So…there is a concerted campaign, with Musk as its mouthpiece, to discredit Signal and get people to switch to Telegram. It’s disinformation, but there’s also useful information in it. The useful information is that a hideous, powerful, right-wing crank — or whoever’s yanking his chain — really, really wants people to use Telegram.
We’ve long known Telegram’s security is weak. But now, in light of this new information, we should move forward assuming that Telegram is actively compromised.
Lest it get lost in that longer post:
Assume Telegram is compromised. Not just vulnerable. Compromised.
Muting this conversation, which has an •unusually• low signal to noise ratio.
Addressing some greatest hits:
- “I just use telegram for [some BS]” → It’s probably still leaking your location
- “Yeah, but if you’re targeted by a state actor…” → Honey, if a state actor is targeting •you• individually, technology is not even the first problem on your list. Opsec is hard.
- “I already knew that” → Good for you, we’re trying to reach people who didn’t
More greatest hits:
- “I want to learn more. Do you have links?” → Sure! Here’s a good post: https://kolektiva.social/@Voline/112437280384669007
- “No tech is perfectly secure, therefore it doesn’t matter what you use” → This logic is exactly as stupid as “any car can crash, therefore it doesn’t matter if you wear a seatbelt”
- “Let’s argue about [tech A] vs [tech B]” → Find a forum, you two
- “But I heard X invested in alternative Y and [conspiracy theory]” → This is why we like open source comm apps, to vet security
@[email protected] @[email protected] @[email protected] Did someone say “Telegram”? [Crashes into the thread like the Kool-Aid man] Please do not use #Telegram Messenger for any message that you would not want to see on the side of a building. Don't take my word for it, listen to these folks. Here's Dan Goodin (@[email protected]) in Ars Technica summarizing an exploit discovered by Ahmed Hassan: "Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location." https://arstechnica.com/information-technology/2021/01/telegram-feature-exposes-your-precise-address-to-hackers/ Independent security researcher The Grugq (@[email protected]) on Telegram's many problems: "In summary, Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn’t possibly think of a worse combination for a safe messenger." https://grugq.tumblr.com/post/133453305233/operational-telegram Former maintainer of the Golang cryptographic libraries Filippo Valsorda (@[email protected]) on a bug in Telegram's cryptographic protocol: "To this day, itʼs the most backdoor-looking bug Iʼve ever seen." https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/ Prof of cryptography Matthew Green (@[email protected]) on Telegram's custom encryption: "Like seriously. Wtf is even going on here." https://twitter.com/matthew_d_green/status/582249709286326272 And finally, Bruce Schneier: "Don't Use Telegram." https://www.schneier.com/blog/archives/2016/06/comparing_messa.html If you want to communicate confidentially, use @[email protected] https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/
Last but not least:
- “[Elaborate chain of logic I made up where I put 2 and 2 together and come up with 22]” → Disinformation is still disinformation even if you invented it yourself. At some point, you’re going to have to trust someone who knows more than you; puzzling it out yourself from a point of inexpertise is not better.
@inthehands I'd assume the same of Signal, to be honest. You're not safe and secure against a nation-state actor, especially not running software from that country communicating through servers run in that country.
The question is if you're worth them exposing that operation (you're probably not).
Disagree.
The question is whether you're high-profile enough that them compromising you (using a tool they own, in an environment they control) would result in their "operation" being "exposed" to a degree that would result in their operation being disrupted.
If you're anything like me, probably not.
(There's an entire class of people who can get disappeared in plain sight and everyone will automatically hallucinate their own thought-terminating explanation. Sucks)
@pettter @inthehands While I agree that it's good to expect compromise of whatever technology you're using, I don't think this take is really helpful.
The assumption that everything is compromised, apart from discussing strategies for dealing with it, just takes away our ability to make informed decisions. We have limited knowledge of the capabilities of the relevant threat actors, so we have to weight the probability that a particular implementation is still secure.
As in:
A remote code execution?
If the choice would be between whatsapp or Telegram, would you still prefer the meta product?
