So one of their servers had a /heapdump endpoint that publicly served a heap dump of the server? This whole saga is out of control.
This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
mingus88 · 2h ago
Can you imagine co-opting a trusted and secure (and free) bit of software and just making it worse at seemingly every turn?
And charging for it?!
I’m not sure what is more embarrassing: to be the company or to be a user.
hypeatei · 2h ago
Why would the company be embarrassed? The users (i.e. high level U.S. officials) did no due diligence. Of course a private company is going to take the easiest and cheapest route. If it goes bad, just shut down and spin up a new entity.
Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
n2d4 · 1h ago
> Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?
Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.
jojohohanon · 51m ago
There’s room for both sides of the razor. The heapdumpz could be there maliciously, but incompetently made globally accessible.
pigbearpig · 37m ago
From the Wired article: "The archive server is programmed in Java and is built using Spring Boot, an open source framework for creating Java applications. Spring Boot includes a set of features called Actuator that helps developers monitor and debug their applications. One of these features is the heap dump endpoint,"
So the heapdumps being available is a Spring Boot feature so it does not appear to be malicious.
barbazoo · 53m ago
Two things can be true at once. Them using their access to unencrypted messages for nefarious purposes and them being incompetent at the same time leaving that endpoint open.
notpushkin · 51m ago
I mean, one doesn’t preclude the other. This could be an incompetent intentional intelligence gathering.
g-b-r · 1h ago
I mean, it could theoretically have been to provide plausible deniability, but it seems extremely more likely to have been incompetence and carelessness (and if they were also sending everything to Israel, it was probably through some unencrypted ftp upload).
dylan604 · 1h ago
>Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
Which does not bode well for the customers' counter intelligence abilities
kube-system · 1h ago
The changes to the application are intentional by all parties because message archiving was required by law.
brookst · 1h ago
Sure, but they were not required to be done incompetently and insecurely.
_kb · 1h ago
Well, I suppose technically this /heapdump endpoint does satisfy that archive requirement.
barbazoo · 2h ago
Aren’t those Israeli software companies all supposed to be top notch, ex Mossad, yadda yadda? Doesn’t sound like it.
I hope the message dump is juicy.
msy · 31m ago
And SBF of FTX fame was ex-Jane St so obviously was a serious finance professional. This is why using past employers as a shorthand for capability is unwise.
viraptor · 2h ago
That's not a great generalisation for the whole country. How many ex Mossad people interested in doing actual implementation in tech companies do you think there are? It's like "aren't those US software companies all supposed to be top notch, ex NSA yadda yadda?"
The US only has voluntary military service, so the dynamics are different
lysp · 35m ago
The CEO/Founder of TeleMessage Guy Levit was the head of the Planning and Development Department of an elite technical unit in the Intelligence Corps of the IDF according to bio.
oceanplexian · 35m ago
One problem that smart people tend to make is in thinking that being really smart in one area is generalizable to all others. Just because they're good at AppSec doesn't mean they're good at networking or operating a webserver.
gruez · 1h ago
I thought Israel has mandatory military service, so ex-mossad or ex-military signals intelligence doesn't really say much? Presumably they're directing people based on their skill set, so you'd expect most hackers to end up in mossad for their mandatory service.
Calwestjobs · 2h ago
MOSSAD is great, they wanted to hack Czech telecom company but accidentally disabled train security systems and switches were not switchin, in Czechia :
This article doesn't mention Mossad, though. Do you have any other sources?
MPSFounder · 1h ago
Israelis could murder americans in broad daylight and live stream it, and our representatives would apologize on their behalf. Never forget everything NSA does HAS to be shared with Israel [1]. As an American, I always wince at how weak our people are because of their fear of our masters. We shit on our first amendment on their behalf, and excuse their genocide of children and women, and their murder of American navymen [USS Liberty], because of the power they hold over us through AIPAC. Very despicable
Sounds like someone had a Java app and mistakenly exposed all of the JMX endpoints over HTTP. It's not the default configuration, and likely done out of carelessness.
pigbearpig · 34m ago
From the Wired article, it may not have even been a mistake, depending on the version of Spring Boot.
"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."
0xbadcafebee · 1h ago
Or intentionally. There could be an APM agent which just lets you run heap dumps any time you want, or they enabled heap-dump-on-crash, or had a heap dump shutdown hook, etc. There's a lot of ways to trigger dumps. If we're talking about a full dump, and the apps were using most of the memory allocated to their container/VM/etc, 410GB is actually not that many dumps (we're probably talking uncompressed). At 4GB/dump, that's around 100, over possibly several years.
I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.
greyface- · 32m ago
It's been weeks since the initial TeleMessage revelation... has the Signal Foundation responded in any way to the news? They condemn open source third-party clients and threaten trademark litigation when people use the "Signal" name in interop projects. Meanwhile, total silence when a defense contractor does the same thing.
th0ma5 · 26m ago
You're making me wonder if Signal is the customer of the third party and not the government.
goalieca · 45m ago
Security standards need to start banning heap dumps.
GuinansEyebrows · 39m ago
Something tells me that wouldn’t make a huge difference in some of these companies opsec.
bob_theslob646 · 15m ago
Isn't it against the law in the United States to use outside channels for government communications? Wasn't this the whole scandal about Clinton? Please correct me if I am wrong.
afavour · 11m ago
Amazingly the app is on the governments list of approved apps. The scandal is what they’re discussing on there: highly sensitive information you normally go to very secure channels to talk about.
