So one of their servers had a /heapdump endpoint that publicly served a heap dump of the server? This whole saga is out of control.
This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
mingus88 · 32d ago
Can you imagine co-opting a trusted and secure (and free) bit of software and just making it worse at seemingly every turn?
And charging for it?!
I’m not sure what is more embarrassing: to be the company or to be a user.
miki123211 · 32d ago
This is why Signal is so opposed to third-party apps (or forks) that connect to their service.
If you want to keep the branding of Signal being the secure app, you need to make sure that all Signal users are actually using a secure version of Signal.
If an insecure fork (like this one) becomes too popular, most groups will have at least one member using it, and then the security is gone.
pchristensen · 31d ago
That was Apple's same reasoning for shutting down that iMessage client app. These leaks seem to justify their concerns.
xandrius · 31d ago
Nah, that was to keep their users hostage and force them to buy a iPhone.
fn-mote · 31d ago
This is a shallow dismissal of an argument that should be given more consideration.
Sure, this is HN, we know one of the effects of locking the ecosystem and coloring in-system messages differently is to encourage people to be in the ecosystem.
At the same time, you ALSO need to consider that obviously there will be leaks.
Malicious/advertising apps will target the new messaging interface to gain more data on their victims, etc.
smaudet · 31d ago
Safe encrypted group chat with stangers is an oxymoron.
Locking down a platform is not an acceptable solution to the above conundrum - it doesn't matter if the user is using an official device/app whatever if they are untrusted. They can always turn around and leak everything you say without any technical measures.
Should we have no security? No, if you want to color messages differently based on perceived platform, fine. This is just an illustration that no technical measures can replace the fundamental trust necessary in these types of situations.
aesh2Xa1 · 30d ago
Hm, my understanding is that TeleMessage archival works with iMessage in the same way it does with Signal.
The third-party federation problem is real, but the vulnerability caused by TeleMessage isn't solved by removing federation.
xorcist · 31d ago
If your product is a strong brand then that would make total sense.
I believe the main criticism against Signal is that they should focus on getting widespread traction of secure messaging, and that perhaps the brand can be a relatively distant concern.
calvinmorrison · 32d ago
That doesn't seem to be a problem for protocols and having a single implementation can lead to bugs that defy spec yet cause no issues obviously.
ctxc · 32d ago
But you're not branding or selling implementations
ctxc · 32d ago
*protocols
hypeatei · 32d ago
Why would the company be embarrassed? The users (i.e. high level U.S. officials) did no due diligence. Of course a private company is going to take the easiest and cheapest route. If it goes bad, just shut down and spin up a new entity.
Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
n2d4 · 32d ago
> Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?
Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.
barbazoo · 32d ago
Two things can be true at once. Them using their access to unencrypted messages for nefarious purposes and them being incompetent at the same time leaving that endpoint open.
jojohohanon · 32d ago
There’s room for both sides of the razor. The heapdumpz could be there maliciously, but incompetently made globally accessible.
pigbearpig · 32d ago
From the Wired article: "The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint,"
So the heapdumps being available is a Spring Boot feature so it does not appear to be malicious.
When the PR was created in 2016, endpoints were marked as "sensitive" and, for example, the heapdump endpoint would have to be explicitly enabled. However, Spring Boot has evolved over the years, and only the "shutdown" endpoint was made "restricted" in the later solutions. My recent PR will address that weakness in Spring Boot when users misconfigure or ignore security for a Spring Boot app so that heapdumps won't get exposed by default.
stackskipton · 31d ago
I don't get why 2+ years after Log4J we are still dealing with this from Java libraries developers.
Your end users are not security savvy, they will never be security savvy and you need to protect them from themselves instead of handing them loaded handgun. This language more than most is filled with people punching buttons for paycheck.
- Signed, Angry SRE who gets to deal with this crap.
testplzignore · 31d ago
In my opinion, the original sin of Spring Boot Actuator is allowing server.port and management.server.port to be the same. It makes it too convenient for developers to skip the security review that would be done for opening a non-standard port.
I think it would be wise to either disallow the ports being the same, or if they are the same, only enable the health endpoint.
smaudet · 31d ago
I'm more of the opinion that developers will make smart choices, when motivated.
Sure, punching buttons for money is a widespread issue in the industry, but devs also like convenience.
Security has the hard problem that it's infuriatingly difficult to troubleshoot (ever tried to write security policies for an app or figure out how to let an app through a firewall, or set of firewalls?), and there's a bit of a culture of "security by obscurity".
So it's kind of expected that this is the behavior...
Sure some people will really just not care, mistakes will be made, but secure defaults, easy to configure and simple to understand are features not often seen from security products generally. This is driven by poor motivations from security folk who want to protect their industry...
evrflx · 32d ago
This feature must be explicitly enabled, it is not on by default nor by accident.
bryanrasmussen · 32d ago
huh, I sure seem to be needing to debug this a lot, I guess I'll just leave it turned on all the time that way I can say a few seconds next time. Larry Wall says one of the virtues of being a great developer is laziness!
No comments yet
terom · 31d ago
Based on [1] it seems like one `management.endpoints.web.exposure.include=*` is enough to expose everything including the heapdump endpoint on the public HTTP API without authentication. It's even there in the docs as an example.
Looks like there is a change [2] coming to the `management.endpoint.heapdump.access` default value that would make this harder to expose by accident.
I mean, it could theoretically have been to provide plausible deniability, but it seems extremely more likely to have been incompetence and carelessness (and if they were also sending everything to Israel, it was probably through some unencrypted ftp upload).
michaelt · 31d ago
Imagine you ran a spy agency and you were infiltrating signal, Facebook, Google, aws, cloudflare, and so on.
Would you have them make a secure back door that could only be intentionally designed, and potentially traced back to you?
Or would you just have them be incompetent in plausible, deniable ways?
Nobody’s getting shot for espionage because they chose log4j and it had the shell shock bug.
notpushkin · 32d ago
I mean, one doesn’t preclude the other. This could be an incompetent intentional intelligence gathering.
aucisson_masque · 32d ago
The Israeli would have made it secure so only them can access the data because knowing someone else's secret is worth something only when it's still a secret, if china, Russia and everyone can read the log of the American government it's worth nothing.
dylan604 · 32d ago
>Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
Which does not bode well for the customers' counter intelligence abilities
donnachangstein · 32d ago
> The users (i.e. high level U.S. officials) did no due diligence.
