Trump’s “Best Security People” Can’t Figure Out Basic Security
from the only-the-best dept
This hasn’t been a good week for those who believed that Donald Trump would bring in the “best, most competent” people around. Fresh off the revelation that a bunch of the top cabinet and security officials were accidentally sharing classified info with a journalist using Signal on their private phones (rather than, you know, secure government systems), the hits just keep coming.
Next, it came out that Mike Waltz, Trump’s National Security Advisor and the person who had added the journalist Jeffrey Goldberg to the illegal Signal group chat, had also left his Venmo friends list wide open:
A Venmo account under the name “Michael Waltz,” carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz’s personal and professional associates, including journalists, military officers, lobbyists, and others—information a foreign intelligence service or other actors could exploit for any number of ends, experts say.
Among the accounts linked to “Michael Waltz” are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called “Houthi PC small group.”
Oopsie.
While this is hardly the first time a politician left their Venmo info exposed, we’re not talking about some random congressman’s late-night pizza orders — this is the National Security Advisor, whose entire job revolves around protecting sensitive information. You’d think having even basic operational security would be, you know, a job requirement.
Hell, you might think that the National Security Advisor, of all people, would have someone on staff whose job includes making sure his digital pants are zipped. But that would require caring about security basics in the first place.
- Last month, it was revealed that Defense Secretary Pete Hegseth left his Venmo exposed as well.
- And on Thursday, Wired found that many others in the “bomb the Houthis” Signal chat group have been walking around with their digital pants down – more members had left their Venmo info exposed in ways that created massive security risks.
A number of top Trump administration officials—including four who were on a now-infamous Signal group chat—appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target’s social network or even identify individuals who could be paid or coerced to act against them.
The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Donald Trump’s nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of State. All three were participants in the “Houthi PC small group” chat in which sensitive attack plans were discussed and to which Jeffrey Goldberg, editor in chief of The Atlantic, was accidentally invited. Katz was named in it as a point of contact by Scott Bessent, the Treasury secretary; Kent by Tulsi Gabbard, the director of national intelligence, to whom Kent serves as acting chief of staff; and Needham by Marco Rubio, the secretary of State.
It gets worse.
As if the Venmo exposure wasn’t bad enough, the German newspaper Spiegel dropped another bombshell this week: they found private data — including actual passwords — for these same officials just sitting exposed on the internet. And we’re not talking about old, abandoned accounts.
Private contact details of the most important security advisers to U.S. President Donald Trump can be found on the internet. DER SPIEGEL reporters were able to find mobile phone numbers, email addresses and even some passwords belonging to the top officials.
To do so, the reporters used commercial people search engines along with hacked customer data that has been published on the web. Those affected by the leaks include National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard and Secretary of Defense Pete Hegseth.
- But there’s a world of difference between your average person’s old MySpace password getting exposed and what we’re seeing here.
- These are our top national security officials, using current credentials that provide access to their most sensitive communications — including, as the Spiegel report notes, their Signal phone numbers:
Most of these numbers and email addresses are apparently still in use, with some of them linked to profiles on social media platforms like Instagram and LinkedIn. They were used to create Dropbox accounts and profiles in apps that track running data. There are also WhatsApp profiles for the respective phone numbers and even Signal accounts in some cases.
This matters a lot. While Signal’s encryption remains secure, foreign adversaries (particularly the Russians) have found a much simpler way in: exploiting Signal’s “linked devices” feature. It’s not a technological hack — it’s old-fashioned social engineering that preys on user carelessness. The feature lets you use Signal on multiple devices (like your phone and computer), but if attackers can trick someone into “linking” a device they control, they can read all of that person’s messages. With the phone numbers and other data now exposed, staging such attacks becomes dramatically easier.
Indeed, just days before the “bomb the Houthis” Signal chat happened, the Defense Department had warned everyone to beware of this kind of attack on those who use Signal.
Whoops.
Spiegel found that both Waltz and Director of National Intelligence Tulsi Gabbard (yes, that’s right — the person in charge of coordinating all US intelligence activities) had active Signal accounts linked to their exposed phone numbers:
Tulsi Gabbard has declined to comment. DER SPIEGEL reporting has demonstrated, though, that privately used and publicly accessible telephone numbers belonging to her and Waltz are, in fact, linked to Signal accounts.
Let’s break this down: The two officials most responsible for America’s intelligence security (1) were using Signal to illegally discuss information that should have been classified, (2) had their phone numbers and other personal data exposed online, including, in Waltz’s case, details about his social circle, and (3) kept using those same compromised accounts even after being warned about potential attacks.
Seems… not great.
There’s a particular irony in watching an administration that campaigned against the “deep state” bureaucracy and “DEI hires” while promising to bring in only the “best people” install national security officials who can’t figure out basic privacy settings. The “deep state” types, whatever their faults, at least knew how to use secure government communication systems. (And probably knew better than to add journalists to their classified chat groups.)
