Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

A United States Customs and Border Protection request for information this week revealed the agency’s plans to find vendors that can supply face recognition technology for capturing data on everyone entering the US in a vehicle like a car or van, not just the people sitting in the front seat. And a CBP spokesperson later told WIRED that the agency also has plans to expand its real-time face recognition capabilities at the border to detect people exiting the US as well—a focus that may be tied to the Trump administration’s push to get undocumented people to “self-deport” and leave the US.

WIRED also shed light this week on a recent CBP memo that rescinded a number of internal policies designed to protect vulnerable people—including pregnant women, infants, the elderly, and people with serious medical conditions—while in the agency’s custody. Signed by acting commissioner Pete Flores, the order eliminates four Biden-era policies.

Meanwhile, as the ripple effects of “SignalGate” continue, the communication app TeleMessage suspended “all services” pending an investigation after former US national security adviser Mike Waltz inadvertently called attention to the app, which subsequently suffered data breaches in recent days. Analysis of TeleMessage Signal’s source code this week appeared to show that the app sends users’ message logs in plaintext, undermining the security and privacy guarantees the service promised. After data stolen in one of the TeleMessage hacks indicated that CBP agents might be users of the app, CBP confirmed its use to WIRED, saying that the agency has “disabled TeleMessage as a precautionary measure.”

A WIRED investigation found that US director of national intelligence Tulsi Gabbard reused a weak password for years on multiple accounts. And researchers warn that an open source tool known as “easyjson” could be an exposure for the US government and US companies, because it has ties to the Russian social network VK, whose CEO has been sanctioned.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s Deportation Airline Hack Reveals Man “Disappeared” to El Salvador**

Hackers this week revealed they had breached GlobalX, one of the airlines that has come to be known as “ICE Air” thanks to its use by the Trump administration to deport hundreds of migrants. The data they leaked from the airline includes detailed flight manifests for those deportation flights—including, in at least one case, the travel records of a man whose own family had considered him “disappeared” by immigration authorities and whose whereabouts the US government had refused to divulge.

On Monday, reporters at 404 Media said that hackers had provided them with a trove of data taken from GlobalX after breaching the company’s network and defacing its website. “Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a message the hackers posted to the site read. That stolen data, it turns out, included detailed passenger lists for GlobalX’s deportation flights—including the flight to El Salvador of Ricardo Prada Vásquez, a Venezuelan man whose whereabouts had become a mystery to even his own family as they sought answers from the US government. US authorities had previously declined to tell his family or reporters where he had been sent—only that he had been deported—and his name was even excluded from a list of deportees leaked to CBS News. (The Department of Homeland Security later stated in a post to X that Prada was in El Salvador—but only after a New York Times story about his disappearance.)

The fact that his name was, in fact, included all along on a GlobalX flight manifest highlights just how opaque the Trump administration’s deportation process remains. According to immigrant advocates who spoke with 404 Media, it even raises questions about whether the government itself had deportation records as comprehensive as the airline whose planes it chartered. “There are so many levels at which this concerns me. One is they clearly did not take enough care in this to even make sure they had the right lists of who they were removing, and who they were not sending to a prison that is a black hole in El Salvador,” Michelle Brané, executive director of immigrant rights group Together and Free, told 404 Media. “They weren't even keeping accurate records of who they were sending there.”

**The Computer of a DOGE Staffer With Sensitive Access Reportedly Infected With Malware**

Elon Musk’s so-called Department of Governmental Efficiency has raised alarms not just due to its often reckless cuts to federal programs, but also the agency’s habit of giving young, inexperienced staffers with questionable vetting access to highly sensitive systems. Now security researcher Micah Lee has found that Kyle Schutt, a DOGE staffer who reportedly accessed the financial system of the Federal Emergency Management Agency, appears to have had infostealer malware on one of his computers. Lee discovered that four dumps of user data stolen by that kind of password-stealing malware included Schutt’s passwords and usernames. It’s far from clear when Schutt’s credentials were stolen, for what machine, or whether the malware would have posed any threat to any government agency’s systems, but the incident nonetheless highlights the potential risks posed by DOGE staffers’ unprecedented access.

**Grok AI Will “Undress” Women in Public on X**

Elon Musk has long marketed his AI tool Grok as a more freewheeling, less restricted alternative to other large language models and AI image generators. Now X users are testing the limits of Grok’s few safeguards by replying to images of women on the platform and asking Grok to “undress” them. While the tool doesn’t allow the generation of nude images, 404 Media and Bellingcat have found that it repeatedly responded to users’ “undress” prompts with pictures of women in lingerie or bikinis, posted publicly to the site. In one case, Grok apologized to a woman who complained about the practice, but the feature has yet to be disabled.

**A Hacked School Software Company Paid a Ransom—but Schools Are Still Being Extorted**

This week in don’t-trust-ransomware-gangs news: Schools in North Carolina and Canada warned that they’ve received extortion threats from hackers who had obtained students’ personal information. The likely source of that sensitive data? A ransomware breach last December of PowerSchool, one of the world’s biggest education software firms, according to NBC News. PowerSchool paid a ransom at the time, but the data stolen from the company nonetheless appears to be the same info now being used in the current extortion attempts. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool told NBC News in a statement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

**A Notorious Deepfake Porn Site Shuts Down After Its Creator Is Outed**

Since its creation in 2018, MrDeepFakes.com grew into perhaps the world’s most infamous repository of nonconsensual pornography created with AI mimicry tools. Now it’s offline after the site’s creator was identified as a Canadian pharmacist in an investigation by CBC, Bellingcat, and the Danish news outlets Politiken and Tjekdet. The site’s pseudonymous administrator, who went by DPFKS on its forums and created at least 150 of its porn videos himself, left a trail of clues in email addresses and passwords found on breached sites that eventually led to the Yelp and Airbnb accounts of Ontario pharmacist David Do. After reporters approached Do with evidence that he was DPFKS, MrDeepFakes.com went offline. “A critical service provider has terminated service permanently. Data loss has made it impossible to continue operation,” reads a message on its homepage. “We will not be relaunching.”

