Hegseth had an unsecured internet line set up in his office to connect to Signal
152 comments
·April 25, 2025khaki54
tacon
Back in the day, I was an outside contractor installing a new storage system for the Livermore lab's secure computing facility. (Designing nuclear weapons) I had no security clearance. When I was present there was a rotating blue light, similar to a police car, warning people that an uncleared person was present. When I was in the facility, people would refer to the area being "dirty".
firesteelrain
I have never heard of anything being called dirty in those circles
tacon
I hardly paid much attention to "dirty", as the blue light was called "the leper light".
JeremyNT
> It's all documented and approved.
Where did you find the details on documentation and approval? Would you mind sharing this information?
firesteelrain
We don’t have a publicly released document, signed approval, or on-record statement confirming whether the line was approved or not. It’s all coming from “sources” which is rumor or conjecture. File a FOIA and report back. Investigative reporting is broken.
detourdog
Could be he went to the Verizon store and got a WiFi hotspot.
Great perspective and I thought your comment makes sense.
f38zf5vdt
[flagged]
firesteelrain
Just because you might be biased or disagree doesn’t make it AI
f38zf5vdt
It also doesn't make it true. As other people mentioned, there doesn't seem to be anything backing up the claim and others have contrary experience.
Craighead
[dead]
BrandoElFollito
> [Signal]’s encrypted, but can be hacked.
Kudos to the Pentagone to have technologies that cannot be hacked. As a security professional I hate these programs that put my job in danger.
Thankfully this is just the journalist's and their contact at the Pentagone's imagination.
tweakimp
I can't understand how someone like that got into such a position.
Tepix
Well, he has zero experience in administrative positions.
Here's a quote by Mitch McConnell (R-Ky), who voted against his nomination:
"Effective management of nearly 3 million military and civilian personnel, an annual budget of nearly $1 trillion, and alliances and partnerships around the world is a daily test with staggering consequences for the security of the American people and our global interests," the senator said. "Mr. Hegseth has failed, as yet, to demonstrate that he will pass this test. But as he assumes office, the consequences of failure are as high as they have ever been."
crispyambulance
I can't understand how someone like that got into such a position.
If Hegseth gets cut-out, someone equally ridiculous will be chosen to fill that role.
moomin
Well, to explain that properly, I’m going to need to explain the Southern Strategy and how that and subsequent efforts helped transform the party of Lincoln into the party of Pete Hegseth and Michael Brown.
TwoNineA
As a canuk, I was anxious a little bit when orange man kept blathering about annexing Canada, but now seeing how uttery incompetent this administration is, my anxiety died down.
exe34
sadly they haven't replaced all the competent people yet, so I'm afraid they can still do a lot of damage. but thankfully they're working their way through the list.
Cthulhu_
Failing checks and balances, and the wrong elected representatives given the power to put someone in that position. The current US administration was years in the making.
whizzter
That's what the rest of the world wondered in November 2016 and 2024.
nickdothutton
The entire UK is "governed" (and I use the term loosely) via a series of WhatsApp groups. This is where we are at.
breppp
Not the only country by the way. The issue here is classic shadow IT, the respective military/agencies are unable to supply anything as portable and usable as a mobile phone for classified communications.
Governments are simply run the same way businesses are now run
esseph
You misunderstand.
It's not because it's harder to use.
It's because it's recorded that they aren't using it.
petesergeant
Everything old is new again: https://www.theguardian.com/lifeandstyle/cartoon/2012/mar/16...
_heimdall
I'd be curious whether this is actually an outlier or the norm.
My understanding is that Signal is pretty common in DC, and that private email servers aren't exclusively a Hilary Clinton special.
Wouldn't others have to be similarly dodging network security protocol for their own non-secure communication tools of choice?
acdha
It’s a complete outlier. Prior to this administration, people took classified information rules and federal laws around records retention very seriously and while Clinton’s personal server used for non-classified material was a grey area back then the rules were strengthened to make that clearly off-limits.
_heimdall
But how do others in DC use Signal while in federal buildings, or is Signal use way less common than I've understood it to be?
I'm not asking because what Hegseth did is excusable, the first offence likely would have led to his termination and charges if he was enlisted.
It is still interesting, though, whether this actually is an outlier or just an article pointing out one case of an individual they want to single out.
acdha
People don’t use Signal for official business. The federal government is required to keep records of how it operates, which Signal is not compliant with (deletion), and classified material is not allowed on unapproved systems. Most people take that seriously because it is a career-ending offense for a merit-hire which would effectively end their ability to get any job with the government or a contractor which requires a background check.
null
null
firesteelrain
I don’t know how you can access Signal without a public Internet connection. It isn’t like Signal is setup on Azure US Government (as far as I am aware) or Amazon equivalent. Does anyone know?