These aren’t just embarrassing gaffes or fodder for tech journalists. They’re potentially devastating vulnerabilities in our national security apparatus, created by the very people tasked with protecting it. When your National Security Advisor and Director of National Intelligence are ignoring basic security practices that every corporate IT department requires of entry-level employees, something has gone deeply wrong with your hiring practices.
Perhaps we should consider bringing back DEI, since the people in charge sure seemed a lot more competent back then. At the very least, they knew how to lock down their Venmo accounts.
Filed Under: dan katz, joe kent, mike needham, mike waltz, national security, pete hegseth, security, signal chat, tulsi gabbard
Companies: signal, venmo

Not Content With Its Billions Of Web Scrapings, Clearview Tried To Buy Millions Of Mugshots And SSNs
from the everything-everywhere-all-at-once dept
Clearview saw an opening in the facial recognition market and took full advantage of it. While most tech firms offered face-matching tech of dubious accuracy, Clearview went further, matching its AI to the billions of records it has harvested for free from the open internet. (And while this effort certainly wasn’t free, it definitely was cheaper than hiring a third party to do its web scraping for it.)
Not satisfied with its 10 billion+ stack of scraped photos and personal data, Clearview turned to other companies to help it continue to build a database none of its competitors would be able to compete with. (Not that any of them wanted to compete with Clearview. In fact, other facial recognition tech companies have taken care to distance themselves from Clearview and its web scraping-based business model.)
As Freddy Martinez reports for 404 Media, newly obtained documents show Clearview was willing to spend some of its own money to obtain (or at least access) more than a billion additional data points from a third party “intelligence firm.”
New documents obtained by 404 Media reveal that Clearview AI spent nearly a million dollars in a bid to purchase “690 million arrest records and 390 million arrest photos” from all 50 states from an intelligence firm. The contract further describes the records as including current and former home addresses, dates of birth, arrest photos, social security and cell phone numbers, and email addresses. Clearview attempted to purchase this data from Investigative Consultant, Inc. (ICI) which billed itself as an intelligence company with access to tens of thousands of databases and the ability to create unique data streams for its clients. The contract was signed in mid-2019, at a time when Clearview AI was quietly collecting billions of photos off the internet and was relatively unknown at the time.
As the report notes, this happened before Clearview began racking up negative headlines all over the world, thanks mostly to Kashmir Hill’s exposé of the company and its tactics (and its miserable set of financial backers) for the New York Times. This was prior to the numerous lawsuits, fines, fees, and expulsions from foreign countries that initial reporting led to.
That also means this happened back when Clearview still had money to spend. At this point, Clearview still has tens of billions of data points and an unknown number of paying customers, but it hardly seems like a tech firm that’s likely to survive much longer now that its largest revenue stream is considered so toxic that most potential customers are looking at other options. In fact, Clearview is so cash poor it has been trying to hand out stock options instead of actual money in lawsuit settlements.
Clearview — especially as portrayed by its founder, Hoan Ton-That — depicts itself as the fastest mover in the breaking things tech market, a company so smart and self-assured that it can’t possibly be overtaken by its competitors and/or forced out of the market by the numerous laws around the world that make its data collection efforts illegal.
But the evidence shows Clearview isn’t all that smart, actually. This contract fell through and both parties sued each other for breach of contract. This ended up being one of the rare cases where Clearview came out ahead in litigation. But if it had any hope of clawing back the ~$1 million it paid to ICI, those hopes were extinguished more than five years ago when Clearview first entered this contract.
Clearview AI may also never recover the over one million dollars from ICI or its president: instead of wiring the money to an escrow service, Clearview instead deposited it directly into Berlin’s personal checking account.
Nice. This makes Clearview look like someone’s grandparent. Maybe Clearview was told things would move faster if it just cut a check to cash and sent it to ICI’s owner directly. Or maybe ICI managed to nullify the contractual prenup by convincing Clearview no escrow would be necessary. Either way, Clearview got played, and the money it wants back from the company was never paid directly to this data broker/“intelligence firm.” Instead, it went directly into the pocket of the company’s president (Donald Berlin), who may not have any legal, much less moral, compunction to return the funds.
This feels like another mileage marker on the road to Clearview’s ultimate exit from the marketplace of… um… marketplaces. At this point, it’s just limping along, selling access to entities that don’t mind doing business with a business on the precipice of bankruptcy and don’t really care where the data come from or about the accuracy of the algorithm used to generate matches. And while I sincerely continue to cheer on what looks like the slow-moving demise of a truly terrible AI firm, I’m not so optimistic that some other tech bro with even worse ideas won’t buy what’s left of this mess for pennies on the dollar and turn it into something far worse than what it already is.
Filed Under: facial recognition tech, privacy, surveillance, web scraping
Companies: clearview, clearview ai, investigative consultant inc.