremely not good.
Worse.. when you take a look at the bios for the company on their website I see that it’s filled with supposedly “ex” Israeli intelligence officers including the CEO among others.
https://www.telemessage.com/team/
That seems like a MUCH MUCH bigger deal than they currently known story.
Like several orders of magnitude bigger than the original signalgate story.
The implication here is that a bunch of Israeli intelligence officers have maybe the best access of anyone in the world right now in that they have a real time feed of every conversation that the US national security advisor is a part of.
6 hours ago [-]
whimsicalism 9 hours ago [-]
> 404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”
A blatant AGPL violation, no? Were they using Signal in the Biden admin or do these contracts get setup in prep for the new team?
janalsncm 11 hours ago [-]
It’s possible Mike Waltz didn’t think the archiving capability was reliable enough, so he added a journalist to the group chat.
pokstad 9 hours ago [-]
That’s like in the old days when you needed to get married and grabbed a random nearby person to be the witness.
onionisafruit 8 hours ago [-]
I doubt that’s happened more than twice in the history of marriage
joecool1029 7 hours ago [-]
I was the random person asked once before, didn't work though as my state requires a 72hour wait from filling out marriage application before you can be legally married. (Couple was eloping from another state and wanted to get married same day, were told it would have to be a different state)
incanus77 7 hours ago [-]
My parents got married in 1975 in this way.
mattl 8 hours ago [-]
It's happened more than once to me!
joejoo 11 hours ago [-]
[flagged]
bamboozled 10 hours ago [-]
"He's just joking"
michaelteter 7 hours ago [-]
Clown car.
_heimdall 11 hours ago [-]
It seems reasonable enough that the government may have built a forked version of signal with message archiving that meets documentation requirements.
If its an app they wanted kept under wraps, it will make the while Hegseth situation seem a lot more benign.
I use Molly Messenger on a secondary phone that doesn't have a SIM, its a fork of Signal with a few differences related to encryption at rest. It still works with normal signal users just fine, on the other end you can't tell I have a different client. If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
davidcbc 11 hours ago [-]
It was not built by the government and it's not some secret software, it's off the shelf software by an Israeli company.
_heimdall 10 hours ago [-]
I didn't catch this in the article here. Is that well known elsewhere?
davidcbc 10 hours ago [-]
> But the message is slightly different: it asks Waltz to verify his “TM SGNL PIN.” This is not the message that is displayed on an official version of Signal.
> Instead TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them.
Acquired by a US company, Smarsh, according to other comments
UnreachableCode 6 hours ago [-]
> If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
Is there no way Signal can prevent this in the official app?
poink 11 hours ago [-]
It's not only reasonable the US government should be archiving communications between officials, it should be compulsory. We've already had problems with this re: agents of government agencies like CBP and big bankers using E2EE messaging apps to skirt regulatory requirements.
That said, whether this makes the situation better or worse depends on who can actually see these archives. "Smarsh" is a US-based company, but they acquired TeleMessage, which was (is?) based in Israel.
dmix 9 hours ago [-]
Some of the top US government IT contractors are British, Canadian, and Italian owned companies. Running servers in the US for a government contract isn’t a big deal at a technical level.
9 hours ago [-]
FreakyT 11 hours ago [-]
Molly is great; I use it for the same purpose.
I find the Signal devs' attitude so frustrating; they deliberately disable the ability to use Signal in secondary device mode for phone-sized-devices, because they know the Correct Way To Use Signal™ is to only use it on one phone-sized-device.
firesteelrain 11 hours ago [-]
6 days ago there was the Hegseth article regarding this being hotly debated in here and it’s a great example of not having all the facts before jumping to conclusions. Part of the debate was regarding archiving of messages which now apparently there is a way to archive Signal messages automatically. Huh who would have figured
ceejayoz 11 hours ago [-]
Great motivated thinking, but wrong.
It would appear they're using this app now, post-incident, because they got in trouble. (And having messages with Vance, Gabbard, etc. be visible to the press pool camera is... not a great look for the guy who accidentally added a reporter.)
