
Telegram Bot Platform - thiagoperes
https://telegram.org/blog/bot-revolution
======
gioi
Just yesterday I was trying to get a bot working on the TextSecure platform. A
vastly disappointing experience: almost non-existent libraries, sparse and
incomplete documentation, unstable protocol breaking without any kind of
notice
([https://github.com/JavaJens/TextSecure/issues/6](https://github.com/JavaJens/TextSecure/issues/6),
for example). And still no way to register without a phone, which would be
amazing for this kind of project:
[https://github.com/WhisperSystems/TextSecure/issues/1085](https://github.com/WhisperSystems/TextSecure/issues/1085)

I think Telegram is succeeding in what TextSecure is failing: attracting a
widespread community of developers. This is only a confirmation, in my
opinion.

EDIT: and, by the way, while Telegram security is no good, I wonder why we
cannot have both (security & developer-friendliness)

~~~
moxie
Try using libtextsecure instead of interacting with websockets directly. We
publish artifacts, and while the API might change over time, if you stick with
a versioned artifact you'll be good.
[http://open-whisper-systems.readme.io/v1.0/docs/textsecure-j...](http://open-whisper-systems.readme.io/v1.0/docs/textsecure-java-library)

We have a few bots in production that use libtextsecure and have been running
fine for almost a year without any maintenance.

~~~
dmix
Last year I wanted to help out with the TextSecure browser (chrome extension)
project and had a similar experience as the OP.

I was a bit at a loss about where to begin, as I couldn't find documentation
about getting the extension set up for dev/testing. Specifically I couldn't get
past the QR-code auth screen as I seemed to be missing some special
configuration to connect with the servers.

I just assumed it wasn't really ready for outside devs yet.

But I just checked back in on the repo and it looks like a new CONTRIBUTING
doc has been added, which is great:
[https://github.com/WhisperSystems/TextSecure-Browser/blob/ma...](https://github.com/WhisperSystems/TextSecure-Browser/blob/master/CONTRIBUTING.md)
This is the type of stuff I was looking for.

I'm happy to see WhisperSystems making contributing more accessible. I
probably could have learned this stuff by asking the devs, but I didn't want
to bother them, I much prefer reading docs and playing with it myself first.

------
sweis
I briefly looked at Telegram's crypto code a couple months ago. Here's a few
funny things I spotted:

Telegram's message format uses ambiguous padding, so they have to try all
padding lengths when validating a message:
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L346)

That loop leaks timing information, as does the "Utilities.arraysEquals"
method it uses. I'm not sure if it opens up a timing attack, but it's suspect:
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/Utilities.java#L283)

There is another spot where they pad with zero bytes without any
authentication. This may leave room to mess with the protocol:
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L261)

There are also some weird things throughout the code, like using
SecureRandom.nextDouble() all over:
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/android/SecretChatHelper.java#L1531)
[https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L164)

~~~
Kiro
What does leaking timing information mean?

~~~
sweis
Nate Lawson has a good explanation of timing attacks (against my own code):
[http://rdist.root.org/2009/05/28/timing-attack-in-google-key...](http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/)
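
As an added illustration of what "leaking timing information" means for the byte comparison discussed in this thread (not code from Telegram or from any commenter): a hypothetical early-exit comparison beside a constant-time one, with a step counter standing in for elapsed time so the output is deterministic. The class name, both helper methods and the sample values are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class TimingLeakDemo {
    // Work counter: stands in for elapsed time so the result is deterministic.
    static int steps;

    // Hypothetical early-exit comparison (not Telegram's Utilities.arraysEquals):
    // returns at the first mismatching byte, so work grows with the matching prefix.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            steps++;
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant-time comparison: always touches every byte and folds differences
    // into one accumulator, so the work does not depend on where the bytes differ.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            steps++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real protocol.
        byte[] expected = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        String[] guesses = {"X123456789abcdef", "0123X56789abcdef", "0123456789abcdeX"};
        for (String g : guesses) {
            byte[] guess = g.getBytes(StandardCharsets.US_ASCII);
            steps = 0;
            earlyExitEquals(expected, guess);
            int early = steps;
            steps = 0;
            constantTimeEquals(expected, guess);
            System.out.printf("%s early-exit=%2d constant-time=%2d%n", g, early, steps);
        }
        // The JDK's own byte-array comparison intended for digests and MACs.
        System.out.println(MessageDigest.isEqual(expected, expected.clone()));
    }
}
```

The early-exit column grows with the length of the correct prefix, which is the signal a timing measurement exposes; the constant-time column stays the same for every guess.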

------
yagop
I've been developing this
[https://github.com/yagop/telegram-bot](https://github.com/yagop/telegram-bot)
for a year. Currently most Telegram bots use my project for building bots.

Now it's deprecated and I'm really sad about that.

~~~
tomlock
Hey! I found your work really useful. Thanks very much for your effort :) I
look forward to your next project!

------
kh_hk
OT:

Awesome, great, APIs are good.

Know what's better? Open specifications and federated services. It's called
XMPP and if it's not enough, then something better should be developed.

Is this the replacement of SMS? Not sure what people would have thought at the
time if they could not send SMS to other mobile carriers. It saddens me even
more to see public institutions moving their SMS infrastructure to the new
'carriers'.

Protocols are not a new thing. Let's not go back to the time when computers
could not talk to each other.

~~~
runn1ng
Anecdote:

In our company, we recently switched from Jabber to Telegram.

Telegram is easier to use on multiple devices (it synchronized automatically
and you don't have to worry that if you leave one device open, you won't get
the message elsewhere), has both a usable mobile app and a usable web/desktop
app, it has the "private" chat that's much easier to use than OTR (Pidgin,
Gajim and Adium each implement OTR differently and it never works right
cross-client), and, as one co-worker noted, it finally looks like something from
21st century.

TextSecure/Signal/what's the name now has - in addition to confusing branding
cross-OS - strange SMS reliance and no working desktop app. I would prefer it
to Telegram though, if they had some reliable desktop application, but they
don't.

~~~
dhemmerling
TextSecure SMS is getting phased out.

[https://whispersystems.org/blog/goodbye-encrypted-sms/](https://whispersystems.org/blog/goodbye-encrypted-sms/)

~~~
veeti
Encrypted SMS is, but the Android app will (apparently) continue to support
unencrypted SMS.

~~~
sanjayparekh
This is why I switched to SMSSecure. It's a TextSecure fork that continues to
support encrypted SMS direct to the phone and not through a server of any
kind.

------
_jomo
This is nice, but I really wonder why they don't focus on more important
things. For example this issue I opened over a year ago, asking them to use
end-to-end encryption by default and for group chats:
[https://github.com/DrKLO/Telegram/issues/156](https://github.com/DrKLO/Telegram/issues/156)

Probably because features are more important than security, sigh.

~~~
jhasse
It's not that easy: How would you exchange the private keys when using
multiple clients? This would require the user to transfer the private key files
or to remember a secure password. Both options aren't possible for usability
reasons if you want to beat WhatsApp.

~~~
_jomo
This has been discussed a lot in the issue thread. Key exchange really isn't
the issue.

Scanning a QR code or creating a secure connection between the clients to
exchange the keys isn't that hard.

~~~
jhasse
What when I want to login at a computer but don't have my phone with me?

~~~
chralieboy
Same as using 1Password — you don't.

You're trading convenience for increased security.

~~~
sherjilozair
This is why it isn't 'by default'.

------
joeyspn
> Telegram is about freedom and openness – our code is open for everyone, _as
> is our API_.

Open _for usage_ I guess. It's a pity that the API (and server) source is
still closed. The Bot Platform is a cool initiative anyways, so good luck!

~~~
jhasse
Not only for usage. The protocol is open and the clients are GPLv3.

------
colordrops
Telegram is not truly open source. They utilize a pre-compiled library for the
actual messaging code, as seen here:

[https://github.com/DrKLO/Telegram/tree/master/TMessagesProj/...](https://github.com/DrKLO/Telegram/tree/master/TMessagesProj/libs)

They would like to have you believe otherwise through their PR efforts, but I
wouldn't trust them simply on the fact that they claim they are open source
when they are not, and it's not clear what's going on in that binary lib. If
they never claimed to be open source in the first place, it would be a
different story.

~~~
izacus
Ehm, the "jni/" directory contains the source for those files. Running "ndk-
build" (from Android NDK) in top-level dir will recompile them.

Looking at the source the libraries contain AES code, libjpeg, libwebp and
libyuv to handle image decoding, some image blur algorithms and video NV21-YUV
conversion routines.

Nothing out of the ordinary for an Android app - offloading CPU intensive
stuff to C/C++ where it's almost always noticeably slower.

Can you please, PLEASE, check your facts before jumping the gun next time?

~~~
colordrops
I retract my statement. This used to be the case, but appears to no longer be
so.

------
gcmartinelli
I believe this is an amazing move by Telegram. I firmly believe that open
platforms tend to win in the long run.

Whatsapp should take the hint and open up their platform for developers...
Curiously I was thinking about building bot-based services on their platform
(largest user base in my country), but basically gave up after seeing how
closed they are to any initiative like this. Felt even worse after reading
things like this:
[https://twitter.com/gcmartinelli/status/605776036358291456](https://twitter.com/gcmartinelli/status/605776036358291456)

~~~
techaddict009
[http://www.whatshash.com/](http://www.whatshash.com/) Someone built whatsapp
bot! I don't know if they used some official api or what.

~~~
gcmartinelli
Thanks for the reference! I've seen some implementations
([https://github.com/asdofindia/python-whatsapp-bot](https://github.com/asdofindia/python-whatsapp-bot))
but usually Whatsapp bans accounts that do it.

------
daniel-levin
Telegram is really cool. I have long thought about what additions and
modifications I could make to my mobile texting program. Now I have to
convince all my friends to move from Whatsapp.

------
scriptnull
Great news! Check out Github bot for sure, people. I am already in love!
This feature is making me remember my own simple telegram bot that helped me
to convey 1000 Happy birthdays to my friend in 15 mins.
[https://gist.github.com/scriptnull/7877b404f33de2b7445a](https://gist.github.com/scriptnull/7877b404f33de2b7445a)

~~~
mahouse
Your friend sure appreciated that...

~~~
scriptnull
Yeah! He was surprised and so were my other friends.

------
vijucat
I woke up one night with the idea that if WhatsApp allowed API integration, it
would be so awesome : you could message DHL or UPS with your waybill tracking
number, and they could push updates to you.

More interestingly, the WhatsApp text box then effectively becomes a REPL
shell to a remote API : you could ask for stopping updates, updates only once
a day, etc; If the remote server implements a DSL, you could do a LOT.

The possibilities were endless and exciting.

But I have a feeling WhatsApp / their new owner are going to just let the
opportunity pass by. If anyone at FB is reading this : guys, Business
integration with WhatsApp is where the next $250 billion is. That's how FB
will get a permanent, maybe even irreversible, grip on mobile. Imagine every
service business providing updates via WhatsApp by integrating with their
backend.

~~~
detaro
They did announce plans for B2C use cases earlier this year (and of course are
already used for conducting business, but only for communicating with a human
on the other end).

------
hobarrera
All the comments on this news item made me really want to try this out and see
how it works.

I downloaded and installed the desktop version. Created an account with my
phone number (okay: if I ever lose my phone, I'll permanently lose access to
my account!).

I see how to add contacts. I need their phone number. I don't know my friends'
numbers. We use facebook, xmpp, email, lots of shit, but nobody still relies
on SMS nowadays, and my phonebook is literally under 10 entries long (and I'm
sure mum and dad won't be using Telegram).

This reliance on old networks really kills it for me. IMHO, linking an account
to a device that _can_ get stolen or lost is also something I'll never really
understand.

------
task_queue
Telegram is the company that ignores proven crypto standards, rolls their own
crypto without any verification or audit, then offers a $200k bounty to
"break" their crypto by requiring developers to work with an arm tied behind
their back by reducing the types of attacks that could be made in the real
world.

Seems MTProto is the same as it's always been.

[https://news.ycombinator.com/item?id=6931457](https://news.ycombinator.com/item?id=6931457)

[http://www.cryptofails.com/post/70546720222/telegrams-crypta...](http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest)

------
harryf
Bananas or oranges anyone?
[http://telegram.me/PollBot?startgroup=c4dd5512c96b2952a17396...](http://telegram.me/PollBot?startgroup=c4dd5512c96b2952a17396273a72e18f)

~~~
ddon
Not found There is no Telegram account with the username you provided.

------
Cieplak
I really like that they embrace HATEOAS, e.g., "what can this bot do?", even
though the API might not be strictly RESTful (they call it an "HTTP-based
interface").

------
wodenokoto
Can telegram be considered safe? I looked at eff's guide to secure chat
earlier today and was quite confused that it seemingly scores full marks and
not-full marks.

[https://www.eff.org/secure-messaging-scorecard](https://www.eff.org/secure-messaging-scorecard)

------
pbreit
I've always been surprised something like this never really got going. I think
the issue here is that it needs to be on message platforms that people
actually use (iMessage, WhatsApp, Gchat, etc). Is it really not possible to
hook in to those platforms?

~~~
ryukafalz
The moment you hook into those systems, you're segmenting your userbase. If
you rely on iMessage for transport, you can only talk to Apple users. The
situation is similar with Hangouts and WhatsApp - while you're not limited to
one device manufacturer, there's no official API, and any attempt to do so is
a hack that could break at any time with no warning.

Telegram is slightly better in that it at least has a client API, but you're
still locked to a single provider (the official Telegram server).

~~~
pbreit
And that provider is a tiny fraction the size of iMessage, GChat, WhatsApp, et
al.

------
orzfly
Create your own bot with Node.js!
[https://github.com/orzFly/node-telegram-bot](https://github.com/orzFly/node-telegram-bot)

------
DLion
I made a simple bot plugins based in Node.js.
[https://github.com/dlion/smagenBot](https://github.com/dlion/smagenBot)

------
thelad
I'm guessing this was inspired by IRC eggdrop bots? Seem awfully similar, just
different comms mechanism

------
ohitsdom
I don't have any experience with Telegram. Can anyone share how it compares
with Slack?

~~~
eertami
They have completely different goals, Telegram is a competitor to
SMS/WhatsApp, not Slack/IRC.

------
avens19
This is great, nice work guys

------
ommunist
PingBot for server health monitoring anyone? or we'll just spam chats with
ELIZA clones?