But why would they? It's not their job. They have massive IT staff supporting them. "High level U.S. officials" are just executives; the pointy-haired bosses to the pointy-haired boss. Only difference is these wear little decorative pins over their breast pocket.
Every Fortune 500 company has dedicated IT staff for execs; someone you can call 24/7 and say "my shit's broke" and they respond "we just overnighted you a new phone".
These people couldn't even install an app on their MDM-controlled device, now the narrative has become we expect them to be making low-level IT decisions too?
Next week we'll be scrutinizing Pete Hegseth's lack of thoughts on rotating backup tapes.
Jedd · 32d ago
> ... narrative has become we expect them to be making low-level IT decisions too?
I think that's a misdirection.
The narrative is that:
a) they were using a compromised piece of software
b) they should not have been using that software - not (necessarily) because it was compromised, but because it wasn't US DoD accredited for that use case.
(I understand your point that these guys are not tech savvy, and do not need to be, but they should be regulation-savvy (clearly they either are not, or willingly broke those regulations), and they should be following organisational guidelines that presumably cover the selection and use of these tools types.)
da_chicken · 31d ago
Yeah, and the purchase approval process is in place specifically so that someone who knows what to look for has looked at it and verified that it's an acceptable configuration.
This is the exact same problem as Clinton's blackberry enterprise server. Doing it right was hard and time consuming, so they ignored that and did what they wanted.
Only we should be a lot more demanding that our officials in 2025 have a better basic understanding of the importance of computer security than in 2005.
nkrisc · 32d ago
> now the narrative has become we expect them to be making low-level IT decisions too?
If their staff makes bad decisions, that’s their failure too.
We expect them to be ultimately responsible for what happens on their watch.
Was it Truman who said, “Woah, don’t bring the buck anywhere near me, it stops with my assistant”.
danieldk · 32d ago
It is too early to tell, but given that these people openly attack scientists and other experts (they don’t agree with), I wouldn’t be surprised if they ignored advise of their IT experts.
input_sh · 32d ago
It's not too early to tell, we knew from the beginning that the use of Signal (let alone its clone) was not authorised to be used for such communications.
Yes, there's a fleet of people who are supposed to make such tech decisions. The people involved specifically went against those rules. The existence of a group chat using an authorised app is a violation on its own, adding a journalist to it is a violation on top of a violation.
Adding a journalist was accidental, but using such an app (despite it not being approved) is very intentional.
cornholio · 32d ago
IT staff that knew it was illegal to provide them tools for a conspiracy were fired or silenced. So the only people left were their cronies, who instantly complied with their illegal request, to the best of the cronies' abilities. For such national failures, the buck has to stop at the very top, not on some IT monkey.
This is typical for highly corrupt governments and autocracies, they crumble from within because the autocrats can't trust random, competent people so their inner circle becomes saturated with people who are selected on the basis of loyalty not competence, and these people end up making the most important decisions and running the country.
3rdDeviation · 32d ago
Would tend to agree with most of that, but I think the assertion is Petey needed to ask his IT leadership to do the due diligence before diving in, not that he needed to decide using his own depth of skills and experience.
I assume he did and they said it was a bad idea - the memo they'd released a few weeks prior about Signal vulnerabilities seems to suggest a lack of faith in that approach - but he was already banging away on his phone with all the grocery reminders and definitely not battle plans he needs to keep pushing out. Which is also how it feels in the enterprise space these days.
Strange thing to see our bureaucracy start to behave like a corporation instead of the other way around.
hristov · 32d ago
Their massive it staff provides them with a way to communicate securely and they ignore it deliberately so that their communications are not preserved for history or for future court cases.
TeMPOraL · 32d ago
One man's low Integrity (in the "CIA triad" sense) of communications is another man's improved plausible deniability.
kube-system · 32d ago
The changes to the application are intentional by all parties because message archiving was required by law.
brookst · 32d ago
Sure, but they were not required to be done incompetently and insecurely.
sneak · 32d ago
The fundamental concept of plaintext archiving (escrow) of messages from e2ee messaging apps is insecure by most definitions.
They could have used user-custody public key cryptography, where the end devices have the pubkey of the customer, and archive only re-encrypted messages to TM that they can’t read.
That is not, of course, what they did. They just archive them in plaintext.
kevincox · 32d ago
I don't think it is. I can archive my own messages and E2E security on the messaging layer means I don't have to trust the operator of the messaging service to not read my messages because they can't. The choice of how I archive the messages is completely orthogonal to the choice of messaging platform security. I could choose to use an E2EE approach if I want but in that case it probably wasn't even desired as the point was to have these be archived for audit purposes. (Of course they are more secure options such as archiving to an audit key, but this is still orthogonal to the concern of the messaging protocol)
_kb · 32d ago
Well, I suppose technically this /heapdump endpoint does satisfy that archive requirement.
yapyap · 32d ago
User for sure
HenryBemis · 32d ago
(read with sarcastic tone) But hey, this is a 'lite' version or a 'red' version (icon is red) or a 'purple' version (icon is purple), so I am cooler that then others that have the standard.
I haven't used WhatsApp for 'a very long time' as I have exited the FB ecosystem, but back in the day I remember seeing "lite" or "WhatsApp+" or other variations of the software. I wouldn't be surprised that those "lite" or "+" come with baggage.
BearOso · 31d ago
> They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
That's very important to say. I went through one of these massive data dumps recently and it was literally all cached operating system package updates and routine logs. Nothing at all of interest.
It's easy to cut the size on a heap dump. When it's not done it seems sketchy. But it could be a 512GB dump and already pruned, so I could be wrong.
harrall · 31d ago
Most of the the heap dump will be filled with stuff like java.util.String!blahjava.util.ArrayList!
Though the heap dump would have messages in flight at the time. It's obviously not as useful if you are just trying to grab messages for a specific person.
Frankly the most useful part might be any in-memory secret keys, which could be useful for breaking deeper into the system.
aorloff · 25d ago
Plenty of info from a live heap dump if you know what you are doing.
But these guys are only interested in "journalists" not people who spent decades digging into ad server heap dumps
barbazoo · 32d ago
Aren’t those Israeli software companies all supposed to be top notch, ex Mossad, yadda yadda? Doesn’t sound like it.