ICE’s Deportation Airline Hack Reveals Man ‘Disappeared’ to El Salvador

A CBP spokesperson tells WIRED that the agency plans to expand its program for real-time face recognition at the border, potentially aiding Trump administration efforts to track people who self-deport.

United States Customs and Border Protection plans to log every person leaving the country by vehicle by taking photos at border crossings of every passenger and matching their faces to their passports, visas, or travel documents, WIRED has learned.

The escalated documentation of travelers could be used to track how many people are self-deporting, or leave the US voluntarily, which the Trump administration is fervently encouraging to people in the country illegally.

CBP exclusively tells WIRED, in response to an inquiry to the agency, that it plans to mirror the current program it’s developing—photographing every person entering the US and match their faces with their travel documents—to the outbound lanes going to Canada and Mexico. The agency currently does not have a system that monitors people leaving the country by vehicle.

“Although we are still working on how we would handle outbound vehicle lanes, we will ultimately expand to this area,” CBP spokesperson Jessica Turner tells WIRED.

Turner could not provide a timeline on when CBP would begin monitoring people leaving the country by vehicle.

She tells WIRED that CBP currently matches photos of people coming into the country with “all documented photos, i.e., passports, visas, green cards, etc,” and adds that all “alien/non-US citizens encounter photos taken at border crossing” are stored by CBP. “The encounter photos can be used for subsequent crossings to verify identity,” Turner says. She did not specify whether CBP may integrate additional photos or data sources in the future.

When asked, Turner says it’s not currently evident that a purpose of the outbound face-matching system would be tracking self-deporations. “Not to say it won't happen in the future, though, with the way self-deportation is going,” Turner says. She later adds that the goal of an outbound system would be to “biometrically confirm departure from the US.” This differs from the purpose of tracking people coming into the US, she says, which also considers the “purpose and intent” of entering the country.

WIRED reported this week that CBP recently asked tech companies to send pitches on how they would ensure every single person entering the country by vehicle, including people two or three rows back, would be instantly photographed and matched with their travel documents. CBP has struggled to do this on its own. The results of a 152-day test of this system, which took place at the Anzalduas border crossing between Mexico and Texas, showed that the cameras captured photos of everyone in the car that met “validation requirements” for face-matching just 61 percent of the time.

Currently, neither CBP nor Immigration and Customs Enforcement have any publicly known tools for tracking self-deportations, aside from an ICE app that allows people to tell the agency when they leave the country.

Last month, ICE announced that it is paying the software company Palantir $30 million to build a tool called ImmigrationOS that would give the agency “near real-time visibility” on people self-deporting from the US, with the goal of having accurate numbers on how many people are doing so, according to a contract justification published a few days later.

When asked, CBP would not confirm or deny whether its monitoring of outbound vehicles would or could be integrated with ImmigrationOS. “CBP does not use Palantir Technologies,” Turner says. (CBP has paid for Palantir services three times, with the last payment in 2013.)

ICE has not specified where Palantir would get the data to power the ImmigrationOS. However, the agency notes that Palantir could create ImmigrationOS by configuring the case management system that the company has provided to ICE since 2014.

This case management system integrates all of the information ICE may have about a person from investigative records or government databases, according to a government privacy assessment published in 2016. At the time of the assessment, it stored information about people’s physical attributes—like hair and eye color, height and weight, and any scars or tattoos—as well as any "location-related data” from “covert tracking devices” and any data from license plate readers, which can provide a detailed travel history.

DHS noted in a 2024 report that CBP has struggled to get biometric data from people leaving the country over land—meaning, people traveling via "cars, trains, buses, bicycles, trucks, and on foot.” The report says that CBP wants to create a “biometric-based departure program” to monitor when people considered aliens leave the country, which DHS notes is required under US law.

The Trump administration is strongly encouraging self-deportation. In March, the Department of Homeland Security revoked the legal status of more than half a million people from Cuba, Haiti, Nicaragua, and Venezuela who were given temporary parole to stay in the US due to instability in their home countries. A judge temporarily blocked the move, but the government is challenging this in court.

In April, the Social Security Administration listed more than 6,000 of these people who had temporary parole as dead, as a way of effectively ending their financial lives in the US. DHS also sent emails to an unknown number of people claiming that their legal parole had been revoked and demanding them to self-deport. Then, this week, the Trump administration offered to pay people in the country illegally $1,000 for a plane ticket to self-deport.

_Updated 2:25 pm ET, May 9, 2025: Added additional details provided by CBP._

US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car

CBP’s acting commissioner has rescinded four Biden-era policies that aimed to protect vulnerable people in the agency’s custody, including mothers, infants, and the elderly.

US Customs and Border Protection (CBP) has quietly rescinded several internal policies that were designed to protect some of the most vulnerable people in its custody—including pregnant women, infants, the elderly, and people with serious medical conditions.

The decision, outlined in a memo dated May 5 and signed by acting commissioner Pete Flores, eliminates four Biden-era policies enacted over the last three years. These policies were intended to address CBP’s long-standing failures to provide adequate care for detainees who are most at risk—failures that have, in some cases, proved fatal.

The May 5 memo was distributed internally to top agency leadership but was not announced publicly.

CBP justified the rollback by stating in the memo–titled Rescission of Legacy Policies Related to Care and Custody–that the policies were “obsolete” and “misaligned” with the agency’s current enforcement priorities.

Together, the now rescinded policies laid out standards for detainees with heightened medical needs—requiring, for instance, access to water and food for pregnant people, ensuring privacy for breastfeeding mothers, and mandating diapers and unexpired formula be stocked in holding facilities. They also instructed agents to process at-risk individuals as quickly as possible to limit time in custody.