I have some people which are either on Whatsapp or on Telegram.
Currently i use Telegram with them. Should i install WhatsApp to keep in contact with them?
How is that a false dichotomy or a not the case scenario.
@scott_guertin
@inthehands @ShadowJonathan
Yeah but i don't have any means to compel what messenger they use and i would qualify it as an asshole move to make communication with me conditional on them installing a new messenger.
They have SMS and WhatsApp and Telegram.
Should i continue my contact with them on Telegram or install WhatsApp?
^ That is a valid question.
@inthehands The simplest answer is probably the correct one.
What does a US ceo hate more than proportional taxation?
Unions.
@inthehands how about the #InconvenientTruth that both @signalapp / #Signal and #Telegram are BOTH EQUALLY BAD since they both are #proprietary, #centralized #SingleVendor & #SingleProvider solutions that collect #PII like #PhoneNumbers with no "#LegitimateInterest" because they are not "technically necessary" to fulfill their services.
Plus they not only can but will include #Govware #backdoors when pressed hard enough aka. cops with 3-hole masks put a gun to their heads...
Just like there are no #LoglessVPN's these Services and their #staff have addresses...
https://web.archive.org/web/20210226175949/https://twitter.com/thegrugq/status/1085614812581715968
Instead, consider something where the #developers nor #maintainers can't do that - like with #XMPP + #OMEMO where you have #SelfCustody of all the #Keys and thus you are in control!
@kkarhan @inthehands both have problems but “stores comms in clear text on their servers and use proprietary security” (Telegram) is not equally as bad as “provably end to end encrypted with an open and independently vetted cryptosystem” (Signal)
Spreading FUD when you could just offer honest critique makes your message extremely suspect
@calcifer @inthehands it's not #FUD, but the #InconvenientTruth: #BOTH are garbage!
#Signal is able, willing and required per law to restrict it's services to comply with #Sanctions as well as integrate #Govware #Backdoors for #CloudAct & #FISA.
https://infosec.space/@kkarhan/112439031215285462
Unless you can reproducably build and #SelfHost the entire infrastructure yourself, you won't know if the #SourdeCode released is in fact the one being used.
Unlike with @monocles / #monoclesChat which doesn't fall under #CloudAct and is available via @fdroidorg which is taking the published #SourceCode.
@[email protected] @[email protected] @[email protected] no, #Signal - like #Telegram is #proprietary, #centralized and a #SingleVendor / #SingleProvider solution, thus inherently insecure. And don't even get me started on the #Cyberfacist laws like #CouldAct it's subject to... Only true #decentralization and #SelfCustody can be secure. Everything else is just #marketing-#lies!
@inthehands three years ago, Musk did the same to get people to move from WhatsApp to Signal though.
@inthehands Never used Telegram, never will -
I find it strange that Musk wants his users to stop using Signal and to move to the far weaker, and less secure Telegram, especially after Musk championed Signal back in 2021, telling his followers on Twitter at the time to 'Use Signal' back when Moxie Marlinspike was still CEO at Signal.
idek
Paul Cantrell
(moved)Galbinus Caeli 🌯
Aral Balkan
keithzg
@
lobingera
B'Wera Tension
Konstantin Weddige
Johannes Hentschel
Dakki Reads
John Francis
Billy
drawnto 🟨⬜🟪⬛
Scott Guertin
/home/filbert
QuincyOtter
dasparadoxon
Yami no senshi
Felichs
Sarah W
Spongefile
Newbyte
إمي ❄️🏳️⚧️🇵🇸
Mensch Antimeier
Kevin Karhan 
calcifer 🧯
Ash_Crow
David Howell
Proficiency
hazelnot 
Female Custodes Julia 
Sean Eric Fagan
Rob
十里雪道不换刃的两百斤鱼雷
avi 
TJ Olsen
Philippa Cowderoy
Luo Binghe baculum truther
luna the doggie 
Chris Johnson
MrC
Catherine is not complacent