Hacker Newsnew | comments | ask | jobs | submit | yatsyk's commentslogin

This is bad advice. If your friends was happy with WhatsApp they don't care much what it the most secure messenger but probably want to use it on iOS or chat with friends with iPhones.

-----


> Ukraine government outlawing access to any Russian language news a few days ago

Filter content by Content-language header? :)

> New Kiev government has banned national broadcasts in this language

This statement is also wrong. There is a lot of channels in Russian language in Ukraine.

-----

1gor 36 days ago | link

I corrected my remark above. They did not ban all Russian language channels, only some of them.

-----


You can check these benchmark results with other options:

https://github.com/mgutz/vpsbench/wiki/VPS-Hosts

-----


Hate tone discussion makes me sad.

Telegram is very young project and it has bugs for sure. Some guy found potential issue in protocol and developers committed to fix it soon. There is no information that any messages were revealed due to this bug but Telegram should go away and developers should do something else.

Whatsapp is less secure then Telegram but I have not seed “Whatsapp RIP” messages. Not so hard to save videos in snapchat but no one propose to close the application. About a year ago YAML vulnerability was found but no one proposed dhh to stop development and focus on race driver career.

I think that we need more competition for TextSecure.

Terms of bug bounty are very hard to satisfy even with bad protocol but Durov seems decided to play safe with such amount of money. Guy that found problem in MTproto doesn’t win money according to conditions of the bug bounty because message is not decrypted.

Disclaimer: I don’t have any affiliation with telegram besides living in the same city as telegram developers.

-----

sillysaurus2 119 days ago | link

You must not have followed Telegram much. From the beginning they've done nothing but pretend their protocol is absolutely secure ("military-grade encryption", "world's most secure protocol", etc) and rejected any attempt from the crypto community to help them fix problems before they endanger people.

So, let's put it this way: Was it ok of them to lie through their teeth to users? If so, then that's a sad state of marketing. If not, then what are you proposing here?

-----

yatsyk 118 days ago | link

I’m not security expert, but I believe that:

- military-grade encryption – true

- world's most secure protocol – I’d consider this statement as false, I don’t know what they mean by most secure and what protocols were considered. May be messengers available at app store, better to ask them

Why do you think that they “rejected any attempt from the crypto community to help them”, especially after bug bounty proposition?

Why do you think that they lie more then TextSecure advocates? Each of these messengers is safe to passive listening. But unsecure to similar degree if user downloads them from app store and runs on hardware and software that could be easily patched. Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app and that every other app should be thrown out.

-----

sillysaurus2 118 days ago | link

Why do you think that they “rejected any attempt from the crypto community to help them”, especially after bug bounty proposition?

I've written about this pretty extensively: https://www.hnsearch.com/search#request/all&q=by%3Asillysaur...

It's an interesting contrast in cultures that you phrase it like "Why do you think Telegram lies more than TextSecure advocates?" .... As far as I'm aware, TextSecure advocates haven't lied at all. TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power.

Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app

I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.

Each of these messengers is safe to passive listening.

This is mistaken because Telegram has been proven vulnerable to MITM attacks. Even after they patch this latest security problem, it would be very unwise to trust them.

-----

DanBC 118 days ago | link

> Current implementation of telegram api is prone to MiM attack but I would not consider TextSecure completely safe app

> I just don't know what to say to this. Telegram has been proven insecure, TextSecure hasn't. Telegram isn't designed by cryptographers, TextSecure is. There is absolutely every reason to assume Telegram is broken.

Textsecure is designed by cryptographers, and hasn't been broken yet, but that doesn't mean that it is secure. People need to risk assess when they're using any software.

> If you want to be secure from the NSA, use TextSecure [...]. It's really that simple.

That claim is far too confidant! If you want to be secure from NSA you need to do many things - have a look at the specifications for buildings that handle secret documents for example, as well as just using a piece of well designed but relatively untested software.

Most people do not have nearly enough operational discipline to withstand investigation by well funded government agencies. Merely using this software is not enough.

-----

sillysaurus2 118 days ago | link

> If you want to be secure from the NSA, use TextSecure [...]. It's really that simple.

That claim is far too confidant! If you want to be secure from NSA you need to do many things - have a look at the specifications for buildings that handle secret documents for example, as well as just using a piece of well designed but relatively untested software.

That's why I removed it 15 seconds after I wrote it. But perhaps it could be downgraded to "if you want to live in a world where it's very difficult for governments to vacuum up all your data by default, then use TextSecure, because it's the first step towards that." Telegram offers no such protection since it's vulnerable to MITM attacks (even after they fix this one).

