The point of the article is that he accidentally updated his contact on his personal phone (from the campaign, when he was not a government official and did not have a government-issued phone) with the wrong number because he clicked on an iOS suggested contact update generated by receiving a text message. Then, he imported that contact into Signal and then added it to the group chat.
So there are three explanations:
1. Everything happened on his personal phone
2. He was logged into Signal on his personal phone to update the contact, and was also logged into the same Signal account on his government-issued phone. He imported the contact on his personal phone and then added it to the chat on his government-issued phone. From an infosec standpoint, this is not much better than #1 because he still has an unsecured device logged into the same Signal account that he's using for secure comms.
3. He was only logged into Signal on his government-issued phone and then manually copied the number into his government phone from his personal phone, not noticing that it was the wrong number. For anyone who has worked with users, this doesn't seem realistic. These guys have huge numbers of contacts, are very busy, and they do the most convenient thing possible for them. They do not sit around for hours copying information from one phone to another.
Let's assume that Waltz only used Signal from his government-issued phone and manually copied the number from his personal phone. He thought that the number he was copying was from Hughes' personal phone - it was in his personal contacts and he had been using it before either of them were in government. So even if Waltz himself was using a government-issued phone, which seems unlikely, he was simultaneously assuming that his subordinate was using a personal phone.
Even if you take the most generous interpretations you end up with the conclusion that NSC personnel were routinely using personal devices and accounts for secure comms.
The whole point of the Senate testimony from the DNI was that Signal was an approved application that comes pre-installed on government-issued devices - and yes indeed, for secure comms.
Even Teams flags external participants to a chat. How was a phone number not known to be within the government perimeter allowed to be added with no alarm to a chat thread in an app pre-installed and approved by the agency?
There are more questions than answers here and it's clearly suspicious, to say the least, that a prominent threat vector such as a mistaken phone number could go unnoticed and not trip a single flag. We're not talking about compromised SIM cards or anything, a simple fat finger could expose a secure messaging app thread to an external participant and this is approved by the department for years? How many "Mistakes" over the years have gone unreported?
Waltz or anyone on that thread isn't responsible for IT, so who ultimately didn't secure this vector?
apical_dendrite|11 months ago
DisjointedHunt|11 months ago