Here’s what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

  • sneakyninjapants@sh.itjust.works
    link
    fedilink
    arrow-up
    238
    arrow-down
    2
    ·
    6 months ago

    Telegram’s server side software is closed source, owned and ran by them exclusively so they really have no room to talk. WhatsApp doesn’t even have OSS clients so they’re even worse in that regard

    • Eager Eagle@lemmy.world
      link
      fedilink
      English
      arrow-up
      59
      arrow-down
      4
      ·
      edit-2
      6 months ago

      exactly, they (Telegram) don’t need to put sketchy code in the clients when most messages are not E2E encrypted and they control the servers lol

      • rottingleaf@lemmy.zip
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        Still the code in telegram desktop client may not be sketchy, but is ugly as fuck, so that too should be considered.

  • shrugal@lemm.ee
    link
    fedilink
    arrow-up
    182
    arrow-down
    4
    ·
    edit-2
    6 months ago

    It’s hard to overstate what a nothing-burger this article really is! Let me break it down:

    • Signal got $3 million from the Open Technology Fund at some point in its development
    • Some anonymous source alleges that the OTF’s ultimate goal is to promote US foreign interests
    • The current chairman of the board Katherine Maher worked at the National Democratic Institute and Wikipedia before
    • The same anonymous source says she was recruited because of connections to the OTF
    • She has at some point voiced the opinion that a completely free internet without regulation just reproduces existing power structures, and that balancing regulation and 1st amendment rights is a tough problem
    • Signal doesn’t have reproducible builds on iOS (it absolutely does on Android btw)
    • Some people feel like Signal chats come up more often than they should in court cases and media reports

    That’s it, that’s the whole story. That’s the reason why the Telegram guy of all people thinks you should be careful, and better use his chat service instead, and the Twitter guy agrees.

    I mean, reproducible builds on iOS would be nice, but that platform has much bigger problems from a privacy/security/sovereignty/freedom standpoint anyway. And the rest is just nothing turned up to 11.

    • Eager Eagle@lemmy.world
      link
      fedilink
      English
      arrow-up
      89
      arrow-down
      1
      ·
      6 months ago

      tl;dr “Signal might be untrustworthy because the tech came from a State-sponsored project and the current chairman acknowledges that Wikipedia has a white and Western bias.”

      just wait until they find out pretty much all tech we have can be traced back to government-funded research.

      • 9488fcea02a9@sh.itjust.works
        link
        fedilink
        arrow-up
        47
        arrow-down
        1
        ·
        6 months ago

        Did you know the early early internet researchers were part of a clandestine government organization known as ARPANET??? The entire TCP/IP stack is just a state-sponsored backdoor into your life!!!

        WAKE UP SHEEPLE!!!

        • refalo@programming.dev
          link
          fedilink
          arrow-up
          16
          ·
          edit-2
          6 months ago

          yea just wait until they find out why the first digital computer was made:

          ENIAC was designed by John Mauchly and J. Presper Eckert to calculate artillery firing tables for the United States Army’s Ballistic Research Laboratory (which later became a part of the Army Research Laboratory). However, its first program was a study of the feasibility of the thermonuclear weapon.

    • rollerbang@lemmy.world
      link
      fedilink
      arrow-up
      10
      arrow-down
      6
      ·
      6 months ago

      Isn’t it that Telegram doesn’t claim to be super secure, apart from possibly their encryption on mobile?

      This doesn’t prevent them from uncovering other possible plots in supposedly secure platforms.

  • DaseinPickle@leminal.space
    link
    fedilink
    arrow-up
    124
    arrow-down
    3
    ·
    6 months ago

    Maybe he should focus on adding e2e encryption to the default chats and group chats instead of spreading FUD.

    • dsemy@lemm.ee
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      10
      ·
      6 months ago

      Telegram secret chats are e2e encrypted though

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        40
        arrow-down
        1
        ·
        6 months ago

        Secret chats only. With their own, in-house encryption, that, if I remember correctly, the apps don’t use according to the specifications.

        Maybe I’m mixing up mtproto 1 and 2 with that second part, though.

        • dsemy@lemm.ee
          link
          fedilink
          English
          arrow-up
          5
          ·
          6 months ago

          I don’t mind in-house encryption (the Signal protocol didn’t just appear out of nowhere either), however the latter part is worrying.

