
Telegram stalking - bolland
http://oflisback.github.io/telegram-stalking/
======
kobayashi
For those wondering, head into Settings > Privacy and Security > Last Seen to
change the setting. Available options are Everybody, My Contacts, and Nobody.
Manual overrides for specific contacts can be toggled with the Always Share
With setting.

~~~
vayan
It doesn't stop showing you as "online" when the app is in the foreground.

~~~
TelegramApp
Yes, it DOES stop showing you as online. If you are not sharing your last
seen/online status with somebody, he will NOT see you online, regardless of
the app they are using.

There is one exception to this: people will see you online for a brief period
of time right after you send THEM a message (otherwise it would feel like
talking to a wall).

See: [https://telegram.org/faq#q-can-i-hide-my-last-seen-time](https://telegram.org/faq#q-can-i-hide-my-last-seen-time)
And: [https://telegram.org/faq#q-who-can-see-me-online](https://telegram.org/faq#q-who-can-see-me-online)

------
crypt1d
So basically, somebody could use telegram metadata to see when I came
online...on telegram? And they could also make a best guess at who I'm talking
to? You don't even have to go to the CLI client for this, the 'target' status
is visible on the top of every conversation. Pretty much any chat client I
could think of has a feature like this.

Seriously, how is this even on the front page? It seems that people lately are
coming up with excuses to call out any app/software/company based on privacy
concerns, just so they get some attention.

~~~
detaro
Which other chat clients reveal if they are the foreground app right now or
not? I haven't come across any as far as I remember (I don't use that many
though). How many of those reveal it to everybody, without any confirmation?

(And even if it were general default behavior, that doesn't mean it isn't
pretty crappy from a privacy point of view)

~~~
joshvm
WhatsApp will hide last seen, but will still show you if a user is online
instantaneously - you'd have to have their conversation open.

Facebook too, will show a user as instantaneously online even if they have
chat turned off for you (I think). On the plus side, Facebook recently
disabled API access for online/offline status of your friends unless they've
consented.

~~~
ljk
> _Facebook recently disabled API access for online/offline status of your
> friends unless they've consented._

Is this for just the messenger app or the facebook mobile app?

~~~
joshvm
It's for the graph API, which I have no experience with, but I guess it covers
both?

The limitation is in the API only, you can still see the statuses in-app and
online, but you would have to resort to a webscraper to get them.

------
rnhmjoj
I realized this as well the first time I logged into the account of the bot I
develop and maintain: it's quite creepy.

I'm open to changes but I absolutely need a system with a desktop client and
an API or something to interface it with hubot. So Signal, as the author
suggested, is not a valid alternative for me.

~~~
Legogris
Same here. I will migrate to Signal and try to convince my network to do the
same the second there is a good cross-platform desktop app and all clients
have full functionality.

~~~
newman314
I've been experimenting with ricochet.im as a desktop client.

Ideally, it would be great if Signal and Ricochet could merge best of breed
features. That could mean a unified app across mobile and desktop with good
security over Tor...

~~~
slasaus
A downside with Ricochet is that it reveals when you are online to anyone who
knows your id.

> Anyone with the onion address can still estimate availability by watching
> descriptors

[https://github.com/ricochet-im/ricochet/issues/155](https://github.com/ricochet-im/ricochet/issues/155)

------
unicornporn
Speaking of third party clients... Does anybody know a good way to
export/backup all of your Telegram conversations? I see there's a history
command in [https://github.com/vysheng/tg](https://github.com/vysheng/tg), but
it doesn't look like it will do what I want. I.e. dump each separate
conversation.

~~~
ju-st
The "tdata" folder of my Telegram Desktop installation contains probably all
my conversations, but the files are apparently encrypted.

------
_jomo
I've been more and more concerned about Telegram recently. Here's a mail I
sent them recently covering most of these concerns. Naturally, I got no
response.

"Hey there Telegram!

I have been an early Telegram user since late 2013 and was highly optimistic
that it would become a perfect messenger. It's quite perfect from a UX point
of view – which is important to gain users – but other things aren't that
perfect.

You claim to be open and secure, but taking a closer look that doesn't seem to
be true. Your API is open and the client apps were released as open source,
but your server-side code remains closed source. It's been 2 years now and you
still haven't open sourced the server. Do you still plan to release it? You
say that you will eventually add paid options, which doesn't seem to be
compatible with open-sourcing the server.

Of course one would have to trust you that you actually use that version of
the server on your side, which leads to the second issue that concerns me. You
advertise being secure a lot, but default chats don't use end-to-end
encryption and secure chats aren't even possible for group chats. Even for
encrypted chats a bunch of concerns were raised by much respected people in
the security community, I'm sure you are aware of that and will not brag about
that here.

I opened an issue on the Android app's issue tracker in early 2014 about
end-to-end encryption ([https://archive.is/9SfYt](https://archive.is/9SfYt)).
There have been dozens of comments on that issue, discussing how it could be
implemented but there was no official reply by the Android maintainer or any
official Telegram account, despite numerous attempts.

