Confide app used by White House staff not as secure as claimed, report suggests

Confide -- a messaging app being used by some White House staff and reporters, and available for Apple's iPhone and Mac among other platforms -- may not be sufficiently secure, according to a new report.




The phone numbers of two high-level White House officials -- press secretary Sean Spicer, and director of strategic communications Hope Hicks -- were discovered through a feature in the app that lets people find friends who have already joined, BuzzFeed News said. Spicer in fact confirmed his use of Confide in a call with BuzzFeed, calling their story "an invasion of my privacy." He insisted, however, that he only sent one message several months ago at the request of a reporter, and that he uses a separate phone for official White House business.

The number listed for Hicks was unreachable, but a source within Confide suggested that she could have deleted the app months ago. The company's policy is to keep users listed even after they delete an account, the source said.

A security expert told BuzzFeed that while read messages are deleted immediately on a person's device, they're kept for up to a week on Confide's servers, and the company is also saving metadata. If exposed legally or otherwise, this could at least be used to identify how often a person is sending messages and to whom.

Another issue is that Confide doesn't make its code public or identify which brand of encryption it uses. A researcher with Kudelski Security, Jean-Philippe Aumasson, indicated that the app relies on the OpenSSL library, some versions of which are known to be vulnerable to hacking.

The Washington Post recently said that White House staff are using Confide to avoid being blamed for a stream of leaks to the media, something allegedly being scrutinized in an investigation ordered by U.S. President Donald Trump.

Other reports said that the app is popular with journalists at the White House, as well as a number of people in the Republican Party worried they could fall prey to the same sort of hacking that victimized the Democrats during last year's election campaign.

Comments

  • Reply 1 of 29
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
  • Reply 2 of 29
    steven n. said:
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
    If it's open, that can in theory make it better subject to testing and scrutiny.
  • Reply 3 of 29
    Soli, Posts: 2,316, member
    steven n. said:
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
    I gave you a Like because I agree with your overall sentiment, but I also wouldn't use* one of these apps unless it was open source because I want to be able to read forensic reports from developer communities to help be fairly certain that the developers aren't storing the data. Of course, if the data get routed through one of their servers who the hell knows what could be going on.

    * I've never used nor do I expect to use one of these apps. For starters, anything sent could just be saved with a screenshot on the other end, so the best it could do is probably just hide your name, assuming you didn't use RealPOTUSSteveBannon.
    edited February 17
  • Reply 4 of 29
    mtbnut, Posts: 142, member
    Putin's reading through all those "secure" chats as we speak. 


  • Reply 5 of 29
    Other reports said that the app is popular with journalists at the White House, as well as a number of people in the Republican Party worried they could fall prey to the same sort of hacking that victimized the Democrats during last year's election campaign.
    By this point it should be obvious to everyone that any communication can potentially result in someone else gaining access to that communication. Some devices are more secure than others and we should aim for maximum security, but we really have no idea what devices 'hackers' may have already successfully defeated the security of or what they'll be able to do in the future. We should weigh the pros and cons and act accordingly.
  • Reply 6 of 29
    maestro64, Posts: 3,263, member
    steven n. said:
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?


    That is because the open source community feel they are better equipped to find issues and as a group also fix them. But I also work for a networking equipment manufacturer and we did not allow use of open source or any libraries which were not internally developed. Why? For security reasons. We did not want the product software to contain code which people outside the company had knowledge of.

    With that said, when are these people going to learn, if you do not want people to know what you are doing never write it down, and do all your dirty work in person. I personally only document facts in Emails and such, everything else it is in a personal conversation, this way I can always deny what was said since it was never written down.

    As I told my kids, if they are ever doing something they should not be doing, and someone pulls out a phone and begins recording, get yourself out of there. I told them I did lots of things when I was younger and no one can prove it since it's not written down, no pictures, and my friends' memory is far worse than mine.

  • Reply 7 of 29
    steven n. said:
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
    If it's open, that can in theory make it better subject to testing and scrutiny.

    For systems with closed source there are other certifications people can also feel better about such as being FIPS Validated (Federal Information Processing Standards) or having a Common Criteria Certificate which you need for a CSfC (Consumer Solutions for Classified) listing.
  • Reply 8 of 29
    steven n. said:
    "Another issue is that Confide doesn't make its code public"????

    That is an issue? Seriously? Does everything have to be "open source" or it's an issue?
    If it's open, that can in theory make it better subject to testing and scrutiny.
    That argument is so bloody meaningless it's not even funny... ALL of the most virulent and deadly hacks now proliferating the Internet are targeting anything Linux based, including Android, platforms "open to inspection and thus more secure"...

    Yeah, better scrutiny and testing a monkey's ass!
  • Reply 9 of 29
    mtbnut said:
    Putin's reading through all those "secure" chats as we speak. 