I hope the message dump is juicy.
msy · 32d ago
And SBF of FTX fame was ex-Jane St so obviously was a serious finance professional. This is why using past employers as a shorthand for capability is unwise.
sillystu04 · 32d ago
In fairness, FTX had a profitable bankruptcy [1]. So it's still better to be scammed by Jane Street alumni than to be scammed by the usual alumni of Goldman Sachs, JP Morgan etc
It's not profitable. They are getting their money back from value of the assets in 2022 when they went bankrupt but most of crypto assets have gone up significantly in value so it's 2.5 years of lost profit.
coolcase · 32d ago
How is that fair? It was luck from the AI investment. Pure luck.
fredoliveira · 31d ago
Regardless of how you feel about SBF and FTX, claiming an early investment into Anthropic is "luck" rather than being ahead of the curve feels off the mark.
coolcase · 31d ago
That is dodging the point. The guy ripped people off. By luck they got the fiat value of their investment at some past date back. Yes if a single investment pays off well enough to negate fraud losses on that scale over a short time scale. It's fucking luck.
bn-l · 32d ago
It wasn’t the only smart investment
gruez · 32d ago
I thought Israel has mandatory military service, so ex-mossad or ex-military signals intelligence doesn't really say much? Presumably they're directing people based on their skill set, so you'd expect most hackers to end up in mossad for their mandatory service.
kennywinker · 32d ago
> Presumably they're directing people based on their skill set
Big presumption.
If I were israeli, there’s no way in hell anybody with half a brain would want me near their spy agency.
When a gov is committing a genocide, their decisions are based on control and fear, not getting the best out of people.
Edit: downvote all you want. Israel is still committing a genocide. No hospitals left standing. Killing aid workers, journalists, and doctors. A million people on the brink of starvation. Literally salting the earth to prevent crops from being grown. That is war crimes, ghettoization, and genocide.
viraptor · 32d ago
That's not a great generalisation for the whole country. How many ex Mossad people interested in doing actual implementation in tech companies do you think there are? It's like "aren't those US software companies all supposed to be top notch, ex NSA yadda yadda?"
The US only has voluntary military service, so the dynamics are different
lysp · 32d ago
The CEO/Founder of TeleMessage Guy Levit was the head of the Planning and Development Department of an elite technical unit in the Intelligence Corps of the IDF according to bio.
aorloff · 25d ago
I guess we could say that in many ways, he never left
oceanplexian · 32d ago
One problem that smart people tend to make is in thinking that being really smart in one area is generalizable to all others. Just because they're good at AppSec doesn't mean they're good at networking or operating a webserver.
ripley12 · 32d ago
I agree with this. It's surprising how often I encounter people with that belief, because I was disabused of it very early on in my career; this industry is chockablock with people who are brilliant in 1 area and deficient in others.
coolcase · 32d ago
That's why you need teams. Red team for example! Security team. App developers. Code reviews. You need all the process too. Security that relies on one genius is fragile.
czl · 32d ago
Aka "halo effect"
karn97 · 32d ago
That sounds more like a stupid person than smart lol
stefs · 32d ago
you can be smart in one area and stupid in others. the "not knowing you're stupid in others" is part of the "stupid in others".
rsynnott · 32d ago
I'm not sure why you'd expect intelligence agency types to be particularly good at engineering, tbh.
rainworld · 32d ago
Spooks in general like to project a veneer of competence, downright invincibility. Entertainment media, journalists, experts play a big role in this. And by and large it works.
It’s especially true for spooks of a certain entity. Also, it’s easy to confuse brazenness, being protected from consequences, and usually downplayed or secret Western complicity with competence.
rsynnott · 32d ago
I mean, I'm sure they're competent in some stuff, but being competent in one field doesn't generally mean being magically competent in _all_ fields.
keeda · 31d ago
I'm not sure about this case, but maybe the assumption here is that these are people from a technical branch of Mossad, such as Unit 8200, which does SIGINT. I've interviewed 3 of them for your typical Big Tech SWE position, and to a candidate, they were very strong engineers. I never got to work with them, however, because they always got better counteroffers...
ExoticPearTree · 32d ago
> Aren’t those Israeli software companies all supposed to be top notch, ex Mossad, yadda yadda?
Working with a few companies like these, I can tell you that the marketing is top-notch, and very aggressive. The products not so. Most get better with time.
underdeserver · 32d ago
"All supposed to be".
This is a country of 10 million people, a rather heterogeneous one at that. There are going to be better and worse companies.
H8crilA · 32d ago
They are top notch - at working for profit and for the interests of their country.
treebeard901 · 32d ago
After all the concern over China and TikTok, why is the USG using a foreign chat program at all?
coolcase · 32d ago
SuperPAC and other corruption
coolcase · 32d ago
Yeah the /leakitbaby endpoint was meant for just them, not the world! Doh!
elzbardico · 31d ago
It only takes one guy doing one stupid thing to have a security incident. Yeah, processes should be in place, but no process is perfect.
jfim · 32d ago
Sounds like someone had a Java app and mistakenly exposed all of the JMX endpoints over HTTP. It's not the default configuration, and likely done out of carelessness.
pigbearpig · 32d ago
From the Wired article, it may not have even been a mistake, depending on the version of Spring Boot.
"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."
davedx · 32d ago
This sounds utterly insane. Is Actuator a standard part of Spring Boot or is it an optional package of some kind?
teekert · 32d ago
Imaging putting up a firewall to mitigate this, then docker compose helpfully opening the ports for you. Security comes in layers.
callamdelaney · 31d ago
This feature of docker compose is insane.
teekert · 31d ago
Right!? I learned with a colleague: Didn’t you restrict everything to the Tailnet? Yes, feel free to check UFW. Hmm, then why does nmap show all this stuff when scanning from the lan? Wtf??
callamdelaney · 30d ago
Similar here, UFW setup to only enable access via Caddy to our http services - wait, why can I connect directly to our redis instance?
Took a while to workout that for some reason docker-compose is messing directly with iptables to shoot holes in the firewall we'd configured. Figured out you have to write your compose in some super special way to disable that functionality. Compose should never ever open network ports, ever in my book - to do so without a warning or anything though is like I said, insane!
formerly_proven · 32d ago
This was also part of the exploit chain in the "Volksdaten" incident.
