HN Reader

I'm an external individual to the US, but I must admit that some of the sentiments being expressed here in this thread and elsewhere about the lack of accountability deeply concern me, it reminds me of many things I saw growing up and still see today in south asia.

Independent of anything else, I do see the overton window shifting in the US, the most subtle of which are norms and expectations around acts of corruption.

Every nation has it's minor acts of corruption, small favours between friends, which I've always thought of as being functionally impossible to remove as they also allow for a flexible environment which allows things to get done.

However the norms seem to be shifting more towards the idea that those in power can act as they will, and in fact the expected thing is they will act to enrich themselves. I hope this does not happen, because this is death to entrepreneurship, this is one of those things that will poison the economy, when people no longer trust that what they make can be theirs, that others can look on in envy at the work they have built on their blood and sweat and can take it as their due because they have power.

That will create a chilling effect for anyone who wishes to create and will make them wonder as myself and many others have considered, whether it's better to create their life's work elsewhere.

I sincerely hope this doesn't happen here, once this mindset becomes a norm, it's incredibly hard thing to stamp out.

I began my career in a classified environment working on government satellite programs.

In my first week on the job, I was told, explicitly, that if I shared Classified or Controlled Unclassified information over unapproved channels, I would be reprimanded—likely fired, or less likely, prosecuted.

It was also made clear that safeguarding the nation's secrets from the carelessness of others was my responsibility, too.

It is mind-boggling that 18 people were on this thread, and none of them ever suggested that this discussion would be better served in a SCIF. To say nothing of SecDef starting the thread on Signal in the first place.

How many other such threads are active at the highest levels of government right now?

Does Chinese intelligence know?

I'm not suggesting punishment, or even prosecution, for the people involved. But the idea that this breach can occur with no accountability, consequences, or operational changes is unacceptable.

If anything, I'm a bit surprised that Jeff Goldberg burned this source.

If anything, I'd suspect that he'd keep the channel open as long as he could.

Or, he's got other channels that work better.

All the same, I mean, wow. These guys are just morons here, there's really no other way around it. I'm trying to think of a charitable way to spin this and I've got nothing.

Like, very clearly, these people are going to get service-members killed due to their idiocy

Setting aside the obvious shock of the actual subject, I'm going to try the herculean task of bringing this back to being a HN-related topic...

My guess is that there is someone named Jeffrey Goldberg in the NatSec team (or high up, it seems like a common combination of first and last name at least), and likely that they meant to add him, rather than the EDITOR IN CHIEF of the Atlantic of all people. Could this be a UI/UX thing with Signal? (not differentiating between two Jeffrey Goldbergs on your contact list?).

Steve Witkoff was on the chat while he was in Russia.

There’s a vulnerability in Signal where you can set up linked devices that replicate your signal messages. You can do this by just scanning a QRcode. This is known to be used by Russian hackers.

What are the chances the Russians duped Witkoff into scanning a QR code while he was in Moscow?

This hypocrisy reminds me of one of my former lead developers. He required everyone on the team to go through multi-person code reviews and pass an extensive CI suite before merging changes into our mainline.

But him? Half that time he'd approve his own changes without review, the other half he would force-push and bypass the CI system entirely.

He knew the system well and seemed to do enough local testing to avoid major breakage but still. Why have a bunch of rules and policies that you do not follow yourself?

In my opinion there are at least two ways to interpret this:

a) It's an unintentional opsec failure. Perhaps there was an address book collision with another intended user. Perhaps it was fat-fingered. This seems likely.

b) It was an intentional leak. Perhaps overtly, perhaps covertly, by one or more of the channel members for unknown purposes. This seems less likely as there are better ways to leak with less blowback risk.

Regarding using Signal in the first place. Yes, this seems like bad opsec, but it's possible that the current admin working groups don't trust the official secure channels and assume they are compromised and they are being spied upon by their own or foreign agencies. That seems very likely, given the circumstances. In which case, it is still a possible opsec failure, but perhaps a less bad risk than trusting operational security to known adverse agencies. This is the more interesting case, imho, since the assumption on here is largely that these types of coordination should be happening on official government channels. But "government" is not necessarily a unified collective working towards the same goals. If you have a strong suspicion that agents within your own team are acting against your goals, then of course, you have to consider communicating on alternative channels. Whether that's to evade legal restrictions or transparency, like with the Clinton email servers, or to evade sabotage, I'm not judging the ethics, just considering the necessity of truly secure communication.