Signal uses HTTPS for contact discovery and account registration. Then, it switches to its own Signal protocol to provide end-to-end encryption.
There would have to be some egress rule to allow Signal access from Azure. Signal is a commercial app.
Even if access was allowed from Cloud or some other Defense network, it would still be considered “dirty” as the article says because it’s still going over the Public Internet to a commercial software provider.
Communications are encrypted barring some MiTM attack.
Not a good idea to discuss secret things on an app that isn’t approved for it but is this article reaching a bit?
I think the article is pointing out the obvious. The only way to access Signal is over the public Internet with HTTPS and end to end encryption provided by Signal.
Cthulhu_
> is this article reaching a bit?
Is it? This circumented the Pentagon's security protocols, presumably disrupting its air gap. This is a national security breach on the highest level, I'd say it's pretty serious and I don't understand why anyone is in the comment section trying to downplay or defend it.
diego898
Not downplaying or defending - but I don’t understand the failure mode here - presumably hegseth had to ask someone in pentagon IT to set this up? Submit a form etc. sure he asked for something illegal* but someone actually following a set of rules had to enable this, no?
(* or against protocols, etc)
lukev
The failure mode is that the Secretary of Defense unilaterally bypassed security protocols to use technology that had not been evaluated for that use case in a national security context by the appropriate experts.
It doesn't matter if he happened to use something that has a solid security model. The problem isn't Signal, it's that he ignored all the rules.
And it does have an impact, as we see in other news, because one failure mode of Signal is that it's super easy to add the wrong people to a group. Which has actually happened. Twice (at least.)
CamperBob2
Not downplaying or defending - but I don’t understand the failure mode here
Like so many others, this particular 'failure mode' doesn't exist if you're a Republican. What if Hillary Clinton did it? Now that would be a democracy-threatening 'failure mode.'
DonHopkins
>[Something you don't actually mean and isn't true] but [something that you actually do mean that directly contradicts the words before "but" and isn't true].
Pretty "presumptuous" of you and Hegseth, to try to shift the blame from the Secretary of Defense in the leadership position to someone else.
What about the way Hegseth asked someone at the Pentagon to set up and pay for his own personal makeup studio?
Even though Trump slathers on buckets of orange makeup himself, and Vance wears enough voluptuous smokey eyeliner to give the most progressive Pope a heart attack, Hegseth is breaking the military rules about wearing makeup himself, when the only makeup he deserves to wear is CLOWN MAKEUP.
Excerpts from Army Regulation 670–1: Wear and Appearance of Army Uniforms and Insignia. Headquarters, Department of the Army, Washington, DC:
https://aele.org/law/2005FPAPR/ar-670-1.pdf
>b. Cosmetics.
>(1) General. As with hairstyles, the requirement for standards regarding cosmetics is necessary to maintain uniformity and to avoid an extreme or unmilitary appearance. Males are prohibited from wearing cosmetics, to include nail polish. Females are authorized to wear cosmetics with all uniforms, provided they are applied conservatively and in good taste and complement the uniform. Leaders at all levels must exercise good judgment in the enforcement of this policy.
U.S. Army: According to Army Regulation 670-1, male soldiers are not authorized to wear cosmetics unless medically necessary. The regulation specifies that "males may not wear cosmetics (makeup or perfume) of any kind" while in uniform . This policy is designed to ensure a consistent and professional military image.
U.S. Navy: The U.S. Navy's grooming standards emphasize a neat and professional appearance. While the regulations do not explicitly mention makeup for male sailors, they state that personal appearance should be free of distractions and that the use of cosmetics should not detract from a professional military image. This implies that makeup is generally not permitted for male service members.
U.S. Air Force and Space Force: The Air Force and Space Force have updated their grooming policies to allow more flexibility. However, these updates primarily pertain to female service members. Male airmen are still prohibited from wearing makeup while in uniform. The policies focus on maintaining a conservative and professional appearance.
U.S. Marine Corps: The Marine Corps maintains strict grooming standards, prohibiting male Marines from wearing makeup. The regulations emphasize that personal appearance must reflect the highest level of military image and professionalism.
firesteelrain
How did it disrupt its air gap? Thats presumably still in tact. If the article is true then he has an Internet connection in his office. He also has one on his personal cell, and probably his home. He could use Signal anywhere.
