TeleMessage, used by Trump officials, can access plaintext chat logs
30 comments
·May 6, 2025dang
ChrisArchitect
Mike Waltz Accidentally Reveals App Govt Uses to Archive Signal Messages
tptacek
Isn't that the point?
Aurornis
No, the point is for the government to have access the plaintext after it is securely delivered to an approved archive location, not TeleMessage having access on AWS-hosted servers exposed to the public internet.
TeleMessage pitched their service as using end-to-end encryption of the message into the corporate archive.
> End-to-End encryption from the mobile phone through to the corporate archive
Apparently the plaintext messages were going to a TeleMessage server on AWS (not an approved government archive location) that was publicly accessible. Naturally it was hacked.
fnordpiglet
I doubt that’s the point either. The government should have cipher text they are able to decrypt in an approved archive location with rigorously managed key material and a careful cryptographically variable chain of custody from its inception. Plain text should never factor into this.
iAMkenough
Why would they need to hire a foreign Israeli firm for that?
Through this procurement decision, the government has displayed gross incompetence.
hedora
Presumably, in the spectrum of secure network protocols, something exists between "delete the message before it can leave this machine" and "send this message to a cloud provider and have them email it in plain text to another cloud provider".
pvg
If you're sending plaintext of out of an ostensible e2ee system, it's not an e2ee system. You have an 'end' that's not, you know, end-to-end.
JumpCrisscross
> Isn't that the point?
The point is making SecDef's communications, including scramble orders, available to whoever can find a TeleMessage employee who will cave to a bribe or blackmail?
ziddoap
It's supposed to be available in plaintext to the end customer (government), at their secured archive, but not available in plaintext to TeleMessage.
>TeleMessage lies about this in their marketing material, claiming that TM SGNL supports "End-to-End encryption from the mobile phone through to the corporate archive."
Surely someone of your expertise and renown recognizes this difference, so I'm not sure why you made the comment.
fnordpiglet
These are the guys trying to jail Krebs for being honest. They earned the “experts” they deserve.
null
proactivesvcs
I'd find it useful if I could access my Signal chat logs in plaintext. The software offers no facility to do this on any platform, and on Desktop the programs that have allowed me to take proper backups are (by necessity) a moving target because of changes to the database, so I am constantly having to get around to updating them and occasionally even that's a pain.
JumpCrisscross
> I'd find it useful if I could access my Signal chat logs in plaintext
I'd probably also find it useful if I could access your Signal chat logs in plaintext. That's the problem.
XorNot
It'd also be useful if backups on Android actually streamed somewhere off the phone so they could be meaningfully appended to, kept. Or handled per channel (i.e. my baby pictures channel with family).
walterbell
PhotoSync can incrementally backup iOS/Android photos to self-hosted or cloud storage targets, with optional encryption, https://www.photosync-app.com/support/encryption
nicce
That would hit the Google One revenue if people would use alternatives…
But also, it must have something to do with law enforcement. On the other hand, Google may say that forensic investigation of phone is harder (if no jailbreak), but on the otherhand it is easier to hand over the data behind the scenes from the remote cloud.
Backups are not E2EE by default (user can enable, so they have an argument), so in most cases law enforcement can access WhatsApp messages, SMS messages and anything else without a problem. Many people don’t think about this, and defaults matter.
proactivesvcs
...and if the restore process wasn't so fragile. The only time I needed to backup and restore it just crashed part-way through, so the backup process wasn't even doing any validation.
hedora
The lack of encrypted (and cross platform) backups is the biggest security hole I know of in Signal.
People inevitably end up working around it, which can mean using SMS, copying the threads / screenshots / attachments to arbitrary other storage, or switching to things like TeleMessage because of record keeping requirements.
I wish Signal were less hostile towards forks. I'd happily switch to a client that uses their network, but that's compatible with iCloud backup.
null
null
theyknowitsxmas
Anyone can change the client name and build it to mislead baddies when photographed in public.
woah
This is simply a 4d chess move by a team of geniuses
null
Recent and related:
Technical analysis of the Signal clone used by Trump officials - https://news.ycombinator.com/item?id=43875476 - May 2025 (313 comments)