Telegram is indistinguishable from an FSB honeypot
Telegram is indistinguishable from an FSB honeypot
Many people who focus on information security, including myself, have long considered Telegram suspicious and untrustworthy. Now, based on findings published by the investigative journalism outlet ISt
Investigation by investigative journalism outlet IStories (EN version by OCCRP) shows that Telegram uses a single, FSB-linked company as their infrastructure provider globally.
Telegram's MTProto protocol also requires a cleartext identifier to be prepended to all client-server messages.
Combined, these two choices by Telegram make it into a surveillance tool.
I am quoted in the IStories story. I also did packet captures, and I dive into the nitty-gritty technical details on my blog.
Packet captures and MTProto deobfuscation library I wrote linked therein so that others can retrace my steps and check my work.
You're viewing a single thread.
Also, AMA I guess.
What would you recommend as an alternative for the general non-technical population?
For the internet messenger functionality that would be Signal.
For other things (channels, mostly), anything that does not pretend to be end-to-end encrypted when it is not. A website with an RSS feed would be one trivial choice for channels that are open to anyone. Public communication like that has no business going through "platforms".
Matrix
I would most definitely not recommend Matrix for private or sensitive communication, no.
https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-signal-competitor/
https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/Matrix is fine as IRC replacement, it might also be a decent replacement for Telegram's channels thingy, sure. But I would not trust my family photos to it. Much less anything actually important.
That's all FUD. Matrix is as secure as Signal if you - like Signal - rely on a single centralized server. Actually, since you can host it yourself, it would be even more secure since you don't need to trust Signal.
(I defend infrastructure and perform hacks against cryptograph & protocols for a living)
My question was specifically about "the general non-technical population". Do you expect my mom to even remotely understand what different servers are and why talking to me is securely encrypted but talking to her friends group isn't? The point about secure software is that it needs to be secure by default or else, entry level users will manage to accidentally send their stuff in plain text and not even notice.
For nerds like us, I agree that Matrix is probably a good choice. For someone who needed to be told that "the internet" isn't the blue "e" on their desktop... not so much. I'd rather send carrier pigeons than explain Matrix to my family.
My extended family use Matrix - including my elderly parents. It's no more difficult to understand than any other service.
(I defend infrastructure and perform hacks against cryptograph & protocols for a living)
If you need to say itâŚ
I would most definitely not recommend Matrix for private or sensitive communication, no.
https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-signal-competitor/
https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/
Matrix is fine as IRC replacement, it might also be a decent replacement for Telegramâs channels thingy, sure. But I would not trust my family photos to it. Much less anything actually important.Regarding Soatok, I am prone to completely ignore impolite individuals. As far as my experience goes, and for most of the general populace, Matrix is fine. And it is likely to continue improving. Compared to Signal and Telegram, who both incentivize crypto"currencies", a.k.a. tech bro multi-level marketing pyramid schemes, enshittification has already begun.
Roy says: August 6, 2024 at 4:28 pm
Interesting post! I would be really interested in knowing your opinion on SimpleX Chat.Soatok says: August 6, 2024 at 4:55 pm
See, this is exactly the fucking problem. I never invited anyone to query me to look at YET ANOTHER fucking chat app. Yet this still keeps happening. Doing security reviews is labor. Youâre asking me to work for free to satisfy your curiosity. This is annoying to do. I donât have a fucking opinion about SimpleX. I donât have an opinion about a lot of apps. If I want to share my opinion, Iâll blog about it WITHOUT being prompted. Until then, please stop asking.
By Post AuthorRegarding Soatok, I am prone to completely ignore impolite individuals.
Please feel free to ignore me as well then, because saying that technical analysis by an expert can be outright ignored just because the expert happened to be impolite that one time might make me become somewhat impolite.
Imagine getting dozens of randos in your replies asking about dozens of random chat apps. At some point I am pretty sure you'd also reach a breaking point. Some would call that kind of behaviour a bit impolite, I'd wager.
I'm not saying arguments necessarily become invalid because of impoliteness. But to me it doesn't convey trustworthiness on first impression, especially when not knowing someone. The world / the Internet already contains so much toxicity, there's no need for needless additional discord. Especially when encountering something frustrating on the Internetâas opposed to real lifeâit is trivial to just take a breath, go for a walk, and come back and respond peacefully. The simplest thing for Soatok to have done would be to ignore the message, or use AutoKey to paste a generic neutral response denying the request.
Soatak
Soatok. At least get the name right.
The simplest thing for [Soatok] to have done would be to ignore the message
Which also happens to be the simplest thing you could have done, even simpler as none of the toots you quote were addressed to you. Instead, you are dragging this one random exchange into this thread about something else entirely.
The simplest thing for Soatok to have done would be to ignore the message
Which also happens to be the simplest thing you could have done, even simpler as none of the toots you quote were addressed to you. Instead, you are dragging this one random exchange into this thread about something else entirely.
Does it really matter whether or not it is addressed to me? And, the simplest route is not necessarily the most virtuous one. To take an extreme example, if I see someone being bullied I will interfere to stop the bully and console the target. Here, I am simply arguing in favor of less toxicity for it improves credibility.
You say you're arguing in favor of less toxicity, but your example was a screenshot of a comment where I asserted my own healthy boundaries (after being needled by hundreds of demands in the form of "what about <other app>?" from strangers over the course of months).
Which is more toxic?
