
$300k for Cracking Telegram Encryption - techquery
https://telegram.org/blog/cryptocontest
======
tptacek
Obligatory:

[https://www.schneier.com/crypto-
gram-9812.html](https://www.schneier.com/crypto-gram-9812.html)

$300,000 isn't a whole lot more than it would cost to get n entire novel
cryptosystem for a complex application built out of idiosyncratic components
assessed professionally. They should just retain Riscure or Rambus to do that
for them instead of the PR stunt.

Previous thread about Telegram on HN, featuring Moxie Marlinspike:

[https://news.ycombinator.com/item?id=6913456](https://news.ycombinator.com/item?id=6913456)

~~~
kirushik
What's the mathematical expectation of "Let's pay $300K for the security
analysis?"

–$300 000, and good publicity among security experts.

What's the mathematical expectation of "Let's start a contest with $300K for
dealing with our crypto on our terms (assuming 5% of success)"?

–$15 000, and much larger PR effect. ($300K-resistant crypto, yay!)

Seems to be an easy choice, unfortunately.

~~~
hughes
They could probably even purchase insurance against their loss. They just need
to convince a prize indemnity insurance company that their security is
unlikely to be broken, which might itself necessitate a $300 000 security
audit...

------
eliteraspberrie
If no one wins the contest, it proves nothing.

But contests like this are a bad idea for another reason: people will hoard
bugs instead of disclose, sometimes for years. For example, the Pwn2Own
contest boosted the discovery and disclosure of bugs in browsers for the first
few years, but now companies have co-opted it into a marketing event. They sit
on exploits in order to win two or three years from now.

I noticed a bug in one of the Telegram clients when the first contest was
announced, but it wouldn't have qualified. Now the reward has tripled, and the
scope expanded. As the user base grows, the reward will go up again (and
again), and I'm sure no one will claim the bug since real experts have better
things to do, so maybe it's smart to wait, maybe not...

Telegram, and other projects thinking of doing this: think small. In the
lottery model, there is one big winner; you should prefer a model with many
(smaller) winners. Pay for patches that improve the quality of the code base,
fix compiler warnings, improve documentation, etc. _Many grains of sand will
sink a ship._

------
ropman76
Maybe restating the obvious, but why don't they pay out the 300k to some
professional pen testers or cryptography auditors and publish the results. At
least then they would have a shot at validity in this area.

~~~
Tehnix
They could do that: Pay $300k for professionals to maybe or maybe not find
something, and get limited PR

Or, what they do now: Get good PR and if someone manages to win the
competition, it means they found flaws which the pros would, hopefully, also
have found. If no one wins, they can then use the $300k to get pros on it.
Win-win if you ask me.

~~~
owenmarshall
> Win-win if you ask me.

For the company, maybe.

If you're a user of their half-baked crypto you're playing a high stakes game
with a partner that isn't actually interested in keeping you safe.

------
_jomo
I have different opinions about Telegram.

I like how Telegram is truly cross-platform with the clients being open source
and available on every platform. They usually look great and are simple to
use, which is why Telegram is the only non-whatsapp IM that more than 3 of my
contacts use. It also works with multiple devices connected*, which is another
pro against many other IMs.

What I dislike is that even though Telegram advertises their messages as
"private" and "heavily encrypted" on their landing page, secure chats are NOT
the default, do not work in group chats and do not work across multiple
devices. I am aware that this requires encryption for every recipient, but
that shouldn't be an issue. TextSecure actually came up with a great solution
[1] for this. What I also do not understand is why they are rolling their own
crypto. They say it's for speed and stability [2], but don't provide any facts
or measures. The fact that the server is closed source and the founders coming
from VK (a russian Facebook alternative) doesn't make this any better.

All in all I consider Telegram a great alternative to WhatsApp, but I wouldn't
rely on it for secure messaging.

1: [https://whispersystems.org/blog/private-
groups/](https://whispersystems.org/blog/private-groups/)

2: [https://core.telegram.org/techfaq#q-why-are-you-not-
using-x-...](https://core.telegram.org/techfaq#q-why-are-you-not-using-x-
insert-solution)

------
cpt1138
Have the Nigerian 419 scams gotten more sophisticated?

"Your email must contain: . . \- Your bank account details to receive the
$300,000 prize."

~~~
dvl
and what else I can do with your bank account besides send you money?

~~~
13
You'd think nothing, but people have failed attempting to prove this before.

