Andrew Egger
Hey everyone, this is Andrew Egger with the Bulwark. The Signal Gate story, believe it or not, keeps getting more bizarre, keeps getting stranger. There were a lot of questions when these stories started to drop, when Jeffrey Goldberg first got added to the Signal chat about the Houthis a couple of months back. What's going on with Signal? Why are they using this encrypted private app? Is it vulnerable to leaks? Is it vulnerable to these kinds of OPSEC failures? Is it in keeping with federal records requirements, where they need to log this stuff? We just got a brand new bit of reporting over the weekend from Joseph Cox. He's the co-founder of 404 Media. He focuses on cybersecurity and the digital underground. He's here to talk about his scoop. Thanks for coming on, Joseph.
Joseph Cox
Absolutely, thanks for having me.
Andrew Egger
So this is such a great story. I mean, in so many ways, but one of the most. Well, let's start with the meat of it first. I mean, like, can you just talk us through what do we know about Signal and how the White House is using it today that we didn't know before you guys had this story this weekend.
Joseph Cox
As you know, the White House is using Signal. But then what we found recently was that they use a special version or a modified version called Telemessage. And we found that because a Reuters photographer took a photo of Waltz at the recent cabinet meeting. And if you zoom in, you can see that it's a weird version of Signal. It turns out it's basically a version that copies the Signal messages for storage later. Huh, that's pretty interesting. Also brought up even more questions of, well, how susceptible is that to being hacked? What if that is then targeted? Lo and behold, I don't know, it took 48 hours, something like that. And what we have now with this reporting over the weekend is that a hacker did target Telemessage and did manage to obtain some users' direct messages and group chats sent over Signal. But then also some of these other modified versions of WhatsApp and Telegram and WeChat as well. But of course, to us the Signal stuff is the most significant.
Andrew Egger
Yeah, until we learn that Donald Trump is messaging his stockbroker on WeChat, Signal will be the main one here. I mean, this is such a fascinating story to me because I think it does answer one question that a lot of us had had lingering in the back of our minds about this Signal scandal from the beginning, which is these guys are bound by law to back this stuff up, and are they just ignoring that law? Are they just flouting it? What's going on here? And I think that. So part of the, like, one of the puzzle pieces here is, no, they don't appear to be flouting that. They appear to be using this kind of workaround system to be able to make use of the Signal infrastructure while still preserving some kind of digital record. But at the same time, you open up a whole new kind of alarm bells, set of questions about the reliability of that service and the, and the, you know, how, how susceptible that is to, to, to, you know, hostile actors or just bad actors of any kind getting in there and playing around with the data. Can you just talk in a little bit more detail about what the nature of this, this breach was, that that this hacker that you were, that you were interviewing for this piece, I believe he's anonymous. Right, in the piece. So what did, what did he find? And kind of what should our level of alarm be as we're thinking about our top government officials making use of this service for their internal communications?
Joseph Cox
Yeah, we don't know who the hacker is. That's actually often the case with some of these stories I work on. They provide accurate information that we go and verify, but we don't know who that is because obviously they don't exactly want to reveal their real name or identity when they're doing something that's probably criminal in nature. But what they did was they found a way to target a Telemessage server. And this was sort of where the messages were going, at least from our understanding, where the messages were being routed through to before they were being archived, wherever that might be. Right. And the hacker was able to find a way to see these sorts of snapshots of data as they flew across those. And that sounds, you know, a little bit technical. And we actually don't get too technical in the story because we don't want people to be able to go and replicate this as well, obviously. Right. And it looks like Telemessage has actually taken their backend down at the moment. We haven't put that in print yet, but from everything, it looks like that. So the hacker managed to get there. And then crucially, in those snapshots of data they obtained, there were actually usernames and passwords to then log into more Telemessage systems. So they went in and they found various things, such as a bunch of contact information for officials from Customs and Border Protection, indicating that agency uses the tool as well, a bunch of contact information for employees at Coinbase, the cryptocurrency company. So we verified this data in various different ways. But one was I took that list of Customs and Border Protection officials, and I just started phoning them up and asking them, hi, you're an official at Customs and Border Protection? Some confirmed it either through their voicemail messages or just talking to me on the phone, then very quickly hanging up when they realized what was going on.
But that was one of the different ways we verified all of this, because, as you say, we don't know who the hacker is. We don't. We're not going to have any insight into that. But this is clearly significant, even though, you know, I don't have Mike Waltz's messages necessarily, right, and we don't think the hacker has obtained those either. But the fact that this hacker spent 15 or 20 minutes, they say it took to break into this system, and they were able to do that so quickly and get all of these messages, I mean, it is alarming. And if a random, basically, hacker could do this, it makes you think, well, have foreign nation, adversary state intelligence agencies been looking into this as well? And it just creates all of these even more questions now somehow, even though I thought we just got some more answers too.