You say youâre arguing in favor of less toxicity, but your example was a screenshot of a comment where I asserted my own healthy boundaries (after being needled by hundreds of demands in the form of âwhat about <other app>?â from strangers over the course of months).
Which is more toxic?
The one that contains the most aggression.
Do most of those strangers know that you are receiving hundreds of requests? They're strangers, so I'm betting on no. Are they then deserving of any swearing and caps lock yelling? Even if they do know, I can recall few to no instances where unironically doing so packed a punch.A more reasonable answer would have been: "Sorry, no idea. For my own healthy boundaries I have to refrain from doing too much of this often-requested but time-consuming research."
Not toxic, more effective. And as I mentioned in another reply, with AutoKey you could configure that typing the word "sigh" or phrase ''goddammit not again" automatically expands into the alternative answer suggested above. Being frustrated is fine, and venting is absolutely necessary, but there are ways to do it that are healthy for everyone involved, such as the autoreply and then going for a run. Hope for the best, prepare for the worst.
Why do you conflate politeness and trustworthiness? Seems like a weird connection to make.
Why do you conflate politeness and trustworthiness? Seems like a weird connection to make.
Is it really that weird? Imagine someone going to a store and the owner starts swearing at them because they asked a question. Would said visitor be more or less likely to trust the owner? I agree that being impolite doesn't necessarily equate to being ignorant in one's subject, but I wouldn't be surprised that on average the most knowledgeable and wise tend to be more polite.
Because the inverse of that is how people get conned. Someone blowing absolute smoke with a confident tone and a sweet word. Tone is about the worst indicator of trustworthiness
Because the inverse of that is how people get conned. Someone blowing absolute smoke with a confident tone and a sweet word. Tone is about the worst indicator of trustworthiness
Sure, skilled sociopaths con their way up that way, or that's how soulless marketers manipulate the populace. However, that does not mean that most people who are kind are sociopaths or soulless. On average kind people are just being kind.
That guy again lmao why do "security researchers" keep recommending signal with that softheaded blog. Get real
So, you drop into a thread about a pretty technically involved analysis of one protocol (MTProto), and in response to a post linking to another pretty technically involved analysis of another protocol (Matrix/Olm) all you have to offer is "that softheaded blog"?
I mean I would expect some finesse with the insults. I understand that diving into the technical nitty-gritty might not be your thing, and that's totally fine, but at the very least don't deny us the entertainment factor of a well-rounded invective!
Oh, you'll just have forgive me for not diving into the high-level discussion of whether Signal is better for furries because of the UI needs of differently-abled individuals. It's just too complicated for me. đ
No questions. Hats off. Thank you for your service, it always seemed like a honeypot to me. Nice to see some evidence other than my gut feeling.
Thank you!
No questions from me, just wanna say:
Excellent goddamned work.
Favorited this whole post for future reference.
There were reports (claims I suppose) that the fsb were using telegram to organise the stochastic gig job sabotage across Europe.
Joining a neo fash telegram group, pretending to be a rich neo fash who wants to help the cause but not risk themselves and paying people for putting up posters, damaging equipment etc.
Does what has been found here shed any more light on that? I'd guess it would allow them to find these groups to target them very easily? That was the bit I couldn't quite understand from the original report, if so this all makes more sense.
There were reports (claims I suppose) that the fsb were using telegram to organise the stochastic gig job sabotage across Europe
No no, reports: https://www.msn.com/en-in/news/world/russia-uses-telegram-to-recruit-spies-and-saboteurs-in-europe/ar-AA1xshqO
Does what has been found here shed any more light on that?
Not really/not directly, I would say. What you are describing is FSB using Telegram for recruitment. That does not require network-level observability and surveillance. That's a different "feature", so to speak.
It's not that I don't believe them, but anything coming from spooks has to be looked at a little sideways.
Thanks for the reply. I just couldn't figure out how they had enough intelligence to find all these telegram groups, maybe that's easier for a nation state than I thought.
It's trivial for a nation state, they have lists of these groups. These groups are promoted in other groups and other channels and other forums and eventually reach somebody who will make a note of them.
Any advice for people that used it in the past? After reading the article, my understanding is that what was sent in "private chat" was in fact encrypted (for the most part) and can be considered secured (to the degree - something is off and, maybe we didn't find out yet, how the encryption is compromised). But it would wise to treat all other conversations as something that is compromised. Is this a fair summary?
After reading the article, my understanding is that what was sent in âprivate chatâ was in fact encrypted (for the most part) and can be considered secured (to the degree - something is off and, maybe we didnât find out yet, how the encryption is compromised).
"Secret Chats", but otherwise spot-on, yes.
I am making a point of clarifying here because Telegram thrives on ambiguity. "Private chat" might mean anything in that system. "Secret Chat" is a specific feature that almost nobody uses but gives Telegram cover to claim they do end-to-end encryption.
But it would wise to treat all other conversations as something that is compromised. Is this a fair summary?
Yes, that's what I would say.
Telegram has access to everything that is not a "Secret Chat". They are responding to data requests. It's unclear what they include in these responses. They are also linked to FSB, through the same Vedeneev guy that owned GNM (the infrastructure provider).
This is the part that resonated with me the most as the casual user. The interface is, so confusing that the differences between various forms of chats seems deliberately unclear. And all that's "useful" is opt-in. And Groups - most used in corporate or project setting, can't be encrypted at all? That's... peculiar.
Again, thanks for the eye-opener.