“It's appalling and it's just an extension of the culture of cruelty that the administration is trying to perpetrate,” says Sarah Mehta, deputy director of government affairs for the ACLU’s Equality Division. Rescinding the policies, she says, “is a damning statement about the way that this administration thinks and cares about people with young children.”

CBP did not immediately respond to WIRED’s request for comment.

One of the world’s largest law enforcement agencies, CBP is primarily responsible for apprehending and detaining individuals who cross the US border without authorization. While Immigration and Customs Enforcement (ICE) oversees longer-term detention and deportation proceedings, CBP handles the earliest stages of custody, when migrants are held and processed in short-term facilities that have repeatedly drawn criticism for poor medical care and overcrowding

In January the Senate Judiciary Committee issued a damning report revealing dysfunction in CBP's medical operations. The investigation revealed chronic understaffing, improper use of medical record systems, and vague or nonexistent guidance for treating children, pregnant individuals, and others with complex medical needs.

The report was prompted by the death of 8-year-old Anadith Danay Reyes Álvarez, who died in May 2023 at a CBP facility in Harlingen, Texas. The Panamanian girl, who had a known history of heart problems and sickle cell anemia, reportedly pleaded for help along with her mother. Both were ignored. She died in custody, her final hours spent in a facility whose staff were unequipped—and seemingly unwilling—to provide critical care.

“Just last week in letters to the Trump administration, I raised serious concerns about transparency, accountability, and the humane treatment of detained individuals, particularly in light of repeated reports of detainee mistreatment and inadequate medical care,” US senator Dick Durbin, chairman of the Senate Judiciary Committee, tells WIRED. “Instead of taking actions to course-correct, the Trump administration rescinded several internal policies aimed at protecting some of the most vulnerable individuals in CBP custody—including pregnant women, children, the elderly, and those with serious medical conditions. This is unacceptable. We are a nation of values, and these values should be represented in the care of vulnerable people in our government’s custody.”

Policy reversals have come to define the Trump administration's immigration tactics, from attempts to revoke the status of 500,000 immigrants from Cuba, Haiti, Nicaragua, and Venezuela living legally in the US to purging student visas. In January, a day after President Donald Trump's inauguration, the Department of Homeland security reversed a Biden-era policy that forbade ICE and CBP officers from arresting people in "protected areas," including schools, places of worship, and hospitals.

As the number of people held in ICE detention has climbed–reaching roughly 47,928 in April, according to the Transactional Records Access Clearinghouse–apprehensions at the southern US border have fallen sharply, dropping to levels not seen in decades.

CBP says that its personnel will continue to follow broader standards under the National Standards on Transport, Escort, Detention, and Search (TEDS), and remain bound by the Flores agreement, which requires that children be given safe and sanitary quarters. The Trump administration has previously argued that the original settlement does not require that children be allowed to sleep or wash themselves with soap.

US Customs and Border Protection Quietly Revokes Protections for Pregnant Women and Infants

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

In the wake of SignalGate, a knockoff version of Signal used by a high-ranking member of the Trump administration was hacked. Today on Uncanny Valley, we discuss the platforms used for government communications.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.

When former national security adviser Mike Waltz had a picture taken of him last week, he didn’t expect for the whole world to see that he was using TeleMessage, a messaging app similar to Signal. Now the app has been hacked, with portions of data linked to government entities like Customs and Border Protection (CBP) and companies like Coinbase. Today on the show, we’re joined by WIRED senior writer Lily Hay Newman to discuss what this incident tells us about the growing vulnerabilities in government communications.

Articles mentioned in this episode:  
**Mike Waltz Has Somehow Gotten Even Worse at Using Signal**, by Lily Hay Newman  
**The Signal Clone the Trump Admin Uses Was Hacked** , by Joseph Cox and Micah Lee  
**The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats**, by Lily Hay Newman

You can follow Zoë Schiffer on Bluesky at @zoeschiffer and Lily Hay Newman on Bluesky at @lhn. Write to us at uncannyvalley@wired.com.

**How to Listen**

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “Uncanny Valley.” We’re on Spotify too.

**Transcript**

_Note: This is an automated transcript, which may contain errors._

**Zoë Schiffer:** Hi, this is Zoë. Before we start, I want to take the chance to remind you that we want to hear from you. If you have tech-related questions that have been on your mind or a topic that you wish we'd cover, write to us at uncannyvalley@WIRED.com. And if you listen to and enjoy the show, please rate it and leave a review on your podcast app of choice. It really honestly makes a difference. Welcome to WIRED's _Uncanny Valley_. I'm WIRED's director of business and industry, Zoë Schiffer. Today on the show, the hacking scandal surrounding TeleMessage, the knockoff version of Signal, which is used by at least one high-ranking member of the Trump administration. The app has temporarily suspended its services while it investigates the incident. We're going to talk about how former national security adviser Mike Waltz was seen last week using the app in a cabinet meeting and what this latest incident tells us about the growing vulnerabilities in government communication. I'm joined by Lily Hay Newman, senior writer at WIRED. Lily, welcome to the show.

**Lily Hay Newman:** It's a pleasure to be here.

**Zoë Schiffer:** What exactly is TeleMessage?

**Lily Hay Newman:** Yeah. So TeleMessage is a company that's been around since the late ’90s. It was founded in Israel, and it creates apps that are sort of mirror images or clones of existing communication apps, and then adds in an archiving feature. So this is especially perhaps wanted for apps that are securing communications, such that it's difficult to retain copies of the messages. So if you need copies for compliance or you need a record, the idea is that these services are giving the same functionality as apps you know, like WhatsApp or Telegram or Signal, but with the addition of these archiving features.

**Zoë Schiffer:** And that's important, obviously, for people who work in government because, technically, members of the press and other people are supposed to be allowed to access a lot of the communications that aren't classified by submitting Freedom of Information Act requests. And you can't do that if the messages are disappearing.

