I am liking how this time around a lot of people are outright calling the media out on their parroting Telegram's PR bullshit about how "encrypted, secure, private" the service is.

(it is not.)

As in, not just writing about how Telegram is neither of these things, but very clearly pointing a finger at the media and going: "stop spreading this misinformation, you are putting people in danger."

Keep this pressure on!

#Telegram #Media #InfoSec

Yesterday I shared my own write-up on Telegram's failings, today I came across Matthew Green's stellar blogpost:
https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/

And this blogpost *starts* with calling the media out on this.

Fantastic.

At this point it's clear Telegram has no interest in fixing their stuff. We should not be talking to them, we should be talking about them to the media so that they stop promoting it.

Because as I said yesterday: that constitutes journalistic malpractice.

#Telegram #Media #InfoSec

Is Telegram really an encrypted messaging app?

This blog is reserved for more serious things, and ordinarily I wouldn’t spend time on questions like the above. But much as I’d like to spend my time writing about exciting topics, som…

A Few Thoughts on Cryptographic Engineering

@rysiek That was actually the blog I found while researching possible #telegram vulnerabilities while trying to get a bead on it. I don't use Telegram so this is more an interest to see what's going on. lol

Great post, hits the nail right on the head. Thanks for sharing this @rysiek.

This kind of journalistic malpractice is usually caused by ignorance, in which case they need to be called in and patiently educated. But in some cases I think there is an intent to mislead, by people who ought to know better. They need to be contacted in private and given a chance to retract and apologise, and if they don't, they need to be publicly called out on their wilful malpractice.

#journalism #TechJournalism

@strypey I am a bit less generous. Journalists should not need to be told that journalism is more than parroting PR statements and marketing materials…

"Indeed, it no longer feels amusing to see the Telegram organization urge people away from default-encrypted messengers, while refusing to implement essential features that would widely encrypt their own users’ messages. In fact, it’s starting to feel a bit malicious."

#MatthewGreen, 2024

https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/

#TeleGram


#Telegram always smelt like a honeypot to me;

* centralised, tick (like Signal)

* encryption doesn't work for groups, only 1:1, tick (like Signal)

* opt-in E2EE for 1:1 chats while heavily promoted as "encrypted messenger", tick (unlike Signal)

* Roll-Your-Own cryptography, tick (maybe like Signal, but crucially...)

* no source code published for server, so no independent auditing of cryptographic primitives or implementations, tick (unlike Signal)

I can't fathom why anyone uses it.

One more honeypot quality of Telegrab;

* Setting up an account requires a working phone number, tick (unlike Signal as of Feb 2024)

In countries (eg China) that don't allow unregistered mobile connections ("burner" phone numbers), this associates a 'secure messaging' account with an identifiable person.

Signal had the same problem for most of its history, and until Feb 2024, it shared the phone number with anyone the account chatted with;

https://www.androidcentral.com/apps-software/signal-rolls-out-usernames

#HoneyPot #Telegram #Signal

@strypey it's the other way around, lol. signal and telegram both always required a phone number, but telegram always had usernames and after mass bruteforcing during hong kong protests they also added option to make you impossible to find by phone number. signal got those features only recently, and it still requires a phone number. worse, it always sends codes over SMS whereas telegram now tries to send codes to other devi- oh right, signal doesn't support multiple devices*

*though they have a security hole where you can just copy your desktop client's directory and launch it on another device and signal will have zero problem with that and won't even alert that the connection is now coming from a different device. it will just send messages to this session, even though that session is shared by different devices now. at least telegram desktop has the ability to set a PIN to protect against that, which encrypts all your data.

@strypey

@brawaru it should be noted that telegram only allows using sms if you use an official mobile app, which means you can't sign up without downloading the app store/play market version. so no telegram for you if you use a featurephone or you have something like lineageos etc.

@brawaru
> it's the other way around, lol. signal and telegram both always required a phone number, but [details]

I appreciate the clarifications, but they're orthogonal to my point. Which is that speaking as a veteran of numerous direct action campaigns in the late 90s and noughties, both of these centralized chat silos smell suspiciously like honey to me.

This topic comes up a *lot*. I must finish that blog post laying out my take on it.

