And no we don't call these a "dirty" line that's something someone made up for the purposes of the article. We call it "unattrib" and it's quite common, serving many useful legitimate purposes.
One thing that I find surprising about the Hegseth case is that most SecDef do not use the computer in their office it all. A couple recent ones still don't even have a computer in there. Normally staff handle 100% of communication and briefing outside of phone calls and video calls. He's clearly still adjusting to the reality of operating within the _confines_ of DoD headquarters.
Also the article's mention of using Wi-fi in the back of his office doesn't make sense to me, there isn't any Wi-fi available in the suite or anywhere nearby.
Where did you find the details on documentation and approval? Would you mind sharing this information?
Great perspective and I thought your comment makes sense.
My understanding is that Signal is pretty common in DC, and that private email servers aren't exclusively a Hilary Clinton special.
Wouldn't others have to be similarly dodging network security protocol for their own non-secure communication tools of choice?
I'm not asking because what Hegseth did is excusable, the first offence likely would have led to his termination and charges if he was enlisted.
It is still interesting, though, whether this actually is an outlier or just an article pointing out one case of an individual they want to single out.
“ According to the National Archives and Records Administration: “Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.” Guidance from NARA in 2015 stated, “Employees create Federal records when they conduct agency business using personal electronic messaging accounts or devices. This is the case whether or not agencies allow employees to use personal accounts or devices to conduct agency business. This is true for all Federal employees regardless of status.”
An update of the federal records laws in 2014 allows federal employees “using a non-official electronic messaging account” to provide records of those communications to federal archivists within 20 days. So as Josh Gerstein wrote for Politico on March 25, “That means the officials involved in these discussions on Signal still have time to comply since these messages came about 10 days ago.””
https://www.factcheck.org/2025/03/was-the-signal-chat-illega...
Even if that defense-specific law is determined not to apply, as that article explains this is still at least borderline illegal. It links to the relevant law:
> (Sec. 10) Prohibits an officer or employee of an executive agency from creating or sending a record using a non-official electronic messaging account unless such officer or employee: (1) copies an official electronic messaging account of the officer or employee in the original creation or transmission of the record, or (2) forwards a complete copy of the record to an official electronic messaging account of the officer or employee not later than 20 days after the original creation or transmission of the record. Provides for disciplinary action against an agency officer or employee for an intentional violation of such prohibition.
https://www.congress.gov/bill/113th-congress/house-bill/1233
I haven’t seen even his most devoted defenders claim that he officially set up a process to archive all of their Signal messages at all, and the fact that the chats were set up to delete messages after 7 days certainly doesn’t suggest an intention in following it. Moreover, even if they didn’t have messages deleted automatically Signal allows people to manually edit or delete messages so they’d be placed in the difficult position of proving the negative that they hadn’t removed official records.
Not saying any one of them is perfect, just trying to be reasonable that he probably used Signal and maybe still does but it’s not this blazing fire that it’s made out to be.
Plus, the President is the ultimate classification authority. He can make the rules.
While it’s true that the president can set policy, there’s no evidence that he’s done so in this case. You’ve made a really concerted effort to try to imagine scenarios where this wouldn’t be a big deal but there’s no evidence that they’re real. For example, if Trump had decreed that personal devices were approved for classified messages, you’d expect that Hegseth would have defended himself by pointing to that memo.
Here's a quote by Mitch McConnell (R-Ky), who voted against his nomination:
"Effective management of nearly 3 million military and civilian personnel, an annual budget of nearly $1 trillion, and alliances and partnerships around the world is a daily test with staggering consequences for the security of the American people and our global interests," the senator said. "Mr. Hegseth has failed, as yet, to demonstrate that he will pass this test. But as he assumes office, the consequences of failure are as high as they have ever been."
I can't understand how someone like that got into such a position.
If Hegseth gets cut-out, someone equally ridiculous will be chosen to fill that role.
Governments are simply run the same way businesses are now run
It's not because it's harder to use.
It's because it's recorded that they aren't using it.
The signal chat did not have anything that someone would try to hide. People want easy things, they want to manage an air strike using their mobile phone from their bedroom. They don't want to sit in their office for that or use some hardened government issued device that is older, uglier and an extra brick to take along, with no real support of IM (my assumptions on DoD devices)
This is a fucking job with requirements.
It's like being a doctor and ignoring the "do no harm" part.
This is a job where people get killed, sometimes in large numbers.
If a clown is at the helm, they are liability to them self and others and should be... forcibly removed.
In any case the same issues you have in a regular company also exists in the upper echelons, no reason you can't give them technology that is encrypted and easy to use. That doesn't mean they are supposed to use Signal though
The EU has it's own agency and it is a perfectly good thing for us to 'take over'.
And that guy is a cable show host.