          In any case, I personally don’t trust Signal or Telegram.

            • dsemy@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              ·
              6 months ago

              Molly still depends on Signal’s centralized servers.

              Best solution I know of currently is SimpleX, though Veilid (and VeilidChat by extension) also seem promising, though it might take a while for those to be usable.

              • Possibly linux@lemmy.zip
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                From a cryptographic and usability perspective Signal still has a few benefits. However Simplex is promising.

            • toastal@lemmy.ml
              link
              fedilink
              arrow-up
              3
              ·
              6 months ago

              The best is to not trust the centralized server of either of these platforms. Set up your own XMPP server & gives these the boot.

                • toastal@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  6 months ago

                  XMPP is battle-tested* and thriving*

                  I don’t think you know how many commercial use cases are relying on XMPP, nor how much the community has been working on updates. Older technologies tend to have maturity is spec but also in implementations where the servers are robust & already at the point of optimization over chasing features. We see this with how little specs it takes to run a server & have Conversation forks on Android have some of the best battery life & data plan usage in the chat space. The network is massively decentralized too… unlike Matrix where almost everyone is on Matrix.org or a server provided/hosted by Matrix.org giving them all the metadata.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        7
        arrow-down
        2
        ·
        6 months ago

        But extremely hard to use to the point that nobody uses them. I send a secret chat to someone and they write me back in the unencrypted chat.

        It shouldn’t be possible to send anything unencrypted

        • efstajas@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          4
          ·
          edit-2
          6 months ago

          Tbf not all the chats being E2E encrypted is a UX compromise. It makes Telegram a lot nicer to use across devices and allows just accessing your messages from anywhere without needing your phone to be on. Plus no need to back up chats etc. because they’re all just on the server. As opposed to secret chats, which of course are bound to one particular device and can only be accessed from there.

          I’m all for E2E by default but I must say I actually like the idea of having a choice in this particular case.

          • delirious_owl@discuss.online
            link
            fedilink
            arrow-up
            2
            ·
            6 months ago

            There’s no reason for secret chsts to not be stored on the server and to not be synced to all your devices. We’ve had double ratchet for a while. Telegram rolling their own crypto is dumb for many reasons

            • efstajas@lemmy.world
              link
              fedilink
              arrow-up
              2
              ·
              6 months ago

              Correct me if I’m wrong, but even with double ratchet, retrieving and decrypting the message history is tricky / impossible, no? Afaik signal does allow you to receive new messages on multiple “linked devices”, but a new linked device doesn’t have access to any messaging history.

                • efstajas@lemmy.world
                  link
                  fedilink
                  arrow-up
                  3
                  ·
                  6 months ago

                  From a privacy POV, sure, not trying to argue that. Just saying that Telegram does have a bunch of features like that that wouldn’t really work if all chats were always E2E encrypted, so there’s a reason that it’s opt-in. Whether it’s a good one or not is up to you to decide for yourself.

                  Though I definitely think that Telegram could do a much better job explaining the trade-off, especially in a world where many major messengers are always e2e encrypted, and people somewhat expect it to be the default.

    • Fushuan [he/him]@lemm.ee
      link
      fedilink
      English
      arrow-up
      2
      ·
      6 months ago

      It’s encrypted though?

      You are trusting their server security and them as a company, sure, but it is encrypted against the server for sure.

      It’s not as good as ir could be but that’s no reason to spread misinformation.

  • electric_nan@lemmy.ml
    link
    fedilink
    arrow-up
    107
    arrow-down
    5
    ·
    6 months ago

    Looks like a push to discredit Signal right now. While I know Signal isn’t perfect, I do like it and I haven’t seen anything that is better (on the whole). The 3rd “emoji-point” is quite an accusation, and I would love to see any evidence of this kind of thing, that didn’t result from the cops unlocking a defendants phone, or having infiltrated a chat.

    • MajorHavoc@programming.dev
      link
      fedilink
      arrow-up
      17
      ·
      edit-2
      6 months ago

      While I know Signal isn’t perfect, I do like it and I haven’t seen anything that is better (on the whole).

      Agreed. But it is worth mentioning that XMPP with OMEMO seems to be the current gold standard - runs almost everywhere, tons of available (free) servers, secure end to end messages, and fully auditable public source code.