Is that trust in Signal justified? It suggests members at the highest security clearances believe Signal is not compromised. Are they correct? In any case, clearly there are more ways to fail opsec than backdoors.

Reminds me of https://en.wikipedia.org/wiki/German_Taurus_leak

„Among the topics the officials discussed in their conversation, conducted using standard commercial Cisco Webex video conferencing software, were the presence of UK and US military personnel in Ukraine and the potential use of Taurus missiles to blow up the Crimean Bridge.“

The behavior will continue until an effective negative stimulus is introduced.

Here's how Eisenhower dealt with a similar leak.[1]

General Henry Miller made public comments about the secret date of the Allied invasion of Normandy in May 1944. He was a personal friend of Eisenhower. Eisenhower demoted him and sent him back to the US in disgrace. He wasn't court-martialed.

[1] https://youtu.be/fD0IlFPTopA?t=269

Without commenting on the (important) political or reputational considerations here, I want to talk a bit about the operational risk presented by this practice. There is a somewhat sizable "So what? Signal is e2e encrypted. Nothing bad happened and you're all overreacting." narrative floating around. (not so much in this thread, but in the general discourse)

If this operation was planned in Signal, then so were countless others (and presumably so would countless others be in the future).

If not for this journalist, this would likely have continued indefinitely. We have high confidence that at least some of the officials were doing this on their personal phones. (Gabbard refused to deny this in the congressional hearing -- it does not stand to reason that she'd do that unless she was, in fact using her personal phone).

At some point in the administration, it's likely that at least one of their personal phones will be compromised (Pegasus, etc). E2E encryption isn't much use if the phone itself is compromised. This is why we have SCIFs.

There was no operational fallout of this particular screwup, but if this practice were to continue, it's likely certain that an adversary would, at some point, compromise these communications. Not through being accidentally invited to the chat rooms, but through compromise of the participants' hardware. An APT could have advance notice of all manner of confidential and natsec-critical plans.

In all likelihood this would lead to failed operations and casualties. The criticism/pushback on this is absolutely justified.

How is trump staff using signal for classified military actions different from Clinton use of private email account ?

Back then he said she should be put in jail but now he is downplaying it. How can Americans take this guy seriously is beyond my mind.

In 2023, Hegseth had his own critique of the Biden administration handling classified documents “flippantly”, remarking on Fox News that “If at the very top there’s no accountability”, then we have “two tiers of justice”.

https://x.com/MattGertz/status/1904228588414464167

https://www.theguardian.com/us-news/2025/mar/24/journalist-t...

Everyone crying about the opsec failure and not that these people were cheering murdering women and children in one of the world's poorest country.

I guess Signal is pretty safe, but the phone you are using it on is far from safe. Then there is the issue of being able to accidently add unvetted people to the chat. Is that pretty much the size of the technological issue here?

And these guys have been in power for only a few months, they're still finding out about their new tools. What will happen in the next 4 years? will they even leave power peacefully?

What are the odds that Goldberg was included in the Signal chat intentionally by a whistleblower? I.e., someone who had reservations about what was about to take place (either the bombing action itself, or the intentional avoidance of government recordkeeping) and so included him as a witness?

The reason?

I would put my chips on (an attempt at) avoiding the duty to keep records.

Great take from Timothy Snyder, including…

“Signal is attractive not because it is secure with respect to foreign adversaries, which it is not, but because it is secure with respect to American citizens and American judges.”

https://open.substack.com/pub/snyder/p/signalgate-violating-...

(…maybe his article should be a top level HN post)

The whole thread is WILD, and the fact that it was verified is crazy. But the actual text of the thread is horrifying:

On one hand, they say they complain about "bailing out Europe". But on the other hand, they explicitly moved up the timeline so they could move before other actors and take credit.

> "If the US successfully restores freedom of navigation at great cost there needs to be some further economic gain extracted in return."

So to be clear, when presented with the option to wait a month, they instead explicitly choose to act decisively for political reasons. And then they want to turn around and extort European allies over it.