0xbadcafebee · 1h ago
> Because the data is sensitive and full of PII, DDoSecrets is only sharing it with journalists and researchers.
Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.
Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.
Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.
If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.
afavour · 8m ago
> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.
The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.
CobrastanJorji · 1h ago
> The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions.
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."
Hurting people in order to make them see how they are being hurt is almost never the right call.
fumeux_fume · 26m ago
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have lie and cover up the truth of the <horrible violence> being done to them so they'll never see how bad things have gotten."
Lying to people in order to make them never see how they are being hurt is almost never the right call.
scheeseman486 · 53m ago
You're describing accelerationism and while the ethics behind it are iffy at best, history contends that it does work to help spur revolution.
The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.
The act of helping cover this shit up likely changed the course of politics in this country for decades. Theres likely stuff in that cabinet that was well in the public interest and needed disclosure.
Signalgate or whatever is likely the same. And I dont care which party it harms or whatever. It seems relevant that people should have more information, not less considering everything that is happening.
yieldcrv · 1h ago
beautiful, any prediction markets tied to this? I need to stop betting on those things, I’m so bad at it
loeg · 32m ago
> I'm a member of the DDoSecrets collective.
Oof, you couldn't torture that out of me. Good luck, buddy.
guluarte · 37m ago
cannot the pentagon with their billions in funding make a secure app?
hn_throwaway_99 · 30m ago
Yes, and they do. The fact that the leaders of our present kakistocracy don't use it should not be an indictment of the civil and military workers in the US military.
pigbearpig · 29m ago
Not when "off the shelf" is the motto. They'd still have to outsource the development and at that point would be questioned why spending that much money when Telemessage sells the product.
Unfortunately, the financial structure doesn't really make it easy for custom DoD software.
This group didn’t really “publish” anything, though. They’re offering access to journalists through a request form. They’re also not saying how much actual message content they have because the 410GB of heap dumps makes for a bigger headline number.
And charging for it?!
I’m not sure what is more embarrassing: to be the company or to be a user.
Some speculate this was intentional intelligence gathering by the Israelis which is plausible too.
How does this make sense? If they were gathering data, why would they add a public download? Surely the Israeli officials would not want foreign powers to access this?
Per Hanlon's razor, I don't think this is attributable to anything other than incompetence.
So the heapdumps being available is a Spring Boot feature so it does not appear to be malicious.
Which does not bode well for the customers' counter intelligence abilities
I hope the message dump is juicy.
The US only has voluntary military service, so the dynamics are different
https://www.bbc.com/news/articles/ce982zpz1k3o
[1] https://www.theguardian.com/world/2013/sep/11/nsa-americans-...
"Spring Boot Actuator. “Up until version 1.5 (released in 2017), the /heapdump endpoint was configured as publicly exposed and accessible without authentication by default."
I just wonder where they were storing them all? At one place I worked, we jiggered up an auto shutdown dump that then automatically copied the compressed dump to an S3 bucket (it was an ephemeral container with no persistent storage). Wonder if they got in through excessive cloud storage policies and this was just the easiest way to exfiltrate data without full access to a DB.
Yeah I'm normally a big proponent of responsible disclosure, but in this case, I think the more painful, damaging leak is required.
Firstly, autocrats, fascists & oligarchs don't care that much if you hack them. They will just keep using these tools (or another one just like it) ignoring the correct procedure their government already wants them to use. The citizens of affected nations need to be made angry by their leaders' failure to do their jobs correctly, and that's only gonna happen when there are consequences for their actions. Their incompetence put their nations at risk, and now it's clear they have failed to keep their intel safe. They have failed hard, let them fail hard.
Second, journalists and researchers have almost completely lost their power. In a non-democratic world (we're nearly there, just give them a little more time), when a journalist exposes corruption or incompetency, that journalist/researcher is simply silenced by the government. Silence the journalists and nobody knows what's going on so oppression can continue unchecked. Every person who gets silenced has a greater chilling effect on the whole society; nobody wants to be next. This is how authoritarians gain power. Oppression with no resistance or consequence legitimizes the oppression.
If we were just talking about typical corporate incompetence re: security, and the only thing at stake is a single stock or individuals' data, I would say disclose responsibly. But when it comes to stopping autocracy, the gloves have to come off. They sure as shit aren't gonna play by any rules, so neither should we.
The consequences likely wouldn’t be felt by those leaders though. Who knows what info is in those logs about informants, agents etc etc. Leak it openly and they’re dead.
This is a really dangerous line of thinking. It's the line of thought that slides forwards to "I love America so much, but to save America I have to get Americans to really feel the pain, and to do that I need to <horrible violence> to them to wake them up and make them see how things are bad."
Hurting people in order to make them see how they are being hurt is almost never the right call.
Lying to people in order to make them never see how they are being hurt is almost never the right call.
We had the Cabinet Leaks in Aus https://www.abc.net.au/news/2018-01-31/cabinet-files-reveal-...
The national broadcaster picked 2 things to report on, then gave the rest of it back to the government.
The act of helping cover this shit up likely changed the course of politics in this country for decades. Theres likely stuff in that cabinet that was well in the public interest and needed disclosure.
Signalgate or whatever is likely the same. And I dont care which party it harms or whatever. It seems relevant that people should have more information, not less considering everything that is happening.
Oof, you couldn't torture that out of me. Good luck, buddy.
Unfortunately, the financial structure doesn't really make it easy for custom DoD software.