> Government agencies have paid for versions of encrypted messaging apps that also have archive abilities before. In 2021, Customs and Border Protection (CBP) paid encrypted app company Wickr $700,000.
This seems like a perfect use case to support Signal. Have large, corporate or govt entities, pay for a custom fork of the app, built by the app developers themselves.
Why is telemessage getting the money? Does the Signal Foundation not make it easy to do paid fork implementations?
steamrolled · 19h ago
If Signal becomes financially dependent on government contracts, the govt gains a lot of leverage over the app. I'm not sure that's a great position for this particular platform to be in.
Nifty3929 · 18h ago
This is a good point - but at some point we have to trust someone. I feel that the Signal folks are worth trusting. Plus it's open source, so the more techie among us can meaningfully audit what's going on. That's not foolproof, but it does seem better than most alternatives.
Certainly it's better for the gov't to pay Signal than to try to do it themselves.
Freak_NL · 16h ago
> I feel that the Signal folks are worth trusting.
The MobileCoin integration and the long standing refusal to support a way to use the messenger without using a phone number (or a smartphone at all) make me wary. To me they sit pretty much on the same level of trust as Meta's WhatsApp, which is a sad thing to have to conclude.
cantrecallmypwd · 16h ago
This. Session does desktop and mobile cheerfully without leaving metadata enabling government real-time location tracking.
Wickr is owned by AWS, and only has a government/enterprise product now. The personal version has been discontinued.
andrewinardeer · 15h ago
Pardon my ignorance here, does this mean that governments approach Wickr and buy licences to use their encrypted messenger? If so, what does Wickr do better than other encrypted messenger apps?
bigfatkitten · 15h ago
In short, paperwork.
Government has a ton of policy requirements around data retention, audit logging, where their data is stored, who can access it etc, as well as technical requirements for things like encryption algorithms. They also have a requirement to operate on isolated networks.
It is difficult for an ordinary consumer messaging app to meet these requirements. Matrix is really the only competitor.
dmix · 19h ago
90% of the work is probably compliance and gov contract hoop jumping, not the code.
inhumantsar · 18h ago
that seems optimistic tbh. I'd guess 70/30 lobbying/compliance.
mmooss · 16h ago
Maybe Signal needs to devote all their resources to developing the main app, which is their mission - secure communications for the general public.
bigfatkitten · 1h ago
They have ‘interesting’ priorities.
MobileCoin is prioritised ahead of allowing an iPad-like secondary device experience on Android tablets, for example.
photonthug · 17h ago
Katherine Maher, the CEO of NPR, chairs the board of the Signal Foundation.
mmastrac · 21h ago
> TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them
denkmoon · 20h ago
Crikey that's terrifying. Not even a US company either.
Titan2189 · 18h ago
TeleMessage is an Israeli software company based in Petah Tikva, Israel. Founded in 1999 by Guy Levit and Gil Shapira, it provides secure enterprise messaging, mobile communications archiving and high-volume text messaging services.
https://en.wikipedia.org/wiki/TeleMessage
bb88 · 18h ago
Even though Israel is our "Ally" -- we really shouldn't trust a foreign company with our sensitive messaging.
If you're in the government, you should treat Hegseth and anyone who uses Signal and TMSIGNL as compromised.
decimalenough · 17h ago
It's not like Israel would ever spy on the US right?
I'm pretty sure that the US is a high priority intelligence target for Israel. But then any of the big nations should be. Russia, US, China, etc.
xenator · 15h ago
US spy agencies are world-famously weak and rely heavily on UK and Israel communications.
EasyMark · 17h ago
Or the US spy on Israel.
huijzer · 17h ago
Please tell that to European governments too. The Netherlands military police was using Whatsapp (e.g., https://www.defensie.nl/actueel/nieuws/2022/06/15/maatregele...). Only Germany has the BwMessenger (Matrix) as far as I know. It makes me wonder what the other militaries are using.
tnolet · 16h ago
This is misleading bordering on rage bait. There were 11 Dutch military police who created a WhatsApp group. This was not allowed and is also not sanctioned or any form of official Military Police communications channel.
The leader of those 11 was fired because of it.
It says it right there in the article. Stop making drama.
ahoef · 16h ago
I do not get the feeling that using WhatsApp was the source of the disciplinary measures here, but rather the racist contents they shared there. So to be fair to GP, this could be much more prevalent.
oaiey · 9h ago
The matrix development is carried by France a lot for their secure communication. The German affair hopped onto that.
hackernewds · 17h ago
trust me that's a feature not a bug
jmathai · 19h ago
FTA, fwiw: "404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”"
Hobadee · 16h ago
Telemessage got bought out by Smarsh a couple years ago. (Which several other commenters are saying is a US company) Their service has gone way downhill since.
Source: use them for several of my clients.
diamondage · 15h ago
Distilx has a non-publicly advertised service
esafak · 20h ago
What is the point of using Signal if you are going to let a (foreign) company intercept your communications? I guess they wanted the UX of a commercial product instead of whatever clunky app that's approved for government. Does anyone know what the alternative was?
sorcerer-mar · 20h ago
It makes a lot more sense if you don't assume from the start these people have one iota of intellectual horsepower.
Signal is approved for government uses, just not non-public DOD information. They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
UnreachableCode · 16h ago
> They're supposed to use Signal for something like "hey, get to a SCIF so we can discuss details," then they discuss the details in a secure environment.
Guidance from CISA (an agency within the Department of Homeland Security) does not translate to an Approval for DOD.
The DOD memo does not supersede other DOD instructions referenced by the memo requiring RMF and NIAP things.
sorcerer-mar · 19h ago
We're saying the same thing. It's "use Signal for everything you'd use WhatsApp or SMS for, and use the standard secure channels for anything you'd typically need a secure channel for."
fiddlerwoaroof · 20h ago
From last year after Salt Typhoon became public:
> Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms.
As Dev_VR said, that is a recommendation from CISA to private sector users, not an approval for DOD users.
fiddlerwoaroof · 16h ago
That’s only partially true: I know for a fact that people in government agencies were given permission to use Signal during the Salt Typhoon attacks. You might not be able to use Signal for certain DOD purposes, but non-DOD agencies do permit Signal.
pokstad · 18h ago
Traditionally you would use the plain old telephone system to communicate non-classified information. All of the major telcos services (voice and text) are no longer considered secure per CISA. CISA also recommended to instead use e2e encrypted services (specifically calling out Signal).
The alternative is not installing Signal on a phone with spy software on it. They aren't "intercepting" as in man-in-the-middle. They are intercepting by spying on the personal phone where Signal is. Signal is just another app on your phone. If you're using it for secret comms you'd best have minimal or no software on the phone you're using and protect it every way you know how with passwords and encryption.
coliveira · 18h ago
They need to let their foreign handlers know what they're doing... It is probably in the contract somewhere.
t0lo · 20h ago
I don't get it. Why risk security vulnerabilities to archive when you can just ask Israel and Pegasus for the archives anyway.
t0lo · 20h ago
Wait, this is Israeli. Lol.
cge · 20h ago
As some details:
TeleMessage is/was an Israeli company [1], but was acquired last year by Smarsh [2], itself a subsidiary of K1 Investment Management, both US companies. It me whether the company moved. While not necessarily related at all, their terms of service also seem to explain specific arrangements for messaging in China that appear to involve disclosures to the Chinese government.
It's unclear to me how the app works. It appears to be advertised as a fork of the Signal client which uploads all content to a remote server, thus, of course, breaking the E2E encryption, unless the archive is considered an end and the connection to it is secure. It also appears to be advertised as being the same interface as Signal.
However, both the iOS and Android Signal clients are AGPLv3. I can't find any indication that the TeleMessage clients are anything other than proprietary. So are they going the route of giving the software and source only to paying customers under AGPLv3 (with those customers then free to distribute it)? Did they completely reimplement the client? Or are they an illegal proprietary fork?
The first option seems unlikely, and the latter two seem rather ominous for the security of the app.
Smarsh is apparently a big deal in the compliance space. They're not randos. That doesn't take away the hilarity of using a Signal clone that defeats the whole purpose of Signal, though.
defen · 19h ago
Additional hilarity provided by their name being one letter different from the latinisation of a Soviet spy agency / Bond supervillain organization.
schoen · 19h ago
It looks like it was originally meant as a reference to the username of the founder (Stephen Marsh).
wisemang · 18h ago
Lousy smarsh weather
diamondage · 15h ago
Seems like an odd choice of name from an apparently low attack surface, cybersecurity aware company...
cwillu · 19h ago
> breaking the E2E encryption
E2E doesn't mean what I think you think it means; specifically, it has nothing to do with what the intended recipient (or their software) does with the message.
cge · 19h ago
That very much depends on who is running the archive system, and how it is implemented.
But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
IgorPartola · 17h ago
The point of E2E is only to make sure that Alice is talking to Bob and nobody else can pretend to be either of them or eavesdrop. There is no reason whatsoever to include where else the message may be sent, encrypted or not.
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
cge · 7h ago
>You are confusing Snapchat mechanics for encryption.
I think we're talking about this from two different perspectives. You're considering a user in someone's conversation with a modified, archiving client. Yes, you obviously can't prevent that from a technical side, and it doesn't break Signal's E2E. It would be even simpler to do this with the unmodified Android Signal client, which essentially allows message exports.
I was assuming (possibly incorrectly) that TM's client was being used as an overall messaging system by the government groups involved here, which is how TM seems to advertise it: not a single user running their client, but every (or every internal) user communicating with each other using their client. In that case each user's client would be sending each message to some recipients by Signal Protocol and other recipients by, if other comments and some parts of TM's advertising are correct, SMTP. Yes, some sender-recipient pairs are E2E in that case, but that seems a bit beside the point, as there are others that aren't, and those could be vulnerable to eavesdropping and modification.
I do realize that what I wrote in the initial comment could easily be read as something other than what I meant (it isn't E2E for the messages through Signal that is broken, but separate likely non-E2E messages); I suppose I should have expected here that doing so would result in replies focusing on that interpretation.
IgorPartola · 1h ago
Yeah I mean clients that auto-delete messages are a very useful tool in communicating between people. It’s that they aren’t really meant for anything actually sensitive because (regardless of if they have E2E or not) they can’t guarantee that someone isn’t archiving or exporting the messages. It is the wrong mechanic for anything sensitive.
If you want to make sure nothing is ever archived, there is no software-only solution. If you control the hardware, in theory you can mandate that everything from the OS level-up is a reproducible build and you know for a fact that the messaging client does not allow any export feature. But also, you still have the problem of someone taking a picture of the screen. The real way to do this would be to control the software, hardware, and environment, aka a SCIF. If you want me to see classified war plans, confiscate all my electronics then show me what I need to see in a controlled environment where I can’t make copies. Messaging apps just simply can’t do any of that.
cwillu · 16h ago
Precisely. The security of a message endpoint ends at the point that the opposite party's leverage runs out.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
UnreachableCode · 16h ago
Is there a term for any application which offers full control of your messages then, ie, I send you messages on Signal, but I can make them self destruct and you cannot screenshot them? (Pretty sure Signal allows this?). Nothing stopping a user from taking photos of the screen using another device, of course. Or running their own fork of Signal (which, when run from the open source for Android at least, runs on production).
IgorPartola · 12h ago
Taking photos of your phone screen is the main loophole and is completely undetectable. Exactly what happened to Waltz and what caused TFA.
If you really need to, you can combine this with a rig that holds the phone and the camera just right, controls the lighting, and interacts with the phone via a hotdog mounted on a gantry. Come to think of it, any 3D printer can be adapted to archive Signal/Snapchat/etc. messages in a completely undetectable way. Could even reply if you rig up another phone to talk to your hot dog finger + camera robot.
cwillu · 15h ago
Dunno. Like I said, there's no way to do this effectively without some form of leverage over the counter-party. This sort of thing is why SCIFs exist, and is an example of the more extreme ends of leverage, but it still ultimately comes down to leverage: they can make you delete the message and will throw you in jail if you figure out a way to evade it.
One-time secret, maybe?
guappa · 12h ago
How can this exist?
cwillu · 9m ago
While I'm sympathetic, the possibility of existence is not a prerequisite for having a name of it.
fluidcruft · 20h ago
Just wondering... if you work for a company and your employer provides you with modified GPL software, it's not considered distributed to you in ways that GPL would apply (so you are not free to further distribute it). At least that's how GPLv2 used to be explained as business friendly--"private" modifications remain private and employees are not considered external distribution. I'm not familiar with AGPL though.
giancarlostoro · 20h ago
AGPL is essentially GPL but over the network, if you can reach the service (be it website, or any other protocol) you should be able to receive a copy of the source code. TruthSocial was based on AGPL'd code, they had to comply.
sterlind · 19h ago
if your company itself modified the GPL software, you can't demand the modified source code from your boss. if your company purchased modified GPL software from a third party vendor, your company's legal department could force the vendor to cough up the source code.
wmf · 19h ago
The realpolitik here is that you can get fired if you leak the code, legal or not.
giancarlostoro · 20h ago
> Or are they an illegal proprietary fork?
As long as their clients can redistribute it, it's not illegal, especially if their clients have 0 interest in leaking the source code. The real trick is, has anyone who is NOT using that client hit any of the AGPL relay servers?
For context, I worked for an employer that sold a custom software solution, which used GPL'd software, client was in the military space, so I guess DOD, anyway, for over a decade nobody asked for any of the code, till some years back. I am guessing they just wanted to have it evaluated, but it was a workhorse of many many things, good luck trying to fork it, LOTS of moving pieces involved.
Nothing illegal unless someone who touches a TM SGNL server (somehow) requests the source and they reject you from having it.
cge · 8h ago
Yes, that's what I meant by the possibility of them only offering source under AGPL to paying customers. Oddly enough, I'm familiar with that in the completely different context of davisr's reMarkable Connection Utility, and the model can work reasonably.
But from their website, which has terms of service for each app, it really seems that they are presenting them as standard proprietary closed-source offerings.
Hobadee · 16h ago
> unless the archive is considered an end and the connection to it is secure
LMAO NO! I have quite a few clients using Telemessage, and most of them use Global Relay on the backend. It's a little terrifying actually, as Global Relay just ingests everything via SMTP. I haven't checked if they have DNSSEC or MTA-STS set up, but with how Global Relay operates I would be surprised if they did. I suspect a well-placed proxy or DNS poisoning could siphon off a good chunk of sensitive emails being sent to Global Relay.
Christ. Install it using an App Centre distribution
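An added example, not part of the thread or of any vendor's code: an offline check of the MTA-STS question raised in the SMTP-archive comment above, showing what a compliant sending MTA does with each MX host it gets from DNS under a given policy (RFC 8461). The `archive.example` names, the TXT records and the policy text are constructed sample data.

```python
"""Offline MTA-STS (RFC 8461) evaluation for a domain that receives archive mail.
All domains, records and policies here are constructed sample data."""

VALID_MODES = ("enforce", "testing", "none")


def parse_txt_id(txt_records):
    """Return the policy id from the _mta-sts TXT answers, or None.

    RFC 8461: keep only records starting with v=STSv1; anything other than
    exactly one such record means "no policy".
    """
    sts = [r.strip() for r in txt_records if r.strip().startswith("v=STSv1")]
    if len(sts) != 1:
        return None
    fields = {}
    for part in sts[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    policy_id = fields.get("id", "")
    ok = policy_id.isascii() and policy_id.isalnum() and len(policy_id) <= 32
    return policy_id if ok else None


def parse_policy(text):
    """Parse the key: value policy file served at /.well-known/mta-sts.txt."""
    policy = {"version": None, "mode": None, "max_age": None, "mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age" and value.isdigit():
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
    usable = (policy["version"] == "STSv1" and policy["mode"] in VALID_MODES
              and policy["max_age"] is not None)
    return policy if usable else None


def mx_matches(pattern, host):
    """Match an MX host against one policy mx pattern."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard stands for exactly one left-most label.
        _, _, parent = host.partition(".")
        return parent == pattern[2:]
    return host == pattern


def delivery_decisions(txt_records, policy_text, mx_hosts):
    """Map each MX host from DNS to what an MTA-STS-aware sender does with it."""
    policy = parse_policy(policy_text) if parse_txt_id(txt_records) else None
    decisions = {}
    for host in mx_hosts:
        if policy is None or policy["mode"] != "enforce":
            # No policy, or testing/none: TLS is neither required nor
            # authenticated, so an MX answer from DNS is taken as-is.
            decisions[host] = "opportunistic-tls"
        elif any(mx_matches(p, host) for p in policy["mx"]):
            decisions[host] = "require-valid-tls"
        else:
            # MX host not listed in the HTTPS-served policy: not used.
            decisions[host] = "refuse"
    return decisions


# Constructed sample data (not real records of any provider).
SAMPLE_TXT = ["unrelated-verification=abc123", "v=STSv1; id=20250101T000000;"]
SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.archive.example\r\n"
    "mx: *.in.archive.example\r\n"
    "max_age: 604800\r\n"
)
SAMPLE_MX = ["mx1.archive.example.", "a.in.archive.example", "mx.unexpected.example"]

if __name__ == "__main__":
    for mx, action in delivery_decisions(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX).items():
        print(f"{mx:28} {action}")
```

Only `mode: enforce` changes the outcome for an MX host that is not in the policy; with `testing`, `none` or no TXT record, every host in the DNS answer is still delivered to.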
qingcharles · 18h ago
Would love to know what the message from JD means: "I have confirmation from my counterpart it's turned off."
brewdad · 17h ago
OMG. He turned off the Pope!
cryptonector · 18h ago
At least this takes care of the open records issues, no?
mdhb · 15h ago
So wait…
They are using a Signal clone that is run by a group of Israeli intelligence officers??
I don’t think that part of the story has broken yet properly.
When you go to google maps for the address listed for that company you actually get a company called “Cyberint” which seems extremely not good.
Worse.. when you take a look at the bios for the company on their website I see that it’s filled with supposedly “ex” Israeli intelligence officers including the CEO among others.
https://www.telemessage.com/team/
That seems like a MUCH MUCH bigger deal than the currently known story.
Like several orders of magnitude bigger than the original signalgate story.
The implication here is that a bunch of Israeli intelligence officers have maybe the best access of anyone in the world right now in that they have a real time feed of every conversation that the US national security advisor is a part of.
sagarpatil · 17h ago
So is signal safe or not?
EasyMark · 16h ago
Signal is fine, what's not fine is using it for top secret messages on your average everyday phone which is apt to get hacked by state actors and their mercenaries if you're important enough to be on their radar.
mmooss · 16h ago
Also it's not secure to share info in Signal chats with people who lack clearance.
brewdad · 17h ago
There's nothing to suggest Signal is compromised. Once you are passing your Signal data through a third party...who knows?
JumpCrisscross · 20h ago
“On Thursday Reuters published a photograph of Waltz checking his mobile phone during a cabinet meeting held by Donald Trump. The screen appears to show messages from various top level government officials, including JD Vance, Tulsi Gabbard, and Marco Rubio.”
Head of NatSec, ladies and gentlemen. Once the domain of Kissinger, Brzezinski, Powell and Rice. Now with the opsec of a brain-damaged cocaine dealer.
grg0 · 19h ago
Pin is 1234.
stateofinquiry · 18h ago
"That's amazing! I've got the same combination on my luggage!"
cantrecallmypwd · 15h ago
Looks at each other disapprovingly.
(It was 1-2-3-4-5.)
pseudo0 · 17h ago
They are shuffling him off to be UN ambassador per recent reporting. Better late than never, I suppose.
timmytokyo · 16h ago
I'm sure his replacement will be so much better. /s
KerrAvon · 18h ago
Kissinger and Rice are war criminals who should have gone to jail for the rest of their respective lives. Trump’s guy can’t even manage that level of evil.
wiseowise · 18h ago
War criminals or not, you can’t deny they were smart. Unlike current administration.
cantrecallmypwd · 15h ago
Intelligence isn't a respectable quality in the face of illegal (allegedly), unethical, and/or immoral behavior.
Kissinger shared culpability for what happened in Cambodia, Laos, and Vietnam.
Rice shares culpability for what happened in Afghanistan and Iraq.
Hegseth may still participate in war crimes regardless of being a dim bulb. One can only hope his disability makes him less effective in causing harm deliberately, but he still may cause great harm inadvertently as well.
America needs to acknowledge that it has a multitiered system of selective criminal prosecution where some people get away with crimes because of who they are.
MaxPock · 17h ago
Wouldn’t it be more effective for the government to develop a highly secure communication app, known only to individuals in top-level positions?
This app would be discreetly installed upon appointment to a senior government role and automatically removed upon departure from office.
kristjansson · 17h ago
That's ... that's the communication network they're avoiding? Because the problem is not _which_ app, it's that it's _an_ app, on standard hardware, on the public internet?
UnreachableCode · 16h ago
Only, made by an Israeli company that presumably doesn’t make their version of Signal open source
aorloff · 17h ago
A lot more legal too.
cantrecallmypwd · 15h ago
Yes and no.
No, not for classified comms. They already have secure comms and SCIFs but they're not using them. This is what they should be using. And they should be following sterile opsec so they don't carry tracking and listening devices into classified meetings or strategy discussions with decision makers.
They do need better opsec for unclassified and personal comms. It would be nice™ for them to have a Signal-like app controlled by the NSA because depending on Signal or WhatsApp is vulnerable to a malicious insider. Few Meta employees have security clearances, while I don't know about Signal.
whimsicalism · 18h ago
> 404 Media found numerous U.S. government contracts that mention TeleMessage specifically. One for around $90,000 from December 2024 says “Telemessage (a Smarsh Co.) Licenses for Text Message Archiving, & WhatsApp and Signal Licenses.”
A blatant AGPL violation, no? Were they using Signal in the Biden admin or do these contracts get set up in prep for the new team?
janalsncm · 20h ago
It’s possible Mike Waltz didn’t think the archiving capability was reliable enough, so he added a journalist to the group chat.
pokstad · 18h ago
That’s like in the old days when you needed to get married and grabbed a random nearby person to be the witness.
onionisafruit · 17h ago
I doubt that’s happened more than twice in the history of marriage
joecool1029 · 16h ago
I was the random person asked once before, didn't work though as my state requires a 72-hour wait from filling out marriage application before you can be legally married. (Couple was eloping from another state and wanted to get married same day, were told it would have to be a different state)
incanus77 · 16h ago
My parents got married in 1975 in this way.
mattl · 17h ago
It's happened more than once to me!
bamboozled · 19h ago
"He's just joking"
michaelteter · 16h ago
Clown car.
_heimdall · 21h ago
It seems reasonable enough that the government may have built a forked version of signal with message archiving that meets documentation requirements.
If it's an app they wanted kept under wraps, it will make the whole Hegseth situation seem a lot more benign.
I use Molly Messenger on a secondary phone that doesn't have a SIM, it's a fork of Signal with a few differences related to encryption at rest. It still works with normal signal users just fine, on the other end you can't tell I have a different client. If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
davidcbc · 20h ago
It was not built by the government and it's not some secret software, it's off the shelf software by an Israeli company.
_heimdall · 20h ago
I didn't catch this in the article here. Is that well known elsewhere?
davidcbc · 20h ago
> But the message is slightly different: it asks Waltz to verify his “TM SGNL PIN.” This is not the message that is displayed on an official version of Signal.
> Instead TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them.
Acquired by a US company, Smarsh, according to other comments
poink · 20h ago
It's not only reasonable the US government should be archiving communications between officials, it should be compulsory. We've already had problems with this re: agents of government agencies like CBP and big bankers using E2EE messaging apps to skirt regulatory requirements.
That said, whether this makes the situation better or worse depends on who can actually see these archives. "Smarsh" is a US-based company, but they acquired TeleMessage, which was (is?) based in Israel.
dmix · 19h ago
Some of the top US government IT contractors are British, Canadian, and Italian owned companies. Running servers in the US for a government contract isn’t a big deal at a technical level.
UnreachableCode · 15h ago
> If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
Is there no way Signal can prevent this in the official app?
FreakyT · 20h ago
Molly is great; I use it for the same purpose.
I find the Signal devs' attitude so frustrating; they deliberately disable the ability to use Signal in secondary device mode for phone-sized-devices, because they know the Correct Way To Use Signal™ is to only use it on one phone-sized-device.
firesteelrain · 20h ago
6 days ago there was the Hegseth article regarding this being hotly debated in here and it’s a great example of not having all the facts before jumping to conclusions. Part of the debate was regarding archiving of messages which now apparently there is a way to archive Signal messages automatically. Huh who would have figured
ceejayoz · 20h ago
Great motivated thinking, but wrong.
It would appear they're using this app now, post-incident, because they got in trouble. (And having messages with Vance, Gabbard, etc. be visible to the press pool camera is... not a great look for the guy who accidentally added a reporter.)
> All of the messages from a leaked group chat have been deleted from the phone of John Ratcliffe, the C.I.A. director, the agency said in a court filing.
chrisco255 · 19h ago
Those are just accusations from a 3rd party agency. They have no way of knowing if Ratcliffe archived the messages before deleting. Signal has been approved since the Biden admin. It was most likely already distributed with the Telemessage feature.
ceejayoz · 12h ago
“the agency said in a court filing”
The agency is the CIA, to a court, saying the messages are gone.
UnreachableCode · 15h ago
> Signal has been approved since the Biden admin. It was most likely already distributed with the Telemessage feature.
How do you know this? Also I would not consider this a “feature”. We should assume they’re different apps, insofar as Telemessage can add whatever they please to the source
firesteelrain · 12h ago
"One of the things I was briefed on very early … was by the CIA records management folks about the use of Signal as a permissible work use," Ratcliffe said during a March 25 Senate Intelligence Committee hearing (see 45:05). "It is. That is a practice that preceded the current administration to the Biden administration."
Exhaling air through flappy mouth and throat parts is also permissible in the CIA.
That doesn’t mean you won’t get in trouble if you flap them in a way that says “we bomb x at y o’clock” where uncleared people can hear.
firesteelrain · 37m ago
Sure, but that’s the point—Signal is permitted; it’s the content that matters, not the medium. Ratcliffe's testimony confirms it’s been standard practice across administrations. It’s already approved in IC circles despite your claims it harms national security.
https://en.wikipedia.org/wiki/Jonathan_Pollard
Sort of like the drug dealers from The Wire
[Ref. needed]
Not approved for non-public DOD information: https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-...
The DOD memo does not supersede other DOD instructions referenced by the memo requiring RMF and NIAP things.
> Adopt a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms.
https://www.cisa.gov/sites/default/files/2024-12/guidance-mo...
https://investigations.cooley.com/2025/01/15/federal-law-enf...
TeleMessage is/was an Israeli company [1], but was acquired last year by Smarsh [2], itself a subsidiary of K1 Investment Management, both US companies. It me whether the company moved. While not necessarily related at all, their terms of service also seem to explain specific arrangements for messaging in China that appear to involve disclosures to the Chinese government.
It's unclear to me how the app works. It appears to be advertised as a fork of the Signal client which uploads all content to a remote server, thus, of course, breaking the E2E encryption, unless the archive is considered an end and the connection to it is secure. It also appears to be advertised as being the same interface as Signal.
However, both the iOS and Android Signal clients are AGPLv3. I can't find any indication that the TeleMessage clients are anything other than proprietary. So are they going the route of giving the software and source only to paying customers under AGPLv3 (with those customers then free to distribute it)? Did they completely reimplement the client? Or are they an illegal proprietary fork?
The first option seems unlikely, and the latter two seem rather ominous for the security of the app.
[1]: https://en.wikipedia.org/wiki/TeleMessage
[2]: https://en.wikipedia.org/wiki/Smarsh
E2E doesn't mean what I think you think it means; specifically, it has nothing to do with what the intended recipient (or their software) does with the message.
But more generally, your point is why I mentioned "unless the archive is considered an end and the connection to it is secure."
Consider E2E protected email service. You send me the final designs over this encrypted channel. Then I put the designs onto a USB drive and give them to my printer to print. Then I hang them as billboards all over town. This is a valid use case for E2E. Yet the contents of the message ends up visible from the freeway.
You are confusing Snapchat mechanics for encryption.
I think we're talking about this from two different perspectives. You're considering a user in someone's conversation with a modified, archiving client. Yes, you obviously can't prevent that from a technical side, and it doesn't break Signal's E2E. It would be even simpler to do this with the unmodified Android Signal client, which essentially allows message exports.
I was assuming (possibly incorrectly) that TM's client was being used as an overall messaging system by the government groups involved here, which is how TM seems to advertise it: not a single user running their client, but every (or every internal) user communicating with each other using their client. In that case each user's client would be sending each message to some recipients by Signal Protocol and other recipients by, if other comments and some parts of TM's advertising are correct, SMTP. Yes, some sender-recipient pairs are E2E in that case, but that seems a bit beside the point, as there are others that aren't, and those could be vulnerable to eavesdropping and modification.
I do realize that what I wrote in the initial comment could easily be read as something other than what I meant (it isn't E2E for the messages through Signal that is broken, but separate likely non-E2E messages); I suppose I should have expected here that doing so would result in replies focusing on that interpretation.
If you want to make sure nothing is ever archived, there is no software-only solution. If you control the hardware, in theory you can mandate that everything from the OS level-up is a reproducible build and you know for a fact that the messaging client does not allow any export feature. But also, you still have the problem of someone taking a picture of the screen. The real way to do this would be to control the software, hardware, and environment, aka a SCIF. If you want me to see classified war plans, confiscate all my electronics then show me what I need to see in a controlled environment where I can’t make copies. Messaging apps just simply can’t do any of that.
If I care more about my snapchat account than I do about saving your disappearing message minus your ability to leverage snapchat into banning my account or apply outside social pressure, then your disappearing message may actually disappear. As the stakes go up, so does the leverage required for “endpoint security” to be a meaningful security boundary.
If you really need to, you can combine this with a rig that holds the phone and the camera just right, controls the lighting, and interacts with the phone via a hotdog mounted on a gantry. Come to think of it, any 3D printer can be adapted to archive Signal/Snapchat/etc. messages in a completely undetectable way. Could even reply if you rig up another phone to talk to your hot dog finger + camera robot.
One-time secret, maybe?
As long as their clients can redistribute it, it's not illegal, especially if their clients have 0 interest in leaking the source code, the real trick is, has anyone who is NOT using that client hit any of the AGPL relay servers?
For context, I worked for an employer that sold a custom software solution, which used GPL'd software, client was in the military space, so I guess DOD, anyway, for over a decade nobody asked for any of the code, till some years back. I am guessing they just wanted to have it evaluated, but it was a workhorse of many many things, good luck trying to fork it, LOTS of moving pieces involved.
Nothing illegal unless someone who touches a TM SGNL server (somehow) requests the source and they reject you from having it.
But from their website, which has terms of service for each app, it really seems that they are presenting them as standard proprietary closed-source offerings.
LMAO NO! I have quite a few clients using TeleMessage, and most of them use Global Relay on the backend. It's a little terrifying actually, as Global Relay just ingests everything via SMTP. I haven't checked if they have DNSSEC or MTA-STS set up, but with how Global Relay operates I would be surprised if they did. I suspect a well-placed proxy or DNS poisoning could siphon off a good chunk of sensitive emails being sent to Global Relay.
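The MTA-STS question raised in the comment above, as an added example that is not part of the original thread: an offline Python check of an MTA-STS (RFC 8461) TXT record and policy file against a domain's MX hosts. The domain `archive.example`, the sample records and the function names are constructed for illustration and describe no real provider.

```python
# Added example: offline MTA-STS (RFC 8461) evaluation; all sample data is constructed.

def parse_txt(record):
    """Parse the _mta-sts TXT record; return its fields or None if invalid."""
    fields = [f.strip() for f in record.split(";") if f.strip()]
    if not fields or fields[0] != "v=STSv1":
        return None  # the version must be the first field
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    return kv if kv.get("id") else None

def parse_policy(text):
    """Parse the policy file body into mode, max_age and a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(pattern, host):
    """A '*.' wildcard covers exactly one left-most label, nothing deeper."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def assess(txt_record, policy_text, mx_hosts):
    """Return a list of findings; an empty list means the policy is enforced."""
    if parse_txt(txt_record) is None:
        return ["no valid _mta-sts TXT record: senders will not apply a policy"]
    policy = parse_policy(policy_text)
    findings = []
    if policy.get("mode") != "enforce":
        findings.append(f"mode is {policy.get('mode')!r}: delivery is not blocked on TLS failure")
    if not policy.get("max_age", "").isdigit():
        findings.append("max_age missing or not numeric")
    for host in mx_hosts:
        if not any(mx_matches(p, host) for p in policy["mx"]):
            findings.append(f"MX {host} is not covered by any mx pattern")
    return findings

# Constructed sample: a policy left in testing mode, with one MX outside the wildcard.
SAMPLE_TXT = "v=STSv1; id=20250101T000000;"
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: *.archive.example\nmax_age: 86400\n"
SAMPLE_MX = ["mx1.archive.example", "mx.eu.archive.example"]
print(assess(SAMPLE_TXT, SAMPLE_POLICY, SAMPLE_MX))
```

In a real check the TXT record comes from `_mta-sts.<domain>` and the policy from `https://mta-sts.<domain>/.well-known/mta-sts.txt`; only a policy in `enforce` mode makes a conforming sender refuse delivery when TLS or MX validation fails.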
https://www.telemessage.com/how-to-install-and-register-sign...
They are using a Signal clone that is run by a group of Israeli intelligence officers??
I don’t think that part of the story has broken yet properly. When you go to google maps for the address listed for that company you actually get a company called “Cyberint” which seems extremely not good.
https://maps.app.goo.gl/L7vVHw5x4VdgS8859?g_st=com.google.ma...
Worse.. when you take a look at the bios for the company on their website I see that it’s filled with supposedly “ex” Israeli intelligence officers including the CEO among others. https://www.telemessage.com/team/
That seems like a MUCH MUCH bigger deal than the currently known story.
Like several orders of magnitude bigger than the original signalgate story.
The implication here is that a bunch of Israeli intelligence officers have maybe the best access of anyone in the world right now in that they have a real time feed of every conversation that the US national security advisor is a part of.
Head of NatSec, ladies and gentlemen. Once the domain of Kissinger, Brzezinski, Powell and Rice. Now with the opsec of a brain-damaged cocaine dealer.
(It was 1-2-3-4-5.)
Kissinger shared culpability for what happened in Cambodia, Laos, and Vietnam.
Rice shares culpability for what happened in Afghanistan and Iraq.
Hegseth may still participate in war crimes regardless of being a dim bulb. One can only hope his disability makes him less effective in causing harm deliberately, but he still may cause great harm inadvertently as well.
America needs to acknowledge that it has a multitiered system of selective criminal prosecution where some people get away with crimes because of who they are.
No, not for classified comms. They already have secure comms and SCIFs but they're not using them. This is what they should be using. And they should be following sterile opsec so they don't carry tracking and listening devices into classified meetings or strategy discussions with decision makers.
They do need better opsec for unclassified and personal comms. It would be nice™ for them to have a Signal-like app controlled by the NSA because depending on Signal or WhatsApp is vulnerable to a malicious insider. Few Meta employees have security clearances, while I don't know about Signal.
A blatant AGPL violation, no? Were they using Signal in the Biden admin or do these contracts get set up in prep for the new team?
If it's an app they wanted kept under wraps, it will make the whole Hegseth situation seem a lot more benign.
I use Molly Messenger on a secondary phone that doesn't have a SIM, it's a fork of Signal with a few differences related to encryption at rest. It still works with normal Signal users just fine, on the other end you can't tell I have a different client. If the government has a similarly forked version you could likely still accidentally invite the wrong user in from their normal Signal app and they wouldn't know you're on a forked version with government archiving features.
> Instead TM SGNL appears to refer to a piece of software from a company called TeleMessage which makes clones of popular messaging apps but adds an archiving capability to each of them.
https://en.wikipedia.org/wiki/TeleMessage
That said, whether this makes the situation better or worse depends on who can actually see these archives. "Smarsh" is a US-based company, but they acquired TeleMessage, which was (is?) based in Israel.
Is there no way Signal can prevent this in the official app?
I find the Signal devs' attitude so frustrating; they deliberately disable the ability to use Signal in secondary device mode for phone-sized-devices, because they know the Correct Way To Use Signal™ is to only use it on one phone-sized-device.
It would appear they're using this app now, post-incident, because they got in trouble. (And having messages with Vance, Gabbard, etc. be visible to the press pool camera is... not a great look for the guy who accidentally added a reporter.)
https://www.nytimes.com/2025/04/15/us/politics/cia-director-...
> All of the messages from a leaked group chat have been deleted from the phone of John Ratcliffe, the C.I.A. director, the agency said in a court filing.
The agency is the CIA, to a court, saying the messages are gone.
How do you know this? Also I would not consider this a “feature”. We should assume they’re different apps, insofar as TeleMessage can add whatever they please to the source.
https://www.c-span.org/program/senate-committee/dni-director...