I think it's slowly high time the anti-monopolistic regulation looks into their business practices and starts considering cutting them up into discrete companies per market.
Be it messengers, social networking apps, eCommerce stores, ERP software, anything - If we choose one organization to rule them all, it won't be very long before they start showing the traits of that one Saruman's ring that rules them all.
Facebook, by doing things like this, will only hurt themselves. We've been down this road before with Microsoft. It is anti-trust, and will get them in a lot of trouble.
We the people have invented these authorities a long time ago precisely because we the people suck at making individual decisions to improve global outcomes, and we need to organize ourselves in institutions such as these to fix things.
Of course that's just the obvious consequences, ignoring the larger implications of allowing companies to place arbitrary restrictions on their services - when at the same time those services become more and more critical infrastructure.
This is fine.
However online communication is different. Imagine if the telephone company would bleep out any time your friend mentions a competitor's company. You'd never know a competitor exists. Especially if that competitor is up-and-coming and doesn't have the pockets to send flyers to every damn house in the state.
It's well past being solely an aggregator.
LinkedIn is a good tool for viewing someone's public resume, though I don't regularly log into it. Every once in a while, I'll log in to check out how a previous employer is doing (e.g. see which of my ex-coworkers are still at the company, what new positions have been created, etc.). I still have dozens of unanswered connection requests from recruiters, though (I don't accept people I don't know), and the site has gotten progressively spammier over the years.
Joking aside I almost never get followed by spam accounts on g+, weekly or more on my English speaking twitter account.
- LinkedIn: The worst of the worst ... :D
- HN / Reddit / Twitter: How do you share pictures privately with friends? (to name one necessary feature)
Further, HN/Reddit/Twitter etc. each only have a subset of my friends. ALL of my friends are on FB.
Flickr. Some of the holes in the group management are a weakness there (no albums in Groups, for example).
Of course, a Linux VPS needs a fair amount of love (fiddling with settings, updating, and so on). But there are other ways: https://sandstorm.io/
This is certainly a problem. If only there was some kind of . . . mechanism . . . by which her computer could collect photos off her friends servers and display them locally? Sounds almost impossible!
(Sorry for giving you a hard time:-) I appreciate your comment, but think that's a very solvable problem in practice.)
Your comment actually deserves a better response than I gave it. Spam is the open protocol killer. It's a totally serious issue. If our goal was to replicate HN or Reddit via only personal servers, I would be pretty dang paranoid about getting our anti-spam solution perfect:/
Happily, in the case of Facebook-on-personal-servers, we have all the advantages and the spammers have all the disadvantages. Social network's main purpose is communication between people who know each other. Ignoring the Pages part of FB (which is really more Reddit-like than it is essential to a social network) communication happens between friends, or friends of friends commenting on photos or whatever. Spammy friend requests will be a problem, but that's not too big of a deal.
And then, once that's done . . . ahhhh. Your own filtering software, blocking game notifications to your heart's content (since it's your own server you can install whatever filter you want, though of course there will be good defaults). Guess where most of the unwanted posts on Twitter or Snapchat come from for me . . . Twitter and Snapchat. No more!
If you're running on someone else's platform and automatically accepting updates, are you really "administering" it yourself?
A majority of people will never develop any real skill level at administering servers. We still need them to be able to use reasonably humane software though, because the consumer software industry revolves around them. If they continue to be easy pickings for predatory software (lock-in, etc.) the incentive for industry will be to continue improving at making predatory software . . . not ideal.
So empowering normal users (even partially, Sandstorm certainly doesn't give as much freedom as becoming a unix guru or whatever) is good for expert users too.
. . .
The exact same thing. The exact same thing would happen, because the new social network would have _exactly the same incentives_ as facebook.
I have some more thoughts on this here: http://housejeffries.com/page/3 Not sure how clear my writing is, but the "Inspiration" section at the end has some links to great projects trying to fix this problem.
Of course, they are going to say that this is because of Telegram's links to terrorism. But any secure messenger can be used by bad actors, so that same excuse could be used for the wholesale blocking of all competing messengers. This is clearly anticompetitive behavior.
Signal / TextSecure on the other hand is encrypted by default, implements more thoroughly audited cryptography, and is recommended by Edward Snowden and Bruce Schneier.
I don't use it because it doesn't sync chats between devices or have a desktop client.
Full-on e2e is great, and I'd use Signal if it supported my use case, but it doesn't. So I use Telegram instead, as a fast, easy-to-use, grandparent-compatible chat client with sane picture and file-transfer support. The oddball encryption and the fact that it's not end-to-end by default is a downside, but it's better than plaintext and it's actually useful to me, so…
Don't get me wrong, Signal is absolutely the right choice for people who don't need or care about multi-device syncing and only need a mobile client, or people who want the best security they can get. I fully support the widespread adoption of top-tier cryptography, including by people who don't need to protect their communications from global powers. But right now Signal is not (yet?) a one-size-fits-all solution.
> The UX is nice. The crypto is like being stabbed in the eye with a fork.
Which pieces of information do you need exactly? You can search HN for 'Telegram', it gets criticized nearly every time it makes headlines. Or just look at Telegram's interface and you'll see that 'secret chat' is not the default option, it's not end-to-end encrypted by default making it marginally more secure than HTTPS.
Signal/TextSecure on the other hand has been the 'golden child' of the privacy and infosec scenes since it was released and their website has plenty of documentation on their protocol.
edit: Apparently alpha versions of NW.js now support running Chrome Apps. This could be interesting. https://groups.google.com/forum/#!msg/nwjs-general/YuwMHd_uv...
Why a chrome extension and not a desktop app? Because a desktop app is 3 desktop apps if you want to be cross platform, and since it is secure communication software, all of those edge cases that pop up in cross platform desktop application development really matter.
I think it's better that Signal takes its time and gets it right so that eventually we have a good solution. If Signal were to throw caution to the wind and hackathon up some desktop apps, then we may never have a single good option.
Signal's competitors don't share its security standards, and so it's not really reasonable to compare it to its competitors feature for feature. I expect that adding a given feature or other unit of complexity bears a higher cost for Signal than, say Whatsapp or Telegram. In the meantime, we still have the Signal mobile apps for situations where inconvenience isn't an insurmountable barrier.
 Signal-Browser doesn't seem to be able to add contacts properly when used with the production server, and the staging server looks like it's down right now.
 NW.js currently refuses to recognize Signal-Browser as a Chrome App unless I rename package.json to something else. Remote debugging doesn't seem to work with Chrome Apps running under NW.js at the moment - the inspector just gives me an empty response for each page I try to access. And there will need to be some way of configuring the Chromium engine to use Signal's self-signed SSL cert, though they'll have to solve this for the Chrome App as well.
Right now, Telegram suffers from the same faults (phone number = identity, closed/central server), but excels in usability and client availability. Signal is - for me, right here - worse. And I _should_ be part of Signal's target group.
I don't know your mail address or telephone number. If this message manages to reach you - can you explain your point a bit more?
If the private key would _be_ the identity, that'd be awesome. And maybe I fail to understand ChatSecure/Signal. I'd be glad to be corrected. But as far as I understand, that system ties a user to a mobile number, because 'that is as good a unique identifier as we get' and uses that instead. I think Threema does what you describe - or at least expects you to exchange keys via QR code when you physically meet?
My gripe with telephone numbers is this: I don't want to be tied to an identity I cannot control, to an identity that is public knowledge and unchangeable. I want to contact people via IM without them being able to call me.
Phone numbers are for calls (okay, texts for historical reasons).
F.x. I installed a while ago Signal on my phone and recently went to another country where I used a different SIM card (hence a different phone number) and I could still use my Signal app as usual.
On the bright side, there's now an open source fork called SMSSecure. As the name implies, it does encrypted SMS. It works pretty well. I just hope the open source maintainers are keeping up with security updates to the protocol and not introducing any new bugs...
I believe that is only temporary. The latest version of Signal hints at multi-device synchronization, though it appears to not be fully implemented. One example of this is the Chrome browser extension.
EDIT: Apparently they're bringing desktop and "web" through a Chrome extension and possibly a desktop browser wrapper. Also multi device support for desktops but apparently not yet for mobile.
Signal is getting way better, but Telegram is just a better messaging client at the moment.
I really don't think people expect complete security and privacy from anyone ever, that's impractical and probably impossible. They expect their data to not be used for advertising or whatever and more security than WhatsApp (edit: Wait, it's not using e2e encryption by default now?), Skype, and the like. The only thing Telegram should be more upfront about is that the feature with all the security stuff is secret chats.
I just don't understand this mentality. People start using something that's not owned by a huge NSA-friendly megacorporation, that is using some advanced security (which will probably be called "unproven" for the next thousand years) along with regular security - and a ton of people get mad, because it's allegedly not "secure enough". What's next, people start using Signal and hordes of angry 'experts' show up claiming it's not secure and private unless you make a new identity for every chat through Tor running in a VM on some 3rd world island, using your own infrastructure?
If I was only slightly more paranoid, I'd start throwing accusations of false flag attacks directed from Facebook.
Do you have any suggestions on how to do that? The people I know either think Whatsapp is god's gift to mankind and won't switch or they can't use anything else because the people they interact with think it's god's gift to mankind and won't switch. I find it pretty hard to break that cycle.
From there you just send them messages on Telegram, or start group chats. You likely won't convince them to switch themselves instantly, but if they want to message you, hopefully they're more likely to check telegram, because they'll want to get a better idea of when you were last available.
It's not perfect, but it's something, and hopefully if whatsapp keeps up with their paid subscription nonsense, it will push more people away.
Versus that ridiculous hack where you can whatsapp in the browser, provided you scan a qr code and have the phone on the same network.
Can't say I've ever experienced that.
This totally speaks to me but I imagine saying to my buddies at the club: "You should use Telegram. It's free, you don't need an account, and best of all there is even a command line client.". That'll convince them right away. ;-)
For most people Telegram offers pretty good desktop clients (as opposed to the rather horrible WhatsApp web experience).
Their decision to purchase WhatsApp turned out to be very ill-timed. WhatsApp was at the peak of their popularity when they did, but that peak was only because of ignorance of the masses - ignorance about glaring holes in WhatsApp security, and ignorance about significantly better alternatives like Telegram. But in the age of Internet, ignorance hardly lasts long among the masses, of all people, Zuckerberg should have known this!
That was one or two years ago now and I'm not sure if the estimate has been updated, but it would seem FB is running out of time to convert the user base.
I can pull the link for you tomorrow.
The claim is made at about 95% of the way through that document.
I agree with you that Telegram has been in the news recently, but I doubt it's related with this incident.
We've seen something like this before, when AIM allowed MSN Messenger to interoperate. I know this is a little different, but that was still how AIM lost.
Here is a fantastic war story from one of the MSN engineers on the battle to subvert AIM.
Interestingly, MSN Messenger's capabilities in the late 90s/early 2000s were quite impressive. I remember being able to make long-distance audio VOIP calls using Messenger back in 2000, even on an awful 33.6kbps modem. The feature was removed pretty soon after, probably because it was abused (there was no charge for calls).
You could also send decently sized files (~10MB) using Messenger until about 2005, and that too was discontinued as people used it to send MP3s to one another.
The app with a billion plus installs, quite likely the largest actively used chat app in the world is a "regional" service. Just to take a wild guess, you're not an iOS user from the bay area by any chance?
I haven't come across too many Android users who are not using WhatsApp in the US.
Bashing on 'iOS users from the bay area' makes no sense, the parent also implies in his post that he is from Europe.
And as a non-iOS user, not from the bay area, I have rarely seen people using WhatsApp, neither in Europe, nor in the US. The only few people I've seen using it are foreigners who want to stay in contact with relatives/friends in a country where WhatsApp is popular.
I did because it had the best quality video chat at the time, before Skype became a thing, but that was probably 15 years ago. My current company used to use it for in-office communication as recently as five years ago when I was first hired. It was an abysmal mess of sending out group chats as individual windows every time someone had a question. For a software company it was really disgraceful.
Lost? AIM was the dominant IM platform in the US until the late 00s/early 10s when mobile and cloud-based services took over. First SMS/MMS and then platforms like Facebook Messenger, Google Hangouts, and Skype.
The only place MSN was dominant was third-world countries like Brazil.
Probably, AIM usage correlated with AOL's marketing strategy, meaning it prevailed in the US, though I'm not even sure about Europe.
Anyhow, your assertion that MSN was only dominant in 3rd world countries is unfounded.
Intentionally blocking your competitor in this situation doesn't seem like a good idea, it mostly generates publicity for them.
> The smoking gun is a pattern match performed on any URL string that begins with the word 'telegram.' In the most recent version of the app, these strings are classified as a "bad host," so that no hyperlink is generated and it becomes impossible to copy or forward any message with that URL. No other strings trigger the match, so this block is purposefully targeted at Telegram.
Local variable names aren't normally stored in an APK, they're just referred to by register numbers. For instance, I wouldn't expect to see "for(Pattern badHost : BAD_HOSTS)" (specifically the badHost) - last time I checked, this information would be lost during compilation.
I'm not suggesting that the code is falsified - the person that decompiled it probably just guessed at some variable names and re-factored to make it more readable. It just stood out to me, so I thought it was worth mentioning.
I was under the impression that it's now no longer possible to upload an APK that has been built in Debug Mode to Google Play. I don't know if other app stores (i.e. Amazon App store) are enforcing this.
What part would you refer to as "method variable name"?
I'm not getting the same results as you with a little sample program I wrote - see: https://gist.github.com/JosephRedfern/662131ceb2119abf3e83. Field names and method names are preserved (which make sense), but local variable names are lost (which also makes sense to me!)
Are you sure that your example code doesn't include debug information?
I suppose this is diverging a little from the original comment (which was in the context of an Android application), but surely if running `strings` on the class file found the method, class and field names then it would also find the local variable name too, if it was there.
If I specifically compile the java file with `javac -g:vars DecompilationTest.java` then the local variable name IS included in the file. It is not by default.
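The check discussed in the comments above (local-variable names reach a Java class file only when it is compiled with `-g:vars`), as an added example that is not part of the original thread: a constant-pool reader that reports whether a class file carries a `LocalVariableTable`. The two sample inputs are constructed, truncated class files (header and constant pool only); `isBadHost` is a hypothetical method name, while `DecompilationTest`, `BAD_HOSTS` and `badHost` are the names quoted in the thread.

```python
import struct

# Payload size in bytes for each fixed-width constant-pool tag (JVMS 4.4).
# Tag 1 (Utf8) is variable-length and handled separately.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def utf8_constants(data: bytes) -> list:
    """Return every Utf8 string in the constant pool of a Java class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (count,) = struct.unpack_from(">H", data, 8)  # constant_pool_count
    pos, index, found = 10, 1, []
    try:
        while index < count:  # valid indices run from 1 to count - 1
            tag = data[pos]
            pos += 1
            if tag == 1:
                (length,) = struct.unpack_from(">H", data, pos)
                pos += 2
                if pos + length > len(data):
                    raise ValueError("truncated Utf8 entry")
                found.append(data[pos:pos + length].decode("utf-8", "replace"))
                pos += length
            elif tag in _FIXED:
                pos += _FIXED[tag]
            else:
                raise ValueError(f"unknown constant-pool tag {tag}")
            # Long and Double occupy two constant-pool slots.
            index += 2 if tag in (5, 6) else 1
    except (IndexError, struct.error):
        raise ValueError("truncated constant pool") from None
    return found


def has_local_variable_names(data: bytes) -> bool:
    """True if the attribute name 'LocalVariableTable' is in the constant pool.

    Heuristic: the compiler adds this Utf8 entry when it emits the attribute,
    but a string literal with the same text in the source would also match.
    """
    return "LocalVariableTable" in utf8_constants(data)


def _sample(strings) -> bytes:
    """Build a constructed class-file prefix: header plus constant pool."""
    pool = b"\x05" + struct.pack(">q", 42)  # one Long, takes two slots
    for s in strings:
        raw = s.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(raw)) + raw
    count = len(strings) + 2 + 1  # Utf8 slots + Long slots + 1
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, count) + pool


# Constructed samples: what a default build keeps versus a -g:vars build.
_COMMON = ["DecompilationTest", "BAD_HOSTS", "isBadHost", "Code",
           "LineNumberTable"]
DEFAULT_BUILD = _sample(_COMMON)
VARS_BUILD = _sample(_COMMON + ["LocalVariableTable", "badHost"])

if __name__ == "__main__":
    for label, blob in (("default", DEFAULT_BUILD), ("-g:vars", VARS_BUILD)):
        print(label, has_local_variable_names(blob), utf8_constants(blob))
```

Because it only walks the header and constant pool, the same function can be pointed at the bytes of a real `.class` file.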
I still think this will result in more publicity for Telegram than all the messages that are blocked.
I made a screenshot of this response and wanted to share that instead. The funny thing is that in the screenshot, FB's red comment re: the dangerous link was so blurry that you could not read it. I guess this was probably due to a compression algorithm they apply on pictures but it is funny that the rest of the message was easily readable in the screenshot.
Could you repeat the test and provide the name of the service so others can try to replicate it?
That's what I initially thought. But then again, it seemed a bit too paranoid.
The name of the service is discardmail.com
Next to WhatsApp I also have installed:
And I will use those (in described order) if possible.
Threema seems to be comparatively popular in Germany, while Telegram is at least not among my peers and Signal (the one recommended by Schneier and Snowden) is only used by my gf (b/c I installed it for her).
If you do a Google search that's the first result. Would be funny if they were afraid enough to do a SEO 'attack'. Yeah, tinfoil.
Coming soon to a server near you!
Airbnb chat also censors messages. Typically when you try to give your number or whatsapp or some link.
But yeah, they censor emails, phone numbers and such in order to prevent deals from being made off site. They don't do it to protect anyone.
I mean, I'm a technical guy. I don't understand what either of us was doing wrong. Have you seen anything like this in your experience?
Why do you say that? Snowden keeps recommending Signal every time he's asked.
Seems like he changed his mind.
A big deal breaker for me is being able to use it without a phone number, and from desktop/sim-free devices, as well as from multiple devices simultaneously
(I just tried with my colleague)
It looks a bit fishy as it reads like an actual code as opposed to one outputted from a decompiler.
Same problem as I have with facebook, there is too much critical mass to switch :(
A migration has begun.
Soon we'll have wall charts of who can and can't talk to what.
This is wrong. If you follow the logic (which is admittedly difficult) you'll see they are stripping out the "sent from WhatsApp" tagline WhatsApp adds when you share a photo, etc from WhatsApp to Telegram.
You'll still get the photo, it just won't have the tagline indicating where it came from. Still a bit shady but I also dislike the "Sent from ..." taglines.
EDIT: Parent is a WhatsApp employee... now this seems like sort of a lame attempt to justify their own unethical behavior. This makes me pretty bummed.
So you will run in to issues (not sure how it would manifest itself) if you share photo or video that does have text, but just doesn't contain "WhatsApp" ("Sent from FooBar").
It looks like it'll send a text and then send the photo but who knows what kind of state will be modified when you send the text first.
The logic is too mixed up and this method does too many things. Off the top of my head you might refactor it so that inspection, classification, validation, preparation, etc all happen separately, right now this method does them all and then some.
I think you're right. There is a lot of room for refactoring here. A few more (business/model) classes would not hurt here.
> Showing 208 changed files with 5,479 additions and 1,841 deletions.
It looks like they squash all their commits and just push one big diff for each update. This isn't really what I'd expect from a product that advertises itself as open source security software.
They handle this pretty weirdly, with each commit on master being a release. There's a dev branch that was meant to have actual changes (without commit comments - developer said most of his commits have useless descriptions like "bugfixes", but that's a personal preference), but seems to be dead.
This was all discussed here: https://github.com/DrKLO/Telegram/pull/76
Dirty games. I don't want to use either.
2. Given that you're a WhatsApp employee, commenting about Telegram on a thread about how WhatsApp (unfairly?) competes with Telegram, you should probably disclose your affiliation. That would be true even if your comment was accurate, but since it's an outright false claim...
The interesting question here, I think, is whether you're just careless and didn't take the time to double check your claims, or if your comment was actually made in bad faith.
Also the fact that you're a WhatsApp employee makes your comment a poor attempt at justifying your own censoring behaviour
1. The message not being delivered.
2. The exception block being fired where this toast message will be displayed to the user: "Unsupported content"
2. error=true is set in the else if case, which can not be stepped into anymore after having checked if the text contains "WhatsApp"
I can't trigger this behaviour in telegram though on mac or windows phone. Maybe just for Android?
I don't have time right now to dig through the source myself, but the desktop source code is here if you want to see if this logic is in it: https://github.com/telegramdesktop/tdesktop
In other words: As my (green/new) sibling ones_and_zeros states, afaik that ONLY strips the text if it contains "WhatsApp" and you send non-text content. Which .. is an improvement, I guess. Or a band-aid to grudgingly fix a 'bug' in WhatsApp.
This code is written with a bulldozer!
How hard is it to refactor each of those branches into separate functions or objects?
If there's no time for that, I wonder, is there enough time to figure out the security and privacy implications of this entire codebase?
Should I trust this code with my life? Because some people will ...
Also, open source does not automatically imply high quality or immunity from criticism.
In this particular case, when people can be arrested or even executed for what they say (in some countries), this kind of code can be plain dangerous.
Even if their intentions are absolutely pristine and they really want to do good in the world (which I hope they are) - a bit more diligence about the quality of the stuff you're sharing never hurts.
It seems to me about as constructive as walking into any software company and saying, "Ugh, these engineers are wearing t-shirts and their shoes are completely unshined! People, if these programmers care so little for their appearance, can you trust them to care about their code?"
How do you even share a message from whatsapp to telegram?