Minutes before the United States launched a deadly missile campaign in Yemen that reportedly killed 53 people and wounded 89, including multiple children, on March 15, the Atlantic’s Editor-in-Chief Jeffrey Goldberg was sitting in his car in a grocery store parking lot waiting for the attack.
The story is now well-known and well-memed: Days before the missile barrage, Goldberg was added to a Signal group chat called “Houthi PC small group” after President Donald Trump’s national security advisor, Michael Waltz, invited him to connect on the encrypted message application. The editor was included in the discussion inadvertently, a spokesperson for the National Security Council acknowledged to the Atlantic.
Tbf, Signal and most modern chat clients with multi-device syncing are not great for opsec.
When it comes to privacy from mass surveillance, or using your metadata to mine demographic preferences, who you are talking to, etc., Signal sits at the top of generally available chat clients.
But it’s geared for the convenience and privacy of the average user, not military security.
E.g., when it comes to group chats, you just have to get one of the members of the chat to fall for a device-syncing link for the whole group chat’s future messages to become available to the attacker. What’s more, no admin or other user of the chat gets approval or visibility privileges, or notification of a new synced device for that chat, or any info about the status of each of the devices on that chat.
For most normal users, Signal is pretty much as good as it gets. Sure, I can set up a similar bespoke e2e protocol for myself, but I’m also a software engineer with near on two decades of experience. That’s not a reasonable or feasible expectation for the vast majority of the population.