      • electric_nan@lemmy.ml
        link
        fedilink
        arrow-up
        12
        arrow-down
        1
        ·
        6 months ago

        I have used xmpp a lot, but I can’t really recommend it to friends and family as a secure messenger. There are too many compatibility issues between clients and servers. If your friend is on a client or server that doesn’t support the same encryption protocols, then you can’t have a secure chat. Basically there is too much user knowledge and effort required at this time, for xmpp to be a good, secure, general use chat. I very much look forward to this changing. I also really like Matrix, but it is still a bit rough around the edges as of my last check.

        • SLfgb@feddit.nl
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          6 months ago

          I use xmpp all the time. Biggest hurdle for certain fam/friends using xmpp has been certain android builds (samsung) and ios interfering with timely notifications. User knowlege is not a problem as I can recommend the apps that are compatible encryption protocols with mine.

          • electric_nan@lemmy.ml
            link
            fedilink
            arrow-up
            2
            ·
            6 months ago

            That’s great, and I’m happy it’s working out for you. It’s still kind of a bummer that this open protocol ends up fragmented across all those clients and severs. I’ve met other Linux enthusiasts online, connected with them via xmpp only to find we can’t encrypt our chats. Neither of us wants to give up our preferred client for various reasons, so we have a non-working situation.

            • SLfgb@feddit.nl
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              6 months ago

              Hmm, I see. But isn’t there an obvious solution to this? One of you just run two different clients side-by-side?

              • electric_nan@lemmy.ml
                link
                fedilink
                arrow-up
                2
                ·
                6 months ago

                Sure there are workarounds, but every one of them erases a bit of convenience or is at odds with the benefits of federation. Again, I think XMPP is great, but I wish it was better. As it is now, it doesn’t fully meet my needs better than Signal does.

            • SLfgb@feddit.nl
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              6 months ago

              Well if only those samsung & ios users that never get my messages until I see them and tell them to open their app had phones that didn’t interfere with it running in the background / push notifications it would be working out for me even better, but that’s not an issue with the protocol or client but with OS’s being hostile to xmpp.

        • MajorHavoc@programming.dev
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          Agreed on all points. It’s not the best solution when I can’t get both parties into it successfully.

          That’s why I still use Signal a good bit.

        • toastal@lemmy.ml
          link
          fedilink
          arrow-up
          3
          ·
          6 months ago

          client or server that doesn’t support the same encryption protocols

          Outside of TLS which most any server uses by default, XMPP or not, the server is not responsible for E2EE. Conversations Compliance & Are We OMEMO Yet have existed for a long while & I never see anyone recommending a client not on these lists so while certain features may be fragmented, the communication essentials have been more or less established for years now. XMPP is an extensible format, and some applications that aren’t for chatting with your friends/family, don’t need many of these features which allows the protocol to morph into something stripped down for the task… which is why the base spec is basically barren, & community XEPs are what folks get behind for adding new features for different use cases.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      5
      ·
      6 months ago

      Tin hat time:

      I wonder if Russia’s trying to get everyone on Telegram because they have control over it.

  • rivvvver@lemmy.dbzer0.com
    link
    fedilink
    arrow-up
    78
    arrow-down
    1
    ·
    edit-2
    6 months ago

    arent telegram chats unencrypted by default?

    An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media

    source?? (i bet this ends up being a “they had full access to my unlocked phone” situation again)

    also the whole thing abt US funded encryption is the same bullshit argument ppl use against Tor all the time. it doesnt mean shit.

    this just reads like someone desperately trying to get more market share by spreading FUD

    • VeganCheesecake@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      8
      ·
      6 months ago

      https://www.spiegel.de/netzwelt/apps/telegram-gibt-nutzerdaten-an-das-bundeskriminalamt-a-0e4d3fcb-8081-4b87-b062-db412bbc294b

      Well, Telegram seems to be giving user data to the German Federal Criminal Police Office, and if they’re cooperating with the German authorities, I don’t see why I’d presume they aren’t cooperating with others as well.

      All this is actually documented, compared to those nebulous “important people”.

      • UnfortunateShort@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        6 months ago

        Tbf, they held a user vote in Germany (supposedly, although the app did ask me to vote) whether to work with them or risk to cease services. Iirc the backgrounds were extremist (terrorist?) groups operating on the platform

    • rdri@lemmy.world
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      6 months ago

      arent telegram chats unencrypted by default?

      Encryption is always there. Problem is, some people refer to anything “not e2e encrypted” as “unencrypted” for some reason.