    He doesn't have to listen.   He's already CC'd on anything of importance.
  • Reply 10 of 29
    I find this hilarious!
    Republicans have spent the last 4 years and tens of millions of dollars attacking Hillary's use of non-government systems -- and within the first month, they are doing the same!   I wonder who will investigate THEM?
  • Reply 11 of 29
    Interesting this thread hasn't been locked yet.  :o
  • Reply 12 of 29
    Soli, Posts: 2,316, member
    I find this hilarious!
    Republicans have spent the last 4 years and tens of millions of dollars attacking Hillary's use of non-government systems -- and within the first month, they are doing the same!   I wonder who will investigate THEM?
    Since Paul Ryan is their lapdog there is little chance this will happen.
  • Reply 13 of 29
    I wonder, now that Hillary is out of the way, if Julian Assange happens to possess other emails or documents that he might want to leak, in order to balance his karma, so to speak.
  • Reply 14 of 29
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
  • Reply 15 of 29
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
    Because nearly every thread posted by AI with a political component and not posted under Political Outsider recently has been suddenly and without warning locked, regardless of the civility of the posters. Not by you, mind you.

    Just a few random examples:
    http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
    http://forums.appleinsider.com/discussion/comment/2933095/
    http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628

    That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
    edited February 18
  • Reply 16 of 29
    Soli, Posts: 2,316, member
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
    Because nearly every thread posted by AI with a political component and not posted under Political Outsider recently has been suddenly and without warning locked, regardless of the civility of the posters. Not by you, mind you.

    Just a few random examples:
    http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
    http://forums.appleinsider.com/discussion/comment/2933095/
    http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628

    That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
    You're not seeing the ad hominem posts that he removed.
  • Reply 17 of 29
    Soli said:
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
    Because nearly every thread posted by AI with a political component and not posted under Political Outsider recently has been suddenly and without warning locked, regardless of the civility of the posters. Not by you, mind you.

    Just a few random examples:
    http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
    http://forums.appleinsider.com/discussion/comment/2933095/
    http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628

    That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
    You're not seeing the ad hominem posts that he removed.
    Fair enough. But if AI is the source of the original post, shouldn't they put the story under Political Outsider to begin with? A political story invites political comments.
  • Reply 18 of 29
    I wonder, now that Hillary is out of the way, if Julian Assange happens to possess other emails or documents that he might want to leak, in order to balance his karma, so to speak.
    because leaks for Trump are good and leaks against are double plus bad
    "Boy, I love reading those WikiLeaks!" -- Nov. 4, 2016
    "Russia, if you're listening, I hope you're able to find the 30,000 emails that are missing," 
    but suddenly as the leaks go against the so-called presidential viewpoint
    Papers are being leaked, things are being leaked, It’s criminal actions ... and it’s been going on for a long time -- before me.
    it's all fake news ... honest guvnor!
  • Reply 19 of 29
    Soli, Posts: 2,316, member
    Soli said:
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
    Because nearly every thread posted by AI with a political component and not posted under Political Outsider recently has been suddenly and without warning locked, regardless of the civility of the posters. Not by you, mind you.

    Just a few random examples:
    http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
    http://forums.appleinsider.com/discussion/comment/2933095/
    http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628

    That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
    You're not seeing the ad hominem posts that he removed.
    Fair enough. But if AI is the source of the original post, shouldn't they put the story under Political Outsider to begin with? A political story invites political comments.
    And they allow political posts on political stories until the comments stay on track regarding a discussion about the politics of the story. If it jumps into recursive "You're a ******* for supporting x" then I understand why they shut it down.
    edited February 18
  • Reply 20 of 29
    Soli said:
    Soli said:
    Interesting this thread hasn't been locked yet.  :o
    Why would it be? You guys are being civil to each other.
    Because nearly every thread posted by AI with a political component and not posted under Political Outsider recently has been suddenly and without warning locked, regardless of the civility of the posters. Not by you, mind you.

    Just a few random examples:
    http://forums.appleinsider.com/discussion/198480/apple-weighing-legal-action-against-trump-immigration-ban-to-match-employee-donations-to/p2
    http://forums.appleinsider.com/discussion/comment/2933095/
    http://forums.appleinsider.com/discussion/comment/2932628/#Comment_2932628

    That last one was the weirdest, since there were no actual comments posted, the thread was simply locked. As a result of me posting this response I fully expect my post and comments to be deleted.
    You're not seeing the ad hominem posts that he removed.
    Fair enough. But if AI is the source of the original post, shouldn't they put the story under Political Outsider to begin with? A political story invites political comments.
    And they allow political posts on political stories until the comments stay on track regarding a discussion about the politics of the story. If it jumps into recursive "You're a ******* for supporting x" then I understand why they shut it down.
    Why not simply publicly or privately warn or "punish" the offender instead? Are there really that many posters incapable of civil discourse?