**Lily Hay Newman:** Correct. There are record retention laws in the US and other countries for transparency and information requests, as you said. But historically, the way governments and other institutions have complied with that is by using communication platforms that are built for the purpose of government communications, tailor-built to be in compliance in a number of ways. So all of this is coming up because now the Trump administration in recent months has been sort of departing from the standard ways that officials in the US have communicated to use consumer platforms, particularly the secure messaging platform Signal, to talk to each other, but doing so in a very ad hoc consumer way like in the same way that you and I would set up a Signal conversation. That's what they've been doing, and that's where you get into this whole question of how do you comply with records requirements. How do you comply with safety requirements when you're just kind of using off-the-shelf tech in a regular way? And so that's where TeleMessage comes in.

**Zoë Schiffer:** Well, it seems like one of the people, as we mentioned earlier, who was using TeleMessage was Mike Waltz, the now former national security adviser, who at this point is best known for starting that infamous Signal group chat a few weeks back that accidentally added a senior member of The Atlantic Newsroom. How did we find out that he was using TeleMessage in the first place?

**Lily Hay Newman:** So his screen, the screen of his phone, was sort of inadvertently captured in a photo of a cabinet meeting, a Reuters photo, that Mike Waltz was participating in, was sitting at the table with Trump and a number of officials. The photo is a bit funny because it seems like he thinks no one can see him using his phone, or he is kind of checking his phone. I mean, we've all been there, looking under the conference table at our phone. But additionally, his screen shows what appears to be Signal. So we're really going, zooming in deep into this photo, right. We're looking over his shoulder at his phone. Now we're seeing this notification. And then in the notification, instead of the normal words that would be there, people noticed that the Signal … where it would normally say Signal, was being referred to as TM Signal. And that's how people realized that, actually, he was using this other app called TeleMessage.

**Zoë Schiffer:** Got it. Yeah. Nothing makes me love reporters more than the absolute psychotic behavior of zooming in on a tiny little phone screen to be like, “What exactly is going on here?” But kudos to 404 Media, because I think they were the first ones to point that out. You wrote in a recent WIRED article that Mike Waltz has inexplicably gotten even worse at using Signal. So, I guess what did you mean by that? How is he getting worse at using this end-to-end encrypted app?

**Lily Hay Newman:** This whole revelation about his use of TM Signal is building on this previous situation called Signal Gate. Mike Waltz was the person who inadvertently added Jeffrey Goldberg, the top editor of The Atlantic, to the chat. And so already Mike Waltz was not having a great track record, and then disappearing messages were on the whole time. And so, one of the many criticisms was that this was not in compliance with government record-retention laws. So we don't know this, but presumably then he started using TM Signal as a solution to that aspect of the issues raised. But I just want to be clear. We don't know. It could be that they were already using it, or he was already using TM Signal at the time. I'm not sure. But one might suspect that hearing some of this criticism, he was like, “OK, let me find a solution that does retain records and does have an archiving feature.” And that's where TeleMessage would come in.

**Zoë Schiffer:** So the national security advisoer sets up this group chat, presumably not in compliance, then switches to one that looks like it might be in compliance, and then that version is promptly hacked. Do we know at this point who is behind the hacking?

**Lily Hay Newman:** More and more is coming out about potential hacks of TeleMessage or sort of ability to intercept messages and see messages in memory. First, 404 Media and Micah Lee published a piece with an unnamed hacker providing evidence that they could breach TeleMessage. And then, on Monday, NBC News published an additional report with an additional unnamed hacker. So clearly there's a lot of insecurity here. And the criticism of TM Signal from this company, TeleMessage, is that it claims to have all the same security features as real Signal and to sort of preserve that, and just add on this archiving feature. But, definitionally, adding in the archiving feature breaks Signal security. The way signal is designed and other end-to-end encrypted apps like WhatsApp, when you add in this other party, it's virtually impossible that the security guarantees could be preserved. And then, on top of that, it seems like from source code review that's starting to come out, and research that's starting to happen, and analysis into TM Signal, that actually it's just not constructed in a very secure way at all. So, just a lot of layers to get to the point, which is that this was a wildly insecure app for Mike Waltz to be using, sitting at a table with the top cabinet members and the president of the United States. It's wild.

**Zoë Schiffer:** We're going to get into what exactly was accessed in this hack. But before we do that, we're going to take a short break.

\[_break_\]

**Zoë Schiffer:** We are back. So let's get into what exactly was accessed when it looks like multiple hackers were able to break into TM Signal, which was being used by at least one member of the Trump administration.

**Lily Hay Newman:** So far, these researchers, what they've shown is that some messages, sometimes at least, are being sent to the archiving server in plain text, meaning they are readable. That's precisely what a platform like genuine Signal is trying to avoid. And so that's what's happening. So these were sort of fragments or pieces or whole messages, but not whole conversations, things like that, so far. One thing that 404 Media reported on from these leaks was evidence that US Customs and Border Patrol agents have been using TM Signal. It's not totally clear what's going on with this. WIRED reached out to CBP. We've been trying to get clarification on what this leaked data means. There seem to be confirmed CBP phone numbers associated with these accounts that came out of this breach. CBP has told WIRED just that they're looking into it. But that's an example that is really concerning, it would potentially show that this app is in wider use across other agencies in the US government.

**Zoë Schiffer:** Is there a national security concern with the fact that this app was developed in Israel, regardless of the fact that it was acquired by a US company recently?

**Lily Hay Newman:** The thing is, even without getting into any specific geopolitics, the point of the protocols that exist for the US government to use its own purpose-built communication platforms is that any and all foreign governments conduct espionage. The US does it. Everyone does it. So, for your most sacred and sensitive national communication, you want to do that on a platform that you completely control, that you have built and vetted yourself, and just all parameters are controlled by you. You don't want to involve any other parties. So Israeli espionage groups are known for being very aggressive, very innovative, very cunning. So, for that reason, particularly, perhaps it's a concern that TeleMessage was founded in the country and has those ties. But just in general, regardless of what country it is, I think it's important conceptually to understand that it doesn't make sense to use the app in this way.