0xbadcafebee · 32d ago
Or intentionally. There could be an APM agent which just lets you run heap dumps any time you want, or they enabled heap-dump-on-crash, or had a heap dump shutdown hook, etc. There's a lot of ways to trigger dumps. If we're talking about a full dump, and the apps were using most of the memory allocated to their container/VM/etc, 410GB is actually not that many dumps (we're probably talking uncompressed). At 4GB/dump, that's around 100, over possibly several years.
I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.
trebligdivad · 31d ago
Is this a heapdump of servers or of clients? I can imagine that might have been intended as a place for crashing clients to log
kleton · 31d ago
TeleMessage is most likely an intelligence asset, and a burned one now that Trump's people stopped using it. A fake hack is the safest way for the agency responsible to leak the messages collected.
aorloff · 23d ago
and provide a plausible reason for the shutdown
kbouck · 32d ago
if a heap dump is a copy of all the bytes in memory, then wouldn't "thousands of heap dumps" likely be larger than 410GB?
napkin math:
410GB/1000 dumps = 410MB per dump?
410GB/2000 dumps = 205MB per dump
diggan · 32d ago
Might be filtered somewhat, like extracted all ASCII text then compile that into the dump, rather than just the raw dump files.
Edit: reading the description on the dump again, seems exactly what they did:
> Some of the archived data includes plaintext messages while other portions only include metadata, including sender and recipient information, timestamps, and group names. To facilitate research, Distributed Denial of Secrets has extracted the text from the original heap dumps.
TeleMessage CEO LinkedIn bio - reads like a terrible AI hatchet job:
"At the helm of TeleMessage, my leadership is defined by strategic innovation and a steadfast commitment to advancing telecommunications solutions. With a focus on SaaS products, our team has successfully navigated the industry's evolution, ensuring that we remain at the forefront of technological advancements. My role encompasses not only the oversight of our direction but also the cultivation of a culture that values ethical standards and collaborative success.
Our achievements are anchored in a proven track record of delivering results and solving complex problems with efficiency. Spearheading business development and marketing initiatives, we have established a reputation for excellence within the telecom sector. The acquisition of TeleMessage by Smarsh in 2024 stands as a testament to our team's dedication and my leadership in driving growth and fostering a united vision."
notpushkin · 32d ago
This just reads like a terrible LinkedIn-speak to me.
walrus01 · 32d ago
Sufficiently advanced human written linkedin-speak is indistinguishable from a barely coherent chatgpt 3.5 that's been instructed to speak in business buzzwords.
teekert · 32d ago
Hahaha, I was thinking the exact same thing! I can imagine myself reading this 10 years ago and think: Wow this guy is on top of his CV game, how concise and elegant. But now, everybody has this ultra condensed LinkedIn speak, it has become so cringe, so meaningless.
CGMthrowaway · 31d ago
Overly polished language, abstract phrasing, and a focus on generalities over specifics.
ulrikrasmussen · 32d ago
"I'm a CEO. We're SaaS. I'm a CEO."
aubanel · 31d ago
Don't be too harsh, he added "we're telecom" somewhere
greyface- · 32d ago
It's been weeks since the initial TeleMessage revelation... has the Signal Foundation responded in any way to the news? They condemn open source third-party clients and threaten trademark litigation when people use the "Signal" name in interop projects. Meanwhile, total silence when a defense contractor does the same thing.
ethersteeds · 32d ago
The charitable answer is that organizations across US society are currently all trying to be very still and quiet and not do anything to provoke a vindictive assault by this administration.
The less charitable one is that Moxie was the opinionated and uncompromising core of the Signal Foundation and has been removed from the board and completely vanished from the public eye. What it stands for now is a touch less clear.
Ey7NFZ3P0nzAe · 32d ago
Meredith Whittaker seems kinda fearless though
decimalenough · 32d ago
Signal has done nothing wrong here. There's nothing they could meaningfully say that would do anything except draw heat from people looking for a scapegoat.
This mess is entirely the fault of Telemessage and the people who chose to use it for top-secret comms.
h4ck_th3_pl4n3t · 32d ago
Remember Signal FOSS fork that got cease and desisted?
How is Molly doing these days? Is there an alternative server you could selfhost?
Anamon · 29d ago
I recall Whittaker talking about it in an interview, mainly complaining about how mainstream media kept referring to Signal as an "insecure messenger" when that was not at all the issue. Can't seem to find that interview now, though.
Probably not much they could do, because I'm sure that's why TeleMessage didn't call their app "Signal", but "SGNL".
asdffdasy · 32d ago
I'm annoyed by moxie vs fdroid as the next guy, but this is way above his desire to make a buck from his honest work.
this is about an overseas elite who profited from US war aid for decades holding the US presidency by the balls, and everyone think this is just incopetence.
think for a second, if any other administration was using a telephone or a communication software made by a never heard before company overseas, would you think it was just incompetence? why these traitors clowns get a pass?
troyvit · 31d ago
> if any other administration was using a telephone or a communication software made by a never heard before company overseas, would you think it was just incompetence?
One interesting thing I saw in the original article was that the US was using TeleMessage since February 2023. If that's true, it means we have two administrations who are responsible for this choice.
bstsb · 31d ago
very true, but i don't imagine the previous administration was discussing tactical plans on said modified client
TheRealPomax · 31d ago
Protecting your name is perfectly fine. You're allowed to make a fork of Firefox, you just can't call it Firefox or use any of Mozilla's branding. You're allowed to fork the open source part of VS Code, you just can't call it that or use Microsoft's branding. etc. etc. - you're free to do with open source whatever the license allows, but you're not allowed to use the original name or branding because you have zero rights to those unless the license explicitly stipulates how the name may be used by forks (like how tons of folks use the "Linux" name, and all of them do so with explicit written permission from the Linux foundation, as they own that name as a trademark)
baobun · 31d ago
That's not the issue here. VSCode and FireFox are false equivalents. Even if you'd rebrand the fork, Signal forbids non-official clients/builds from connecting to their servers. Enforcement has been selective but the last official word AFAIK is that you are not allowed to fork, rebrand, and distribute a client which alllows you to chat with Signal users.
Mozilla still allows you to install and download add-ons and use other Mozilla services like VPN and Relay from your LibreWolf build.