      • Fushuan [he/him]@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        And it infuriates me to no end. It’s one thing to trust them and their servers and it’s another thing altogether to send actual plaintext data around the net, that’s crazy and it’s what people are implying.

        For the record, until WhatsApp implemented e2e their messages were indeed fucking plaintext, and it took a while before they were pressured into e2e. It helps for them that their platform is very mobile based vs telegram, where the service is more server based. Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.

        • rdri@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          6 months ago

          Telegram did have enough time to implement a server based e2e 0 knowledge encryption protocol though, it’s not really rocket science at this point.

          What do you mean by server based e2e? From what I get, most people’s complain is that Telegram doesn’t support e2e in group chats, and that is what seems to be close to rocket science in my opinion. Also Telegram is historically filled with ever growing group chats, which means quite serious implications for server requirements from what I understand.

          • Fushuan [he/him]@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            6 months ago

            Tegram stores all the conversation in their servers, since you don’t need to be connected in the phone or have the phone witchednon if you want to chat in the pc, or in another phone. This means that the authority is the server. WhatsApp it’s not like that, if you delete a shared photo after a while it will be cached out and you will lost access to it, meaning that they don’t store that stuff. The same thing happens with WhatsApp desktop or web, they stay in an infinite loading icon until you twitch on the phone or sometimes even unlock it.

            This means that whatever telegram develops must not only keep the group chat encrypted in the server, but any valid client of a user must be able to decipher the content, so every client must somehow have the key to unlock the content. One way of doing it would be for every client of a single user to generate keys (which I’m sure they already do) and reform a key exchange between them, to share that way a single shared key, which is what identifies your account. Then toy could use that shared key to decipher the group chat shared key which telegram can store on their server or do whatever is done in those cases, I’m not that well versed.

            The problem here lies in what happens when you delete and/or logout of all the accounts, currently you can login into the server again, because telegram has all the info required, but if they store the “shared key” then it’s all moot, I guess they could store a user identifying key pair, with the private key encrypted with a password, so that it can be accessed from wherever. They should as always offer MFA and passkey alternatives to be able to identify as yourself every time you want to log into a new client, without requiring the password and so on.

            This is some roughly designed idea I just had that should theoretically work, but I’m sure that there’s more elegant ways to go about this.

            It’s work for sure to implement all of this in a secure way, provided that you have to somehow merge everything that already exists into the new encryption model, make everyone create a password and yada yada while making sure that it’s as seamless as possible for users. However, I feel like it’s been quite a while and that if they did not do it already, theybjist won’t, we either trust them with our data or search for an alternative, and sadly there’s no alternative that has all the fuzz right now.

            • rdri@lemmy.world
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              6 months ago

              Sorry I have a hard time understanding the gist of your text. I don’t think it’s viable to be upset about what happens with access that was already acquired previously because that very fact already poses a bigger threat (which might have more to do with the nature of conversations vs how the platform works).

              • Fushuan [he/him]@lemm.ee
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                6 months ago

                I wasn’t talking about situations with compromised accounts, I was talking about legitimate accounts that were created in a typical way being converted to a zero knowledge encryption method, I was aknowledging that it’s hard doing that conversion when a user might have several clients logged on (2 phones, 6 computers…).

                My point was that if they have not put any motivation in the transition, they never will because the bigger the userbase, the harder for them to manage the transition. Also, I find that sad because they should have invested more effort in that instead of all the features we are getting, but whatever.

                If you found the technical terms confusing, public/private keys are some sort of asymmetric “passwords” used in cryptography that secure messages, and shared keys would be symmetrical passwords. The theory between key exchanges and all around those protocols are taught in introductory courses to cryptography in bachelors and masters, and I’m sorry to say that I don’t have the energy to explain more but feel free to read about the terms if you feel like it.

                If you however found it confusing because I write like crap, I’m sorry for potentially offending you with the above paragraph and I’ll blame my phone keyboard about it :)

                • rdri@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  edit-2
                  6 months ago

                  No that’s not what I didn’t understand. The problem itself as you described it seems either a non-issue or something very few people (who’s already using telegram for some time) would care about. I don’t understand the scenario that would pose a problem for the user. The moment some account legitimately gains access to some chat is probably what should trouble you instead.

