"For the last 24 hours Telegram has been under a ban by internet providers in Russia. The reason was our refusal to provide encryption keys to Russian security agencies. For us, this was an easy decision. We promised our users 100% privacy and would rather cease to exist than violate this promise.
Despite the ban, we haven’t seen a significant drop in user engagement so far, since Russians tend to bypass the ban with VPNs and proxies. We also have been relying on third-party cloud services to remain partly available for the rest of our users.
Thank you for your support and loyalty, Russian users of Telegram. Thank you, Apple, Google, Amazon, Microsoft – for not taking part in political censorship.
Russia accounts for ~7% of the Telegram user base, and even if we lose that entire market, Telegram’s organic growth in other regions will compensate for this loss within a couple of months. However, it is personally important for me to make sure we do everything we can for our Russian users.
To support internet freedoms in Russia and elsewhere I started giving out bitcoin grants to individuals and companies who run socks5 proxies and VPN. I am happy to donate millions of dollars this year to this cause, and hope that other people will follow. I called this Digital Resistance – a decentralized movement standing for digital freedoms and progress globally."
: The story of Karl Koch for example https://en.wikipedia.org/wiki/Karl_Koch_(hacker) whose death was ruled a suicide, and his history is... "colourful".
* has (almost) no tests,
* has no CI (at least I could find none),
* lacks some basic features competitors have,
* sometimes doesn't ring when you call, and
* they just closed all 1100 open issues without reading their contents."
Don't get me wrong, I think Signal is a great idea and have contributed some code to it, but these look like some red flags to me.
Obviously hard to compare to Telegram, which is closed source so we can't know whether they have similar problems.
>However, the sheer volume of legacy issues, combined with submissions that completely ignore the provided issue template, has created a situation where there are currently more than 1,100 open tickets. Most of these issues have been inactive for several years and they reference versions of Signal that are no longer available. Many open issues are essentially ad-hoc discussion threads or feature requests that are a better fit for the community forum. Perhaps most importantly, many of these issues lack debug logs, descriptions, and the steps that would be necessary to understand and reproduce the reported behavior.
What do tests and CI have to do with the usability and usefulness of a program? I agree that the other issues could be worrying, but those first two throw me for a loop.
The grandparent poster also wrote about security/privacy, for which I think tests are pretty important.
Finally, having CI would allow the developers/contributors with limited time to spend more time on usability and usefulness instead of on issues like "master doesn't build, anybody else have this problem?" (when I wanted to PR something to Signal, master did not build).
This also makes the assumption that since there are few automated tests, that there are no tests done on a build at all. I disagree that it is a valid assumption. Most security vulnerabilities are not found by unit or functional tests, but instead by linting and code reviews.
This may be true in a megacorp. I doubt it's true in a project like Signal where resources are limited and a few developers are the single bottleneck for everything, UX or otherwise.
Oh, and they will keep doing so: "Legacy issues that are more than one month old will be closed by an automated process as part of this cleanup effort."
I'm running this on my own server (using ejabberd as Prosody - which I used previously - still has problems with some of the required XEPs) using several different clients (Conversations on Android, Pidgin on Linux, etc).
The one weak link in OMEMO is the difficulty of verifying the authenticity of the device key signatures used by communication counterparts. These signatures are 64-character hexadecimal strings which the user is supposed to verify being authentic before initiating encrypted communications. Humans are not very good at this task, computers can help but they can also be tampered with. There are ways around this problem - e.g. meeting up in person before initiating communications (viz. PGP key signing parties), sending Q-codes off-line, using algorithms to turn those numbers into things which humans are better at recognising (e.g. the coloured emoji used by Telegram etc.). Encrypted group chat only works if all participants have all other participants in their address lists. Then again, it does work and it is fully standardised with several compatible implementations.
It's "good enough" for 90% of cases, but it depends on clients supporting emoji.. :(
(not just individual people obsessed with privacy, the large numbers of people who can see the advantage of privacy but may not invest a lot of effort to achieve it)
True anonymity in a messaging service is hard to achieve, and not even remotely user friendly.
As a practical example, would you say that bitcoin wallets are anonymous, given that they use random IDs?
Still beats using your phone number for chats, or your SSN in place of bitcoin wallet.
Again, for the practical example, people bought and sold bitcoins with the broad assumption that it was anonymous. It's a widely understood falsehood, yet new people almost universally believed it was anonymous and safe from law enforcement/the tax man.
Pretending that a random yet static ID adds any level of anonymity is simply dangerous. At best, it keeps honest people honest; like locking your door but not the bay window next to it.
Imagine the following: a manager in a supermarket explaining how to set up a proxy to a customer so that she (a woman in her 60s) could use their bot again.
Or a woman with a kid who is asking what they are going to do: "It's okay, we'll ask dad and he's going to do proxy-something".
Cyberpunk is now.
Russians do make up a huge list of Telegram's overall userbase. But most importantly, WhatsApp and Viber are end-to-end encrypted. WhatsApp uses Signal. Viber uses a Signal-inspired encryption format. The common ground between both is that every single message is encrypted using a different secret key that is deleted after the message is received and decrypted on the device. WhatsApp and Viber have no way to give chat details even if they wanted to. Provided that they follow the protocol, and all accounts seem to point to the fact they do, then there is no backdoor or secret key they can give to any government.
Telegram in contrast uses a set of master keys to encrypt the conversations using RSA and aes256 as they travel through the servers. The keys are split across multiple servers residing in multiple jurisdictions so that legally, a government would have to seek permission to obtain each part of the key from a separate state.
Basically, this means that at the end of the day, if Telegram ever forgoes its integrity (based off its public statements), every message will suddenly become decryptable.
That last point is what seems to really make Telegram worth targeting.
Not even close. Whatsapp and Viber are much more popular. Telegram was barely 3rd before the ban. 
Viber moved their data to Russia, they won't get a ban.
Not sure about Whatsapp.
Telegram's independence is what separates them from other services, what allowed them to deny the demand for crypto keys, and why they were targeted.
None of the other messengers you mentioned are designed to work like this (not 100% sure about Viber), the ability of operators to read most of the conversations on the platform is very much unique to Telegram.
It's really not a coincidence that the Russian government is choosing to ban the worst "encrypted messenger" on the market.
That Telegram has handed their keys to the Russian government? Difficult, but unnecessary.
That Telegram was deliberately designed in a manner which enables its owners to easily hand over the keys to the government? Easy to prove, Signal and Whatsapp do not share the same surveillance features.
Who pays for it now that it is free?
I for one refuse to think that Facebook bought it for a number of billion USD and keep operating and improving it for no good reason.
We also know, based on what they had to tell EU and based on their new EULA - that they tried to introduce by default - that they wanted to harvest metadata from it.
Attacking Telegram while simultaneously praising WhatsApp seems really strange to me.
As for Signal, that's another story. They have their own issues but I personally believe it is better than both Telegram and WhatsApp.
Look at them both from a purely technical perspective.
WhatsApp has made an effort to ensure that they're limited to only monetizing the metadata of the chats, Telegram by design does not share this limitation.
Even if you don't trust Whatsapp, you know that they'd have to push a backdoored app to everyone in order to intercept your chats. Telegram is backdoored by default.
In an open environment, you would simply change the mirror urls and run apt-get update.
In this particular case the centralization around the push service of Google actually helps.
No, it does not, and you even argued why. This centralization makes it harder to make the system more resilient.
We need an alternative to GCM.
The other option would be for google to turn push notifications off selectively for Telegram and only in russia. Not sure if they can/will do that.
It's called SMS.
I always get notifications about Telegram messages on my phone at around the same time (within a second or so) as I get the notification on the web client.
Currently Telegram keeps working because it gets new backend IPs constantly via Google Play / AppStore services. Since push notifications are centralized, they'll stop working as soon as the application is removed from the stores, so the app wouldn't be able to get lists of unbanned IPs.
More like Putin's interest/security.
Wonder if they'll merge it.
The same "hack" was used to block Google and other huge sites. Once they found out this "hole", they introduced a white list of resources which shouldn't be blocked.
These guys are really "smart" )
If they were just being protectionist, I'd be able to understand them in some way. But it's deeper.
| Region | Desc | IPs | Blocked | % Blocked |
|---|---|---|---|---|
| ap-northeast-1 | Asia Pacific (Tokyo) | 1984800 | 786451 | 39.62% |
| ap-northeast-2 | Asia Pacific (Seoul) | 459024 | 131073 | 28.55% |
| ap-northeast-3 | Asia Pacific (Osaka-Local) | 65808 | 0 | 0.00% |
| ap-south-1 | Asia Pacific (Mumbai) | 524560 | 65542 | 12.49% |
| ap-southeast-1 | Asia Pacific (Singapore) | 1067552 | 425990 | 39.90% |
| ap-southeast-2 | Asia Pacific (Sydney) | 1147168 | 163852 | 14.28% |
| ca-central-1 | Canada (Central) | 196880 | 3 | 0.00% |
| cn-north-1 | China (Beijing) | 231456 | 0 | 0.00% |
| cn-northwest-1 | China (Ningxia) | 100368 | 0 | 0.00% |
| eu-central-1 | EU (Frankfurt) | 1049888 | 787013 | 74.96% |
| eu-north-1 | EU (North tba) | 65808 | 0 | 0.00% |
| eu-west-1 | EU (Ireland) | 3757344 | 1966319 | 52.33% |
| eu-west-2 | EU (London) | 393488 | 131087 | 33.31% |
| eu-west-3 | EU (Paris) | 131344 | 1 | 0.00% |
| sa-east-1 | South America (Sao Paulo) | 491808 | 65536 | 13.33% |
| us-east-1 | US East (N. Virginia) | 10317600 | 4260203 | 41.29% |
| us-east-2 | US East (Ohio) | 1179920 | 131079 | 11.11% |
| us-gov-east-1 | AWS GovCloud (US, East) | 65552 | 0 | 0.00% |
| us-gov-west-1 | AWS GovCloud (US) | 131088 | 32768 | 25.00% |
| us-west-1 | US West (N. California) | 1311536 | 196642 | 14.99% |
| us-west-2 | US West (Oregon) | 4917552 | 1769549 | 35.98% |
| Total | | 29590544 | 10913108 | 36.88% |
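
One way a per-region breakdown like the table above can be computed, as an added example (not code from the thread): count how many addresses of each region's published prefixes fall inside a blocklist, merging overlapping prefixes so nothing is counted twice. The region names are borrowed from the table; every prefix below is a constructed sample, not real AWS or blocklist data, and the function names are hypothetical.

```python
import ipaddress


def _collapse(cidrs):
    """Parse IPv4 CIDR strings and merge overlapping/adjacent blocks into disjoint ones."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def _overlap(a, b):
    """Addresses shared by two CIDR blocks; blocks either nest or are disjoint."""
    if a.subnet_of(b):
        return a.num_addresses
    if b.subnet_of(a):
        return b.num_addresses
    return 0


def blocked_share(region_prefixes, blocklist):
    """Return {region: (total_ips, blocked_ips, percent)} plus a 'Total' row.

    Assumes the regions' own prefixes do not overlap each other.
    """
    blocked_nets = _collapse(blocklist)
    report, grand_total, grand_blocked = {}, 0, 0
    for region, cidrs in region_prefixes.items():
        region_nets = _collapse(cidrs)
        total = sum(n.num_addresses for n in region_nets)
        # Both lists are disjoint after collapsing, so pairwise overlaps add up exactly.
        blocked = sum(_overlap(r, b) for r in region_nets for b in blocked_nets)
        pct = round(100 * blocked / total, 2) if total else 0.0
        report[region] = (total, blocked, pct)
        grand_total += total
        grand_blocked += blocked
    pct = round(100 * grand_blocked / grand_total, 2) if grand_total else 0.0
    report["Total"] = (grand_total, grand_blocked, pct)
    return report


# Constructed sample input (private/documentation ranges only).
REGIONS = {
    "eu-central-1": ["10.0.0.0/22", "10.0.2.0/24"],  # second prefix duplicates part of the first
    "eu-west-3": ["10.8.0.0/24"],
    "cn-north-1": ["10.16.0.0/23"],
}
BLOCKLIST = ["10.0.0.0/23", "10.0.1.0/24", "10.0.3.0/24", "10.8.0.77/32", "192.0.2.0/24"]

if __name__ == "__main__":
    for region, (total, blocked, pct) in blocked_share(REGIONS, BLOCKLIST).items():
        print(f"{region:14} {total:8} {blocked:8} {pct:6.2f}%")
```
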
That's not something you can do very fast, especially not from google's compute engine or AWS.
Yes, eventually, they will, but that's a massive task for most companies.
Seems like a weird move for Russia.
As someone in Russia, the block pretty much only hinders use of the legitimate services, not of Telegram. Numerous services exist to allow it to continue, and the block is a hack-job to try to prove a point.
Isn't WhatsApp supposed to be end-to-end encrypted making it next to impossible even for developers (Facebook Inc. in this case) to access the transmitted messages' content?
It does not sound correct.
I would also venture that it might have been seen as an easy target by the Russian intelligence agencies and they anticipated Telegram to secretly comply.
Next we will see how effective the deletion of the telegram app from the Russian app stores will be. Because of the centralized nature of the stores telegram can’t do much with it (they can try publishing clones of the client under unaffiliated entities, but apple and google can easily ban those too). Also it is rumored that the client uses push notifications to deliver proxy settings to devices and these also can be easily blocked by the store owners.
It's also actually pretty clever.
You're conflating legal restriction on individual behavior with market/individual-preference constraints.
"Life" in general is constrained. We are not trying to get rid of limited options (every choice is between limited options), we're trying to limit totalitarian control over individuals.
That is, behaviour which is artificially constrained by imprisonment, punishment and death for the sake of preserving tyrannical power structures.
It doesn't matter to me if my rights are restricted by legal means or by corporate hegemonies, in fact the mechanisms in play are so complex nobody can really be sure anymore.
Having your choices restricted by social cooperation and negotiation (in a marketplace) is NOT the same as having them restricted by a bully with a military.
This false equivalence is a defense of genocide whether you are willing to own up to that or not.
My sympathy with state action ends however, when the leaders are murderers, dictators and ruthless pillagers of the public's wealth.
Russia's oligarchy stole Russia's wealth after the dissolution of the SU, and here you are equivocating objecting to regimes of murder and abuse with "muh food idle dont be having no choices fur me1112"£""11¬11223
The entitlement and ignorance is overwhelming. You aren't owed two major search engines. "Bing" not being bigger is not the same as having to use apps which encrypt your communication because you fear the police will imprison or murder you.
You are owed your political freedom. Which is de jure removed from you in Russia, and the suppression of Telegram is state action to suppress it further.
And the "better" AI is going to get, the easier it will be for them to call for such censorship, especially when people like Zuckerberg say they can already "stop 99% of the terrorist posts automatically".
Because that's most definitely misleading and wrong, unless we can actually review what that content was. Like I bet a large portion of those posts were not posts by terrorists, but posts about terrorists. I don't think the AIs we have today can distinguish between them very well. And at least a small portion probably had very little to do with terrorism, but maybe were posts from people in the same area as some terrorists, or stuff like that.
The AI will automatically block content that nobody will ever see. And we'll only depend on people who can somehow raise awareness that their content was blocked, produce a scandal, and then get the companies to unblock it (assuming the censorship will mostly be done by private companies in democratic countries). But this is not going to be a pretty future.
Which democratic country has blocked a major messaging app because it is used by political dissenters?
While it hasn't yet blocked it, the UK Government is certainly constantly after WhatsApp to remove the encryption (or build a backdoor) because a couple of terrorist jackoffs used it that one time (and I think they count as "political dissenters".)
Australia too. :-(
If your government can pass laws to allow themselves to block any Internet services, it may as well go ahead and pass laws to prevent people from circumventing that block.
So, the only defense you have, is to prevent your government from issuing the first law.
Also could someone from Russia confirm telegram/AWS are blocked?
Telegram still works without (manually adding) proxies :D
EC2 Ireland (at least the subnets where my servers are) also works.
I already had Bitlocker on all my PCs, 2FA everywhere, moved from Gmail to Fastmail, and VPN was one of the last privacy-related things I procrastinated on. Now I have VPN on all my desktops and on my phone, turned on by default. And I also switched to 18.104.22.168 for DNS.
Thank you government, I guess?
 In Russia every ISP is legally required to perform this sort of KYC and keep those records for a while.
A power play - sure. It's not the first (and surely not the last, unless something unthinkable happens) time our Tsar and his boyars introduce "countermeasures" against "foreign agents" that barely affect anyone abroad, but are essentially showing the world what kind of enforced restrictions Russian serfdom can tolerate for "national security" reasons - if any reasons at all.
When the Soviets had dissolved, Russia had its internal power struggles and was late to this game - but as we've entered this era of stabilnost' (cf. Harmonious Society) we're catching up fast.
- Internal communication of the Russian Security agency
(However this might apply: https://www.xkcd.com/1138/ )
(These look like outliers even considering xkcd population density.)
It might be immoral, but it's the fastest solution to the harm this causes to all other affected customers I can think of.
No, but I don't think that's how it would be spun -- I would expect it to be framed as a ToS violation.
And Kremlin minions are certainly not going to stop banning subnets now, even if it will be a 1:1000 ratio of Telegram's ones and other services.
And it also shows why relying on AWS or GCP is a horrible business decision.