
Pavel Durov: “last year we had two attempts to bribe our devs by US agencies” - gukov
https://twitter.com/durov/status/873868773119451136
======
DKnoll
Signal is on Github. You can audit it if you want.

Telegram is closed source with a proprietary crypto implementation.

I know how I'm placing my bets.

Also Telegram is a much better target for US intelligence, it's the messenger
app of choice for ISIS.

~~~
guelo
There's no way to verify that the Github code is what is distributed by the
app stores. To look for backdoors you would have to audit the binaries, which
you can also do with Telegram. And you have no visibility into the server
code.

~~~
daxorid
Right. And while I generally dismiss conspiracy theories about the protocol
itself (and have great respect for moxie), the _one_ thing I find very curious
is their staunch refusal to implement anything other than phone numbers as
account identifiers.

There's absolutely no reason not to, and yet they refuse to do it.

~~~
xap
Usability. As soon as you install Signal you can message all your friends
(whether they have Signal or not), because you already have their phone
numbers.

This feature is possibly the most important reason that Signal has seen
widespread adoption in average-user land.

Signal makes a lot of decisions for you, which enrages nerds but is actually
pretty appealing to everyone else.

~~~
LyndsySimon
> As soon as you install Signal you can message all your friends (whether they
> have Signal or not), because you already have their phone numbers.

I had no idea. I've played with Telegram before but didn't know anyone else
that used it. I was looking for a new SMS app now that Google Hangouts no longer
allows you to consolidate carrier and Google Voice SMSs in the same app -
switching to Signal means I get the security portion for free.

~~~
nindalf
You're probably already aware but just to be clear, Signal offers no security
related benefit while using ordinary SMS. Only messages sent to another Signal
user are encrypted.

~~~
LyndsySimon
Yep, intuitively I saw no way it could, except perhaps offering at-rest
encryption of message history on your device.

It gives me one place for encrypted and plain-text SMS though, and that's a
very good thing.

------
daxorid
Some context for this tweet: infosec twitter has been going absolutely nuts
over Durov's conspiracy theory over Signal's USG funding in the last couple
days:

https://twitter.com/matthew_d_green/status/873564030400638976

------
throwaway-1209
I think he meant to say "two unsuccessful attempts". Who knows how many
attempts were actually successful. I sometimes wonder what percentage of e.g.
Facebook, Google, Microsoft etc are covert NSA/CIA agents. I'd be willing to
bet my own money that the number is not zero for any company of any
significance.

~~~
talmand
I think bigger, what percentage of workers in all industries throughout the
world are covert government agents of one form or another. Not just US on top
of that. I'm willing to bet it's much higher than one would think.

------
dkarapetyan
Pretty weird statement to make. Why are people buying into the drama? The US
government funds all sorts of basic research, implementation, and
infrastructure work. The modern web would be impossible without government
funding. I see no problem with the government funding work on Signal.

~~~
c0nducktr
Yasha Levine has been promoting this view for years now. He doesn't appear to
have a complete understanding of the technology he writes about, but still
makes these accusations that anything the USA spends money on must be
compromised.

See: https://pando.com/2014/07/16/tor-spooks/

another:
https://surveillancevalley.com/blog/government-backed-privacy-tools-are-not-going-to-protect-us-from-president-trump

and another:
https://pando.com/2015/03/01/internet-privacy-funded-by-spooks-a-brief-history-of-the-bbg/

He brings up some good points, but then jumps to conclusions which don't
actually seem reasonable.

~~~
wuch
I kinda wonder if he will eventually substantiate his claims in the book he is
working on now: "Surveillance Valley" (planned for release in 2018). Otherwise
what he is doing now, with all those grandiose conclusions, seems pretty
harmful for actual security and privacy of users.

------
yehi
Does anyone have thoughts on XMPP? If I understand correctly it is a group /
private chat protocol similar to email in that there is a protocol that can
allow you to communicate to each other. Similar to email there are many
companies that offer software that can communicate with any other software
using that protocol.

Since it is simply an open protocol if one app gets compromised, users can
easily switch to another without having to worry about losing touch with
their contacts.

~~~
ruste
I'd also be interested to hear an expert's thoughts on this. Could this be
asked as a question in a thread of its own?

------
lawnchair_larry
This is standard MO for the feds, so probably not a lie. They do this to
everyone.

http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/

------
guelo
Not saying it didn't happen since there's no way to verify/falsify it, but I'd
take it with a giant grain of salt. Telegram vs Big Bad USA is a great
marketing story for Telegram.

------
mtgx
Relevant:

http://securitywatch.pcmag.com/security/319544-what-it-s-like-when-the-fbi-asks-you-to-backdoor-your-software

------
ColinWright
... that we know of ...

