
Security Analysis of Telegram: 6.857 Final Project [pdf] - lainon
https://courses.csail.mit.edu/6.857/2017/project/19.pdf
======
vanilla_nut
Even as a final paper for an undergraduate class, this is pretty light on
details and doesn't appear to have even undergone basic editing. The "exploit"
is only a couple pages of bare discussion that's very similar to the
defaultnamehere discussion of Facebook Messenger from over a year ago.

Given the skimpy details and lack of citation of the exploit's inspiration...
I'd probably give this a C- at best. I really wish people in CS would ask
friends to peer review their writing, because a lot of writing (not all, but a
_lot_) is awful.

~~~
justboxing
> because a lot of writing ... is awful.

Yes. I was expecting to see an Architecture Diagram in the section titled
Architecture. Instead, there's a screenshot of the app.

------
sjroot
I think it is important to note that this is a final paper for a course at
MIT. I would not hold it to the same quality standards as novel, peer-reviewed
research.

~~~
lucb1e
There are LaTeX errors, jokes... but of course the content is what counts,
and I don't see anything noteworthy there either. It's a good writeup of what
is quite well known (if you're into this kinda thing anyway) but it's not
research. I wonder whether they passed the course.

~~~
sjroot
It appears to be an introductory computer and network security course for
undergraduates. With that in mind, it seems like they did a good enough job,
though I agree that the jokes are distracting.

I was only curious as to why this was submitted to HN.

~~~
robobro
``Lainon" is a term for a user of Lainchan, a 4chan-alike for programmers. It
could be that someone in that community wrote that paper or found it
interesting.

------
aaronmacy
Professionals anonymously ripping apart a non-anonymous undergraduate paper
:clap:

~~~
CapacitorSet
I think nobody would mind criticising the paper with their name and surname.
It is an objective fact that the paper contains grammar mistakes, jokes, and
no original research - it is hardly defamation or libel to say so.

------
tobscore
The CLI isn't even an official client. And the open source projects on GitHub
are not up to date either. This could've been researched easily.

------
iamandoni
Everyone is bashing this as if it's a peer-reviewed paper... Note, guys: this is
just two students' final project for a class, not some security experts'
publication.

------
fareesh
Similar exploit published by an engineer earlier this month on WhatsApp
[https://robertheaton.com/2017/10/09/tracking-friends-and-str...](https://robertheaton.com/2017/10/09/tracking-friends-and-strangers-using-whatsapp/)

------
yummy
Why is this even upvoted and discussed?

~~~
kbart
Because it's from MIT? It's a golden standard when it comes to technology, so
I guess everybody was expecting some super-mega-hack and were disappointed to
find just a mediocre essay that one could expect to see on some noname, local
university.

------
Anon1096
The paper is very light on details. I'm a little surprised MIT published this
actually. It doesn't present anything new, and hinges on vulnerabilities since
fixed to say that there are definitely new ones. Snooping on friends by
looking at when they are online is interesting, but something known for a
while and circumventable by just changing who can see your online status (I
think it's people on your contact list by default). If you're expecting a
security vulnerability, this isn't the paper to find one in (not that rolling
your crypto is a good idea).

~~~
lwf
6.857 is a class taken by undergraduates, and this is a final project paper,
not a published paper.

------
morpheuskafka
I sure hope this is a preprint because I caught three obvious grammar errors
in the first 30 seconds of reading.

------
elSidCampeador
Guys use the ` character for the beginning double quotes

------
3327
MIT needs to peer review before publication this document is full of grammar
errors.

~~~
saagarjha
As is your comment, coincidentally. This is just a student’s project paper,
not an actual research paper in a journal. I wouldn’t hold it up to that
standard.

