Trump’s “Best Security People” Can’t Figure Out Basic Security
from the only-the-best dept
This hasn’t been a good week for those who believed that Donald Trump would bring in the “best, most competent” people around. Fresh off the revelation that a bunch of the top cabinet and security officials were accidentally sharing classified info with a journalist using Signal on their private phones (rather than, you know, secure government systems), the hits just keep coming.
Next, it came out that Mike Waltz, Trump’s National Security Advisor and the person who had added the journalist Jeffrey Goldberg to the illegal Signal group chat, had also left his Venmo friends list wide open:
A Venmo account under the name “Michael Waltz,” carrying a profile photo of the national security adviser and connected to accounts bearing the names of people closely associated with him, was left open to the public until Wednesday afternoon. A WIRED analysis shows that the account revealed the names of hundreds of Waltz’s personal and professional associates, including journalists, military officers, lobbyists, and others—information a foreign intelligence service or other actors could exploit for any number of ends, experts say.
Among the accounts linked to “Michael Waltz” are ones that appear to belong to Susie Wiles, the White House chief of staff, and Walker Barrett, a staffer on the United States National Security Council. Both were fellow participants in a now-infamous Signal group chat called “Houthi PC small group.”
Oopsie.
While this is hardly the first time a politician left their Venmo info exposed, we’re not talking about some random congressman’s late-night pizza orders — this is the National Security Advisor, whose entire job revolves around protecting sensitive information. You’d think having even basic operational security would be, you know, a job requirement.
Hell, you might think that the National Security Advisor, of all people, would have someone on staff whose job includes making sure his digital pants are zipped. But that would require caring about security basics in the first place.
But Waltz’s carelessness isn’t isolated. Last month, it was revealed that Defense Secretary Pete Hegseth left his Venmo exposed as well. And on Thursday, Wired found that many others in the “bomb the Houthis” Signal chat group have been walking around with their digital pants down – more members had left their Venmo info exposed in ways that created massive security risks.
A number of top Trump administration officials—including four who were on a now-infamous Signal group chat—appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target’s social network or even identify individuals who could be paid or coerced to act against them.
The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Donald Trump’s nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of State. All three were participants in the “Houthi PC small group” chat in which sensitive attack plans were discussed and to which Jeffrey Goldberg, editor in chief of The Atlantic, was accidentally invited. Katz was named in it as a point of contact by Scott Bessent, the Treasury secretary; Kent by Tulsi Gabbard, the director of national intelligence, to whom Kent serves as acting chief of staff; and Needham by Marco Rubio, the secretary of State.
It gets worse.
As if the Venmo exposure wasn’t bad enough, the German newspaper Spiegel dropped another bombshell this week: they found private data — including actual passwords — for these same officials just sitting exposed on the internet. And we’re not talking about old, abandoned accounts.
Private contact details of the most important security advisers to U.S. President Donald Trump can be found on the internet. DER SPIEGEL reporters were able to find mobile phone numbers, email addresses and even some passwords belonging to the top officials.
To do so, the reporters used commercial people search engines along with hacked customer data that has been published on the web. Those affected by the leaks include National Security Adviser Mike Waltz, Director of National Intelligence Tulsi Gabbard and Secretary of Defense Pete Hegseth.
Now, some might argue that everyone’s data gets leaked eventually. But there’s a world of difference between your average person’s old MySpace password getting exposed and what we’re seeing here. These are our top national security officials, using current credentials that provide access to their most sensitive communications — including, as the Spiegel report notes, their Signal phone numbers:
Most of these numbers and email addresses are apparently still in use, with some of them linked to profiles on social media platforms like Instagram and LinkedIn. They were used to create Dropbox accounts and profiles in apps that track running data. There are also WhatsApp profiles for the respective phone numbers and even Signal accounts in some cases.
This matters a lot. While Signal’s encryption remains secure, foreign adversaries (particularly the Russians) have found a much simpler way in: exploiting Signal’s “linked devices” feature. It’s not a technological hack — it’s old-fashioned social engineering that preys on user carelessness. The feature lets you use Signal on multiple devices (like your phone and computer), but if attackers can trick someone into “linking” a device they control, they can read all of that person’s messages. With the phone numbers and other data now exposed, staging such attacks becomes dramatically easier.
Indeed, just days before the “bomb the Houthis” Signal chat happened, the Defense Department had warned everyone to beware of this kind of attack on those who use Signal.
Whoops.
Spiegel found that both Waltz and Director of National Intelligence Tulsi Gabbard (yes, that’s right — the person in charge of coordinating all US intelligence activities) had active Signal accounts linked to their exposed phone numbers:
Tulsi Gabbard has declined to comment. DER SPIEGEL reporting has demonstrated, though, that privately used and publicly accessible telephone numbers belonging to her and Waltz are, in fact, linked to Signal accounts.
Let’s break this down: The two officials most responsible for America’s intelligence security (1) were using Signal to illegally discuss information that should have been classified, (2) had their phone numbers and other personal data exposed online, including in Waltz’s case, about his social circle, and (3) kept using those same compromised accounts even after being warned about potential attacks.
Seems… not great.
