How to avoid the Signal mistakes the Trump administration made

Daily Dot – Mikael Thalen: The other week, Jeffrey Goldberg, the editor-in-chief of the Atlantic, was accidentally added to a Signal group chat where everyone from Secretary of Defense Pete Hegseth to Vice President JD Vance discussed an impending attack on Yemen’s Houthi rebels. Long story short, the administration responded to the unprecedented blunder by simultaneously confirming and denying it, before ultimately concluding that it wasn’t a big deal. In reality, the information shared in the chat would have been classified, making the accidental inclusion of an outside party a major security disaster. So what could the administration have done to avoid such an issue? For starters, they should not have used Signal. Yes, Signal is the gold standard for end-to-end encrypted communications, so don’t buy the claims that it’s vulnerable. How to avoid the Trump administration’s Signal mistakes = But Signal is designed to protect your messages from being intercepted when they travel from your phone to a recipient. If your phone gets hacked, a very likely possibility for the people in that chat group, then the unencrypted chats on your phone will be available to the attackers. And if you add someone to a group that isn’t supposed to be there, encryption won’t help you either. But the administration could have done one thing to avoid this mess: Use compartmentalization, which involves dividing information and access into distinct segments to minimize the risk of unauthorized disclosure. Reporting suggests that some members in the group were using both their personal phones and work phones to access the chat. By doing so, they’ve made their attack surface even larger. Had members of the group used multiple Signal accounts, like one for discussing with other admin officials, another for communicating with journalists, and another for personal use, this never would have happened. Granted, setting up multiple Signal accounts or using multiple devices isn’t always practical or fun (believe me, I know). And as we stated before, they shouldn’t have been using a commercial phone app to chat about war plans regardless. To be fair, there are phones that will let you run multiple profiles and Signal accounts at once, all with different usernames and phone numbers. But that’s a discussion for another day (feel free to ask if you’d like to learn more in a future column!) But in this scenario, relying on the same phone you use to gossip with friends to discuss classified kinetic action by the most powerful military in world history, isn’t smart.  Another Signal feature – One other feature worth mentioning––although it may not have helped in this case––is the feature known as safety numbers, or codes that are unique to your Signal conversations. On Signal, if you click on a user’s profile picture in your inbox, you should see an option that says “View safety number.” When you click it, you’ll see a QR code with 12 rows of 5 digit numbers below. Essentially, you want to confirm with the recipient that the collection of numbers on their screen matches what’s shown on yours. The easiest way to do this is in person by scanning the QR code on your recipient’s phone. And if you can’t do it in person, have the person reach out with a copy-and-pasted version of their safety number, or a screenshot, from an account that you know they have control of. Once you both confirm that you’re seeing the same codes, you and the recipient will have a “Verified” check mark badge under your names in your conversation. If you or the person changes your phone number or begins messaging from a new device, you’ll get an alert that their safety number has changed. If that happens, you’ll want to confirm it’s them and re-verify the new safety numbers. Had Trump’s advisors practiced compartmentalization, the journalist wouldn’t have been in the chat. And by verifying everyone’s safety numbers, they would have seen, had they checked, whether everyone in the chat was legit.”