Well, this is distressing.

Question: how many people here who are concerned about this behavior have actually contacted their senators or representatives to voice an opinion on this?

I wonder whether the phones and software used were certified for discussing such sensitive issues and if there are risks of leaking the data because of this.

304 votes, 75 comments 3 hours after posting and this is already being thrown all the way back to 134 rank on the front page with some 2-3 day old posts. This is very clearly hacker news: a case of opsec slipup in easily the worst fashion coming straight from the SecDef (or one representing the SecDef). A shame it is probably getting flamed and downvoted over partisan reasons, although I know there are many conservatives here who probably don't enjoy these constant leopards eating face moments they've unleashed and am not surprised they'd be acting out and flagging embarrassing posts.

If anything, this is a hell of a "social proof" for Signal :)

easier to read as rendered here https://mimoo.github.io/houthi_signal/

It just came out one of the chat members was in Russia at the time.

I mean im not shocked by neither the fact this happend nor the content. it portraits the staff exactly as i would imagine them.

Tho i still find it kinda amusing that this is the finally proofs that the average security invested joe has a better opsec than the highest ranking us gov officials.

>"The Houthi-run Yemeni health ministry reported that at least 53 people were killed in the strikes, a number that has not been independently verified."

weird chat, surprised Waltz was active in planning strikes. 18 confidantes - closer knit cabinet from internal coms. was under the impression that signal log was leaked to emulate Spinoza's excommunication decree.

How exactly do you accidentally add a reporter to a signal group chat ...? That's a pretty bizarre sequence of events if it's actually what happened isn't it?

Relatively minor side point, but still: for people who chastise "European freeloading", it's interesting to note that none of Signal group's members' usernames have the badge Signal gives users who pay for the service. Users like me, from Europe. Sure, they might all be paying but have opted out, but let's be honest that's unlikely.

Jeffrey Goldberg mentioned in an interview with MSNBC his Signal Alias was "JG." I wonder if JD Vance goes by JD?

More:

https://www.theatlantic.com/newsletters/archive/2025/03/jeff...

Who really believes this isn't an intentional "leak".

but her emails

Seems a bit unlikely. Seems more like a deliberate "leak".

The level of incompetence and lack of accountability is mind-boggling.

Colossal fuckup on many levels. Heads should roll. This kind of thing puts people in our military service at undue risk.

Isn't there some new agency offering tech support? Can't they focus on helping the Pentagon to sort out some internal secure messaging with strict ACL?

Is it wild that a 3rd party app like Signal is used for this type of communication? I feel like that's crazy.

Who is that theater for? Coulnd't he have been deliberately included in a chat?

Indirect strong hint:

Signal is uncompromised.

…at least at the moment.

Or of course, that’s what they want you to think :D

Staggering display of incompetence and carelessness. And unfortunately, one that we’re unlikely to get much transparency about, in terms of how such an operational screwup was allowed to happen.

> At 11:44 a.m., the account labeled “Pete Hegseth” posted in Signal a “TEAM UPDATE.” I will not quote from this update, or from certain other subsequent texts. The information contained in them, if they had been read by an adversary of the United States, could conceivably have been used to harm American military and intelligence personnel, particularly in the broader Middle East, Central Command’s area of responsibility. What I will say, in order to illustrate the shocking recklessness of this Signal conversation, is that the Hegseth post contained operational details of forthcoming strikes on Yemen, including information about targets, weapons the U.S. would be deploying, and attack sequencing.

> …The Signal chat group, I concluded, was almost certainly real. Having come to this realization, one that seemed nearly impossible only hours before, I removed myself from the Signal group, understanding that this would trigger an automatic notification to the group’s creator, “Michael Waltz,” that I had left. No one in the chat had seemed to notice that I was there. And I received no subsequent questions about why I left—or, more to the point, who I was

Why don't we see appropriate questions? Like how was the number added accidentally? It would have had to be in the contacts already? Was it? That seems highly unlikely. It's the ATLANTIC! Why would they have the Atlantic in their contacts.

And Signal is not an approved app afaik.

The whole thing just seems like it is highly likely it is fake/engineered.

