Joseph Cox (3:20)

Yeah, we don't know who the hacker is. That's actually often the case with some of these stories I work on. They provide accurate information that we go and verify, but we don't know who that is because obviously they don't exactly want to reveal their real name or identity when they're doing something that's probably criminal in nature. But what they did was, was they found a way to target a telemessage server. And this was sort of where the messages were going, at least from our understanding where the messages were being routed through to before they were being archived, wherever that might be. Right. And the hacker was able to find a way to see these sorts of snapshots of data as they flew across those. And that sounds, you know, a little bit technical. And we actually don't get too technical in the story because we don't want people to be able to go and replicate this as well, obviously. Right. And it looks like Telemessage has actually taken their backend down at the moment. We haven't put that in print yet, but from everything, it looks like that. So the hacker managed to get there. And then crucially, in those snapshots of data they obtained, there were actually usernames and passwords to then log into more telemessage systems. So they went in and they found various things, such as a bunch of contact information for officials from Customs and Border Protection indicating that agency uses the tool as well, a bunch of contact information for employees at Coinbase to the Cryptocurrency company. So we verified this data in various different ways. But one was I took that list of customs and border officials, and I just started phoning them up and asking them, hi, you're an official customs and border Protection. Some confirmed it either through their voicemail messages or just talking to me on the phone, then very quickly hanging up when they realized what was going on. But that was one of the different ways we verified all of this, because, as you say, we don't know who the hacker is. We don't. We're not going to have any insight into that. But this is clearly significant, even though, you know, I don't have Mike Walt's messages necessarily right, and we don't think the hacker has obtained those either. But the fact that this hacker spent 15 or 20 minutes, they say it took to break into this system, and they were able to do that so quickly and get all of these messages, I mean, it is alarming. And if a random basically hacker could do this, it makes you think, well, have foreign nation, adversary state intelligence agencies been looking into this as well? And it just creates all of these even more questions. Now somehow, even though I thought we just got some more answers too.

Andrew Egger (5:52)

And obviously, maybe it goes without saying, but I'll say it anyway. A hostile foreign entity, a foreign intelligence agency, something like that, they get their hands on this data. They do a slightly different thing than 404 Media does with it, which is they don't immediately trumpet that there, this vulnerability exists so that, you know, the different firms can go and quickly shut it all down. I mean, like, I think, as the guy said in your piece, who the heck knows how long this. This has been open and how long people have been. Have had their eye, you know, or had. Had, you know, one sensor down in the, in the data stream of all of this stuff. I mean, it really is just kind of. I was shocked. My jaw was kind of on the floor when I was, When I was reading your piece. And obviously, now just to kind of drill down on what you mean by sort of snapshots of data, right? I mean, obviously the gold standard for, for finding out what's going on in White House Telegram or I'm sorry, White House Signal chats, is being accidentally added to the, to the chats under your own power, right? That's the. We call that the Jeffrey Goldberg standard. But, you know, so, like, this is somewhat, somewhat less than that, right? It's sort of like kind of random snapshots of data that happen to be passing through this one Random server. Can you just talk to me a little bit about kind of what the potential vulnerabilities are, even though it's a much more oblique or a much less direct route to, I mean, route to the kind of information that I think you and I would be very alarmed to just have out there in the public eye.

Joseph Cox (7:19)

Yeah. And I mean, there are concrete aspects of it as well. We have seen some messages, even though it wasn't of Trump officials or whatever. There was one in there, to a group chat, I believe, where it looked like people from a cryptocurrency company called Galaxy Digital were just talking about this cryptocurrency bill, which may or may not go through, and they're talking about different Dems support for it, or they don't want to support it, that sort of thing. I'm not super interested in whatever that bill is itself, but it shows how highly sensitive this is where you have internal communications and they're talking about something that's happening right now. These are not historical messages. These are things that are happening exactly at the time where the hacker is intercepting them. Now, of course, it does get a little bit hypothetical and speculative, but I think it's absolutely fine to do so when we've shown there are real messages going across this. Imagine if a foreign adversary was able to intercept messages from Waltz from other top tier US Government officials. It completely undermines the idea that, oh, I use signal to communicate securely and signal is secure. But when you tack on this extra tool for archiving purposes, which as you say, is also good because they have to keep copies of messages, it just, it does introduce this severe new risk that you are basically hiding the key under the doormat for your security. And all the hacker has to do is look under there. Oh, okay, take it, and then start reading messages. And you know, this hacker, as I said, did it in 15 to 20 minutes. If they had just sat there for a long time, even if they sat there for 48 hours, they would have had a lot, lot, lot more material. And if a nation state had been doing that, I mean, there's no telling what they could have intercepted from those chats.

