
Telegram Isn't for Sale - kaiyi
https://www.bloomberg.com/news/articles/2017-12-12/cryptic-russian-crusader-says-his-5-billion-app-can-t-be-bought
======
baybal2
FYI: While they claim being hounded back in Russia, and that they will be
instantaneously jumped upon by 3 letter services if they were to run there,
they were proven to have a huge office there as well as their main server
infrastructure.

Another red flag is that they were never blocked in Russia.

They look suspicious.

~~~
eps
Got a source for the first claim?

Second would've been a red flag if the Russian gvmnt would've been routinely
blocking other chat systems.

~~~
Grue3
Russian government _is_ routinely blocking other chat systems. LINE, KakaoTalk
and WeChat are currently banned.

~~~
Dolores12
> LINE, KakaoTalk and WeChat are currently banned.

No they are NOT banned, I just tried Line & WeChat.

~~~
Grue3
Maybe you got lucky with your ISP, or the apps learned to work around the
block. My home ISP definitely blocks Line website. There are plenty of news
sites reporting on the blocks, such as [1]

[1] [http://money.cnn.com/2017/05/08/technology/wechat-blocked-ru...](http://money.cnn.com/2017/05/08/technology/wechat-blocked-russia-china/index.html)

~~~
Dolores12
I have checked blocklist, indeed line.me is blocked[0]. I have tried to run
application.

[0]
[https://reestr.rublacklist.net/rec/170456/](https://reestr.rublacklist.net/rec/170456/)

------
yeukhon
> The locations of his servers are a secret, as are many of the names of his
> employees, several of whom he’s said are fellow millionaires.

How is that possible? Are the servers behind an onion network?

~~~
em3rgent0rdr
If the locations of his servers are merely a secret, isn't that just security
through obscurity? Isn't that a serious weakness? Or is there a more advanced
way his servers are kept secret than merely being a secret?

~~~
K0nserv
A common misconception with "Security by Obscurity" is that it's always a bad
thing.

It's only a bad thing if the obscurity is critical to the security of what you
are protecting. For example if you make your API completely open, but obscure
it inside an app and make the domain hard to discover e.g. a random string
that's obviously not good.

However if you use obscurity as an extra layer in a system that is secured by
other means such that removing the obscurity would not have an adverse effect
on the security of the system that's fine. Hence there's no reason not to
obscure things to make it more difficult for an attacker as long as that's not
all your security.

~~~
twhb
I’d counter that the security benefit may be so small as to underweigh the
hassle and bug potential of those obscurities.

... and counter myself by reminding that all computer security is obscurity,
just varying levels.

I think, in the end, we do need to measure things :)

~~~
K0nserv
You might very well be correct that it's not worth it, but it doesn't counter
my point.

------
rkachowski
I haven't used telegram for a while, but the last time I used it e2e
encryption was only an optional feature (secret conversation) instead of the
default option. How does this compare to Signal or WhatsApp which both have
e2e enabled by default?

~~~
samat
They have opted for user convenience on this matter. Fully searchable history
of all communication synced on all your devices. A nightmare for a dissident
attacked by state, but convenience 90% of the population should not be
stripped of.

~~~
slazaro
Is it technically impossible to have end to end encryption with full history,
even synced? As long as you have the decryption key, you could have synced
encrypted history, the best of both worlds, right?

~~~
samat
Consider you’ve lost all your devices and logged in to a service. It either
can decipher your history or it can’t. And if it can (which is convenient) -
why have an e2e in the first place?

~~~
drdaeman
Revoke the key, so the lost device won't be able to read the new messages.
What the device already knows - it just can't be helped.

This is irrelevant to E2E or even PFS. Basically, it's about message archive
security - either it's leaked (and no amount of encryption and authentication
would help) or not.

E2E systems can sync message history - by mutually verifying device keys and
then propagating data across such trusted links. I mean, if someone can send
you a large file there is no reason one of your devices can't send a message
to another of your devices, with a large encrypted blob of what it knows about the
past. And if all devices (including possible server-kept archive private key
derivation passphrase) are lost, then message history is gone.

~~~
niij
> And if all devices (including possible server-kept archive private key
> derivation passphrase) are lost, then message history is gone.

If a server can decrypt your messages, then it's not really E2E anymore, is
it?

~~~
drdaeman
I believe E2E means that data is encrypted and decrypted on endpoints and
nothing else. It doesn't imply how the keys are produced or who else knows the
keys.

But I was thinking about a scheme, where the key is encrypted with a
passphrase (that the user ought to remember) and kept on server. You fetch the
blob, decrypt it (server can't), get the key and thus are able to decrypt the
existing data (message archive).

This lowers security, but adds a significant convenience of being able to
recover history if the only device is broken or lost. Which may be important
for casual users.
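
The passphrase-wrapped archive key described in the comment above, as an added example that is not part of the thread. The function names, the iteration count and the construction (PBKDF2 output used as a one-time pad over the 32-byte key plus an HMAC tag, standard library only) are assumptions for illustration; a production client would use a vetted AEAD key-wrap instead.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor; it is the only brake on offline guessing


def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def wrap_archive_key(archive_key: bytes, passphrase: str) -> dict:
    """Client side: build the blob that is uploaded to the server."""
    if len(archive_key) != 32:
        raise ValueError("archive key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(archive_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_archive_key(blob: dict, passphrase: str) -> bytes:
    """New device: fetch the blob, verify it, then recover the archive key."""
    pad, mac_key = _derive(passphrase, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or tampered blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def demo() -> bytes:
    """Constructed scenario: every device is lost, only the passphrase survives."""
    archive_key = secrets.token_bytes(32)  # key that encrypts the message archive
    passphrase = "correct horse battery staple"  # constructed sample value
    server_store = {"user-1": wrap_archive_key(archive_key, passphrase)}
    # The server holds salt, wrapped key and tag, but never the passphrase,
    # so it can only recover the key by guessing passphrases offline.
    recovered = unwrap_archive_key(server_store["user-1"], passphrase)
    assert recovered == archive_key
    return recovered
```

The security of the archive then rests on the passphrase strength and the KDF cost, which is the trade-off the comment calls lowered security.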

------
Aoyagi
Well, I wouldn't trust Telegram with something really secret and/or sensitive,
but as an every day IM/calling client, it sure got even more sympathy from me
by this.

------
buovjaga
> Telegram, which is open-sourced

The server-side code is not open.

~~~
samat
And mobile app repos are not updated regularly, too.

------
alien2003
Telegram is FSB's spyware. Their main office is in St. Petersburg and
telegrams are still not blocked in Russia but in Russian television they
always talk about ducking crazy super duper Telegram security and how
difficult it is to beat for FSB

------
b3lvedere
I'm still not sure which one is better: Signal or Telegram.

~~~
omnimus
Signal. Telegram is a business run by a millionaire who is having fun. Signal
is run by well known security expert / activist and his very transparent
company Open Whisper Systems.

The way Signal tackles the problems is smart gradual development and they are
the closest to making the holy grail - e2e encryption without users even
noticing it. There are no "secure" and "not secure" messages in signal - it is
all encrypted and you can't turn it off. That's awesome.

~~~
Mithaldu
You're making the mistake of assuming "better" is a single vector.

Signal is more secure, yes. However its UI, UX, accessibility, feature sets
and performance are absolutely in baby shoes.

------
IBalic
> A lot of people in the western world don’t realize how much taxes limit
> their options. You can end up paying almost half your income in taxes, which
> basically means you’re working for the government for 180 days a year. I
> think I can find better ways to use the money I make for the benefit of
> society.

ok, so he's basically suggesting to get rid of government. I respect different
stands on the size/role of the government in society, but this is just a weak
argument. What works out for him, won't work out for everybody.

~~~
mrwong
Tax burden in Germany for middle class is at around 70%. Being a software
engineer in Germany means that you code 8 months for the government and 4 months
for yourself.

The western governments introduced more and more “hidden” taxes. So just
looking at income tax is not fair.

Just because he advocates for lower taxes doesn’t mean he wants anarchy.

~~~
_s
> Tax burden in Germany for middle class is at around 70%. Being a software
> engineer in Germany means that you code 8 months for the government and
> 4 months for yourself.

> The western governments introduced more and more “hidden” taxes. So just
> looking at income tax is not fair.

Please don't pluck figures like that out of thin air - I worked in Berlin as a
developer and I easily took home ~60% of my monthly salary (placing tax at
around 40%).

Those taxes already comprise of Social Security* (roughly 20%) and income tax
(the remainder 20%).

* Health, Retirement, Unemployment etc.

~~~
krrrh
You’re not counting VAT which is 19% of most of what you purchase. Corporate
tax is largely bundled into consumer prices as well, and depending on your
consumption patterns, and transportation choices there are other taxes that
apply. In no way is this list exhaustive.

~~~
SyneRyder
There's also the compulsory 9% Church Tax in Germany, unless you formally
renounce your religion:

[http://www.telegraph.co.uk/news/worldnews/europe/germany/113...](http://www.telegraph.co.uk/news/worldnews/europe/germany/11380968/Compulsory-income-tax-on-Christians-drives-Germans-away-from-Protestant-and-Catholic-churches.html)

Notably: _" The changes include German banks now having to withhold the tax on
capital gains of account-holders who are church members."_

~~~
germanier
It's 8-9% of your income tax – so in reality maybe 2% of your income or less.

This tax is levied by the churches. You may be against the fact that they get
this right because you support a more strict separation of church and state
(which is not in the spirit of the German constitution) but this is hardly
something the state is to blame for.

~~~
reitzensteinm
It's opt out, which is pretty evil. You can absolutely blame the state for
that.

[https://www.settle-in-berlin.com/stop-paying-german-church-t...](https://www.settle-in-berlin.com/stop-paying-german-church-tax/)

~~~
germanier
It is not opt-out. Everybody who pays has opted into the system (or in most
cases their parents did[0]). Catholic foreigners might be surprised that the
Catholic church is considered a single world-wide religious community. If they
move to Germany they will be taxed even if they are not religious (because
they haven't left – which is in some countries hard or impossible). This is a
thing the Catholic church does to their members, not the German state.

[0]: It is not a regular contract but even those can bind you if your parents
entered into them in your name.

~~~
reitzensteinm
You immigrate to Germany as an atheist with no affiliation to any church, but
answer questions about your upbringing truthfully.

You're then taxed 2% of your gross income unless you pay a fee and visit
multiple government departments. The money is distributed to private parties
with little oversight on its spending. This is enforced by the same body and
with the same penalties and rules as other forms of taxation.

I think at this point, we're arguing about the definitions of "opt out" and
"enforced by the state". "Evil" is open to interpretation, but I stand by it.

[https://www.reddit.com/r/germany/comments/41305s/church_tax_...](https://www.reddit.com/r/germany/comments/41305s/church_tax_is_a_scam_why_is_this_still_a_thing_in/)

~~~
germanier
It's exactly what I said above: The Roman Catholic church is a single world-
wide entity and if you become member in one country your rights and duties
carry over to Germany if you move here.

> but answer questions about your upbringing truthfully

Whether or not you answer questions truthfully has no impact on taxation. You
might get around paying it if you lie but you are still liable for the tax.

> same penalties and rules as other forms of taxation

It is not, here is a decent publicly available primer:
[https://www.hrr-strafrecht.de/hrr/archiv/08-08/index.php?sz=...](https://www.hrr-strafrecht.de/hrr/archiv/08-08/index.php?sz=11)
In short: The usual tax
offences don't apply to church tax.

~~~
reitzensteinm
> When their personal data is recorded at the authority, those concerned are
> asked, among other things, about their religious status. The official's
> question is not: "Are you a member of the 'Körperschaft des Öffentlichen
> Rechts Katholische Kirche Deutschland'?" That would be correct. They would
> accurately answer No to this question, because they were baptized in their
> home country and not in Germany.

> Instead the official, unaware of the situation, simply asks: "Are you
> Catholic?" or "Are you baptized?" Those concerned do not recognize the
> German-Catholic problem bound up with the question and answer Yes if they
> were ever baptized. The official then records the corresponding denomination
> marker in the files. This assignment of the label "kath." means that from
> this point on those concerned are carried by the state administration as
> members of the "Körperschaft des öffentlichen Rechts Katholische Kirche
> Deutschland", with all the consequences.

[https://hpd.de/node/14728](https://hpd.de/node/14728)

They ask if you're baptized, which can be true if you're an atheist. This
saddles you with a tax obligation that you must then opt out of even though
you're a member of no religion. The tax is collected by the state.

I think you just want to argue. That's enough for me.

~~~
germanier
Sorry, that page is a complete misinterpretation of the actual laws. This
question is only of declaratory nature of already established facts and has no
influence on the actual taxation status (if it ever becomes a court case that
is thoroughly examined). You do not become a member of a religious entity by
answering a question there (the state has no power at all to decide on
admitting new members) – mistakes made while filling the form are always
curable. It's the same thing as with marriage status on the same form: You do
not simply become married by answering a question there wrongly nor can you
claim tax benefits by doing so.

There is no difference between the "Körperschaft des Öffentlichen Rechts
Katholische Kirche Deutschland" and the worldwide catholic church. That's a
single entity.

(I say that as a non-religious person that never has been a member of a
religious entity. If a community decides to tax its members they should be
free to.)

------
sitepodmatt
cue ICO...

------
thisisit
> He sees Telegram as a charity that he’ll start to monetize early next year,
> but only enough to fund expansion.

Charity and monetization don't go hand in hand.

~~~
simonbarker87
Yeah they do, charities are just businesses that don’t distribute profits to
shareholders. Making money or not has nothing to do with charity status -
it’s about what you do with the profits.

~~~
randomThoughts9
This is a very recent interpretation. It is legally true, but it goes against
the true meaning of the word.

When you work for a charity, do you ask for a raise? Do you get a bonus if you
collect more money? How much do you get to keep?

Not even mentioning that sometimes the money goes through a chain of
charities, all making a living out of it, but leaving almost nothing for the
final beneficiary.

~~~
HatchedLake721
For you -
[https://www.ted.com/talks/dan_pallotta_the_way_we_think_abou...](https://www.ted.com/talks/dan_pallotta_the_way_we_think_about_charity_is_dead_wrong/up-next)

------
peterburkimsher
He is getting "buy-in offers like those he's received from some of Silicon
Valley's biggest names".

I got one of those this week, and I'm very excited. I haven't yet chosen how
to respond. Please discuss it at my Ask HN:

[https://news.ycombinator.com/item?id=15902196](https://news.ycombinator.com/item?id=15902196)