-----

Twirrim 118 days ago | link

If you rely on a single secure (for certain values of the word 'secure') messaging system or protocol you're absolutely insane. You'd want to be splitting your communication across multiple communication sources, with none of them ever seeing enough data to compromise whatever it is you're worried about. Deep and computationally expensive is great; deep, computationally expensive and broad is better. If one form (e.g. Telegraph) falls they've not got the full message, and they've still got a lot more work to do to get the whole thing.

-----

yatsyk 118 days ago | link

I've not found any attempts to help them apart from this bug report.

>TextSecure's interest is in security, whereas Telegram's interest seems to be in money and power

I can't read minds or even their messenger logs so I can't comment what is their interest but I'd be interested to know why you think so

> TextSecure completely safe app

Just wrong. How could you call something "completely safe" or bug free?

>Each of these messengers is safe to passive listening >This is mistaken because Telegram has been proven vulnerable to MITM attacks

How Telegram is prone to passive listening?

-----

sillysaurus2 118 days ago | link

Telegram seems to be interested in money and power because they've turned down offers from Moxie (the creator of TextSecure and a well-known cryptographer) to join forces. There's no reason to do that unless they were interested in money or power more than security.

I didn't say TextSecure is completely safe. I said Telegram has been demonstrated to be broken.

Telegram is prone to passive listening because their design doesn't prevent it. There's nothing stopping someone from MITM'ing every Telegram secret chat when it's first initiated. It's in the design.

Their contest means nothing, because due to the way the contest is designed, it's impossible to MITM or other side channel attacks like timing attacks. These are the real attack vectors, yet the format of the contest prevents anyone from employing them.

-----

danabramov 118 days ago | link

>Telegram seems to be interested in money and power because they've turned down offers from Moxie (the creator of TextSecure and a well-known cryptographer) to join forces.

Is there a cause-effect relationship I'm missing here?

-----

yatsyk 118 days ago | link

> I didn't say TextSecure is completely safe.

Yes you do. "TextSecure completely safe app" was copied from your message before you or someone else edited it. I've not typed it but copied exact phrase from your message.

-----

sillysaurus2 118 days ago | link

You copied it from your own message, not mine. http://i.imgur.com/pxMVDwA.png

-----

garethadams 118 days ago | link

The best part was when he copied it from your quoting of his message, but removed the "not" that came before it

-----

biafra 118 days ago | link

>> TextSecure completely safe app

> Just wrong. How could you call something "completely safe" or bug free?

Where did he say that "TextSecure [was a] completely safe app"?

Why are you misrepresenting his words?

He said TextSecure was not proven insecure (As was Telegram). That does not mean or imply that it is safe or secure.

-----

jessedhillon 118 days ago | link

You seem to be missing the larger point. Nobody is proposing that secure messaging apps should not exist. Everyone is better when more people try, iterate and fail (then recover and fix) to create secure messaging solutions.

What's unsafe and unproductive is when bozos jump in the pool, apparently ignorant or otherwise misrepresentative of the reality of how difficult it is to create a correct solution -- and confidently declare their implementations to be trustable.

If the messaging on Telegram had been, the world needs a secure messaging solution and we're committed to building it starting with this thing which we think is pretty good for XYZ, nobody would be objecting. Instead, these guys presented themselves as having solved a problem which is known to be difficult, and moreover using an unlikely method.

-----

eps 119 days ago | link

Hey, you forgot to plug TextSecure.

-----

DanBC 118 days ago | link

> Whatsapp is less secure then Telegram

Whatsapp never claimed to keep your chat secure. Telegram did. Many people offered gentle advice to Telegram, and they ignored it.

Maybe it's a cultural thing? Not just domains-of-expertise (mathematicians going into crypto) but international?

-----

yatsyk 118 days ago | link

Snapchat creators claim (at least imply) that messages could not be saved which is untrue.

Most advices to telegram developers at previous HN discussion were to stop doing crypto and do something else. I would not consider them as “gentle advices”. The only help from the community to their application is the bug report x7mz user from habrahabr site.

-----

girvo 118 days ago | link

Crypto is life and death. I have spent a lot of years learning it as a hobby... Its a dangerous field to play in. It's super complex, and all it takes is one tiny mistake anywhere in the program (be it at the protocol level or implementation) and then bam: game over. So, when you release something, you are nervous about it. Telegram wasn't, and as it turns out, they should have been. That is bad.

-----

danabramov 118 days ago | link

>Terms of bug bounty are very hard to satisfy even with bad protocol but Durov seems decided to play safe with such amount of money. Guy that found problem in MTproto doesn’t win money according to conditions of the bug bounty because message is not decrypted.

The guy gets $100 000:

https://vk.com/wall-52630202_7858

You may want to check before you post.

-----

yatsyk 118 days ago | link

At first my statement is still valid even after Durov decided to pay for bug report. This bug report has no connection with extracting plain message I've written.

