This blog post is from March. They later figured out what happened and it’s more mundane: Waltz accidentally saved the reporter’s email to his iPhone contacts [1].
That’s a vulnerability all right, but not a security bug in Signal itself. Having every employee manage their own contacts is bad for an organization’s security.
Maybe Signal having UI to distinguish between organization members and outsiders might help make it more suitable for work use? It might require OS support, though.
Lots of valid points but to me the premise is flawed. Seems more plausible this is CYA blame shifting - “I didn’t make a mistake, the journalist hacked Signal”. Think about that premise - a journalist is now obtaining vulnerabilities to Signal? [1] suggests that the price of a 0-day is $1M. I don’t believe journalists have that kind of cash and definitely not the skill to discover this themselves, not to mention the dangers of treason hacking into government war planning would land you. I’m disappointed that Schneier didn’t challenge the premise even a little.
There are also the larger flawed premises that this autocratic administration actually cares about digital security or is working for the larger interests of the United States. I certainly understand Schneier's desire to push for more secure systems, and hoping to use the current political winds to do that. But autocrats only reference higher ideals as a cover for their actual agenda of power and subjugation - they're frustrated they can't (yet) just pull this journalist's fingernails out for having embarrassed them. Treating their announcements as if they contain earnest statements of universal values we can work with is actually just validating their propaganda and supporting them.
What we need to be doing is mocking them instead. Like, really, "I didn’t see this loser in the group"? Maybe the problem was that he was only expecting to see a list of fellow losers like himself? And maybe this loser who failed upwards needs to listen to his grandkids when they try to tell him that a cell phone works a little differently than a TV remote?
jokoon · 2h ago
Interesting how they might think about trade-offs.
I also suspect the NSA has automated how they find vulnerabilities in source code.
But yeah, so far it seems we let security be an open party, instead of requiring companies to audit software or face penalties.
[1] https://www.theguardian.com/us-news/2025/apr/06/signal-group...
[1] https://heimdalsecurity.com/blog/zero-day-exploit-prices-sig...