> All of the messages from a leaked group chat have been deleted from the phone of John Ratcliffe, the C.I.A. director, the agency said in a court filing.
chrisco255 10 hours ago [-]
Those are just accusations from a 3rd party agency. They have no way of knowing if Ratcliffe archived the messages before deleting. Signal has been approved since the Biden admin. It was most likely already distributed with the Telemessage feature.
ceejayoz 2 hours ago [-]
“the agency said in a court filing”
The agency is the CIA, to a court, saying the messages are gone.
UnreachableCode 6 hours ago [-]
> Signal has been approved since the Biden admin. It was most likely already distributed with the Telemessage feature.
How do you know this? Also I would not consider this a “feature”. We should assume they’re different apps, insofar as Telemessage can add whatever they please to the source
firesteelrain 3 hours ago [-]
"One of the things I was briefed on very early … was by the CIA records management folks about the use of Signal as a permissible work use," Ratcliffe said during a March 25 Senate Intelligence Committee hearing (see 45:05). "It is. That is a practice that preceded the current administration to the Biden administration."
This seems like a perfect use case to support Signal. Have large, corporate or govt entities, pay for a custom fork of the app, built by the app developers themselves.
Why is telemessage getting the money ? Does the Signal Foundation not make it easy to do paid fork implementations ?
Certainly it's better for the gov't to pay Signal than to try to do it themselves.
The MobileCoin integration and the long standing refusal to support a way to use the messenger without using a phone number (or a smartphone at all) make me wary. To me they sit pretty much on the same level of trust as Meta's WhatsApp, which is a sad thing to have to conclude.
Government has a ton of policy requirements around data retention, audit logging, where their data is stored, who can access it etc, as well as technical requirements for things like encryption algorithms. They also have a requirement to operate on isolated networks.
It is difficult for an ordinary consumer messaging app to meet these requirements. Matrix is really the only competitor.
If you're in the government, you should treat Hegseth and anyone who uses Signal and TMSIGNL as compromised.
https://en.wikipedia.org/wiki/Jonathan_Pollard
The leader of those 11 was fired because of it.
It says it right there in the article. Stop making drama.
Source: use them for several of my clients.
Signal is approved for government uses, just not non-public DOD information. They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
Sort of like the drug dealers from The Wire
[Ref. needed]
Not approved for non-public DOD information: https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-...
The DOD memo does not supersede other DOD instructions referenced by the memo requiring RMF and NIAP things.
> Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms.
https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
https://investigations.cooley.com/2025/01/15/federal-law-enf...
TeleMessage is/was an Israeli company [1], but was acquired last year by Smarsh [2], itself a subsidiary of K1 Investment Management, both US companies. It me whether the company moved. While not necessarily related at all, their terms of service also seem to explain specific arrangements for messaging in China that appear to involve disclosures to the Chinese government.
It's unclear to me how the app works. It appears to be advertised as a fork of the Signal client which uploads all content to a remote server, thus, of course, breaking the E2E encryption, unless the archive is considered an end and the connection to it is secure. It also appears to be advertised as being the same interface as Signal.
However, both the iOS and Android Signal clients are AGPLv3. I can't find any indication that the TeleMessage clients are anything other than proprietary. So are they going the route of giving the software and source only to paying customers under AGPLv3 (with those customers then free to distribute it)? Did they completely reimplement the client? Or are they an illegal proprietary fork?
The first option seems unlikely, and the latter two seem rather ominous for the security of the app.
[1]: https://en.wikipedia.org/wiki/TeleMessage [2]: https://en.wikipedia.org/wiki/Smarsh
E2E doesn't mean what I think you think it means; specifically, it has nothing to do with what the intended recipient (or their software) does with the message.
But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
If you really need to, you can combine this with a rig that holds the phone and the camera just right, controls the lighting, and interacts with the phone via a hotdog mounted on a gantry. Come to think of it, any 3D printer can be adapted to archive Signal/Snapchat/etc. messages in a completely undetectable way. Could even reply if you rig up another phone to talk to your hot dog finger + camera robot.
One-time secret, maybe?
LMAO NO! I have quite a few clients using Telemeasage, and most of them use Global Relay on the backend. It's a little terrifying actually, as Global Relay just ingests everything via SMTP. I haven't checked if they have DNSSEC or MTA-STS set up, but with how Global Relay operates I would be surprised if they did. I suspect a well-placed proxy or DNS poisoning could siphon off a good chunk of sensitive emails being sent to Global Relay.