  • WolfLink@lemmy.ml
    link
    fedilink
    arrow-up
    69
    ·
    6 months ago

    Go read the GitHub issue. The main difficulty in implementing reproducible builds is the code signing Apple requires as well as other tweaks Apple makes to modify the binary from what the dev submits to what gets downloaded from the App Store. Note that Android already has reproducible builds. Also the reason the GitHub issue was closed wasn’t “refusal” to implement the feature, they wanted to move the discussion to their forums.

      • Thetimefarm@lemm.ee
        link
        fedilink
        arrow-up
        7
        arrow-down
        1
        ·
        6 months ago

        Who knows how apple decides to do anything? There may be some really stupid arbitrary reason apple modifies signal but not telegram just because apple insists on being difficult. If you don’t trust apple don’t use an iPhone and just download it on android.

  • Archon of the Valley@infosec.pub
    link
    fedilink
    English
    arrow-up
    70
    arrow-down
    4
    ·
    6 months ago

    Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram’s encryption which is known to not be anywhere near as secure as the Signal protocol.

    Pavel resorting to outright slander to promote Telegram is not something I expected to see.

    • tetris11@lemmy.ml
      link
      fedilink
      arrow-up
      29
      ·
      edit-2
      6 months ago

      he does raise very valid points about reproducible builds, which should be a priority if your product is security

      Edit: oh @Wolflink below points out that such builds are available for Android, but iOS has issues stemming from Apple and not Signal. This then begs the question, why is Telegram reproducible on iOS?

      • aicse@lemm.ee
        link
        fedilink
        arrow-up
        5
        ·
        6 months ago

        You need some loops to jump through to get there. But that can be achieved for Signal as well, if you check the discussions regarding reproducible builds for Signal’s iOS client, you’ll see that people just decided it is not worth the hassle to push it through.

    • rottingleaf@lemmy.zip
      link
      fedilink
      arrow-up
      5
      arrow-down
      1
      ·
      6 months ago

      Sounds like someone is mad that security experts would rather trust a tried-and-true encryption standard over Telegram’s encryption which is known to not be anywhere near as secure as the Signal protocol.

      There’s an issue in Russia with graduates of a few of the “kinda top” universities considering themselves elite, but not quite being as qualified as they think.

      Durov’s brother won a few programming competitions for highschoolers. Because of that apparently he should be considered something in cryptography. For people thinking like this at least.

      Pavel resorting to outright slander to promote Telegram is not something I expected to see.

      Why, it’s very much like him.

  • lemmyreader@lemmy.ml
    link
    fedilink
    English
    arrow-up
    51
    ·
    6 months ago

    This comes a few days after Jack Dorsey confirmed that he had left the board of Bluesky and then starting to use Tw(X)tter and calling Tw(X)tter “freedom technology”. Coincidence ?

    • LiveLM@lemmy.zip
      link
      fedilink
      English
      arrow-up
      5
      ·
      6 months ago

      ???
      Is this guy stupid or what, current day Twitter could not be further than “Freedom technology”.
      You can barely even see Tweets while logged out for fucks sake

      • lemmyreader@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        6 months ago

        https://www.theguardian.com/technology/article/2024/may/07/jack-dorsey-quits-bluesky-board-urges-users-stay-elon-musk-x-twitter

        Earlier on Saturday, he unfollowed all but three accounts on X: Edward Snowden, Stella Assange, the wife of the WikiLeaks founder Julian, and Musk.

        “Don’t depend on corporations to grant you rights,” Dorsey tweeted. “Defend them yourself using freedom technology. (you’re on one).”

        Despite his promotion of alternatives to the site he founded, Dorsey has publicly shared his admiration for Musk. In 2022, he called the multibillionaire the “singular solution I trust” for the future of Twitter, though a year later he criticised Musk for his “fairly reckless” moves after taking control of the site.

    • Optional@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      Why does it say Telegram, but it’s about the Twitter/Bluesky guy?

      Actually, nevermind. It’s just confusing.

  • PotatoesFall@discuss.tchncs.de
    link
    fedilink
    English
    arrow-up
    46
    ·
    6 months ago

    Okay first things first Jack Dorsey is a tool

    The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.

    But the protocol itself is open source, and you can use it without any affiliation with the US government.

    The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.

    Not having reproducible builds is definitely weird though. Does anybody have more information on that?

    • bamboo@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      10
      ·
      6 months ago

      Not having reproducible builds is definitely weird though. Does anybody have more information on that?