Yes, Germany supplied moderate amounts of weapons in the beginning, so they were involved from the start if you like. Then Nordstream happened, then the previous US administration repeatedly put pressure on Germany and other EU countries to do more:
https://www.cbsnews.com/news/ukraine-tanks-germany-pressure-...
The US policy that the EU should get more involved has been a recurring theme during the Biden administration. Now the EU is begging the US to continue. We do not know if all this is political theater or if Trump really wants to end the war. We might know by the end of this year.
We expended much energy internally consumed by internal debates and arguments about who is supplying what, how much, through which channel. As EU member states we're not always aligned and we are different cultures speaking different languages. This has been used against us in the information warfare layer.
I really don't believe you can simplify the entire EU and say we're begging. There are certain capacities that we can't replace, and for decades member states prioritized dismantling our military industrial complex (in perfectly good faith!). Winding up heavy military industrial supply chains can't be an over-night process. And yeah, I believe you're absolutely correct - a lot of this is political theater.
My own personal view: the war won't be over anytime soon. The other side has gone all in on it. Even if they were to slam the brakes it would take years to reduce that momentum. They've had their own internal wars and purges fueling this thing and whatever they do, they would need to have a solid explanation. It's basically a sacred crusade to them.
Now, this might be controversial, but my personal belief is that on some level, we too prefer that the war grinds on. Only as long as it does not escalate into nuclear. It might be a cynical belief, but at this point it's the Ukrainians who are going to have years of real-life warfare experience and the EU wants access to this to learn from.
Anyways, there's a fucking TV host running the US DoD. These aren't serious people. Trump doesn't have nuanced ideas to read into on any of this - he wants to end the war as much as he wants to eat cheeseburgers and have crowds cheer for him. Maybe he'll get that headline, maybe he won't.
That's my two euro-cents ;)
Its a conventional war,russia is loosing it and presses all the keys on the propaganda organ because panic.
The utterly confused picture of what the president is thinking is itself a considerable problem. Political theater would be unconscionable, yet that is mostly what we get.
The fact that the figures are polarizing helps, because everyone focuses on the person and not on what is actually happening.
Note that this is speculation, because we do not have full information.
What are you talking about, most EU member states have been a part of it from day 1.
Per capita and per GDP some of them have contributed more than the US.
I'm not sure why you mention Fox News, which does not raise the points that were made in the deleted comment at all.
Signal uses HTTPS for contact discovery and account registration. Then, it switches to its own Signal protocol to provide end-to-end encryption.
There would have to be some egress rule to allow Signal access from Azure. Signal is a commercial app.
Even if access was allowed from Cloud or some other Defense network, it would still be considered “dirty” as the article says because it’s still going over the Public Internet to a commercial software provider.
Communications are encrypted barring some MiTM attack.
Not a good idea to discuss secret things on an app that isn’t approved for it but is this article reaching a bit?
I think the article is pointing out the obvious. The only way to access Signal is over the public Internet with HTTPS and end to end encryption provided by Signal.
Is it? This circumented the Pentagon's security protocols, presumably disrupting its air gap. This is a national security breach on the highest level, I'd say it's pretty serious and I don't understand why anyone is in the comment section trying to downplay or defend it.
(* or against protocols, etc)
It doesn't matter if he happened to use something that has a solid security model. The problem isn't Signal, it's that he ignored all the rules.
And it does have an impact, as we see in other news, because one failure mode of Signal is that it's super easy to add the wrong people to a group. Which has actually happened. Twice (at least.)
I'm curious what technology has been evaluated for secure communications. Are there better option?
Is MS Teams approved?
https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
Approval for classified or military use is a completely different ballgame.
Why beclown yourself like this? Just say you don’t care.
Even Trump can’t manage denial mode for this one. https://www.nbcnews.com/news/amp/rcna197944
> "Michael Waltz has learned a lesson, and he’s a good man," Trump said Tuesday in a phone interview with NBC News.
> Asked what he was told about how Goldberg came to be added to the Signal chat, Trump said: “It was one of Michael’s people on the phone. A staffer had his number on there.”
Article regarding the CIA director you mentioned.
https://www.texastribune.org/2025/03/25/texas-cia-director-g...
—- “The Secretary of Defense is the original classification authority," Ratcliffe said, "and my understanding is that um his comments are that any information that he shared was not classified.”
—-
So, I am back to what I have been saying from the beginning.
This is an AP hit piece via corrupt MSM and until someone can point to further evidence from these unknown “sources” then this story can’t be trusted.
Why didn’t some automated system say “installation of unsecured lines in this building is not possible” or similar
To be course : I didn’t think something so obviously wrong would have been allowed and enabled by several people who made this possible - removing absolutely no accountability from the person who asked for this to happen
I suspect this is a case of being more afraid of saying "no" to the boss than of facing consequences for violating policy. Policies are unfortunately not self-enforcing.