> The Signal chat group, I concluded, was almost certainly real. Having come to this realization, one that seemed nearly impossible only hours before, I removed myself from the Signal group

Why? Why not stay in the group indefinitely (or until found) and write stories sourced from a mysterious individual deep in the entrails of the Trump administration? That would have been absolutely specacular and could have resulted in a hilarious purge while the culprits searched in vain for a traitor in their ranks.

Legality is certainly not just to do with breaking rules; this is more true the further up in the hierarchy you are.

How much of a bump is signal seeing as a result of this?

This is just unreal. Ridiculous!

This story lacks substance and is a perfect of example of medias complacency to the state in the name of “national security”… total BS. Ken Klippenstein has a great take on this reporting.

https://open.substack.com/pub/kenklippenstein/p/trump-admin-...

> In his text detailing aspects of the forthcoming attack on Houthi targets, Hegseth wrote to the group—which, at the time, included me—“We are currently clean on OPSEC.”

Simply incredible. This is wild.

Normalizing war. With emojis and all. Cool.

Having people preaching the glorious benefits of a meritocracy and how this white house is gonna spear head it all while these geniuses break the law and operational security the dumbest way possible is simply amazing.

So can we now stop hearing "lock her up" and "what about her email server?!".

This is bad news for entire genres of books, TV shows and movies that are based on the supreme competence, sophistication and wealth of the Pentagon, NSA and CIA.

Turns out US military strategy is the same as me and my mates setting up a bar date.

It's a disturbing leak in itself but i take issue with the journalist obsessing over the tool of choice whilst ignoring the actual strategizing.

The casual way in which a mass murder is planned. The emphasis on "messaging" and how to spin this on Biden and Europe. The teenage-like emojis to celebrate acts of war.

This administration looks bad from the outside but through this leak we can see that their shocking press moments are still the polished and spun versions of a reality that is far more sick.

<tangent opening line of my comment> From people on Reddit: Something that blows my mind- but is fully true "Hell, I've been in fucking EVE Online alliances that had better opsec than this." "I'll raise you one: I've never been in any EVE alliance that didn't have better opsec than this."

..I noted Board Games(Secret Hitler, for example) require better opsec. So do card games- it's mindblowing to note this too...

[Main comment by me - technical outlook] This is not a surprise at all- there were reports that the first Trump administration was using Signal to communicate, and that it was a a risk as messages can be totally wiped and not kept for records keeping.

-From an infosec standpoint- this is more notable than I think people are giving it credit- the fact that the Vice President(Well, maybe not him, he notably admittted in interviews during the presidential campaign, that he'd been briefed by three letter agencies on Salt Typhoon tageting him, but that he was secure because he used Signal) - the director of national intelligence- and several others- use Signal.

it's one thing for Congress, Sweden's Military, and apparently our own military branches to push Signal heavily for non-sensitive stuff-

But when those around three letter agencies -and the groups that would be interested in finding compromises- are using it, that screams to me that it's considered not that easy to attack- which is a point towards Signal

So then the final thing to secure are the endpoints- and of course the risk is a zero day exploit targeting someone. As for subtle push app updates by Signal themselves being a vector- i'd think the Open Source nature of the app prevent that - if the infrastructure for pushing updates is open source as well especially.

Again though- if the White House is using Signal- they likely KNOW most of what their own Three Letter agencies can and can't do(to a point)- so when people in the know are using it- that is telling.

A lot of it may be for the auto disappearing messages, admittedly- but that's notable. And yes, I'm aware Mark Zuckerberg has been known to move conversations off of WhatsApp, to Signal - again, maybe for the disappearing messages(and lack of a report function which would send part of a convo to FB/Meta to my understanding)- but possibly, for the security and lack of meta data being better from a attack surface standpoint

The nickname Stupid Watergate will never die

It’s actually kind of a relief to at least confirm that these cronies would work like this. I.e. whatever they have in store they will probably end up shooting themselves in the foot.

Well, themselves and the 53 humans who were blown up in a distant country by Star War technology.

Actually, now that I think about it, no - this is terrifying and awful and just so so so stupid.

This would be unbelievable in a normal administration. The combination of flagrant lawbreaking and incompetence is just so characteristic of these clowns.

No, nothing in the Clinton email scandal comes close to cabinet secretaries accidentally real-time texting imminent war plans to journalists using a non-governmental system with auto-deleting messages.