**Zoë Schiffer:** After this reporting came out, TeleMessage has paused or stopped its services. What's the status of the company right now?

**Lily Hay Newman:** Right. So clearly, they have concerns, and their parent company, Smarsh, has concerns about these findings as well. They say that they are investigating a potential breach and have employed a third-party firm to help them with that. And they've taken down all the content from the TeleMessage website and paused TeleMessage operations, essentially. So they say it's a pause and pending the investigation, but a pretty big reaction here to these findings.

**Zoë Schiffer:** That's a good place to end it. When we come back, we'll share our recommendations for what to check out on WIRED.com this week. Welcome back to _Uncanny Valley_. I'm Zoë Schiffer, WIRED's director of business and industry. I'm joined today by WIRED senior writer Lily Hay Newman. Before we take off, Lily, tell our listeners what they absolutely have to read on WIRED this week.

**Lily Hay Newman:** I'm just fascinated by this story by our colleague Caroline Haskins. US border agents are asking for help taking photos of everyone entering the country by car. And this is, we're just continuing our CBP discussions for today. CBP has apparently released a request for information seeking pitches, essentially for companies to help them do vehicle surveillance at the border and face recognition technology to see specifically who is in cars, not just the front seat. And I think it's really important for all of us to be aware of the extensive and expansive surveillance dragnet at the US border and all different types of US border crossings. The southern border of the US has long been known as sort of like a forefront of surveillance technology. And so it's dark, but interesting to hear that CBP feels like they don't yet have what they need to do this type of analysis and face recognition in cars, but that they want it, and they're trying to expand the analysis they can do on who is in every car.

**Zoë Schiffer:** Right. And it'll be interesting to see which company gets this contract. OK. Well, I wanted to flag a piece that we published yesterday by Paresh Dave and Kylie Robison. It's about OpenAI announcing that it is not, in fact, going to restructure its company to make the nonprofit arm not in control. In other words, the nonprofit arm is going to remain in control of the company. And this is a reversal of a prior announcement where it said it was going to become a public benefit corporation, likely to make fundraising easier. But after the plan was announced, the company got a ton of pushback from a variety of civic organizations and also Elon Musk, who was involved in the founding of the company before an acrimonious split in 2018. These groups don't usually agree on a lot, but they agreed on this, that becoming a for-profit company was in violation of OpenAI's founding mission. So we have a lot of good reporting on how people are taking this news and what it means for the future of the company. That's our show for today. We'll link to all the stories we spoke about in the show notes. Make sure to check out Thursday's episode of _Uncanny Valley_, which is about Trump's meme coin saga and the conflict of interest that come with it. Adriana Tapia produced this episode. Amar Lal at Macro Sound mixed this episode. Jordan Bell is our executive producer. Condé Nast's head of global audio is Chris Bannon. And Katie Drummond is WIRED's global editorial director.

The Trump Administration Sure Is Having Trouble Keeping Its Comms Private

A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.

The communication app TeleMessage Signal, used by at least one top Trump administration official to archive messages, has already reportedly suffered breaches that illustrate concerning security flaws and resulted in its parent company imposing a service pause this week pending investigation. Now, according to detailed new findings from the journalist and security researcher Micah Lee, TM Signal's archiving feature appears to fundamentally undermine Signal's flagship security guarantees, sending messages between the app and a user's message archive without end-to-end encryption, thus making users' communications accessible to TeleMessage.

Lee conducted a detailed analysis of TM Signal's Android source code to assess the app's design and security. In collaboration with 404 Media, he had previously reported on a hack of TM Signal over the weekend, which revealed some user messages and other data—a clear sign that at least some data was being sent unencrypted, or as plaintext, at least some of the time within the service. This alone would seem to contradict TeleMessage's marketing claims that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” But Lee says that his latest findings show that TM Signal is not end-to-end encrypted and that the company could access the contents of users' chats.

“The fact that there are plaintext logs confirms my hypothesis,” Lee tells WIRED. “The fact that the archive server was so trivial for someone to hack, and that TM Signal had such an incredible lack of basic security, that was worse than I expected.”

TeleMessage is an Israeli company that completed its acquisition last year by the US-based digital communications archiving company Smarsh. TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP.

Smarsh did not return WIRED's requests for comment about Lee's findings. The company said on Monday, “TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”

Lee's findings are likely significant for all TeleMessage users but have particular significance given that TM Signal was used by President Donald Trump's now-former national security adviser Mike Waltz. He was photographed last week using the service during a cabinet meeting, and the photo appeared to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and what appears to be US Secretary of State Marco Rubio. TM Signal is compatible with Signal and would expose messages sent in a chat with someone using TM Signal, whether all participants are using it or some are using the genuine Signal app.

Lee found that TM Signal is designed to save Signal communication data in a local database on a user's device and then send this to an archive server for long-term retention. The messages, he says, are sent directly to the archive server, seemingly as plaintext chat logs in the cases examined by Lee. Conducting the analysis, he says, “confirmed the archive server has access to plaintext chat logs.”

Data taken from the TeleMessage archive server in the hack included chat logs, usernames and plaintext passwords, and even private encryption keys.

In a letter on Tuesday, US senator Ron Wyden called for the Department of Justice to investigate TeleMessage, alleging that it is “a serious threat to US national security.”

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option,” Wyden wrote. “They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats. The security threat posed by TeleMessage Archiver is not theoretical.”

The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats

Now the US director of national intelligence, Gabbard failed to follow basic cybersecurity practices on several of her personal accounts, leaked records reviewed by WIRED reveal.

