
The story of Telegram or “Why you shouldn’t listen to Hacker News” - paulmillr
http://paulmillr.com/posts/the-story-of-telegram/
======
ghshephard
I don't have flesh in this game one way or another, but when I read the
article, it seemed to be a pretty damning indictment on Telegram, probably not
what the author was trying to communicate.

I think the gap in understanding here is that when it comes to security,
cryptography in particular, it's not the case that the critic has to
demonstrate where something is broken; the responsibility is on the part of
the developer to prove that, in every possible manner, the system is secure.

The telegram people, on the surface, don't appear to be familiar with the
crypto-community best practices, and, as a result, are unlikely to have made a
product that would survive any real scrutiny, and highly unlikely to survive
any actual attack on their protocol, should any adversary desire to do so.

~~~
sparkie
It's not some third party adversary to be worried about, but an internal
adversary who might harbor ill intent (or even if they mean well, might be
forced to become evil under secret court orders.)

Telegram are advertising a system which they claim is encrypted end-to-end,
which means that even with physical access to the servers which are routing
messages, one would not be able to perform MITM attacks. However, the contest
is an obvious farce because they're asking only to demonstrate flaws which can
be done externally without the same access to servers that Telegram have.

It's obviously simpler for someone knowledgeable in cryptography to be
critical in a few sentences than to demonstrate vulnerabilities with actual
proof of concepts which require lots of work for no apparent gain other than
to make a point. If Telegram were offering $100k for every flaw found in their
system though, you can bet that there would be less mouthing on HN, because
people would direct their effort at demonstrating the flaws.

~~~
ghshephard
Right - in this scenario, a user should absolutely consider Telegram to be the
adversary. If they can read a message that is sent from one user to another,
then the system is broken.

------
DennisP
So in sum:

- Telegram said they were super-secure

- A bunch of skeptics on HN posted long comments saying why Telegram wasn't
actually secure

- A few days later, someone broke Telegram

- Therefore, don't listen to HN?

~~~
mangeletti
I feel a little bad for Telegram, but at this point, I think what they have is
marketecture.

------
tptacek
You shouldn't listen to Hacker News because I might write a 1000 word comment
about message authentication codes and RSA padding? Ok.

~~~
girvo
Where's your math PhD???? Posting about why there are huge inherent issues in
someone's brand new protocol and having a wealth of experience in the crypto
world means nothing... Apparently?

------
moocowduckquack
_"Go make your own stuff and don't listen to HN or any other skeptical
community."_

This is fine in art, but it runs into problems when you start doing
engineering and it makes absolutely no sense whatsoever in cryptography.

------
girvo
You're joking right? Also, telling TextSecure to go make their protocol
better... Have you even seen their new ratchet? It's awesome. I think you have
no idea what you're talking about... I'm sick of attempting to show people
like the OP why they're wrong, why Telegram is currently dangerous to rely on
for anything secure, and why TextSecure isn't. Also, the smug crap at the end,
real classy. Sigh.

------
59nadir
Yes, god forbid you actually listen to people in the field who have been
working on what you're trying to do longer than you when they say you're not
able to promise what you're trying to promise.

This piece is garbage with a very clear undertone of bitterness that is
completely unrelated to Telegram.

------
jerogarcia
This bs reminds me of my year working in the US... everybody tries to burst
your bubble/project. I'm not saying everybody, but in my experience I have
never seen a bigger group of [Kool-Aid chuggers, one-uppers, nonsense
speakers, ass kissers (because I'm afraid of getting sacked)] like the ones I
saw during that massively painful year in the US.

------
vezzy-fnord
This entire article is such a gigantic and painful straw man that I'm not sure
if the people behind Telegram had any influence behind it.

------
Svoka
Sounds like cheap, very cheap Telegram promo. Nothing but marketing.

------
paulmillr
So this thread disappeared from the top and all pages besides Newest.

But I see a post on page 3 from 3 hours ago with 3 upvotes, so this should be
somewhere on the 1st or 2nd page.

HN mods don't like criticism?

~~~
intslack
>TextSecure folks: instead of ranting that “our stuff exists already, but we
got no money and we got no cross-platform support Y U NO USE our protocol?”
and using political tricks, go make better protocol and market yourself
better.

As DanBC posted[1] in the other thread:

>>You seem to be mistaken about why they do this. It's nothing to do with
pushing their app or their approach. They'd welcome good well-formed apps to
compete with them. But when they see an app that claims to be secure they have
an ethical duty to let people know if it is obviously not secure.

>>Most people are not bashing just for the sake of bashing. Some people need
good cryptography software to avoid imprisonment, or torture, or state-
killing. This isn't about stopping someone's teen-angsty poetry from being
discovered by a sibling, it's about protecting political dissidents from an
oppressive regime. In that context pointing out that software is broken is
not mindless bashing, it is a crucial part of the cryptography process.

>Go make your own stuff and don’t listen to HN or any other skeptical
community.

Unproven cryptographic systems masquerading as secure need to be criticized.
It is very, very dangerous when non-crypto people pretend to be crypto people
and call their systems secure.

[1]
[https://news.ycombinator.com/item?id=6949842](https://news.ycombinator.com/item?id=6949842)