TheRealPomax · 31d ago
Two wrote a two-part complaint, one part about clients, and the other part about Signal going after people using the Signal name. My comment was only about that second part (hence why it starts the way it starts).
th0ma5 · 32d ago
You're making me wonder if Signal is the customer of the third party and not the government.
namdnay · 32d ago
However bad their Signal fork was, at least it was legal. What's crazy is that this very company was also selling a cracked WhatsApp, which is a whole different kettle of fish... and people were buying it! real corporations and governments were buying this crap - it's insane
Why would that be illegal? In the Beeper case, the DOJ has not been sympathetic to companies attempting to ban third-party messaging clients of proprietary protocols [0] — is WhatsApp different?
The WhatsApp archiver, from what I can tell, seems to install a patch on the user's WhatsApp installation. Probably a security nightmare, sure, but I don't think it would be illegal.
They are actually distributing a rebuilt client binary, complete with the Meta branding. That’s a clear breach of both the licensing of the software (I’m pretty sure it’s not open source) as well as the trademarks of Meta
It’s not the same thing as providing a compatible app with their own branding
pid-1 · 32d ago
> and people were buying it! real corporations and governments were buying this crap - it's insane
Anedote: in Wall Street, Global Relay and TeleMessage are the major players when it comes to achieving communication for compliance.
asdffdasy · 32d ago
before that wallstreet ran on yahoo messenger! they only stopped because new yahoo brand owners didn't understood the value of this and shut it down because there weren't enough teens signing up.
jfritsch1984 · 32d ago
We‘re doing something way less critical at my job. But we have two pentests per year by external companies. How on earth is this level of incompetence even legal.
mmooss · 32d ago
Because software engineering is not taken seriously as engineering. What liability is there, for example?
namdnay · 32d ago
I don't think it was. Apparently they faked their SOC2 as well
eskibars · 32d ago
It's not
lubesGordi · 31d ago
'Heapdump' is a term I learned from debugging android applications 15 years ago. Its just a snapshot of the java processes memory. Its going to contain plaintext. Now why those heaps are available at an open http endpoint is another matter, and is the interesting point. I'm guessing the client code had that endpoint hardcoded somewhere or they saw a request to it. I'm not seeing how they could know anything about the back end or how the messages are stored from this. Did I miss something?
trallnag · 31d ago
The observability endpoints have defaults in Sprint Boot and are usually not customized. So if you know the path to the API, you also know the path to the heap dump endpoint
JohnMakin · 31d ago
It's just /actuator/heapdump and usually isn't hard to find. It's off by default in more modern versions but used to be default enabled.
willmarquis · 32d ago
Exposing unauthenticated /heapdump endpoints in production is a rookie mistake-especially for a service handling sensitive government comms. The presence of MD5 hashes and legacy tech like JSP just adds to the picture of poor security hygiene. This breach is a textbook case of why defense-in-depth and regular audits are non-negotiable.
Traubenfuchs · 32d ago
Don't hate on JSP.
Java Server Pages is now Jakarta Server Pages, part of Java EE (Jakarta EE) and it's latest version 11 was released just a year ago. Spring Framework 7 will be released by the end of 2025 and be based on it. Tomcat 11 is already based on it as well.
And all of this is based on the thriving Java ecosystem.
Version 12 is under development.
If they kept their stuff updated, nothing about this is legacy. It just declined in popularity.
You can build insecure trash and expose unprotected endpoints with next.js, or whatever is currently considered state of the art, as well.
WatchDog · 32d ago
Great example to use whenever legislators want to ban or add backdoors to e2e encryption.
udev4096 · 32d ago
The title is outright wrong and should be criticized for spreading false information. They have NOT published anything, it's only for "researchers", which is a way of saying "we will write false title of this article just so we can get a lot of attention"
0xbadcafebee · 32d ago
> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.
Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.
Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.
Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.
If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.
3036e4 · 32d ago
They don't need to "silence journalists", since a large number of people were duped to think real truth comes from random anonymous accounts on social media or from some charismatic political influencer they follow. It doesn't matter what leaks are exposed when it can just be handwaved as "fake news" and enough voters will buy that.
megous · 31d ago
Journalists being a "check on the government" is a tale for the gullible. That's why there doesn't need to be any silencing of them. Glory to the exceptions, of course.
Ray20 · 32d ago
>It doesn't matter what leaks are exposed when it can just be handwaved as "fake news" and enough voters will buy that.
Especially in conditions when you don't have to lie at that.
It's not because voters are so gullible that they are ready to believe any word of a charismatic leader. The loss of trust to the mainstream media and to the scientific community is a natural phenomenon in environment when they only tell lies to push their political agenda.
CobrastanJorji · 32d ago
> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."
Hurting people in order to make them see how they are being hurt is almost never the right call.
fumeux_fume · 32d ago
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have lie and cover up the truth of the <horrible violence> being done to them so they'll never see how bad things have gotten."
Lying to people in order to make them never see how they are being hurt is almost never the right call.
scheeseman486 · 32d ago
You're describing accelerationism and while the ethics behind it are iffy at best, history contends that it does work to help spur revolution.
CobrastanJorji · 31d ago
Lots of shitty, evil things work really well. Most people don't do evil just because they love evil. They do it because it works best.
Lying, propaganda, and shooting a bunch of people are also really effective techniques to spur revolution, but that doesn't mean they're good ideas.
Yizahi · 32d ago
If we really think about the issue, then it is clear that 99.99% of the government information can be public with zero consequences to the citizens. I'm guessing the only few exceptions are active military ops, active spy ops and ways to access secure systems (passwords etc.). Everything else is more or less safe. Embarrassing to the politicians, but safe.
vharuck · 31d ago
You need to account for the risk of blackmail, persecution, and embarrassment (e.g., evidence of infidelity, refugee status, medical condition). Most of the time, citizens have the right to keep secrets or lie.
Yizahi · 31d ago
Citizens - yes. Politicians outside of the job, using whatever comms they wish - also yes. Politicians on the job - no. All their job communications can be public, and humanity and citizens of the country would be actually much safer than now. Outside of the military/intel ones, of course.
vharuck · 31d ago
I imagine that any dump of government communications will contain sensitive information about citizens or government employees who didn't directly engage in the chats. Soldiers, contractors, patients in a database. Especially if Congressional Representatives have their chats leaked. One of their roles is helping constituents work through red tape. Mine sends a weekly email tooting his own horn, including how many people he helped with social security or getting VA benefits.