As long as their clients can redistribute it, its not illegal, especially if their clients have 0 interest in leaking the source code, the real trick is, has anyone who is NOT using that client hit any of the AGPL relay servers?
For context, I worked for an employer that sold a custom software solution, which used GPL'd software, client was in the military space, so I guess DOD, anyway, for over a decade nobody asked for any of the code, till some years back. I am guessing they just wanted to have it evaluated, but it was a workhorse of many many things, good luck trying to fork it, LOTS of moving pieces involved.
Nothing illegal unless someone who touches a TM SGNL server (somehow) requests the source and they reject you from having it.
https://www.telemessage.com/how-to-install-and-register-sign...
Head of NatSec, ladies and gentlemen. Once the domain of Kissinger, Brzezinski, Powell and Rice. Now with the opsec of a brain-damaged cocaine dealer.
(It was 1-2-3-4-5.)
Kissinger shared culpability for what happened in Cambodia, Laos, and Vietnam.
Rice shares culpability for what happened in Afghanistan and Iraq.
Hegseth may still participate in war crimes regardless of being a dim bulb. One can only hope his disability makes him less effective in causing harm deliberately, but he still may cause great harm inadvertently as well.
America needs to acknowledge that it has a multitiered system of selective criminal prosecution where some people get away with crimes because of who they are.
No, not for classified comms. They already have secure comms and SCIFs but they're not using them. This is what they should be using. And they should be following sterile opsec so they don't carry tracking and listening devices into classified meetings or strategy discussions with decision makers.
They do need better opsec for unclassified and personal comms. It would be nice™ for them to have a Signal-like app controlled by the NSA because depending on Signal or WhatsApp is vulnerable to a malicious insider. Few Meta employees have security clearances, while I don't know about Signal.
They are using a Signal clone that is run by a group of Israeli intelligence officers??
I don’t think that part of the story has broken yet properly. When you go to google maps for the address listed for that company you actually get a company called “Cyberint” which seems extremely not good.
https://maps.app.goo.gl/L7vVHw5x4VdgS8859?g_st=com.google.ma...
Worse.. when you take a look at the bios for the company on their website I see that it’s filled with supposedly “ex” Israeli intelligence officers including the CEO among others. https://www.telemessage.com/team/
That seems like a MUCH MUCH bigger deal than they currently known story.
Like several orders of magnitude bigger than the original signalgate story.
The implication here is that a bunch of Israeli intelligence officers have maybe the best access of anyone in the world right now in that they have a real time feed of every conversation that the US national security advisor is a part of.
A blatant AGPL violation, no? Were they using Signal in the Biden admin or do these contracts get setup in prep for the new team?
If its an app they wanted kept under wraps, it will make the while Hegseth situation seem a lot more benign.
I use Molly Messenger on a secondary phone that doesn't have a SIM, its a fork of Signal with a few differences related to encryption at rest. It still works with normal signal users just fine, on the other end you can't tell I have a different client. If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
> Instead TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them.
https://en.wikipedia.org/wiki/TeleMessage
Is there no way Signal can prevent this in the official app?
That said, whether this makes the situation better or worse depends on who can actually see these archives. "Smarsh" is a US-based company, but they acquired TeleMessage, which was (is?) based in Israel.
I find the Signal devs' attitude so frustrating; they deliberately disable the ability to use Signal in secondary device mode for phone-sized-devices, because they know the Correct Way To Use Signal™ is to only use it on one phone-sized-device.
It would appear they're using this app now, post-incident, because they got in trouble. (And having messages with Vance, Gabbard, etc. be visible to the press pool camera is... not a great look for the guy who accidentally added a reporter.)
https://www.nytimes.com/2025/04/15/us/politics/cia-director-...
> All of the messages from a leaked group chat have been deleted from the phone of John Ratcliffe, the C.I.A. director, the agency said in a court filing.
The agency is the CIA, to a court, saying the messages are gone.
How do you know this? Also I would not consider this a “feature”. We should assume they’re different apps, insofar as Telemessage can add whatever they please to the source
https://www.c-span.org/program/senate-committee/dni-director...
That doesn’t mean you won’t get in trouble if you flap them in a way that says “we bomb x at y o’clock” where uncleared people can hear.