      They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits “As things stand now, you’ll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process”. Browsing the steps, it’s extremely complex, and doesn’t seem like something that is very user friendly and that you’d do weekly or monthly when a new version is released.

      On the GitHub issue linked to in the body, it’s disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there’s no way to confirm that non-jailbroken iPhones aren’t receiving a version with a backdoor.

      And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you’d have other issues with not receiving timely security updates. This same issue applies to Telegram also.

      • ArcaneSlime@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        then the risk becomes the latest available jailbroken iOS could be outdated from the real versions

        Flipper0: iOS 17 Lockup Crash has entered the chat juuuust to be annoying.

    • Steamymoomilk@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      8
      ·
      6 months ago

      My theory is that apple wont let the developer share there code for IOS because of “security”

      I remember an emulator (retro arch i think?) Got on ios at one point and was later removed because it showed apples file system layout. Which apples reason was “because it could be used to make malware for IOS”

      I feel like there is some similar thing with signal IOS

  • NotMyOldRedditName@lemmy.world
    link
    fedilink
    arrow-up
    48
    arrow-down
    4
    ·
    6 months ago

    You don’t need a backdoor in signal to bypass its encryption.

    All you need is to exploit the phone and wait for them to open or use signal.

    If you think your phone is safe from the NSA or similar services, I got some bad news for you.

        • Greg Clarke@lemmy.ca
          link
          fedilink
          English
          arrow-up
          6
          ·
          6 months ago

          I forgot to post an affiliate link and explain how routing all your internet traffic though one company equals security

          • ArcaneSlime@lemmy.dbzer0.com
            link
            fedilink
            arrow-up
            1
            ·
            6 months ago

            routing all your internet traffic though one company

            You mean my ISP which is known to monitor, censor, keep logs, and sell my info or Mullvad who hasn’t been caught doing that yet?

        • rottingleaf@lemmy.zip
          link
          fedilink
          arrow-up
          1
          ·
          6 months ago

          Nothing is against the attack described TBF.

          Say, if I run only OpenBSD, carefully selecting non-base applications, with tightened setup and so on, the baddies may just come when I’m not at home and flash a trojan into my laptop’s UEFI.

          Well, it’s easier with phones because these likely already have plenty of backdoors to do this remotely, available only for nation-states.

          I’m starting to like the taste of this “conspiracy theorist” thing.

    • emergencyfood@sh.itjust.works
      link
      fedilink
      arrow-up
      3
      ·
      6 months ago

      All you need is to exploit the phone and wait for them to open or use signal.

      Physical access is root access. But just because you can’t make something NSA-proof dosen’t mean you can’t make it bloody difficult to break into.

      • NotMyOldRedditName@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        6 months ago

        There’s been enough zero day remote exploits that there’s bound to be more.

        Pretty sure there’s more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.

        Something about a malicious image also rooting a phone.

        It goes on and on and phones don’t always get security updates.

        You can do your best, but then longer you use a given phone the higher the risk. That’s why people switch out phones frequently when doing shady or important shit

    • Dark Arc@social.packetloss.gg
      link
      fedilink
      English
      arrow-up
      5
      ·
      6 months ago

      I can’t read it because of the paywall but IIRC (based on a similar article) that was such a nothing-burger issue.

      People turned on an entirely optional (I think off by default setting) for some feature that allowed discovery of users by location … and shocked pikachu they could be tracked or something like that.

      • DaseinPickle@leminal.space
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        6 months ago

        It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world. That’s a serious breach of trust. I don’t know why Telegram users keep making excuses for that platform.

        • Dark Arc@social.packetloss.gg
          link
          fedilink
          English
          arrow-up
          13
          arrow-down
          1
          ·
          edit-2
          6 months ago

          I don’t know why Telegram users keep making excuses for that platform.

          Honestly? Because the others are just so bad.

          • Element has an extremely clunky UX and uses Electron. The other Matrix app implementations are incomplete buggy messes.
          • Signal can’t sync old messages to the desktop, uses a messy Electron interface, and lacks a bunch of features/polish I’ve come to expect.
          • Discord doesn’t even pay lip service to privacy and uses a similarly doesn’t invest in native apps.
          • Threema has been saying that cross-platform/multi-device connectivity is coming for like 2+ years and has had nothing but the most minor of unexciting features added.
          • WhatsApp is run by Meta, has a crappy desktop experience, and has had several serious security vulnerabilities.
          • Jami is … extremely glitchy.
          • Session is basically Signal backed by a Crypto platform.