Trump's been firing Inspectors General and dismantling mechanisms of internal accountability across the government, so perhaps that's a correct calculus in this case.
Like so many others, this particular 'failure mode' doesn't exist if you're a Republican. What if Hillary Clinton did it? Now that would be a democracy-threatening 'failure mode.'
I'd note that he's not subject to them. It's a civilian position, and he's no longer serving in the military. You're obviously allowed to wear makeup as a former soldier.
I agree he's a clown, but not for this. Politicians frequently wear makeup. It's part of the job.
I am also not suggesting we hold an IT person accountable-
I am only saying there should be rules/systems in place so that if someone else asks for something obviously wrong like this again, there’s a clear stop gap to say “that’s not possible”
Maybe there already is one(several) - if so, then of course the chain of accountability continues to ensnare…
No software—whether on a secure or non-secure (dirty-line) government computer—can be installed without IT being alerted within milliseconds. Likewise, absolutely no unauthorized hardware can be connected to a military system without immediate detection.
There is simply no realistic scenario in which PH could have operated an unknown system with unapproved software inside one of the most secure facilities in the United States without it being known and approved. If I’m proven wrong, I’ll gladly apologize for doubting. But when it’s confirmed I’m right, I hope you’ll extend the same courtesy to those your post may have misled or unfairly accused.
https://en.wikipedia.org/wiki/2020_United_States_federal_gov...
Malware operated for months within US government infrastructure undetected.
Via the monitoring software, in fact!
What’s the difference between a breach, a leak, and a spill? It seems like you’re the one reaching here.
A breach is when security measures are bypassed and a leak is when information is given to someone who should not have it (a spill is a leak). If he was using an insecure connection for sensitive communications, then the “breach” would be his decision to do that while accidentally including the wrong people in the chat and the “leak” would be Jeffrey Goldberg receiving the messages.
(Just answering the question. They were correct in a very literal way but it seems a bit pedantic. The overall point is moot given what we know.)
https://csrc.nist.rip/glossary/term/classified_information_s...
“ An air gap involves physically isolating a computer or network from other networks to prevent unauthorized access and data breaches. This method creates a literal "air gap" between the secured network and any other unsecured networks. Air gaps are an isolation method crucial for data integrity and security and can be deployed across various industries.”
https://www.fortinet.com/resources/cyberglossary/what-is-air...
What part of what he communicated is classified and what is everyone basing that on? What says it is ?
Not a fan of using Signal, but we have to accurate about what happened
Hegseth was confirmed Jan 24. https://apnews.com/article/pete-hegseth-defense-secretary-tr...
The attack on Yemen and the group chat was in March. https://www.theatlantic.com/politics/archive/2025/03/signal-...
Its contents were undoubtedly classified.
Everyone here is confusing classified and op sec which can overlap but also cannot. No one here can point me to say what he reportedly did was release classified info. We also don’t know if the President who has the ultimate classification authority will allow it either.
Page 36 indicates "General information or assessments regarding the military plans, intentions, capabilities, or activities of the US, its allies, coalition partners or foreign adversaries" would be classified CONFIDENTIAL, "Specific information" as SECRET, and "Information providing indication or advance warning that the US or its allies are preparing an attack" as TOP SECRET.
These texts included the location (Yemen), the equipment (F-18s, Tomahawks, MQ-9s), and down-to-the-minute timing, in advance. That would very clearly fall under TS for the DNI, and that's pretty solid evidence it'd be TS for the DOD.
> Unless you can point me at a security classification guide… I can’t evaluate something objectively without a security classification guide.
Yeah, I see someone else clued you in to their existence upthread. Here's an example of one:
https://www.nsa.gov/portals/75/documents/news-features/decla...
It's not a "laundry list of what's classified". It's how you determine what needs to be classified. The DOD's classification guides will absolutely deem information of this nature - attack timing, specific aircraft, intelligence details indicating tracking and confirmation of specific targets, etc. - to be classified.
(They are also, themselves, classified information. For you to get access to the specific one here, it'd have to be voluntarily declassified... by the folks currently trying to cover their asses. Example here: https://www.dni.gov/files/documents/FOIA/DF-2015-00044%20(Do... - note the SECRET//NOFORN original classification of it, and "The public release of the Guide or any portion of the Guide is prohibited." on page 7.)
> These are all hit pieces.
How did you evaluate that objectively without a guide?
In what world would "1345: 'Trigger Based' F-18 1st Strike Window Starts (Target Terrorist is @ his Known Location so SHOULD BE ON TIME — also, Strike Drones Launch (MQ-9s)" not be a piece of classified information? If revealed, every likely target in Yemen would be potentially forewarned.
https://apnews.com/article/hegseth-leaks-signal-trump-classi...