Is that a SCIF in your pocket or are you just displeased to see me

After reflecting on this for a day, it seems the best case scenario is Waltz decided to blow the whistle on a bunch of useful idiots.

Most likely scenario he decided to blow the whistle on a bunch of traitors.

It seems least likely that the journalist was accidentally included. The question is why? Seems like our defense personnel are now foreign agents acting against the US.

That is absolutely wild. How is this not on the front page?

This is an insane story demonstrating extraordinary incompetence, not to mention revealing some rather comical beliefs about American exceptionalism.

It's on the bottom of the third page, pushed down by flags. During any other administration, such a disastrously, criminally incompetent use of technology would have been top of the front page for days, but this administration is so cosmically incompetent that pointing it out is "partisan" now. Everyone is just tired of people commenting on the fact that this criminal bunch of Fox News host miscreants clearly have zero idea what they're doing.

Also...but her emails!

Who do you think will sponsor the Egg roll? They just need to move the Tesla infomercial out of the way, and maybe Trump can feature some of his garbage shitcoin crypto.

Jesus Christ. What a fallen idiocracy.

In the banking world, employees have been fined significant sums, or even forced from their jobs [0], for unauthorized use of messaging platforms. And here, it's barely a shrug. Unbelievable.

[0] https://www.reuters.com/business/finance/morgan-stanley-hit-...

Even worse, Trump wasn't aware of this leak (or denies knowledge of it) until questioned at a press conference earlier today. And instead of promising an investigation, the best he can do is throw some weak insults at The Atlantic.

BUTTERY MALES indeed.

A normal govvie sending cleared materials to unapproved recipients over unapproved channels? 20 years in federal prison.

A govvie with status doing the same? A slap on the wrist.

Embarrassing.

When they say VP do they mean Vice President or Vladimir Putin?

Sounds almost too good to be true.

Mr. Trump's return into White House made news about America interesting again.

He may have just received screenshots from a compromised phone and wrapped himself into the story.

seems like a UI design failure

Paywall

It would be interesting and valuable to have additional security controls in Signal group chats. It's frustrating that the platform is so feature limited.

The level of incompetence in this administration is laughable — well it would be if it wasn’t so sad

This Yemen situation is quite interesting. In 1948 nobody could have conceived a situation in which white people wouldn't be running the world, Dutch people were still religious and public opinion was pro Israel. Hopefully when the last boomers die we can finally extricate ourselves from this self imposed fuck up.

> Waltz set some of the messages in the Signal group to disappear after one week, and some after four. That raises questions about whether the officials may have violated federal records law: Text messages about official acts are considered records that should be preserved.

I suspect that this was the point of their using Signal, to avoid preservation of records.

The funny thing is I heard the head of the CIA testify today and say they use Signal because it is E2E encrypted. Are they that confident that no other country like China can crack those? I sure hope our intelligence officers are using better systems than effing Signal

Related: https://www.politico.eu/article/russian-hackers-snoop-ukrain...

False Flag, perchance?

Could've been a setup to get The Atlantic to leak government secrets...

Who is surprised the US is planning on military action in Yemen?

How can we know this group chat was really comprised of government officials and not some bored teenagers? Signal allows you to set your profile name to anything you like.

This was such a weird news story to read. At least they used Signal? That's gotta be a plus at some level.

Unrelated, but I wonder how the gray hat market for Signal vulns is doing now?

Amazing that with H.N.'s doctrinaire application of the exact original title rule, this is the title that the mods chose to editorialize.

One of my takeaways is that "national security secrets" really aren't that important. The Secretary of Defense was in on this. Whatever was in that chat just doesn't matter, except to manage the reporting on it.

I call on Bart Gellman to dump the Snowden document repository he's got. Clearly nothing in it matters, if this was so casually compromised.

Excuse me folks but is there any evidence that he was really in the group?

Going through the reporting a couple of times it could very well be that he was never part of the group. Screenshots of the group members including him or a screen recording nowhere to see. He didn’t write anything in the group but immediately wrote each individual after he left the group.

If he never was in the group and only received intel about it, the people which provided him with the intel would be able to tell him that critical information was posted in the group, which was accurate, but he wouldn’t have seen it.