I'm not saying these chats shouldn't be released. But I'd hope the names and other identifying info of people who weren't uninvolved would be redacted, just keeping the context to show what kind of information was being carelessly shared. Of course, given the admin's shamelessness, they'd claim anything with redacted info was faked. It might be better to leave it verifiable.
rtpg · 32d ago
I feel like it's valuable to not flatten the context here. We are talking about leaking texts by the Trump admin (and I guess some law enforcement agencies using this?).
There is a lot of daylight between dropping a bunch of texts for government officials and committing horrible violence against people as a whole! These are not the same thing! One could be good/fine while the other is bad!
Having said that I would worry for a WikiLeaks-style "oh now this random person's info is out there because it was in one of these e-mails".
I just want to see the gossip
oivey · 32d ago
That quote does not say anything about citizens inflicting pain on others. That’s such a strange way to read it. It’s saying to vote shitty leaders out. I’m not sure what you think any other possible alternative there could be.
TechDebtDevin · 32d ago
What if you're hurting people to prevent them from hurting people...
afavour · 32d ago
> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.
The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.
The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.
The act of helping cover this shit up likely changed the course of politics in this country for decades. Theres likely stuff in that cabinet that was well in the public interest and needed disclosure.
Signalgate or whatever is likely the same. And I dont care which party it harms or whatever. It seems relevant that people should have more information, not less considering everything that is happening.
bob_theslob646 · 32d ago
Isn't it against the law in the United States to use outside channels for government communications? Wasn't this the whole scandal about Clinton? Please correct me if I am wrong.
afavour · 32d ago
Amazingly the app is on the governments list of approved apps. The scandal is what they’re discussing on there: highly sensitive information you normally go to very secure channels to talk about.
rtpg · 32d ago
My understanding is that it was added fairly recently at that, and already this has happened. This must be a record time in "change of policy leading to the most embarassing result". Only a couple of months!
ensignavenger · 31d ago
According to the article: "TeleMessage has been used by the federal government since at least February 2023"
I don't know if that use was authorized or not.
ok123456 · 31d ago
This is a pitfall of having an approved software list (whitelist).
Malfeasance or misfeasance could include flat-out spyware versions of software, often made available in internal "software stores," instead of legitimate software distributed from the developer or through official channels.
floam · 32d ago
The app exists to comply with the regulations, was my understanding.
FerretFred · 31d ago
Based on pure guesswork I'd say that you higher up the person, the less the rules apply.
Yizahi · 32d ago
I love when politicians, lobbying for the backdooring all communication software are getting pwned in the same way. Too bad they lack either brain cells or basic human empathy to make a connection between these events.
diggan · 32d ago
> Too bad they lack either brain cells or basic human empathy to make a connection between these events.
I think that's giving them too much benefits. They know what they're doing, it's clear they want "security for me, but not for you", and claiming they're too dumb to know exactly what they're doing is playing it exactly like how they want it.
Yizahi · 32d ago
Yeah, that the "lacking empathy part". Most of them are sociopaths and psychopaths, in the medical sense. They only want power for themselves at any cost to others.
halfmatthalfcat · 31d ago
I don’t think it’s that extreme. They probably view themselves as the arbiters of society and are inherently granted more privilege than a normal citizen. Paternalistic more than sociopathic. Issue is our parents, while have the benefit of experience, don’t know shit about shit really. Especially when it comes to tech.
nlitsme · 32d ago
I think this is abuse of the word 'publish'
runlevel1 · 32d ago
"clean on OPSEC"
- Pete Hegseth
That line simultaneously becomes funnier and more depressing.
throw7 · 31d ago
Does TM's SGNL still work on Signal's servers? Has Signal said that they do allow Telemessage's custom signal client use on their servers?
pawanjswal · 32d ago
Wow, this whole TeleMessage leak feels like a spy thriller.
asdffdasy · 32d ago
if you get your spy thrillers from Mexican day time tv soap opera script writers, yes.
halfmatthalfcat · 31d ago
Telenovella about spy’s? Sign me up.
zombiwoof · 32d ago
If no one will persecute criminals they will keep breaking all laws
goalieca · 32d ago
Security standards need to start banning heap dumps.
GuinansEyebrows · 32d ago
Something tells me that wouldn’t make a huge difference in some of these companies opsec.
sneak · 32d ago
I’m pretty sure they already do, especially endpoints open to the whole internet that are unauthenticated.
lionkor · 32d ago
If only there was a rule saying "don't do that, this would not have happened
treebeard901 · 32d ago
"We are currently clean on OPSEC"
ianhawes · 31d ago
> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.
Sorry, but no, journalists and researchers have implicit bias.
guluarte · 32d ago
cannot the pentagon with their billions in funding make a secure app?
hn_throwaway_99 · 32d ago
Yes, and they do. The fact that the leaders of our present kakistocracy don't use it should not be an indictment of the civil and military workers in the US military.
sneak · 32d ago
No, the fact that they still work for the US government given “our present kakistocracy” is a sufficient indictment.
pigbearpig · 32d ago
Not when "off the shelf" is the motto. They'd still have to outsource the development and at that point would be questioned why spending that much money when Telemessage sells the product.
Unfortunately, the financial structure doesn't really make it easy for custom DoD software.
yieldcrv · 32d ago
beautiful, any prediction markets tied to this? I need to stop betting on those things, I’m so bad at it
labadal · 31d ago
I'm someone who is building a messaging app, and I make sure we subscribe to the "nothing to hide, nothing to fear" philosophy. But in our case it's collect nothing so there's no data to steal even if we get hacked.
TechDebtDevin · 32d ago
Yeah no thanks, not donating to gate keepers who want to maintain the status quo. I'll give my coin to wiki leaks and groups with balls.
This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
And charging for it?!
I’m not sure what is more embarrassing: to be the company or to be a user.
If you want to keep the branding of Signal being the secure app, you need to make sure that all Signal users are actually using a secure version of Signal.
If an insecure fork (like this one) becomes too popular, most groups will have at least one member using it, and then the security is gone.
Sure, this is HN, we know one of the effects of locking the ecosystem and coloring in-system messages differently is to encourage people to be in the ecosystem.