There’s a particular irony in watching an administration that campaigned against the “deep state” bureaucracy and “DEI hires” while promising to bring in only the “best people” install national security officials who can’t figure out basic privacy settings. The “deep state” types, whatever their faults, at least knew how to use secure government communication systems. (And probably knew better than to add journalists to their classified chat groups.)
These aren’t just embarrassing gaffes or fodder for tech journalists. They’re potentially devastating vulnerabilities in our national security apparatus, created by the very people tasked with protecting it. When your National Security Advisor and Director of National Intelligence are ignoring basic security practices that every corporate IT department requires of entry-level employees, something has gone deeply wrong with your hiring practices.
Perhaps we should consider bringing back DEI, since the people in charge sure seemed a lot more competent back then. At the very least, they knew how to lock down their Venmo accounts.
Filed Under: dan katz, joe kent, mike needham, mike waltz, national security, pete hegseth, security, signal chat, tulsi gabbard
Companies: signal, venmo
Comments on “Trump’s “Best Security People” Can’t Figure Out Basic Security”
OpSec failures this bad should result in people not only losing security clearances and jobs, but the right to work a job more complicated than “janitor”.
Re:
I would not let these people patch my Windows servers.
Re:
I would bet you real cash money that the janitors in the Pentagon have to go through some positively nightmarish OPSEC training.
Re: Re:
I had people in my Security+ classes years ago who were only doing it because DoD was making them get certified. I don’t even remember the jobs they were naming, but some of them weren’t even tangential to security beyond the DoD wanting them certifiably educated in security.
They were a particularly unhappy bunch. Which, on the one hand I get. On the other hand, monopolizing class time to complain about your employer’s requirements isn’t acceptable. Your employer sent you to the course. The course doesn’t exist to give you warm fuzzies about what your employer requires.
I got off on a little bit of a tangent, but my point is, you’re almost certainly right.
Re: Re:
Yeah, I wouldn’t be surprised if Pentagon janitors have a better idea of proper security protocols than these people.
Not that that’s a high bar, but still.
Re: Re:
I’d bet you actual cash money that any given janitor in the Pentagon got more screening than all of Trump’s cabinet combined.
Re:
Under Trump’s reign, a “simple” counselor can cancel dozens of billions of dollars in Federal contracts, so even a janitor picked by Trump could have the clearance to launch nuclear missiles on Yemen.
Re:
Do you want these motherfuckers cleaning the place where you work?
Re: Incompetency begets loyalty
They don’t have anything but loyalty to offer to Trump. Competency causes talkback. People who have a clue upstage Trump.
So this is not going to get anybody fired. Summoned to kiss the ring, maybe.
Re:
idk man, janitors have keys and frequently have access to places no one else goes, and access to nearly everywhere, including when there is no one else around. God forbid they work at a school.
I always[0] say: Being smart doesn’t make you good.
This would imply the corollary: Being evil doesn’t make you dumb.
But It looks like Trump is out to prove me wrong (at least statistically).
[0] meaning: whenever I’m not saying something else, or simply just not talking.
I think one of my very favorite comments to come out of all this was Pete Hegseth’s “Goldberg has never seen a war plan.” Dude, unless they were passing out top secret war plans to Fox News correspondents, I’m pretty sure you hadn’t either until at least February. Also, don’t these people – with their utter lack of credentials – count as DEI hires (hired because of how they looked and because they were parts of favored groups)? Most of America knows at this point they certainly were not hired for their skill sets.
Re:
Musk is an illegal immigrant who’s admitted to lying on his immigration documents, a felony that could cost him his naturalization.
Mike Waltz, welcome to the resistance??
Isn’t there?
A beginner’s class in security protocols, from each of the sections that monitor this stuff?
That should be taken when you start work for the Gov.?
Ironically, janitors can be required to have incredibly high security clearances….
Instead of DEI hires they have DUI hires – Divulging US Intelligence
The morons are coming, the morons…oh…too late they’re already here.
There’s not actually 24 hours in a day. A day on earth is 23 hours 56 minutes and 4 seconds long.
Please if you want to talk about truth vs lies, please be precise.
Re:
So why are you so imprecise? Are you talking about sidereal or stellar days? There’s an 8.4ms difference you know.
Excluding some specific situations relating more to astronomy, when someone talks about 24 hours a day it is implied it is the “mean solar day” that’s referenced since all our timekeeping, calendars and speech are based on that.
And I have to ask, who are you talking about?
What I liked the best...
What I liked the best was how Hegseth is so clueless that he’s saying ‘we are secure on OPSEC’ on an insecure system right as he’s giving out secret details. He’s breaking “OPSEC” while bragging about how it’s still good… and he’s the one breaking it.
Totally clueless – a perfect example of Dunning-Kruger in real life.
Well they were half right...
There’s a particular irony in watching an administration that campaigned against the “deep state” bureaucracy and “DEI hires” while promising to bring in only the “best people” install national security officials who can’t figure out basic privacy settings.
Turns out that Republicans were onto something when it came to complaining about people getting jobs for reasons other than their capabilities and qualifications for the job in question; the part they got wrong is who exactly those ‘DEI’ hires were/are.