@strypey

To add to this, the 2027 Steel Dossier included intelligence that Telegram's encryption was compromised but that little tidbit was overshadowed by the Trump 'pee-pee tapes' accusations.

@drewfer
> the 2027 Steel Dossier included intelligence that Telegram's encryption was compromised

I believe Matthew covered that in the blog post I linked. Must check that...

@strypey just realized that I fat fingered 2027 instead of 2017. Apologies.

@drewfer
> just realized that I fat fingered 2027 instead of 2017

My brain must have autocorrected it, I didn't even notice : P

@strypey telegram is in f-droid and Debian, it reportedly has around 900M users. So most popular instant messaging app with a free software client application.

Me:
> I can't fathom why anyone uses it

@lindi2
> telegram is in f-droid and Debian, it reportedly has around 900M users. So most popular instant messaging app with a free software client application

See above.

@strypey

> * encryption doesn't work for groups, only 1:1, tick (like Signal)

Can you elaborate on what you mean by the '(like Signal)'?

(2014) https://signal.org/blog/private-groups/
(2020) https://eprint.iacr.org/2019/1416.pdf

Thanks for the links @bengo. A lot of thought has been put into how private group chats on Signal might be encrypted, as those links indicate. But the last I heard they're still not encrypted by default in the Signal service. If my info is out-of-date, I'd appreciate a link where I can confirm that.

@strypey I think you might be confusing signal with telegram. telegram has some stuff that is not encrypted by default. signal is always encrypted and always has been, regardless of groups/1:1

https://support.signal.org/hc/en-us/articles/360007318911-How-do-I-know-my-communication-is-private

https://www.reddit.com/r/signal/comments/ohn71i/are_all_groups_encrypted_on_signal/

@bengo
> Signal is always encrypted and always has been, regardless of groups/1:1

The closest thing I can see at the first link is;

"... messages and calls cannot be accessed by us or other third parties because they are always end-to-end encrypted."

Please quote me the text I missed specifying that *groups* are encrypted.

The second link is a claim by a *deleted* user on dReddit. I don't believe what I read on toilet walls, and neither do I take anything said on web forums as gospel truth.

@strypey I find this pretty funny. "A Signal group is built on top of the private group system technology." https://support.signal.org/hc/en-us/articles/360007319331-Group-chats
which links to https://signal.org/blog/signal-private-group-system/
which links to the IACR paper from 2019 I linked to a month ago.

"Signal groups are built on top of the new private group system technology we previewed last year, which gives you a modern group chat experience while keeping your groups private"
https://signal.org/blog/new-groups/

If this stuff doesn't convince you, nothing I say will


@bengo
> If this stuff doesn't convince you, nothing I say will

What would convince me is a link to a page that contains both the words "groups" and "encrypted", not just one or the other. I'm confused as to why you think anyone ought to be convinced by anything less. Of the three links in your last post, only *one* does that;

https://signal.org/blog/signal-private-group-system/

Which just shows how inclined some people are to take positive claims about Signal on faith, while demanding robust sources for negative claims.


@rysiek Interestingly, I reported to the Lithuanian national broadcaster (LRT) the false claim that Telegram was supposedly a "secure and private" communication app; the subsequent coverage of Pavel Durov's arrest did not contain such claims about the app anymore.

So it's also up to us to help our media understand tech better 

@gytisrepecka well it's up to the media to start doing their jobs right, I'd say.

But as your intervention shows – and thank you for doing it! – we have some influence we can use to push them in the right direction. 👍

@rysiek The problem is that media produce content so quickly that they rely on news agencies and press releases; news mashups go out so fast, without any editorial oversight or subject-area expert review whatsoever.

I would probably not waste time on proprietary media, but helping out national broadcasters, if they are willing to accept any advice, is well worth it.

@rysiek you've got to wonder if this is a publicity stunt to get criminals to believe Telegram is secure so they can more easily be surveilled by law enforcement. After all, that's what the FBI did with the fake criminal-friendly phone service Anom, and much earlier the NSA with CryptoAG. Durov now has French citizenship.

https://www.theverge.com/2024/5/23/24163389/joseph-cox-dark-wire-fbi-phone-startup-anom-criminals-secure-messaging-decoder-interview