"NBC News first reported that the launch times and bomb drop times of U.S. warplanes about to strike Houthi targets in Yemen — details multiple officials have said are highly classified — came from the secure channel."
https://www.militarytimes.com/news/pentagon-congress/2025/03...
"'This information was clearly taken from the real time order of battle sequence of an ongoing operation. It is highly classified and protected,' said Mick Mulroy, a former Marine who was the Pentagon’s top official for Middle East policy during the first Trump administration."
Again, it’s all opinions until someone can show me it’s classified and not just someone’s uninformed opinion.
I don’t speak for them but one might guess that it’s because this is a public forum and they find the topic interesting. Why are you here?
'secret' means disclosure will 'damage the national security.
'top secret means disclosure will 'cause exceptionally grave damage to the national security'.
political discussions about dealing with world events is probably 'top secret', especially during the deliberation stage. operational information like 'TOT is 1pm local, 4 F18's with LGB's are inbound' is probably considered Secret until the crews return; in which case it is probably considered lower in criticality.
It's a crazy world when the person in charge of the US military is more paranoid about their own government than random people they don't even know.
If you go back far enough in the Twitter archives, you can see where Jack Dorsey basically tells everyone to switch to Signal to communicate with him. Was that the point when they all started colluding on Signal?
Signal has countermeasures for this but no one knows how to use them - it's very much a trust on first use system.
Fine for regular people, not at all fine when you're target number one for every foreign intelligence service on the planet.
Deliberately circumventing security and policy protocols is a bad thing in itself.
https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-...
“A threat actor compromised a mobile app that Ukrainian artillery units used to assist with targeting. The compromise of the app is believed to have allowed the threat actor to monitor the movements of Ukrainian units in order to facilitate military targeting by Russian-backed rebels in eastern Ukraine”
More details https://www.theregister.com/2016/12/22/android_malware_track...
https://spyscape.com/article/webex-espionage-kremlin-leaks-g...
Kudos to the Pentagone to have technologies that cannot be hacked. As a security professional I hate these programs that put my job in danger.
Thankfully this is just the journalist's and their contact at the Pentagone's imagination.
Is this a euphemism for „VPN“ or is AP going to elaborate what they mean by this „industry standard“
(I’m not able to find the phrase “industry standard”. Where does the article use that?)
Trump is the Milli Vanilli of negotiations. "Russia not taking over Ukraine is a concession". He really said it. What a stupid fucking retard.
[1] https://www.hsgac.senate.gov/wp-content/uploads/imo/media/do...
[2] https://www.cbsnews.com/news/trump-team-transition-agreement...
It would be mighty silly of them NOT to take precautions against their efforts being undermined. Of course this effort of theirs will face attempts to undermine it: it's entirely hostile effort on every level, obviously in service of a hostile foreign power.
Why would they trust they won't be resisted? Not everybody is foolish.
(Maybe the military likes being disconnected from politics, but that's not the setup that political philosophers recommend to preserve democracy.)
If the DOD managed dedicated phones with no apps except Signal, that might be better than whatever they do between SCIFs.
I suppose that ship has sailed. The powerful just discuss at golf clubs and such, no public records. There are public records of the things the powerful decided should be public.
It is much much much more than that.
Maybe if the DoD forked signal, added a way for signal to piggyback off of an existing trust system, then sure.
But I would bet a lot of money that the folks in this signal chat never did the out of band verification.
If you do not do the verification, you’re not in fact e2ee.
There’s a lot wrong with that for discussing classified information but for normal people it’s fine because in most cases you’re going to notice when your friend doesn’t respond or shows no sign of awareness of your past conversations. “Literally useless” isn’t true in any scenario but it’s bad advice for anyone outside of such sensitive situations because it encourages use of apps which aren’t any better or are actually worse (WhatsApp, Telegram, Facebook, etc.).
When someone says e2ee in this context they two “ends” clearly matter here.
Trusting signal, without the out of band verification, does make its primary property useless yes. And for classified information that’s actually dangerous.
The reason I use strong language here is that your comment clearly demonstrates the powers of marketing. People think just because they’re using signal now, everything is a-ok.
Signal always provides E2EE and that is always useful because it reduces the problem to worrying about the other end of the conversation, not all of the intermediaries. That doesn’t mean that you can blindly trust the other end, but that’s always true to varying extent - just because they’re using Signal doesn’t mean that their device hasn’t been compromised or that they are not forwarding messages or blabbing about something you expected to be secret. Signal doesn’t promise anything other than that your messages are secure between you and the other party.
That’s the point to focus on rather than trying to redefine end-to-end encryption. It’s why you want to talk about security in the context of a threat model: Signal is designed for normal people, not high-level government officials working with classified information, where they have entire professions because the problem is fundamentally harder and mistakes can have significant consequences.
Cool, the web is also e2ee, because of TLS. See how silly it is?
So no, forking the client would be necessary.