> "But Clarkson admitted he was "wrong" after he discovered a reader had used
> the details to create a £500 direct debit to the charity Diabetes UK."

[http://news.bbc.co.uk/2/hi/7174760.stm](http://news.bbc.co.uk/2/hi/7174760.stm)

~~~
vidarh
Though the Direct Debit guarantee gives an automatic right to a no-questions
asked instant refund.

Not even having a provably validly signed mandate protects merchants against a
refund (merchants recourse is small claims court), so while it's a nuisance,
and while some people do get de-frauded by not paying attention to their
statements, the article overstates things: If he "lost" money it'll be because
he _chose_ not to demand a refund.

------
bascule
They already paid $100,000 for finding flaws in their system before:

[https://vk.com/wall-52630202_7858](https://vk.com/wall-52630202_7858)

------
jturolla
This contest is only valid if they provide access to their servers and
databases. They will never prove, this way, that Telegram cannot crack itself.

~~~
michael_h
Well:

    
    
      ...this time contestants can not only monitor traffic, but also act as the Telegram server and use active attacks

------
electic
I give them, or anyone, credit for trying to create a secure messenger. It is
not easy. However, I just wish they would release the source code to their
clients and server. They have not. That would go a long way.

~~~
tptacek
Both OTR (ChatSecure on your phone) and TextSecure are good options. Telegram
is not a good option.

~~~
rmsaksida
Unfortunately, those are not real alternatives to Telegram. Telegram is meant
to be a WhatsApp replacement.

WhatsApp thrives because in many places, SMS costs are prohibitive (so
TextSecure is not an option). In addition, it requires no registration and
doesn't rely on external services (so ChatSecure is also out of the question).

~~~
tptacek
Then use WhatsApp!

~~~
kruk
Telegram allows you to use the same account on multiple devices, which is the
main reason why I use it. It's also independent of Facebook, which many people
don't trust.

------
natch
>To prove that the competition was fair, we will add a command that returns
the keys used for encryption as soon as a winner is announced.

So, using a bug-prone process (software development) we will alter the
software after the fact to introduce a feature which, _if_ it escapes the
sandbox and gets into the wrong build, will _potentially_ reveal the secret
keys of all users.

Am I reading that right?

------
mistagiggles
Slightly off topic, but I really like their icons on their front page. Very
reminiscent of the vault boy icons in the newer fallout games.

~~~
astrodust
Those are reminiscent of 1950s marketing art.

------
higherpurpose
Which encryption? The end-to-end encryption that isn't even available by
default for the vast majority of its users, or the SSL one?

------
ecaron
When I see contests like this, my first thought always goes to "But do they
really have the money to pay me if I figured it out."

For big prize payout contests, I'd get a lot more serious if they provided
proof that the funds were waiting in escrow until end-date/winner.

But I'm probably unnecessarily suspicious of the depth of a startup's
pockets...

~~~
Geee
It's not a 'startup'. It's a project by the founders of VK, and they surely
have deep pockets.

------
scott_karana
For the cryptographic newb, can someone explain how _this_ contest is rigged,
and destined for failure, like the previous one apparently was?

The rules seem much more liberal this time, to my uneducated eyes...

Even if it's still a contest in bad faith, why _not_ break it and claim the
money?

------
VikingCoder
> Your email must contain: > \- Your bank account details to receive the
> $300,000 prize.

Uh, no.

------
orasis
Bruce Schneier on Crypto Cracking Contests (1998) -
[https://www.schneier.com/crypto-
gram-9812.html](https://www.schneier.com/crypto-gram-9812.html)

------
rthomas6
The comments here are showing me that this contest is a _good_ idea, because
everyone is talking about Telegram. It doesn't matter that they're mostly
saying they don't trust it. Without the contest, most people wouldn't even
have heard of this app in the first place.

~~~
akerl_
It's worth noting that the contest caused people _here_ to talk about how
Telegram's model of security and their approach to testing that security have
flaws.

But as is shown by the fact that they are running this contest, plenty of
people who are not here see the contest and believe it is an indication of the
trust they should have in Telegram. Otherwise, they wouldn't have run another
contest after the response on HN to the last one.

The contest is a bad idea because for the people who don't see our discussion
here, they will be tempted to trust their sensitive data to Telegram. For lots
of people around the world, that trust could put them at risk of serious harm.

~~~
rthomas6
I should have said "good idea for Telegram". I can see why the contest, and
Telegram's general approach, is a bad idea for everyone as a whole, but IMO
this is the best advertising $300,000 can buy.

