SN 1025: Secure Conversation Records Retention - FBI Says to Toss Your Old Router

May 14, 2025 · 2 hr 44 min · Ep. 1025

Episode description

  • The state of Virginia passes an age-restriction law that has no chance.
  • New Zealand also tries something similar, citing Australia's lead.
  • A nasty Python package for Discord survived 3 years and 11K downloads.
  • The FBI says it's a good idea to discard end-of-life consumer routers.
  • What's in WhatsApp? Finding out was neither easy nor certain.
  • The UK's Cyber Centre says AI promises to make things much worse.
  • A bunch of great feedback from our great listeners, then:
  • Is true end-to-end encryption possible when records must be retained?

Show Notes - https://www.grc.com/sn/SN-1025-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free shows, a members-only Discord, and behind-the-scenes access. Join today: https://twit.tv/clubtwit

Transcript

The TeleMessage Signal Controversy

May 16th 2025

AI-created, human-edited.


In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte dove deep into the growing controversy surrounding TeleMessage, an Israeli company offering messaging archive services that became the center of a significant security breach. The discussion illuminated the fundamental tension between true end-to-end encryption and the legal requirements many organizations face for records retention.

The story began with revelations that multiple U.S. government departments had been using TeleMessage's services to archive conversations from supposedly secure messaging apps like Signal. According to Gibson's analysis, three U.S. government departments banned TeleMessage after hackers breached the company's backend systems, exposing potentially sensitive communications.

"Customs and Border Protection confirmed on Wednesday that it uses at least one communication app made by the service, TeleMessage," Gibson noted, citing Wired's reporting. In response to the breach, CBP "immediately disabled TeleMessage as a precautionary measure."

What made this story particularly troubling was the discovery that despite TeleMessage's marketing claims of providing "end-to-end encrypted" services, their actual implementation fundamentally undermined the security that apps like Signal are designed to provide.

Gibson took time to clarify what genuine end-to-end encryption actually means, citing Wikipedia's definition:

"End-to-end encryption (E2EE) is a method of implementing a secure communication system where only communicating users can participate. No one else, including the system provider, telecom providers, internet providers, or malicious actors, can access the cryptographic keys needed to read or send messages."

The hosts emphasized that this standard means service providers should never, under any circumstances, have access to unencrypted content or the keys that could decrypt it.

After security researcher Micah Lee conducted a thorough technical analysis of TeleMessage's Android app, the fundamental security flaws became clear. As Gibson explained:

"The TeleMessage system is depositing the full plain text transcripts of all conversations conducted with the Signal protocol whenever using this app... It's sending everything you sent and received to Microsoft Outlook or any SMTP email account in the clear."

This revelation prompted Leo Laporte to ask the obvious question: "Why bother using Signal if you're going to use this?"

The hosts also clarified that despite claims from some listeners, TeleMessage's use had never actually been approved under the U.S. government's Federal Risk and Authorization Management Program (FedRAMP). Gibson expressed relief about this fact, noting that any app "which sends conversation plain text to any email servers specified by their users could never have possibly been considered safe or secure to use."

Rather than dismissing the entire concept of secure records retention, Gibson proposed an elegant alternative solution:

"The solution I've come up with... providing truly secure records retention for users of Signal and using only the official, unadulterated Signal app to deliver full, true, end-to-end encrypted conversation security would be for these individuals to add a secure government Signal bot to their conversations."

This Signal bot would:

  • Run in a secure facility
  • Auto-accept conversation invitations from authorized personnel
  • Passively receive and permanently archive all dialogue
  • Function as a silent observer named "Federal Records Retention"
  • Preserve the end-to-end encryption guarantees offered by the Signal protocol

Laporte noted that this approach aligns with existing federal protocols for classified communications, which should occur in Sensitive Compartmented Information Facilities (SCIFs) with appropriate logging and recording.

The conversation highlighted that despite technological solutions, human behavior often remains the weakest link in security systems. "The breaches often occur because humans don't follow correct procedure," Laporte observed.

This case serves as an important reminder that security isn't just about implementing the right technologies—it's about ensuring those technologies are used correctly and that security claims are thoroughly vetted before being trusted with sensitive communications.

For enterprises looking to balance security with compliance requirements, the takeaway is clear: true end-to-end encryption and records retention can coexist, but implementation matters enormously. Solutions should be carefully evaluated to ensure they don't compromise security in the name of convenience or compliance.

As Gibson concluded, "In retrospect, this seems like such an obvious solution for the secure archiving of secure messaging that I'm surprised such a service doesn't already exist."