The Android app's maintainer also doesn't seem to understand version control /
git and commits tons of changes in a single commit and also doesn't use tags
for versioning. He also doesn't merge pull requests but rather includes them
in his large commits (thus also removing all attribution). There are also
binary blobs in the source code and there are various licensing issues. All
these issues have been raised but the Android maintainer doesn't seem to care
about it.

The issue tracker for that app has now been closed by the maintainer and there
was no explanation for this. Several people tried several times to reach out
to the maintainer, but he never replied. I believe this is a huge problem for
a security app, and for open source apps in general.

Last but not least, the current version of Telegram on the Google Play Store
(3.2.4) is not open source.

Of course, client apps don't have anything to do with the server
implementation, API, or general issues about Telegram. You've linked a Trello
board somewhere deep on your website, but the link is broken. It's a major
issue that there is no way to discuss problems, feature requests, or ask
questions to the developers (we don't even know who the developers are). There
is a community-run Telegram support account and a press contact and there's
this email address and a Twitter account. Obviously none of these work as a
discussion / issue platform, and you don't seem to reply to Telegram questions
or Twitter.

A very good way to fix this is creating an organization account on GitHub and
create a repo where you can use the issue tracker and wiki. You could also
move the "official" clients to that account to have them at one place and you
could use it to open-source or document other things related to Telegram.

It's also not clear at all who runs Telegram. All your website says is that
it's financially supported by Pavel Durov and technically supported by Nikolai
Durov. Your official apps and AS Networks are registered by "Telegram
Messenger LLP" or "Telegram LLP" and your website claims your headquarters are
based in Berlin, although no such company seems to be registered in the EU.
You are legally required to publish your address and contact information to
comply with German law §5 TMG. Additionally, both the LLP's and Nikolai's
address are apparently at (different) British P.O. boxes. Is Nikolai the only
developer or are there more? How are the official maintainers related to the
LLP? Are they paid? Are they employees? Are there any employees at all? Who
runs the company?

I'm really trying to not hate you and hope that you are what you claim to be,
but it seems like you advertise security and openness successfully, so that
the average user and the press buys it, but taking a closer look you seem
rather shady without being very open. I feel very sad about this and hope
you'll improve that.

Please shed some light and address these issues, most importantly a public
issue tracker / discussion forum.

Thank you! – jomo"

~~~
ex3ndr
Just use Actor.im. I worked at Telegram and because of its closed-source
policy quit and reimplemented server based on same ideas.

After a year we are already a well-established company and a fully open source
platform.

~~~
gnud
A beautiful site devoid of any technical or pricing details, and the 'contact
us' button doesn't even work.

------
stevebmark
So if you have every possible iteration of phone numbers in your contact
list, you could find every single Telegram account? How is this not a
published attack vector?

~~~
ahelwer
Similar to how Snapchat was hacked last year:
[http://techcrunch.com/2013/12/31/hackers-claim-to-publish-li...](http://techcrunch.com/2013/12/31/hackers-claim-to-publish-list-of-4-6m-snapchat-usernames-and-numbers/)

~~~
Buge
I tried to post a link to that on reddit back when it happened, but I got
shadowbanned.

I was posting a link to a link to personal information (the phone numbers were
censored in the version I referenced) and thus it was considered witch
hunting.

Witch hunting every single user of Snapchat...

------
drvortex
Well, at least Telegram is open source. So this is something that is easily
fixed.

~~~
bqe
For those that missed the sarcasm, Telegram is not open source:
[https://telegram.org/faq#q-why-not-open-source-everything](https://telegram.org/faq#q-why-not-open-source-everything)

~~~
detaro
The client apps are, which might be enough

------
sashk
ICQ (remember that one?) used to show when user logs in, or logs out - without
need to add user to contact list and get his/her authorization. I used one
terminal client to monitor when I get disconnected to see how "stable" my
connection was. So this is not new.

~~~
tshtf
It may not be new, but ICQ never made the security claims of Telegram.

------
mbloom1915
signal >>>

~~~
newman314
While I'm generally on the Signal bandwagon, I don't buy the previously given
reasons for using telephone numbers as endpoint identifiers.

What I would like to see is the ability to periodically regenerate endpoint ids
like what Burner does for phone numbers. Also, optionally add the ability to
traverse Tor like ricochet.im

That would be nice.

~~~
chmike
This would also allow using it from wifi tablets. The suggestion to be able
to change end point identifier is excellent.

------
profeta
telegram is slightly better than the alternative, such as whatsapp.

only problem is that nobody uses it. so i might as well not use as well. which
increases the problem that nobody uses it.

it is really hard to break into the IM market.

~~~
arnvald
I'd say the opposite - to me IM market seems pretty dynamic, and it's not
dominated by one player. I myself use a few different apps: iMessages,
Facebook Messenger, Whatsapp, Skype, Google Hangouts. Then there's WeChat
(huge in China), Line (big in Japan and Korea). I've also met quite a few
people using Telegram.

~~~
collyw
Probably depends on your friends. I bought an Ubuntu phone and it's a struggle
to get people to switch from Whatsapp to Telegram.

------
piplgobde
Can't even use signal on my phone, due to not having GAPPS installed.

It's too bad, because I would use it otherwise.

------
juskrey
Everything by Durov is a sucker trap.