At the same time, you ALSO need to consider that obviously there will be leaks.
Malicious/advertising apps will target the new messaging interface to gain more data on their victims, etc.
Locking down a platform is not an acceptable solution to the above conundrum - it doesn't matter if the user is using an official device/app whatever if they are untrusted. They can always turn around and leak everything you say without any technical measures.
Should we have no security? No, if you want to color messages differently based on perceived platform, fine. This is just an illustration that no technical measures can replace the fundamental trust necessary in these types of situations.
The third-party federation problem is real, but the vulnerability caused by TeleMessage isn't solved by removing federation.
I believe the main criticism against Signal is that they should focus on getting widespread traction of secure messaging, and that perhaps the brand can be a relatively distant concern.
Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?
Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.
So the heapdumps being available is a Spring Boot feature so it does not appear to be malicious.
It seems that users commonly misconfigure Spring Boot security or ignore it completely. To improve the situation, I made this PR: https://github.com/spring-projects/spring-boot/pull/45624.
When the PR was created in 2016, endpoints were marked as "sensitive" and, for example, the heapdump endpoint would have to be explicitly enabled. However, Spring Boot has evolved over the years, and only the "shutdown" endpoint was made "restricted" in the later solutions. My recent PR will address that weakness in Spring Boot when users misconfigure or ignore security for a Spring Boot app so that heapdumps won't get exposed by default.
Your end users are not security savvy, they will never be security savvy and you need to protect them from themselves instead of handing them loaded handgun. This language more than most is filled with people punching buttons for paycheck.
- Signed, Angry SRE who gets to deal with this crap.
I think it would be wise to either disallow the ports being the same, or if they are the same, only enable the health endpoint.
Sure, punching buttons for money is a widespread issue in the industry, but devs also like convenience.
Security has the hard problem that it's infuriatingly difficult to troubleshoot (ever tried to write security policies for an app or figure out how to let an app through a firewall, or set of firewalls?), and there's a bit of a culture of "security by obscurity".
So it's kind of expected that this is the behavior...
Sure some people will really just not care, mistakes will be made, but secure defaults, easy to configure and simple to understand are features not often seen from security products generally. This is driven by poor motivations from security folk who want to protect their industry...
No comments yet
Looks like there is a change [2] coming to the `management.endpoint.heapdump.access` default value that would make this harder to expose by accident.
Let's look for `env` next...
[1] https://docs.spring.io/spring-boot/reference/actuator/endpoi...
[2] https://github.com/spring-projects/spring-boot/pull/45624
Would you have them make a secure back door that could only be intentionally designed, and potentially traced back to you?
Or would you just have them be incompetent in plausible, deniable ways?
Nobody’s getting shot for espionage because they chose log4j and it had the shell shock bug.
Which does not bode well for the customers' counter intelligence abilities
But why would they? It's not their job. They have massive IT staff supporting them. "High level U.S. officials" are just executives; the pointy-haired bosses to the pointy-haired boss. Only difference is these wear little decorative pins over their breast pocket.
Every Fortune 500 company has dedicated IT staff for execs; someone you can call 24/7 and say "my shit's broke" and they respond "we just overnighted you a new phone".
These people couldn't even install an app on their MDM-controlled device, now the narrative has become we expect them to be making low-level IT decisions too?
Next week we'll be scrutinizing Pete Hegseth's lack of thoughts on rotating backup tapes.
I think that's a misdirection.
The narrative is that:
a) they were using a compromised piece of software
b) they should not have been using that software - not (necessarily) because it was compromised, but because it wasn't US DoD accredited for that use case.
(I understand your point that these guys are not tech savvy, and do not need to be, but they should be regulation-savvy (clearly they either are not, or willingly broke those regulations), and they should be following organisational guidelines that presumably cover the selection and use of these tools types.)
This is the exact same problem as Clinton's blackberry enterprise server. Doing it right was hard and time consuming, so they ignored that and did what they wanted.
Only we should be a lot more demanding that our officials in 2025 have a better basic understanding of the importance of computer security than in 2005.
If their staff makes bad decisions, that’s their failure too.
We expect them to be ultimately responsible for what happens on their watch.
Was it Truman who said, “Woah, don’t bring the buck anywhere near me, it stops with my assistant”.
Yes, there's a fleet of people who are supposed to make such tech decisions. The people involved specifically went against those rules. The existence of a group chat using an authorised app is a violation on its own, adding a journalist to it is a violation on top of a violation.
Adding a journalist was accidental, but using such an app (despite it not being approved) is very intentional.
This is typical for highly corrupt governments and autocracies, they crumble from within because the autocrats can't trust random, competent people so their inner circle becomes saturated with people who are selected on the basis of loyalty not competence, and these people end up making the most important decisions and running the country.
I assume he did and they said it was a bad idea - the memo they'd released a few weeks prior about Signal vulnerabilities seems to suggest a lack of faith in that approach - but he was already banging away on his phone with all the grocery reminders and definitely not battle plans he needs to keep pushing out. Which is also how it feels in the enterprise space these days.
Strange thing to see our bureaucracy start to behave like a corporation instead of the other way around.
They could have used user-custody public key cryptography, where the end devices have the pubkey of the customer, and archive only re-encrypted messages to TM that they can’t read.
That is not, of course, what they did. They just archive them in plaintext.
I haven't used WhatsApp for 'a very long time' as I have exited the FB ecosystem, but back in the day I remember seeing "lite" or "WhatsApp+" or other variations of the software. I wouldn't be surprised that those "lite" or "+" come with baggage.
That's very important to say. I went through one of these massive data dumps recently and it was literally all cached operating system package updates and routine logs. Nothing at all of interest.
It's easy to cut the size on a heap dump. When it's not done it seems sketchy. But it could be a 512GB dump and already pruned, so I could be wrong.
Though the heap dump would have messages in flight at the time. It's obviously not as useful if you are just trying to grab messages for a specific person.
Frankly the most useful part might be any in-memory secret keys, which could be useful for breaking deeper into the system.
But these guys are only interested in "journalists" not people who spent decades digging into ad server heap dumps
I hope the message dump is juicy.
[1] https://www.bloomberg.com/news/articles/2024-05-15/ftx-bankr...
Big presumption.
If I were israeli, there’s no way in hell anybody with half a brain would want me near their spy agency.