Andrew Egger (9:05)

Can we just dwell for a moment? I mean, every element of this story is so remarkable, so fascinating, but you mentioned it right off the top. The fact that anybody got onto this at all was just because Mike Waltz, his phone under the table at a cabinet meeting was photographed by a White House photographer. I mean, that's just. I'm not asking you to get editorial here, but it's just kind of like every element of this kind of compounds the clownishness one after another, at least from my point of view. I mean, how long did it even take from when that. Did the hacker himself only know about any of this from that picture as well? I don't know, maybe you can't talk about that, but I'm curious if there is anything you can say about. That picture is only four days old and you already have this story out.

Joseph Cox (9:55)

Yeah. So I don't know the exact series of events for the hacker and what they learned and when. But you know, we were first to report that Waltz was using this tool because when I zoomed into the photo, I was like, that is not exactly the same as the Signal ui and I'm a sucker for those details. That's strange. I spend a lot of time, all day, every day looking at Signal, so I know what Signal looks like. And this was not that. And then we published that and a lot of other media outlets jump on it as well. So it was very, very high profile. And then people started to go through the telemessage, the website of this company and they found, oh, a version of the app was uploaded so people could dig through that. And when something like this happens, technologists just descend on it because they're very, very curious. Some of them want to fix vulnerabilities or find out what's going on. And I do think that's what the hacker did here. Yes, they did something which is controversial, but they wanted to see how secure it was. And now maybe it's going to be fixed as well. But, yeah, I mean, I'm pretty sure the media firestorm led to it. What I would say is that just purely from a security perspective, yes, Waltz accidentally revealed they used this weird version of Signal, but if you really want to be secure, that shouldn't be an issue. It shouldn't be an issue that, oh, the government uses this tool because the tool should just be secure. If that secret got out, that shouldn't be an issue. Everybody's going to figure that out. The tool should just be well designed in the first place. And it seems in this case, well, it probably wasn't because now we have a bunch of these internal messages.

Andrew Egger (11:29)

Right, right, right. Which obviously just kind of compounds the argument that this is a risk that you run when you are. I mean, the whole meta scandal is the idea of using these private apps where you are kind of trusting various different companies. Maybe some of them are more well known like Signal, and maybe some of them are Significantly less well known like telemessage that you're talking about here. And, and it just kind of compounds the potential vulnerabilities there. Can I just ask you one more kind of like meta question here, which is just because, you know, we, we don't do a lot of reporting in this space, obviously we're a political publication. This is a lot more like just sort of your, your day in, day out stuff. We just talk a little bit about kind of what, what the journalistic kind of ethics are that, that are involved with, with, you know, you obviously have a source here who's anonymous, who is, you know, doing this, this work that's probably illegal and yet there's this big public interest and in knowing that these vulnerabilities exist and that the White House is exposed to them and all these sorts of things. Can you just talk a little bit about that at kind of the basic level?

Joseph Cox (12:28)

Yeah, so it's often about the trade off between what you hold back and what you publish. Like I write about vulnerabilities in websites, companies, data breaches, all day, every day. And often what you do is you, you have to email the company, give them obviously a chance to comment and say, hey, this is going on, maybe they fix it, maybe they don't. And it's very similar for technologists or so called white hat hackers who, they'll go and they'll tell a company, hey, there's an issue of your server, you should probably fix this. And maybe they get some money or maybe they get a free T shirt or something. In this case, the hacker came to the press because they thought this company would probably cover it up. Now I don't know whether that's fair or not. That's impossible for me to say. But as a journalist, it's always about, okay, if we report on this, are we amplifying the risk or the issue at all? And for example, that's why in the article where we did include screenshots of the telemessage panel, wherever this contact information of customs and border protections officials were, I mean, we redacted that information. Of course we're not going to publish a bunch of names, phone numbers and email addresses of random officials. But we do want to publish redacted screenshots because it shows just how serious this breach is. I think it's one thing to describe it to a reader, it's another to show them, look, this is literally what the breach looks like. And we did that with a redacted signal message as well.

Andrew Egger (13:46)

I think we can leave it there. Joseph Cox with 404 Media. Thank you so much for coming on and talking to us about this stuff. It's a crazy story. It's fascinating story. We'll link the story below. And I'll say thanks to everybody out there who's watching. Please subscribe to the feed. Head to the bulwark.com to get our written stuff, although that's kind of cheating. I'm slipstreaming. Head over to 404 Media. What's your URL, man? I forget. Is it 404media.com.co we can't afford the dot com. Okay. All right. 404 Media Co to get Joseph stuff. It really is a remarkable story. I'm gassing you up a lot, but I was. I was. My jaw was on the floor. All right, thanks, everybody, and we'll see you next time.