So…there is a concerted campaign, with Musk as its mouthpiece, to discredit Signal and get people to switch to Telegram. It’s disinformation, but there’s also useful information in it. The useful information is that a hideous, powerful, right-wing crank — or whoever’s yanking his chain — really, really wants people to use Telegram.

We’ve long known Telegram’s security is weak. But now, in light of this new information, we should move forward assuming that Telegram is actively compromised.

Lest it get lost in that longer post:

Assume Telegram is compromised. Not just vulnerable. Compromised.

Muting this conversation, which has an •unusually• low signal-to-noise ratio.

Addressing some greatest hits:

- “I just use telegram for [some BS]” → It’s probably still leaking your location

- “Yeah, but if you’re targeted by a state actor…” → Honey, if a state actor is targeting •you• individually, technology is not even the first problem on your list. Opsec is hard.

- “I already knew that” → Good for you, we’re trying to reach people who didn’t

More greatest hits:

- “I want to learn more. Do you have links?” → Sure! Here’s a good post: https://kolektiva.social/@Voline/112437280384669007

- “No tech is perfectly secure, therefore it doesn’t matter what you use” → This logic is exactly as stupid as “any car can crash, therefore it doesn’t matter if you wear a seatbelt”

- “Let’s argue about [tech A] vs [tech B]” → Find a forum, you two

- “But I heard X invested in alternative Y and [conspiracy theory]” → This is why we like open source comm apps, to vet security

Voline (@[email protected])

@[email protected] @[email protected] @[email protected] Did someone say “Telegram”? [Crashes into the thread like the Kool-Aid man]

Please do not use #Telegram Messenger for any message that you would not want to see on the side of a building. Don't take my word for it, listen to these folks.

Here's Dan Goodin (@[email protected]) in Ars Technica summarizing an exploit discovered by Ahmed Hassan: "Using readily available software and a rooted Android device, he’s able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user’s precise location." https://arstechnica.com/information-technology/2021/01/telegram-feature-exposes-your-precise-address-to-hackers/

Independent security researcher The Grugq (@[email protected]) on Telegram's many problems: "In summary, Telegram is error prone, has wonky homebrew encryption, leaks voluminous metadata, steals the address book, and is now known as a terrorist hangout. I couldn’t possibly think of a worse combination for a safe messenger." https://grugq.tumblr.com/post/133453305233/operational-telegram

Former maintainer of the Golang cryptographic libraries Filippo Valsorda (@[email protected]) on a bug in Telegram's cryptographic protocol: "To this day, itʼs the most backdoor-looking bug Iʼve ever seen." https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/

Prof of cryptography Matthew Green (@[email protected]) on Telegram's custom encryption: "Like seriously. Wtf is even going on here." https://twitter.com/matthew_d_green/status/582249709286326272

And finally, Bruce Schneier: "Don't Use Telegram." https://www.schneier.com/blog/archives/2016/06/comparing_messa.html

If you want to communicate confidentially, use @[email protected] https://theintercept.com/2016/06/22/battle-of-the-secure-messaging-apps-how-signal-beats-whatsapp/


Last but not least:

- “[Elaborate chain of logic I made up where I put 2 and 2 together and come up with 22]” → Disinformation is still disinformation even if you invented it yourself. At some point, you’re going to have to trust someone who knows more than you; puzzling it out yourself from a point of inexpertise is not better.