Andrew Egger
And obviously, maybe it goes without saying, but I'll say it anyway. A hostile foreign entity, a foreign intelligence agency, something like that, they get their hands on this data. They do a slightly different thing than 404 Media does with it, which is they don't immediately trumpet that this vulnerability exists so that, you know, the different firms can go and quickly shut it all down. I mean, like, I think, as the guy said in your piece, who the heck knows how long this. This has been open and how long people have been. Have had their eye, you know, or had. Had, you know, one sensor down in the, in the data stream of all of this stuff. I mean, it really is just kind of. I was shocked. My jaw was kind of on the floor when I was, when I was reading your piece. And obviously, now just to kind of drill down on what you mean by sort of snapshots of data, right? I mean, obviously the gold standard for, for finding out what's going on in White House Telegram or, I'm sorry, White House Signal chats, is being accidentally added to the, to the chats under your own power, right? That's the. We call that the Jeffrey Goldberg standard. But, you know, so, like, this is somewhat, somewhat less than that, right? It's sort of like kind of random snapshots of data that happen to be passing through this one random server. Can you just talk to me a little bit about kind of what the potential vulnerabilities are, even though it's a much more oblique or a much less direct route to, I mean, route to the kind of information that I think you and I would be very alarmed to just have out there in the public eye.
Joseph Cox
Yeah. And I mean, there are concrete aspects of it as well. We have seen some messages, even though it wasn't of Trump officials or whatever. There was one in there, to a group chat, I believe, where it looked like people from a cryptocurrency company called Galaxy Digital were just talking about this cryptocurrency bill, which may or may not go through, and they're talking about different Dems' support for it, or they don't want to support it, that sort of thing. I'm not super interested in whatever that bill is itself, but it shows how highly sensitive this is, where you have internal communications and they're talking about something that's happening right now. These are not historical messages. These are things that are happening exactly at the time where the hacker is intercepting them. Now, of course, it does get a little bit hypothetical and speculative, but I think it's absolutely fine to do so when we've shown there are real messages going across this. Imagine if a foreign adversary was able to intercept messages from Waltz, from other top tier US government officials. It completely undermines the idea that, oh, I use Signal to communicate securely and Signal is secure. But when you tack on this extra tool for archiving purposes, which, as you say, is also good because they have to keep copies of messages, it just, it does introduce this severe new risk that you are basically hiding the key under the doormat for your security. And all the hacker has to do is look under there. Oh, okay, take it, and then start reading messages. And you know, this hacker, as I said, did it in 15 to 20 minutes. If they had just sat there for a long time, even if they sat there for 48 hours, they would have had a lot, lot, lot more material. And if a nation state had been doing that, I mean, there's no telling what they could have intercepted from those chats.
Andrew Egger
Can we just dwell for a moment? I mean, every element of this story is so remarkable, so fascinating, but you mentioned it right off the top. The fact that anybody got onto this at all was just because Mike Waltz's phone under the table at a cabinet meeting was photographed by a White House photographer. I mean, that's just. I'm not asking you to get editorial here, but it's just kind of like every element of this kind of compounds the clownishness one after another, at least from my point of view. I mean, how long did it even take from when that. Did the hacker himself only know about any of this from that picture as well? I don't know, maybe you can't talk about that, but I'm curious if there is anything you can say about that. That picture is only four days old and you already have this story out.
Joseph Cox
Yeah. So I don't know the exact series of events for the hacker and what they learned and when. But you know, we were first to report that Waltz was using this tool because when I zoomed into the photo, I was like, that is not exactly the same as the Signal UI, and I'm a sucker for those details. That's strange. I spend a lot of time, all day, every day, looking at Signal, so I know what Signal looks like. And this was not that. And then we published that and a lot of other media outlets jumped on it as well. So it was very, very high profile. And then people started to go through the Telemessage website, the website of this company, and they found, oh, a version of the app was uploaded, so people could dig through that. And when something like this happens, technologists just descend on it because they're very, very curious. Some of them want to fix vulnerabilities or find out what's going on. And I do think that's what the hacker did here. Yes, they did something which is controversial, but they wanted to see how secure it was. And now maybe it's going to be fixed as well. But, yeah, I mean, I'm pretty sure the media firestorm led to it. What I would say is that just purely from a security perspective, yes, Waltz accidentally revealed they used this weird version of Signal, but if you really want to be secure, that shouldn't be an issue. It shouldn't be an issue that, oh, the government uses this tool, because the tool should just be secure. If that secret got out, that shouldn't be an issue. Everybody's going to figure that out. The tool should just be well designed in the first place. And it seems in this case, well, it probably wasn't, because now we have a bunch of these internal messages.