Tulsi Gabbard, the director of national intelligence, used the same easily cracked password for different online accounts over a period of years, according to leaked records reviewed by WIRED. Following her participation in a Signal group chat in which sensitive details of a military operation were unwittingly shared with a journalist, the revelation raises further questions about the security practices of the US spy chief.

WIRED reviewed Gabbard's passwords using databases of material leaked online created by the open-source intelligence firms District 4 Labs and Constella Intelligence. Gabbard served in Congress from 2013 to 2021, during which time she sat on the Armed Services Committee, its Subcommittee on Intelligence and Special Operations, and the Foreign Affairs Committee, giving her access to sensitive information. Material from breaches shows that during a portion of this period, she used the same password across multiple email addresses and online accounts, in contravention of well-established best practices for online security. (There is no indication that she used the password on government accounts.)

Two collections of breached records published in 2017 (but breached at some previous unknown date), known as “combolists,” reveal a password that was used for an email account associated with her personal website; that same password, according to a combolist published in 2019, was used with her Gmail account. That same password was used, according to records dating to 2012, for Dropbox and LinkedIn accounts associated with the email address tied to her personal website. According to records dating to 2018 breaches, she also used it on a MyFitnessPal account associated with a me.com email address and an account at HauteLook, a now-defunct ecommerce site then owned by Nordstrom.

Records of these breaches have been available online for years and are accessible in commercial databases.

The password associated with all of the accounts in question includes the word “shraddha,” which appears to have personal significance to Gabbard: Earlier this year, The Wall Street Journal reported that she had been initiated into the Science of Identity Foundation, an offshoot of the Hare Krishna movement into which she was reportedly born and which former members have accused of being a cult. Several former adherents told The Journal that they believe Gabbard received the name “Shraddha Dasi” when she was allegedly received into the group. Gabbard’s deputy chief of staff, Alexa Henning, responded to questions from The Journal at the time by posting them on X and accusing the news media of publicizing “Hinduphobic smears and other lies.”

“The data breaches you’re referring to occurred almost 10 years ago, and the passwords have changed multiple times since,” wrote Olivia Coleman, a Gabbard spokesperson, in response to questions from WIRED. “As our deputy chief of staff has already made clear on a number of occasions, the DNI has never and doesn’t have affiliation with that organization. Attempting to smear the DNI as being in a cult is bigoted behavior.“

“Your bigoted lies and smears of a cabinet member and your story fomenting hinduphobia is noted,” wrote Henning in response to a follow-up question about the probability of Gabbard’s password containing the same name she was reportedly received into Science of Identity Foundation with, given her denials that she has ever been affiliated with the group. “This was well litigated during her confirmation hearing so congrats on being about 6 months late to this story. Great job.”

Science of Identity did not respond to a request for comment.

Security experts advise people to never use the same password on different accounts precisely because people often do so. If a password for one account is revealed in a breach, hackers will often attempt to use it to access other accounts controlled by the same person. Reusing passwords is especially dangerous with email, because a compromised email account can be used to reset credentials for other accounts or systems.

The Cybersecurity Infrastructure and Security Agency, the top US government authority on digital security, advises members of the public to use a password manager to generate a different password of at least 16 characters, consisting of random strings of mixed-case numbers, letters, and symbols or at least four unrelated words, for every account they use.

As director of national intelligence, Gabbard oversees the 18 organizations comprising the US intelligence community, including the Central Intelligence Agency and the National Security Agency, and their budget of roughly $100 billion. By statute, she is the principal adviser to the president and the National Security Council on intelligence matters relating to national security, and so is charged with maintaining the security of much of the most sensitive information in the government. The Democratic National Committee, citing a 2019 statement that Syrian dictator Bashar al-Assad was “not the enemy of the United States,” news reports on the support she has enjoyed from Russian state media, and her ties to “conspiracy theorists,” has characterized Gabbard as a “direct threat to our national security.”

Gabbard addressed these criticisms during her Senate confirmation hearings in January.

“Those who oppose my nomination imply that I am loyal to something or someone other than God, my own conscience, and the constitution of the United States, accusing me of being Trump’s puppet, Putin’s puppet, Assad’s puppet, a guru’s puppet, Modi’s puppet, not recognizing the absurdity of simultaneously being the puppet of five different puppet masters,” she said. “The fact is, what truly unsettles my political opponents is I refuse to be their puppet.”

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years

Customs and Border Protection has called for tech companies to pitch real-time face recognition technology that can capture everyone in a vehicle—not just those in the front seats.

United States Customs and Border Protection is asking tech companies to send pitches for a real-time face recognition tool that would take photos of every single person in a vehicle at a border crossing, including anyone in the back seats, and match them to travel documents, according to a document posted in a federal register last week.

The request for information, or RIF, says that CBP already has a face recognition tool that takes a picture of a person at a port of entry and compares it to travel or identity documents that someone gives to a border officer, as well as other photos from those documents already “in government holdings.”

“Biometrically confirmed entries into the United States are added to the traveler’s crossing record,” the document says.

An agency under the Department of Homeland Security, CBP says that its face recognition tool “is currently operating in the air, sea, and land pedestrian environments.” The agency’s goal is to bring it to “the land vehicle environment.” According to a page on CBP’s website updated last week, the agency is currently “testing” how to do so. The RIF says that these tests demonstrate that while this face recognition tool has “improved,” it isn’t always able to get photos of every vehicle passenger, especially if they’re in the second or third row.

“Human behavior, multiple passenger vehicle rows, and environmental obstacles all present challenges unique to the vehicle environment,” the document says. CBP says it wants a private vendor to provide it with a tool that would “augment the passenger images” and “capture 100% of vehicle passengers.”

Dave Maass, director of investigations at the Electronic Frontier Foundation, received a document from CBP via public record request that reveals the results of a 152-day test the agency conducted on its port of entry face recognition system from late 2021 to early 2022. The document Maass obtained was first reported by The Intercept.