When a gov is committing a genocide, their decisions are based on control and fear, not getting the best out of people.
Edit: downvote all you want. Israel is still committing a genocide. No hospitals left standing. Killing aid workers, journalists, and doctors. A million people on the brink of starvation. Literally salting the earth to prevent crops from being grown. That is war crimes, ghettoization, and genocide.
The US only has voluntary military service, so the dynamics are different
It’s especially true for spooks of a certain entity. Also, it’s easy to confuse brazenness, being protected from consequences, and usually downplayed or secret Western complicity with competence.
Working with a few companies like these, I can tell you that the marketing is top-notch, and very aggressive. The products not so. Most get better with time.
This is a country of 10 million people, a rather heterogeneous one at that. There are going to be better and worse companies.
"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."
Took a while to workout that for some reason docker-compose is messing directly with iptables to shoot holes in the firewall we'd configured. Figured out you have to write your compose in some super special way to disable that functionality. Compose should never ever open network ports, ever in my book - to do so without a warning or anything though is like I said, insane!
I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.
napkin math:
Edit: reading the description on the dump again, seems exactly what they did:
> Some of the archived data includes plaintext messages while other portions only include metadata, including sender and recipient information, timestamps, and group names. To facilitate research, Distributed Denial of Secrets has extracted the text from the original heap dumps.
https://ddosecrets.com/article/telemessage
"At the helm of TeleMessage, my leadership is defined by strategic innovation and a steadfast commitment to advancing telecommunications solutions. With a focus on SaaS products, our team has successfully navigated the industry's evolution, ensuring that we remain at the forefront of technological advancements. My role encompasses not only the oversight of our direction but also the cultivation of a culture that values ethical standards and collaborative success.
Our achievements are anchored in a proven track record of delivering results and solving complex problems with efficiency. Spearheading business development and marketing initiatives, we have established a reputation for excellence within the telecom sector. The acquisition of TeleMessage by Smarsh in 2024 stands as a testament to our team's dedication and my leadership in driving growth and fostering a united vision."
The less charitable one is that Moxie was the opinionated and uncompromising core of the Signal Foundation and has been removed from the board and completely vanished from the public eye. What it stands for now is a touch less clear.
This mess is entirely the fault of Telemessage and the people who chose to use it for top-secret comms.
How is Molly doing these days? Is there an alternative server you could selfhost?
Probably not much they could do, because I'm sure that's why TeleMessage didn't call their app "Signal", but "SGNL".
this is about an overseas elite who profited from US war aid for decades holding the US presidency by the balls, and everyone think this is just incopetence.
think for a second, if any other administration was using a telephone or a communication software made by a never heard before company overseas, would you think it was just incompetence? why these traitors clowns get a pass?
One interesting thing I saw in the original article was that the US was using TeleMessage since February 2023. If that's true, it means we have two administrations who are responsible for this choice.
Mozilla still allows you to install and download add-ons and use other Mozilla services like VPN and Relay from your LibreWolf build.
https://smarsh.my.salesforce.com/sfc/p/#30000001FgxH/a/Pb000...
The WhatsApp archiver, from what I can tell, seems to install a patch on the user's WhatsApp installation. Probably a security nightmare, sure, but I don't think it would be illegal.
https://techcrunch.com/2024/03/21/doj-calls-out-apple-for-br...
It’s not the same thing as providing a compatible app with their own branding
Anedote: in Wall Street, Global Relay and TeleMessage are the major players when it comes to achieving communication for compliance.
Java Server Pages is now Jakarta Server Pages, part of Java EE (Jakarta EE) and it's latest version 11 was released just a year ago. Spring Framework 7 will be released by the end of 2025 and be based on it. Tomcat 11 is already based on it as well.
And all of this is based on the thriving Java ecosystem.
Version 12 is under development.
If they kept their stuff updated, nothing about this is legacy. It just declined in popularity.
You can build insecure trash and expose unprotected endpoints with next.js, or whatever is currently considered state of the art, as well.
Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.
Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.
Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.
If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.
Especially in conditions when you don't have to lie at that.
It's not because voters are so gullible that they are ready to believe any word of a charismatic leader. The loss of trust to the mainstream media and to the scientific community is a natural phenomenon in environment when they only tell lies to push their political agenda.
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."
Hurting people in order to make them see how they are being hurt is almost never the right call.
Lying to people in order to make them never see how they are being hurt is almost never the right call.
Lying, propaganda, and shooting a bunch of people are also really effective techniques to spur revolution, but that doesn't mean they're good ideas.
I'm not saying these chats shouldn't be released. But I'd hope the names and other identifying info of people who weren't uninvolved would be redacted, just keeping the context to show what kind of information was being carelessly shared. Of course, given the admin's shamelessness, they'd claim anything with redacted info was faked. It might be better to leave it verifiable.
There is a lot of daylight between dropping a bunch of texts for government officials and committing horrible violence against people as a whole! These are not the same thing! One could be good/fine while the other is bad!
Having said that I would worry for a WikiLeaks-style "oh now this random person's info is out there because it was in one of these e-mails".
I just want to see the gossip
The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.
We had the Cabinet Leaks in Aus https://www.abc.net.au/news/2018-01-31/cabinet-files-reveal-...
The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.
The act of helping cover this shit up likely changed the course of politics in this country for decades. Theres likely stuff in that cabinet that was well in the public interest and needed disclosure.
Signalgate or whatever is likely the same. And I dont care which party it harms or whatever. It seems relevant that people should have more information, not less considering everything that is happening.
I don't know if that use was authorized or not.
Malfeasance or misfeasance could include flat-out spyware versions of software, often made available in internal "software stores," instead of legitimate software distributed from the developer or through official channels.
I think that's giving them too much benefits. They know what they're doing, it's clear they want "security for me, but not for you", and claiming they're too dumb to know exactly what they're doing is playing it exactly like how they want it.
- Pete Hegseth
That line simultaneously becomes funnier and more depressing.
Sorry, but no, journalists and researchers have implicit bias.
Unfortunately, the financial structure doesn't really make it easy for custom DoD software.
Is this group not very seriously discredited, with ties to FBI, convicted child porn criminals, etc? Or am I getting something mixed up?
This could still be a legitimate leak, of course. I'm just wondering if this info is publically known, or if I'm conflating things