Andrew Egger
Right, right, right. Which obviously just kind of compounds the argument that this is a risk that you run when you are. I mean, the whole meta scandal is the idea of using these private apps where you are kind of trusting various different companies. Maybe some of them are more well known, like Signal, and maybe some of them are significantly less well known, like Telemessage, that you're talking about here. And, and it just kind of compounds the potential vulnerabilities there. Can I just ask you one more kind of like meta question here, which is just because, you know, we, we don't do a lot of reporting in this space, obviously we're a political publication. This is a lot more like just sort of your, your day in, day out stuff. We just talk a little bit about kind of what, what the journalistic kind of ethics are that, that are involved with, with, you know, you obviously have a source here who's anonymous, who is, you know, doing this, this work that's probably illegal, and yet there's this big public interest in knowing that these vulnerabilities exist and that the White House is exposed to them and all these sorts of things. Can you just talk a little bit about that at kind of the basic level?
Joseph Cox
Yeah, so it's often about the trade-off between what you hold back and what you publish. Like, I write about vulnerabilities in websites, companies, data breaches, all day, every day. And often what you do is you, you have to email the company, give them obviously a chance to comment and say, hey, this is going on; maybe they fix it, maybe they don't. And it's very similar for technologists or so-called white-hat hackers who, they'll go and they'll tell a company, hey, there's an issue on your server, you should probably fix this. And maybe they get some money or maybe they get a free T-shirt or something. In this case, the hacker came to the press because they thought this company would probably cover it up. Now, I don't know whether that's fair or not. That's impossible for me to say. But as a journalist, it's always about, okay, if we report on this, are we amplifying the risk or the issue at all? And for example, that's why in the article, where we did include screenshots of the Telemessage panel, wherever this contact information of Customs and Border Protection officials was, I mean, we redacted that information. Of course we're not going to publish a bunch of names, phone numbers and email addresses of random officials. But we do want to publish redacted screenshots because it shows just how serious this breach is. I think it's one thing to describe it to a reader; it's another to show them, look, this is literally what the breach looks like. And we did that with a redacted Signal message as well.
Andrew Egger
I think we can leave it there. Joseph Cox with 404 Media. Thank you so much for coming on and talking to us about this stuff. It's a crazy story. It's a fascinating story. We'll link the story below. And I'll say thanks to everybody out there who's watching. Please subscribe to the feed. Head to thebulwark.com to get our written stuff, although that's kind of cheating. I'm slipstreaming. Head over to 404 Media. What's your URL, man? I forget. Is it 404media.com? .co, we can't afford the dot com. Okay. All right. 404media.co to get Joseph's stuff. It really is a remarkable story. I'm gassing you up a lot, but I was. I was. My jaw was on the floor. All right, thanks, everybody, and we'll see you next time.
Podcast Information:
[00:00] Andrew Egger:
Andrew Egger opens the episode by highlighting the escalating complexity and strangeness surrounding the SignalGate story. Originally sparked by questions over Jeffrey Goldberg's addition to a Signal chat, the saga now delves deeper into the use and vulnerabilities of Signal by the White House.
Key Points:
Andrew welcomes Joseph Cox, co-founder of 404 Media, an expert in cybersecurity and the digital underground, to discuss his latest reporting on the SignalGate scandal.
[00:43] Joseph Cox:
Expresses gratitude for being on the show and sets the stage for an in-depth discussion on the new findings related to Signal’s use by the White House.
[00:59] Joseph Cox:
Reveals that the White House employs a specialized version of Signal called Telemessage. This revelation came to light when a Reuters photographer captured a photo of Mike Waltz using an atypical version of Signal during a cabinet meeting.
Notable Quote:
"It turns out it's basically a version that copies the Signal messages for storage later." – Joseph Cox [00:59]
[01:59] Joseph Cox:
Details a significant data breach where a hacker successfully targeted Telemessage, accessing users' direct messages and group chats not only on Signal but also on other modified messaging platforms like WhatsApp, Telegram, and WeChat.
Notable Quote:
"The hacker managed to get there... they were able to see these sorts of snapshots of data as they flew across those." – Joseph Cox [03:20]
[07:19] Joseph Cox:
Explores the broader implications of the breach, emphasizing the risks introduced by the use of Telemessage as a workaround for archiving Signal communications.
Notable Quote:
"It completely undermines the idea that, oh, I use Signal to communicate securely... it introduces this severe new risk." – Joseph Cox [07:19]
[09:05] Andrew Egger:
Andrew Egger points out the irony that the breach was set in motion by a seemingly minor incident: a photograph of Mike Waltz's phone during a cabinet meeting.
Notable Quote:
"My jaw was kind of on the floor when I was reading your piece." – Andrew Egger [09:05]
[12:28] Joseph Cox:
Discusses the ethical considerations in reporting cybersecurity breaches, especially when sources remain anonymous or the reporting could potentially amplify vulnerabilities.
Notable Quote:
"As a journalist, it's always about, okay, if we report on this, are we amplifying the risk or the issue at all?" – Joseph Cox [12:28]
[13:46] Andrew Egger:
Andrew wraps up the discussion by emphasizing the gravity and fascination of the SignalGate scandal, thanking Joseph Cox for his insights, and encouraging listeners to engage with 404 Media for further information.
For more in-depth coverage and continual updates on cybersecurity and political reporting, visit 404 Media.