Maass said that what stood out to him were the error rates. Cameras at the Anzalduas border crossing at Mexico’s border with McAllen, Texas, captured photos of everyone in the car just 76 percent of the time, and of those people, just 81 percent met the “validation requirements” for matching their face with their identification documents.

The current iteration of the system matches a person’s photo to their travel documents in what’s known as one-to-one face recognition. The primary risk here, Maass says, is the system failing to recognize that someone matches their own documents. This differs from one-to-many face recognition, which police may use to identify a suspect based on a surveillance photo, where the primary risk is someone getting a false positive match and being falsely identified as a suspect.

Maass says it’s unclear whether CBP’s error rates primarily have to do with the cameras or the matching system itself. “We don't know what racial disparities, gender disparities, etc, come up with these systems,” he says.

As reported by The Intercept in 2024, the DHS's Science and Technology Directorate issued a request for information last August that’s similar to the one that CBP posted last week. However, the DHS document currently appears to be unavailable.

Maass adds that it’s important to remember that CBP’s push to widen and improve its surveillance isn’t unique to the current Trump administration.

“CBP surveillance strategy carries over from administration to administration—it always falls short, it always has vendor issues and contracting issues and waste issues and abuse issues,” Maass says. “What changes is often the rhetoric and the theater around it.”

DHS noted in a 2024 report that CBP has historically struggled to get “biographic and biometric” data from people leaving the country, particularly if they leave over land. This means it’s hard for it to track people self-deporting from the country, which is something the administration is encouraging hundreds of thousands of people to do. CBP’s recent request for information only mentions inbound vehicles, not outbound vehicles, meaning it’s currently not set up to use face recognition to track self-deporations.

CBP did not respond to WIRED’s request for comment.

CBP’s request for information comes less than three weeks after 404 Media revealed that Immigration and Customs Enforcement is paying the software company Palantir $30 million to build a platform that would allow the agency to perform “complete target analysis of known populations.” According to a contract justification published a few days later, the platform, called ImmigrationOS, would give ICE “near real-time visibility” on people self-deporting from the US, with the goal of having accurate numbers on how many people are doing so. However, ICE did not specify where it would get the data to power ImmigrationOS.

In the ICE document that justifies paying Palantir for ImmigrationOS, the agency does not specify where Palantir would get the data to power the tool. However, it does note that Palantir could create ImmigrationOS by configuring the case management system that the company has provided to ICE since 2014. This case management system integrates all of the information ICE may have about a person from investigative records or government databases, according to a government privacy assessment published in 2016.

It’s unclear if the system may have integrated new data sources over the past decade. But at the time of the assessment, the system stored information about someone’s physical attributes—like hair and eye color, height and weight, and any scars or tattoos—as well as any “location-related data” from “covert tracking devices,” and any data from license plate readers, which can provide a detailed history on where a person goes in their vehicle and when.

US Border Agents Are Asking for Help Taking Photos of Everyone Entering the Country by Car

The communications app TeleMessage, which was spotted on former US national security adviser Mike Waltz's phone, has suspended “all services” as it investigates reports of at least one breach.

The messaging app used by at least one top Trump administration official has suspended its services following reports of hackers stealing data from the app. Smarsh, TeleMessage’s parent company, says it is now investigating the incident.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

President Donald Trump's now-former national security adviser Mike Waltz was captured by a Reuters photographer last week using an unauthorized version of the secure communication app Signal—known as TeleMessage Signal or TM Signal—which allows users to archive their communications. Photos of Waltz using the app appear to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and US Secretary of State Marco Rubio.

Experts told WIRED on Friday that, by definition, TM Signal's archiving feature undermined the end-to-end encryption that makes the actual Signal communication app secure and private. 404 Media and independent journalist Micah Lee reported on Sunday that the app had been breached by a hacker. NBC News reported on Monday that it had reviewed evidence of an additional breach.

TeleMessage was founded in Israel in 1999 and was acquired last year by the US-based digital communications archiving company Smarsh. TeleMessage makes apparently unauthorized versions of popular communications apps that include archiving features for institutional compliance. But the company claims that its look-alikes have the same digital defenses as their legitimate counterparts, potentially giving users a false sense of security.

Waltz's app usage came under intense scrutiny last month after he appeared to have added the editor in chief of The Atlantic to a Signal group chat in which Trump administration officials discussed plans for a military operation. Dubbed SignalGate, the scandal ultimately preceded Waltz's ouster as national security adviser. President Trump said last week that he plans to nominate him to be ambassador to the United Nations.

TeleMessage apps are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP, and yet they seem to be proliferating. Leaked data reportedly from TM Signal indicates that multiple US Customs and Border Protection agents may be using the Signal look-alike. When asked about the breach and whether CBP officers use TM Signal, the agency told WIRED, “We're looking into this.”

After a number of reports by Lee and 404 Media over the weekend, TeleMessage removed all content from its website on Saturday and took down its archiving service on Sunday.

“We are committed to transparency and will share updates as we are able,” the Smarsh statement adds. “We thank our customers and partners for their trust and patience during this time.”

Since the revelation last week that Waltz appeared to be using TM Signal, experts have feared that information shared on the app could jeopardize US national security.

Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked

The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.

Since Russian troops invaded Ukraine more than three years ago, Russian technology companies and executives have been widely sanctioned for supporting the Kremlin. That includes Vladimir Kiriyenko, the son of one of Vladimir Putin’s top aides and the CEO of VK Group, which runs VK, Russia’s Facebook equivalent that has increasingly shifted towards the regime’s repressive positioning.

Now cybersecurity researchers are warning that a widely used piece of open source code—which is linked to Kiriyenko’s company and managed by Russian developers—may pose a “persistent” national security risk to the United States. The open source software (OSS), called easyjson, has been widely used by the US Department of Defense and “extensively” across software used in the finance, technology, and healthcare sectors, say researchers at security company Hunted Labs, which is behind the claims. The fear is that Russia could alter easyjson to steal data or otherwise be abused.