Scarblac
The secretary of defense was talking about military secrets on a device that does not have an air gap with the internet, so it was breached.
kasey_junk
And did!
afpx
Wouldn't MiTM be relatively easy for a state actor or even well-coordinated non-state actors? At least, if I was a state, I'd have backdoors in as many open source projects as I could and agents in the orginzations in the supply chain.
It's a crazy world when the person in charge of the US military is more paranoid about their own government than random people they don't even know.
If you go back far enough in the Twitter archives, you can see where Jack Dorsey basically tells everyone to switch to Signal to communicate with him. Was that the point when they all started colluding on Signal?
klabb3
Or even the infamous and highly sophisticated reporter-in-the-middle attack, where the victim is drunk and rambling, has no idea how to verify public keys in order to actually use the e2ee correctly, then fat-finger adds people by nickname from a contact list that’s full of personal connections.
XorNot
With Signal? Sort of.
Signal has countermeasures for this but no one knows how to use them - it's very much a trust on first use system.
Fine for regular people, not at all fine when you're target number one for every foreign intelligence service on the planet.
victorbjorklund
which countermeasures require active involvement from the user? (honest question because I am curious)
aqme28
I'm not following your logic here. He is not allowed to use Signal for his work. It sounds like there were some measures in place to block lots of "normal internet" (for any number of good reasons), which would include Signal. He then deliberately circumvented those measures so he could use Signal.
Deliberately circumventing security and policy protocols is a bad thing in itself.
firesteelrain
The article premise is that he used dirty Internet connection to access Signal. My argument is that is the only known way to access Signal as far as we are all aware. Because as has already been stated, it’s only approved for unclassified communications only per DoD policy. I don’t know what’s secret in his communications because we don’t know what the government has designated as such.
https://dodcio.defense.gov/Portals/0/Documents/Library/Memo-...
null
josefritzishere
I am reminded of the George Carlin quote "Think of how stupid the average person is, and realize half of them are stupider than that."
gonzo41
I just want to say, as someone who was in the military at a point in time, if a private (lowest rank) did anything like this, they'd be burned at the stake. Actually if most officers did this the same would happen.
mosura
The all time stupidest episode of this type was https://www.cfr.org/cyber-operations/compromise-mobile-app-u...
“A threat actor compromised a mobile app that Ukrainian artillery units used to assist with targeting. The compromise of the app is believed to have allowed the threat actor to monitor the movements of Ukrainian units in order to facilitate military targeting by Russian-backed rebels in eastern Ukraine”
More details https://www.theregister.com/2016/12/22/android_malware_track...
misja111
Well, it's not that long ago that German officers did something similar. As far as I know nobody was punished.
https://spyscape.com/article/webex-espionage-kremlin-leaks-g...
noja
Why would he do that? Is this guy compromised?
misja111
Never attribute to malice that which is adequately explained by stupidity.
Loughla
That rule doesn't apply to this administration anymore. Once is incompetence. Every single thing is a coordinated effort to gut every government service for personal gain.
exe34
unless of course there's a lot of evidence that the whole administration is rotten to the core. it can be both malice and stupidity. it doesn't need to be one or the other.
FranzFerdiNaN
In the case of Trump and co you can definitely attribute things to malice and bring compromised.
woodpanel
> unsecured internet line
Is this a euphemism for „VPN“ or is AP going to elaborate what they mean by this „industry standard“
lcnPylGDnU4H9OF
> it connects directly to the public internet where the user’s information and the websites accessed do not have the same security filters or protocols that the Pentagon’s secured connections maintain
(I’m not able to find the phrase “industry standard”. Where does the article use that?)
Swoerd123
Republicans have got to be some of the dumbest motherfuckers roaming this planet.
Trump is the Milli Vanilli of negotiations. "Russia not taking over Ukraine is a concession". He really said it. What a stupid fucking retard.
null
It's not like he called Comcast and had them run a line on the weekend and they snuck it in there with no one noticing. He told Comms what he needed and they gave security a business justification to set it up in a way that had an acceptable amount of risk. It's all documented and approved.
And no we don't call these a "dirty" line that's something someone made up for the purposes of the article. We call it "unattrib" and it's quite common, serving many useful legitimate purposes.
One thing that I find surprising about the Hegseth case is that most SecDef do not use the computer in their office it all. A couple recent ones still don't even have a computer in there. Normally staff handle 100% of communication and briefing outside of phone calls and video calls. He's clearly still adjusting to the reality of operating within the _confines_ of DoD headquarters.
Also the article's mention of using Wi-fi in the back of his office doesn't make sense to me, there isn't any Wi-fi available in the suite or anywhere nearby.