
Signal’s Moxie Marlinspike calls out Telegram founder Pavel Durov - ianopolous
https://techcrunch.com/2017/09/18/signal-moxie-marlinspike-techcrunch-disrupt-sf-2017-telegram/
======
TeMPOraL
joecool1029 links[0] to an interesting Github thread[1]. It starts with Moxie
not being OK with LibreSignal using Signal's name and servers, but quickly
turns into a discussion about federation.

Moxie:

"I understand that federation and defined protocols that third parties can
develop clients for are great and important ideas, but unfortunately they no
longer have a place in the modern world. Even less of a place for an
organization the size of ours. Everyone outside the FOSS community seems to
know it, but it took actually building the service for me to come to the same
understanding, so I don't expect you to believe me."

Now, I understand Moxie's goal is to (quoting from further down that thread)
"make mass surveillance impossible for the world we live in, not a fantasy
land inhabited only by cryptonerds and moralists (...) to produce technology
that is privacy preserving but feels just like everything else people already
use, not somehow convince everyone to fundamentally change their workflow and
their expectations.", but still - is that the consensus now? That federated
protocols are dead and "no longer have a place in the modern world"?

--

[0] -
[https://news.ycombinator.com/item?id=15282380](https://news.ycombinator.com/item?id=15282380)

[1] -
[https://github.com/LibreSignal/LibreSignal/issues/37#issueco...](https://github.com/LibreSignal/LibreSignal/issues/37#issuecomment-217211165)

~~~
samtoday
Signal is built on top of the phone number system (i.e. falling back to SMS,
phone numbers as IDs). Telephony is pretty clearly a federated system -
somebody on one carrier can talk to another, even internationally.

I find it so ironic that he doesn't "support federated systems" when Signal
is tied to one.

~~~
evgen
And yet you can't create your own small phone network, assign whatever numbers
you want to your users, and expect others to interconnect with you or honor
your numbers. Telephony is federated within an internationally regulated
system; to claim that this in any way supports federation in a similar manner
as what is being discussed is to fundamentally misunderstand how the system
works.

~~~
kuschku
> And yet you can't create your own small phone network, assign whatever
> numbers you want to your users, and expect others to interconnect with you
> or honor your numbers.

Actually you can quite easily, and quite a few people have done so. Including
hacker clubs for events (the CCC operating a local custom GSM network with
their own SIMs, and working numbers a few years back for their congress comes
to mind), small ISPs with only a few hundred or thousand customers, and more.

It’s definitely possible, easy, and cheap.

~~~
detaro
I wouldn't call these event networks "part of the federated phone system".
They are clients of companies that are part of it. External numbers into these
networks are extensions of a public number they get from the upstream - just
like any company having a PBX, they do not participate in any of the inter-
provider infrastructure, do not own the phone numbers, ...

The internet equivalent to what they are doing would be getting a business
line with a fixed, provider-owned IP prefix. The equivalent to what the parent
describes would be getting a prefix delegation from a registry and peering
with other networks.

It's still really cool for island systems though, which is the more important
thing for those events.

~~~
kuschku
> I wouldn't call these event networks "part of the federated phone system".
> They are clients of companies that are part of it. External numbers into
> these networks are extensions of a public number they get from the upstream
> - just like any company having a PBX, they do not participate in any of the
> inter-provider infrastructure, do not own the phone numbers, ...

I mean, they ran their own full MVNO, with their own SIM cards, with their own
code on the cards, and operated their own tower.

That isn’t a simple number.

~~~
detaro
I meant purely from a "connection to the general phone system" perspective -
at all events I've been to, they only had internal numbers and you could be
called from the outside through an extension. If there was an event where that
wasn't the case I stand corrected.

Having the entire (mostly/entirely? open-source) GSM network is really really
cool and important, but from the perspective of the wider phone network still
"only" a "fancy internal phone system", with the limitations of control that
come with that.

------
rdl
It's frustrating that there are now so many "secure messengers" but none of
them is so much better than the others as to cause consolidation. I end up
needing to communicate over 20-30 of them with different people.

Signal has the worst app (on iOS) and worst UX of anything I regularly use.
There's unlikely to be a desktop client which is actually usable (doesn't
depend on a phone, works on platforms I care about). The app is less buggy on
iOS than it used to be, but it's still not great. Also doesn't work well with
groups. And tied to PSTN identities, and the "talk to a new person on the
street" interaction sucks. But, the most widely audited crypto, a good
development model, and good adoption within some activist communities.

Wire is great, although it's a little "game-like" vs. professional for certain
UX. I know the developers and really like it, and it's great for group chat
and desktop, but doesn't have much adoption. But, one big global system, too.

Riot/Matrix and Mattermost are nice because you can run them on private
networks. Nice apps. I've not seen as much analysis of their security as
Signal.

Whatsapp, Telegram, etc. have massive adoption. Whatsapp is now solid security
for user to user.

Apple's stuff is great but is Apple-only, and I'm wary, even if I trust the
security model, to let a single company own my OS (and update whenever,
without really auditing it) and my "end to end encrypted" apps -- way too easy
to slip in any kind of backdoor there if they want.

etc. I'd happily trade in 50 ok to good systems for one great standard and
then OS/other-application integration -- but it seems like we don't do
standards anymore.

~~~
amedvednikov
> There's unlikely to be a desktop client which is actually usable

Check out eul, it's a native desktop client for all major messaging platforms.
Signal support is coming in October. It's only 4 MB, and it can handle
thousands of messages without lag.

[https://eul.im](https://eul.im)

~~~
StavrosK
Seems to only be 4 MB because it downloads 100 MB of "embedded browser" when
you first run it. I smell an Electron.

~~~
amedvednikov
It's about 40 MB compressed, and it's only used for authentication. The app
will work without it.

I'm really sad it has to be downloaded, but there's no other way to do
authentication. Will switch to Servo once it's ready, it's only ~20 MB.

------
jabot
Originally, I didn't install Signal because I have a Google-free Android
smartphone, and Signal depends/depended HARD on the Play framework, even
though that's not necessary. [1]

> Marlinspike reiterated that the whole point of end-to-end encryption is that
> users no longer need to trust anyone if the protocol works — and Signal
> does.

But it depended on the google play framework - and I don't trust google. So
where does that leave me?

EDIT:

To reiterate: As far as I can tell Signal itself is secure enough. However,
the most secure chat app is insecure if it is run on an insecure operating
system.

Now, I don't want to start a discussion about android security. But:

- The update situation is quite bad, leaving (for example) my phone with
exploitable bluetooth

- Google itself ... could at least be coerced by a state actor into
compromising anyone's privacy

With those two facts given, the practical difference between signal and
telegram seems... less relevant.

[1]: Look at the "conversations" app. Yes, it is for XMPP, which is old and
uncool - but it (a) doesn't use the play framework either and (b) uses very
little battery on my phone, despite holding an open connection most of the
time. That IMO proves that depending on the play framework is unnecessary in
this case.

~~~
m3adow
Isn't the dependency gone now? I think I read something about using WebSockets
instead, although with more battery drain.

~~~
lucb1e
> although with more battery drain.

Telegram doesn't drain battery at all and doesn't need Google. Not sure what
Signal and others do, but of Wire I know that they drain battery as fast as if
I had a game running constantly in the background.

Signal I'd use, but it (still) doesn't work on my phone because I've got a lot
of Google software firewalled. When reporting this bug years ago it was a
WONTFIX. I also heard they removed that dependency months ago and I keep
trying every few months, but Signal won't even let me confirm my phone number
because it relies on Google so deeply, so I can't use it.

So unfortunately Telegram is still my messenger of choice: high usability,
everyone has it, it's not owned by some big corporation and it's not of the
USA, and optional encryption (for non-group chats) is better than nothing.

~~~
magic_quotes
> optional encryption is better than nothing

It's strictly worse than nothing. Opting to use _optional_ end-to-end
encryption basically shouts to your local friendly dictatorship, "Hey, look at
this person!" Would you like that kind of attention? There are no such
concerns with _mandatory_ end-to-end encryption. It probably would be banned
altogether, but that's a different problem.

------
dmix
Yasha Levine, the other person in the conversation attacking Signal's
credibility, is another person to take very lightly in these conversations.
He's a Russian pop-tech author known for his research into Russian/US
espionage, but following his twitter for the last 2yrs he also seems to dabble
in plenty of borderline conspiracy-theorist stuff. He seems to have a
strong bias against anything American (occasionally rightfully but many times
seemingly just for the sake of it). In conversations I've had with him he also
demonstrated a poor understanding of crypto/software development - but those
things are not uncommon for journalists covering infosec from the outside-in.

Either way I'm not surprised he is included here accusing Signal of colluding
with the US gov merely because it indirectly took funding... all of those
espionage fans see "US gov funding" and instantly assume collusion - but the
reality is typically much more boring. Maybe not so much in Russia where money
from the state often comes with expectation of favours in return (the opposite
of America where money going _in_ to the state demands favours in return)...

------
rdtsc
Last time I looked Telegram wasn't recommended by Moxie and a few other
people. That was 2-3 years ago. What's the status now?

They came up with their own encryption protocol and they are not trained or
known as cryptographers, that's a warning sign.

> [Durov] The encryption of Signal (=WhatsApp, FB) was funded by the US
> Government. I predict a backdoor will be found there within 5 years from
> now...

That's another red flag, needing to spread fud and lies about Signal. Another
reason not to trust Telegram. Indicates that maybe their ethics and integrity
are a bit too flexible.

> During our team's 1-week visit to the US last year we had two attempts to
> bribe our devs by US agencies + pressure on me from the FBI.

Some people might read it as "these guys are so good, FBI is begging to
backdoor them". But it can also be read as FBI suspects they are ethically
compromised and they have a chance of succeeding.

~~~
geofft
_> [Durov] The encryption of Signal (=WhatsApp, FB) was funded by the US
Government. I predict a backdoor will be found there within 5 years from
now..._

To emphasize even more why this is silly: nobody from the government (well, at
least nobody who has said they're from the US or any other government) was
involved with the actual development of the Signal Protocol. It was just
_funded_ by the government, through the Open Technology Fund, a project of
Radio Free Asia (which is itself under the Department of State; the OTF was
largely an initiative of Sec. Clinton). This is an extremely different part of
the government from _either_ NIST _or_ any of the three-letter agencies.

There has been exactly one backdoor found in crypto relating to the US
government (Dual_EC_DRBG), and it was in crypto _developed by_ the NSA and
basically pushed into a standard. It was also crypto that looked extremely
suspicious, immediately, to any cryptographer who looked at it: it had a
contrived design for no good reason, ran much slower than the existing options
in the space, and appeared to support a backdoor. A lot of people have looked
at the Signal Protocol and found nothing like this.

The US government has been accused of hiding backdoors before in one case,
DES. It turned out that they were hiding a way of strengthening DES against an
attack that was not yet public (differential cryptanalysis) but had been
discovered by the NSA. Nothing like this happened to Signal: the developers
were not told by the government "Great, just use these S-boxes instead."

(In fact, it occurs to me that there's not much room in Signal for a backdoor
along the above lines: no S-boxes, no constants, etc. The closest it gets to
that is picking Curve25519 and Curve448, both of which are well-known curves,
predating Signal, with simple mathematical descriptions that make them
essentially impossible to have backdoors. Perhaps he means that the Signal
_software_ is backdoored? But that wouldn't make sense with the reference to
WhatsApp and Facebook, and also is a much more easily disprovable assertion
than that crypto is backdoored.)

The US government also, of course, weakened crypto with the ridiculous export
rules of the '90s. But that wasn't a backdoor, and they were pretty explicit
that the intention was to weaken crypto. The OTF has no such motivation here;
their goal was to produce secure tools that can be used by dissidents around
the world, and intentionally-weakened crypto would be dangerous in such a
context.

~~~
abecedarius
I worked on three OTF-funded security audits a few years ago (though not of
Signal). No spook crossed my radar at any time. I'd have been very surprised
if any had tried to pressure us at that work; you can read Bamford or the
Snowden stories to get a better idea of how they seem to work.

(Despite having some security experience I'm not a cryptographer, and I feel
kind of silly speaking up here. But the FUD is even sillier.)

------
Fej
How ironic, the founder of Telegram - _Telegram!_ \- calling into question
Signal's crypto.

Telegram's crypto is a complete question mark. I wouldn't be surprised if it's
backdoored by Russian intelligence.

~~~
baybal2
They don't need to backdoor it. The re-transmission-with-a-different-key
feature is the very definition of a vulnerability. For as long as any
encryption protocol allows it to happen, one can trigger a key renegotiation
that can be tapped.

And it was used a few times already. Some of such occurrences were well
documented.

In 2015, in a lobby discussion at DEFCON two people confronted Marlinspike
about the retransmission vulnerability in Signal. He was asked to give a
_yes or no answer_ to whether the central server can trigger the key
renegotiation by sending the "I lost my phone" command to both parties. And he
answered this question _no_. This was long before the Guardian lashed at FB
with the backdoor article.

I personally verified this account with 2 people.

Marlinspike Moxie is a liar.

~~~
willstrafach
That is incorrect. You are talking about a design choice in WhatsApp which is
explicitly not a problem in Signal.

~~~
baybal2
Yes, this happens automatically in WhatsApp. In Signal, you will be prompted
to confirm the new key.

Still, _it is possible to trigger this process for a third party_, and then to
MITM the key exchange.

~~~
problems
Actually, in Signal, more recently, you don't even get to confirm the new
key; it just says "hey, the key changed" in the conversation text and keeps
going.

I'm not exactly comfortable with this now - it seems like someone may be able
to spam messages to hide the key change.

~~~
LurkersWillLurk
If you manually verify safety numbers and mark your contact as verified, it
will hard-stop you and require confirmation if your contact's identity key
changes afterwards.
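The two trust states discussed in this sub-thread (an unverified contact's key change is only noted and the chat continues; a verified contact's key change blocks sending until the user re-confirms) as an added illustration of the mechanism. This is not code from Signal or from any commenter; the `safety_number` derivation is a simplified stand-in, not Signal's real fingerprint construction, and the contact names and keys are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

UNVERIFIED = "unverified"   # trust-on-first-use: key pinned without user check
VERIFIED = "verified"       # user compared safety numbers out of band
BLOCKED = "blocked"         # a verified key changed; sending needs re-confirmation


def safety_number(own_id: str, own_key: bytes, peer_id: str, peer_key: bytes) -> str:
    """Simplified stand-in for a safety number (assumption, not Signal's
    algorithm): both parties hash the two (id, key) pairs in a fixed order, so
    each side derives the same 60-digit string to compare out of band."""
    h = hashlib.sha256()
    for ident, key in sorted([(own_id, own_key), (peer_id, peer_key)]):
        h.update(ident.encode())
        h.update(key)
    digest = int.from_bytes(h.digest(), "big")
    return f"{digest % 10**60:060d}"


@dataclass
class IdentityStore:
    own_id: str
    own_key: bytes
    keys: dict = field(default_factory=dict)    # peer_id -> pinned identity key
    trust: dict = field(default_factory=dict)   # peer_id -> trust state

    def observe_key(self, peer_id: str, key: bytes) -> str:
        """Called when a message arrives carrying the peer's identity key.
        Returns the event the UI would render for this conversation."""
        old = self.keys.get(peer_id)
        if old is None:
            self.keys[peer_id] = key
            self.trust[peer_id] = UNVERIFIED
            return "first-use: key pinned"
        if old == key:
            return "ok"
        self.keys[peer_id] = key
        if self.trust[peer_id] == VERIFIED:
            # Verified contact: hard stop, user must confirm before sending.
            self.trust[peer_id] = BLOCKED
            return "BLOCKED: verified safety number changed, confirm before sending"
        # Unverified contact: inline notice only, conversation keeps going.
        return "notice: safety number changed"

    def mark_verified(self, peer_id: str, number_from_peer_screen: str) -> bool:
        """User compared numbers out of band; pin the current key as verified."""
        expected = safety_number(self.own_id, self.own_key, peer_id, self.keys[peer_id])
        if number_from_peer_screen != expected:
            return False
        self.trust[peer_id] = VERIFIED
        return True

    def can_send(self, peer_id: str) -> bool:
        return self.trust.get(peer_id) != BLOCKED

    def confirm_new_key(self, peer_id: str) -> None:
        """User accepts the changed key; it drops back to unverified until
        safety numbers are compared again."""
        if self.trust.get(peer_id) == BLOCKED:
            self.trust[peer_id] = UNVERIFIED


def demo():
    """Walk Alice's store through: pin Bob, unverified change, verify, verified change."""
    alice = IdentityStore("alice", b"A" * 32)          # constructed sample keys
    events = [alice.observe_key("bob", b"B" * 32), alice.observe_key("bob", b"C" * 32)]
    alice.mark_verified("bob", safety_number("bob", b"C" * 32, "alice", b"A" * 32))
    events.append(alice.observe_key("bob", b"D" * 32))
    return events, alice.can_send("bob")
```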

------
ZoomZoomZoom
With all those controversial statements Moxie was making and questionable
decisions in development, Signal lost its initial attractiveness and, in my
opinion, relevance. Even Wire opened their server-side source code by now (not
that Signal hadn't). While this was happening, we got Matrix[0] and GNU
Ring[1] in a usable state, and I can't see any reason to use Signal (let alone
Telegram) any more.

This is all very unfortunate, because the success of this type of service
depends strongly on its initial user-base size. For a while, with the rise of
mobile there seemed to appear a critical window (from the public perspective:
ICQ forgotten, XMPP not even noticed, Skype annoyed everyone, Google Talk ?)
for a new IM to fit itself, but it seems lost. I fear enticing users to switch
to the reasonable solutions, like those mentioned, is already a Sisyphean
task. Don't know about you, but I'm not a valuable enough contact to keep one
more application installed on someone's smartphone to contact me exclusively.
"Cut showing off, use what everyone's using!" Even on the rare occasion when I
manage to successfully tempt anyone, with the first bug or UX flaw they jump
ship and become even more opposed to the idea of trying what's supposed to be
a better solution.

[0] [https://matrix.org/](https://matrix.org/)

[1] [https://ring.cx/](https://ring.cx/)

~~~
kilburn
I'm sorry to say that but... have you actually tried GNU Ring? It is the
_least_ usable IM-thingy I've ever tried.

I tried it on 3 different platforms (OSX, Android, Linux) and in every case I
found (different) experience-breaking bugs (>30min to find a contact,
registration timeouts, missing GUI buttons, and so on). Also, you can have
multiple devices connected but not all messages will reach all devices, and of
course an offline device will not receive messages sent since it was last
online.

I really wanted to like it and push for it, but I just can't in its state :(

~~~
tripzilch
Matrix/Riot.im works pretty well. It's a bit of a hassle getting the devices
verified[0], and (imho) a bit unintuitive about how it shows contacts, chats
and rooms. But it works.

[0] Tip: name the devices and remove any you don't recognize. I just have
three devices with Riot.im installed but during setup some others appeared,
maybe duplicates or a web session; I got rid of those. Fewer devices means
fewer verifications.

------
leksak
It's a struggle getting non-privacy minded people to change to Signal.

~~~
izacus
That's because they refuse to make it seamless in a way iMessage is. Or
Telegram. Both of those will work on several devices, have dedicated clients,
synchronize messages and iMessage will transparently use SMS (on all
platforms).

Signal does nothing of the sort - it's impossible to backup conversations,
they won't sync to a new device, it won't work on a tablet, its SMS support
is buggy and incomplete and their desktop client is based on a dead technology
(and limited to a single machine without SMS support). It also doesn't offer
anything over builtin SMS/call support like Telegram does. To top it off, it
hijacks the SMS store, meaning you can't even use OS-based software to backup
at least SMS conversations.

I can't give Signal to non-tech users and just say "hey, use this instead of
SMS", because it won't work and it'll lose their conversations. I can do so
with iMessage.

~~~
Vinnl
> their desktop client is based on a dead technology (and limited to a single
> machine without SMS support)

They're working on an Electron version (Chrome apps aren't dead yet, so they
still have some time), and I'm using Signal Desktop on two machines.

~~~
MaymayMaster
>Electron

Absolutely disgusting.

~~~
Vinnl
Regardless of your opinion of it, it's not "dead technology" like Chrome apps
are, i.e. apps written using it are not guaranteed to stop working at some
point.

~~~
magic_quotes
I wouldn't be so sure. Electron (libchromiumcontent) is a patchset on top of
Chromium and it can be easily broken by upstream changes.

~~~
Vinnl
But its deprecation hasn't been planned, and a binary you provide won't
suddenly be upgraded and stop working. That is not the case for Chromium apps.

~~~
magic_quotes
Yeah, I'm actually more worried about Electron devs manpower/ability to catch
regressions on the very big and simultaneously fast moving codebase where the
upstream project doesn't really care about their use cases. This must be total
PITA. Otherwise it's an ok platform, I guess.

------
bitL
Is there any messaging app that uses a single chain of US, Russian and Chinese
encryption technology so that neither of them can decrypt the whole thing? I
would only trust such an app ;-)

------
intoverflow2
I'll never understand the point of an encrypted service attached to a phone
number.

~~~
StavrosK
Ease of discovery.

------
pjs_
Moxie owns. He went in IMHO.

------
dijit
Why is anything against Telegram FUD but anything against Signal is clear
sailing?

I'm dubious about Signal, it has the same issues as most other encrypted
communication channels (metadata leakage) but surely competition in this space
is good.

Being "owned" by Facebook for me is a large red flag, as Facebook have an
incentive to gobble up data - not saying the same is not true for Telegram
either - the only messenger I actually trust is iMessage but that's purely for
reasons of: "Apple has no incentive at all to snoop".

It's not FUD to criticise Signal.

It's not FUD to question Telegram's crypto.

Holding Moxie and Durov to account for releasing servers that can actually be
used would be a great help in being able to independently assess their claims.
And even then, I might still err on the side of Durov purely for the fact that
after doing what he did (telling the Russian government they couldn't do
anything to Telegram) he fled the country, lost most of his fortune, his
company. Etc.

~~~
m3adow
Can you elaborate on the "owned by Facebook" part? I couldn't find any link
between OpenWhisperSystems and Facebook apart from OWS helping WhatsApp
integrate their crypto.

~~~
dijit
Facebook employs Moxie.

I can't find public information about this interestingly but he's on the
internal roster of employees.

~~~
evgen
Once you are on the payroll as a contractor or FTE you are in the employee DB
table and show up in the internal wiki as a current or former employee. Moxie
was a consultant with the WhatsApp team to integrate the signal protocol
(putting it into Messenger was done independently out of the London office
without direct input from Moxie or his team IIRC) so he should show up if you
do an employee search.