“You have this really critical package that’s basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history,” says Hayden Smith, a cofounder at Hunted Labs.

For decades, open source software has underpinned large swathes of the technology industry and the systems people rely on day to day. Open source technology allows anyone to see and modify code, helping to make improvements, detect security vulnerabilities, and apply independent scrutiny that’s absent from the closed tech of corporate giants. However, the fracturing of geopolitical norms and the specter of stealthy supply chain attacks has led to an increase in questions about risk levels of "foreign" code.

Easyjson is a code serialization tool for the Go programming language and is often used across the wider cloud ecosystem, being present in other open source software, according to Hunted Labs. The package is hosted on GitHub by a MailRu account, which is owned by VK after the mail company rebranded itself in 2021. The VK Group itself is not sanctioned. Easyjson has been available on Github since 2016, with most of its updates coming before 2020. Kiriyenko became the CEO of VK Group in December 2021 and was sanctioned in February 2022.

Hunted Labs’ analysis shared with WIRED shows the most active developers on the project in recent years have listed themselves as being based in Moscow. Smith says that Hunted Labs has not identified vulnerabilities in the easyjson code.

However, the link to the sanctioned CEO’s company, plus Russia’s aggressive state-backed cyberattacks, may increase potential risks, Smith says. Research from Hunted Labs details how code serialization tools could be abused by malicious hackers. “A Russian-controlled software package could be used as a ‘sleeper cell’ to cause serious harm to critical US infrastructure or for espionage and weaponized influence campaigns,” it says.

“Nation states take on a strategic positioning,” says George Barnes, a former deputy director at the National Security Agency, who spent 36 years at the NSA and now acts as a senior advisor and investor in Hunted Labs. Barnes says that hackers within Russia’s intelligence agencies could see easyjson as a potential opportunity for abuse in the future.

“It is totally efficient code. There’s no known vulnerability about it, hence no other company has identified anything wrong with it,” Barnes says. “Yet the people who actually own it are under the guise of VK, which is tight with the Kremlin,” he says. “If I’m sitting there in the GRU or the FSB and I’m looking at the laundry list of opportunities… this is perfect. It’s just lying there,” Barnes says, referencing Russia’s foreign military and domestic security agencies.

VK Group did not respond to WIRED’s request for comment about easyjson. The US Department of Defense did not respond to a request for comment about the inclusion of easyjson in its software setup.

“NSA does not have a comment to make on this specific software,” a spokesperson for the National Security Agency says. “The NSA Cybersecurity Collaboration Center does welcome tips from the private sector—when a tip is received, NSA triages the tip against our own insights to fully understand the threat and, if corroborated, share any relevant mitigations with the community.” A spokesperson for the US Cybersecurity and Infrastructure Security Agency, which has faced upheaval under the second Trump administration, says: “We are going to refer you back to Hunted Labs.”

GitHub, a code repository owned by Microsoft, says that while it will investigate issues and take action where its policies are broken, it is not aware of malicious code in easyjson and VK is not sanctioned itself. Other tech companies’ treatment of VK varies. After Britain sanctioned the leaders of Russian banks who own stakes in VK in September 2022, for example, Apple removed its social media app from its App Store.

Dan Lorenc, the CEO of supply chain security firm Chainguard, says that with easyjson, the connections to Russia are in “plain sight” and that there is a “slightly higher” cybersecurity risk than those of other software libraries. He adds that the red flags around other open source technology may not be so obvious.

“In the overall open source space, you don’t necessarily even know where people are most of the time,” Lorenc says, pointing out that many developers do not disclose their identity or locations online, and even if they do, it is not always possible to verify the details are correct. “The code is what we have to trust and the code and the systems that are used to build that code. People are important, but we’re just not in a world where we can push the trust down to the individuals,” Lorenc says.

As Russia’s full-scale invasion of Ukraine has unfolded, there has been increased scrutiny on the use of open source systems and the impact of sanctions upon entities involved in the development. In October last year, a Linux kernel maintainer removed 11 Russian developers who were involved in the open souce project, broadly citing sanctions as the reason for the change. Then in January this year, the Linux Foundation issued guidance covering how international sanctions can impact open source, saying developers should be cautious of who they interact with and the nature of interactions.

The shift in perceived risk is coupled with the threat of supply chain attacks. Last year, corporate developers and the open source world were rocked as a mysterious attacker known as Jia Tan stealthily installed a backdoor in the widely used XZ Utils software, after spending two years diligently updating it without any signs of trouble. The backdoor was only discovered by chance.

“Years ago, OSS was developed by small groups of trusted developers who were known to one another,” says Nancy Mead, a fellow of the Carnegie Mellon University Software Engineering Institute. “In that time frame, no one expected a trusted developer of being a hacker, and the relatively slower pace provided time for review. These days, with automatic release, incorporation of updates, and the wide usage of OSS, the old assumptions are no longer valid.”

Scott Hissam, a senior member of technical staff also from the Carnegie Software Engineering Institute, says there can often be consideration about how many maintainers and the number of organizations that work on an open source project, but there is currently not a “mass movement” to consider other details about OSS projects. “However, it is coming, and there are several activities that collect details about OSS projects, which OSS consumers can use to get more insight into OSS projects and their activities,” Hissam says, pointing to two examples.

Hunted Lab’s Smith says he is currently looking into the provenance of other open source projects and the risks that could come with them, including scrutinizing countries known to have carried out cyberattacks against US entities. He says he is not encouraging people to avoid open source software at all, more that risk considerations have shifted over time. “We’re telling you to just make really good risk informed decisions when you're trying to use open source,” he says. “Open source software is basically good until it's not.”

Source

Wired