          If someone took Telegram’s UX and feature set and paired that with Signal’s approach of “everything is encrypted”, that would be a winner. I kinda hope someday Telegram just does that and moves everything to E2EE. When Telegram was launched E2EE for group chats/at scale wasn’t really a thing … now it’s not nearly as novel but nobody has deployed E2EE with a feature set like Telegram’s.

          It’s not nothing if Telegram makes people believe they only share their location in a limited manner, but instead broadcast it to the whole world.

          That’s not even what happens by the way. It’s just that you can spoof a device into random locations and eventually figure out where someone is.

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              2
              ·
              6 months ago

              A “toot” isn’t a very persuasive piece of journalism.

              I can verify that it absolutely impacts groups run by queer communities in the Gulf, because I was in one such group that was monitored and shut down by Etidal.

              That claim needs a lot more investigation and context. At the very least, it needs investigated by a credible third party.

              Also, do you even know what the feature you’re criticizing is? A “channel”? Because it’s not even really a part of the messaging portion of Telegram. It’s basically an in-app blogging platform.

            • Dark Arc@social.packetloss.gg
              link
              fedilink
              English
              arrow-up
              5
              ·
              6 months ago
              • Signal can’t sync old messages to the desktop
              • Persistent voice rooms
              • Custom emoji
              • Animated emoji
              • Location sharing
              • Chat folders
              • Topics/rooms for larger group chats
              • Support for larger group chats
              • Quoted replies (i.e., quote part of a reply or create an arbitrary quote block)
              • Code snippets
              • Message forwarding
              • Polls
              • Animations in the UI
              • Detailed custom theming
              • Chat room theming
              • A content index (e.g., view only the files, links, videos, etc that were sent in this chat)
              • Group invite links to people you don’t have in your contacts
              • Channels (i.e., micro-ish blogging)
              • A nice bot API
              • Subjective UI/UX changes to put things in more reasonable places (e.g, why can’t I right click on a chat to pin it in the desktop client, why is the Electron menu bar shown by default)

              And probably several other things I’ve forgotten because … basically nobody I know is still using Signal.

              • nix@midwest.social
                link
                fedilink
                English
                arrow-up
                2
                ·
                6 months ago

                Thanks for the detailed reply. Signal does have location sharing and invite links, FWIW.

                • Dark Arc@social.packetloss.gg
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  6 months ago

                  Signal’s location share AFAIK can’t be a live location share (which is useful during events like amusement park trips and stuff)

                  They have invite links to group chats? I don’t know how that would work

          • Tehdastehdas@lemmy.world
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            6 months ago
            • Telegram allows everyone in a chat to delete messages by anyone from anyone without a trace, making gaslighting easy. “I told you so!” - “No you didn’t!” - (mutual distrust forever)
  • winterayars@sh.itjust.works
    link
    fedilink
    arrow-up
    32
    ·
    6 months ago

    I don’t think i care what Jack Dorsey says that isn’t backed up independently. Even if he’s right i just don’t trust him.

    • Dessalines@lemmy.ml
      link
      fedilink
      arrow-up
      17
      arrow-down
      5
      ·
      6 months ago

      You shouldn’t need to trust open source, it should be independently verifiable. Unfortunately that’s not possible with either signal or telegram, as there’s no way to tell what server code they’re running.

      • delirious_owl@discuss.online
        link
        fedilink
        arrow-up
        6
        ·
        6 months ago

        If encryption happens client side then it doesn’t matter.

        Its where the server is open but the client is closed that we need to worry, as is the case with Beeper

        • ForgotAboutDre@lemmy.world
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          6 months ago

          Closed sources server (even open source with no verification of the code running on the server) means it’s possible the server records who you talk to, when, where and the size of the messages. This can be useful to sell to advertisers.

          • Dark Arc@social.packetloss.gg
            link
            fedilink
            English
            arrow-up
            3
            ·
            6 months ago

            Cloud source server or open source server, you can’t know what server their running.

            Pavel’s whole argument here is basically the same thing for the client; “you can’t verify the build in the app store matches what’s in the source code, so you have no way of knowing it’s actually what you’re auditing.”