Ah, it seems #TeleMessage (the company behind that Signal fork called TM SGNL, used by Mike Waltz and possibly more members of the Trump administration) has woken up and blocked access to the source zips for their iOS and Android apps. Until yesterday they were publicly available at https://www.telemessage.com/developer/api-libraries/# now that page is gone. (it looked like this: https://archive.is/CLQLT)
Signal is AGPLv3 licensed, so hiding the sources could very well be a license violation. Oops.
cc @micahflee @ljrk FYI
Their homepage at https://www.telemessage.com/# is now more or less non-functional and they have removed every mention of Signal (and their Signal Archiver product).
The YouTube channel with their (rather cringy) demos and explanation videos is still up at https://www.youtube.com/@Telemessage though ;) Feel free to back the clips up before they also disappear ...
(and yes, I now have a local backup of their "TeleMessage Signal Archiver" demo video which is publicly available at https://www.youtube.com/watch?v=roY24VAX6E4 ;)
If you want to install their unlisted app (I wouldn’t, but maybe someone out there wants to see what’s happening on the network when you use it?) https://apps.apple.com/de/app/tm-sgnl-unlisted/id6462195303?l=en-GB is still up ;)
Oh. #WhereIsMySurprisedFace Someone used The Source (pun intended) and freed quite some data from TeleMessage users and conversations going through their servers using their TM SGNL app which is a modified Signal app that captures and records all messages and attachments. It wasn't me :) https://www.404media.co/the-signal-clone-the-trump-admin-uses-was-hacked/
That's less than 72 hours from finding the sources to analysing to identifying security flaws to extract data. #Oops, indeed.
The article also confirms my suspicion that this modified Signal app called TM SGNL sends at least parts, if not all intercepted traffic to a central server/service run by TeleMessage before sending it onwards, where they are accessible seemingly unencrypted, which by itself is a huge breach of confidentiality, IMHO. I really hope that the Signal developers add a feature VERY soon that warns users when their chat partners use such a non-official app.
If you are a journalist or blogger and want to also write about this, and you need some more input, feel free to catch the https://sciop.net/datasets/tm-signal dataset which contains more screenshots from TeleMessage webpages that have been deleted since yesterday, their commercials, source code, documentation and more. You're welcome :) Again, that also wasn't me :)
@jwildeboer why are they using a fork of it rather than the actual product?
@aarRJaay The TM SGNL fork promises to work just like "normal" Signal but it is able to copy all messages and attachments sent and received to an external backup storage. Including deleted messages and those set to auto-disappear.
@jwildeboer can see why they might want that. I ASSume the server is owned, run, maintained and totally locked down by them?
@aarRJaay Yes. And according to some first code analysis, the server(s) used to store those intercepted messages and attachments is in Israel ;) (or more precisely: it currently seems that the intercepted messages go through a kind of proxy, operated by TeleMessage, that in turn sends the messages to a final destination which can very well be outside of their premises; they offer, for example, to send it all to Gmail for final storage)
@jwildeboer insert Picard facepalm here
@aarRJaay @jwildeboer US Law requires all government communications to be archived. During Signalgate it was mentioned several times that because of this using Signal was in fact illegal for government officials. But if they use a fork that does record and archives messages then it would appear that at least they did try to be compliant.
@krist @jwildeboer thank you for your eloquent and complete reply - I didn't think about the regulations they'd need to follow - I just hope the server is hardened and secure for the US's sake. I still hate how the reporting made it sound like a 'Signal' issue rather than human error.
@aarRJaay @krist It’s not enough to try, though. It remains to be seen if and which certifications TeleMessage has received for their solution. And even if, consumer, non-hardened devices simply will never qualify to be used for sharing top secret level information under the current rules anyway, as far as I can see. It’ll be an interesting story to watch :)
@jwildeboer @aarRJaay yeah, but it just means that instead of grossly incompetent they were just normal government level incompetent...
Also, according to https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/ the source has been made available on github by a third party.
@wonka Yes, until yesterday you could download the Android sources directly from their website at https://www.telemessage.com/developer/api-libraries/ a page that is now gone but was archived at https://archive.is/CLQLT ;) The iOS sources on that page did not contain the modifications that TeleMessage made, it was just a plain dump from Signal sources.
@jwildeboer they may not be able to because your chat partner is one of the endpoints. I'm no expert but I wouldn't think Signal can control the message once it arrives at the other end.
@jmcrookston @jwildeboer yeah making sure a computer you don't control is running specific software is sort of a known difficult problem.
It's equivalent to DRM, you either buy time with software obscurity or use a treacherous platform module that you control inside the other computer. Signal is open and has to run on vanilla phones so neither solution is practical.
@jwildeboer This is why they (try to?) shut down custom clients. This is why we can't have nice things
@jwildeboer and certain that this was not the first to siphon data out of those chats....
@jwildeboer@social.wildeboer.net
It looks like someone already grabbed the source code and put it on their github.
https://github.com/micahflee/TM-SGNL-iOS
https://github.com/micahflee/TM-SGNL-Android
https://micahflee.com/heres-the-source-code-for-the-unofficial-signal-app-used-by-trump-officials/
@hazel Yep, I posted about that yesterday too :) https://social.wildeboer.net/@jwildeboer/114446092485438265
@jwildeboer@social.wildeboer.net
Oops, yep! Glad you got it
@hazel I also have a bunch of screenshots from the now deleted pages on their website ;) I'm just that kind of a hoarder, I really don't know why ;)
@jwildeboer i for one applaud your hoarding efforts in this respect. it's not clear exactly what has happened, but i find it highly suspicious that as attention starts to focus on this organization they are moving to erase their digital history.
@jwildeboer @micahflee lol, thanks for the pointer! interesting... maneuver, since they explicitly mentioned licensing in the page for the source link so they are aware of the issue and at some point "cares enough" to somewhat address it.