Apart from that I can't check Durov's posts that from the future. My post was written before Durov's announcement.

-----

danabramov 118 days ago | link

Technically you're right. I thought that “decided” wasn't the right word to use before you give him a chance to decide. In other words, I read your post as conveying the idea that Pavel actively dismissed the bug report as unworthy of rewarding, when in fact the opposite was true. Perhaps I misread your post being a non-native English speaker. Apologies for that.

-----

yatsyk 118 days ago | link

Sorry if I have not been clear, I am non-native speaker too.

-----

chmike 119 days ago | link

Thank you yatsyk, I share your opinion. The app name is really great. I hope they fix it and come back with a stronger app.

I would suggest they hire security consultats to check the security in a first stage. Review by third parties is the best method to avoid things we overlooked. The prize shoud be for after all these consultancy options have been exhausted.

As a side node I see there is still a lot of room to improve automatic translation. It's difficult to understand in some places.

-----

girvo 118 days ago | link

Everyone who has been criticising Telegram would actually love for them to do what you've suggested. We want good, secure encrypted messaging. Telegram is not it, and people are worried, as their actions so far smack far too much of a project that ignores best practices...

In the crypto world, projects like Telegram have popped up over and over again. A new protocol, designed by non cryptographers, that turns out to be heavily insecure. I wish that wasn't the case, but that is why people have reacted the way that we have. This is literally life and death, so it pays to be cautious.

I hope Telegram learn from all this, and go and get audited and tested by reputable experts. Then, fix all the issues raised. Then release their apps to the public, when they are proven secure. Until that time I personally will not trust their application.

-----

makomk 118 days ago | link

It's impossible to tell whether any messages were revealed due to this bug - that's what makes it so nasty. Users would have had the same level of security if Telegram had no end to end encryption whatsoever and simply promised they wouldn't log or read the messages they had access to; it's seriously that broken. (Worse, there's a good chance this is an intentional backdoor since the way they combine the nonce and Diffie-Hellman result is incredibly fishy.)

-----

zobzu 118 days ago | link

you don't go tell you got the best thing in the world while its just another random thing that doesn't do what you say - its just for fame/ego/money - without getting hateful feedback.

And guess what, hate isn't always wrong.

-----

girvo 118 days ago | link

Whatsapp doesn't say that it's the most secure messaging app in the world. Telegram did. And they were wrong.

-----


Adblock works for desktop browser. But I watch youtube on mobile or android media player in app mostly.

-----

rdl 235 days ago | link

Would you be willing to use a mitm proxy as part of a VPN service to accomplish that?

-----

alive-or-not 235 days ago | link

There are ad-blockers for Android, they don't even require root on 4.x.

There are also WiFi routers that filter all traffic.

-----


Some domains are free. Why limit yourself to second-level domains?

-----


Similar Sharp costs $5500 [1]

[1] http://www.computerworld.com/s/article/9234078/Sharp_to_laun...

-----


How many megahashes this hardware computes?

-----

vidarh 368 days ago | link

I love this board, but keep in mind that the entire premise of this board is parallel execution of _separate instruction streams_. From the performance people are getting from GPU's for bitcoin mining, I presume the calculations can be done extremely parallel with few instruction streams - for that a normal GPU is likely to be a far better choice.

-----

Tuna-Fish 368 days ago | link

Much, much less than the specialized ASIC platforms do.

-----

helpbygrace 368 days ago | link

But when we consider the consuming power of ASIC platform, I think this board has strength. They said this board consumes 5 watt for typical jobs.

https://en.bitcoin.it/wiki/Mining_hardware_comparison

-----

Tuna-Fish 368 days ago | link

> But when we consider the consuming power of ASIC platform, I think this board has strength.

No, it can't possibly have.

SHA is half bitshifts-by-constants. On an ASIC platfrom, those essentially refactor to no-ops. There is no way, no how general-purpose hardware could ever possibly get anywhere near even a piss-poor special purpose ASIC for this task. If you think otherwise you simply don't understand the domain. Those 600-watt ASIC systems contain multiple chips and run at tens of GHashes/s. That 5-watt chip, if it's very, very good, might maybe break 40MHash/s.

-----

IanCal 368 days ago | link

It's nowhere near fast enough. My 7970s can push out about 1.3Ghash/s and combined they are capable of around 7 TFLOPs. When (/if) they release the BFL Jalapeño it'll run at 5 Ghash/s and be powered by USB. 90 GFLOPs is equivalent to a decent processor, but nowhere near powerful enough for bitcoin mining.

-----

wmf 368 days ago | link

Not enough. Don't bother.

-----

DanBC 368 days ago | link

They say 90 GFlops.

(https://bitcointalk.org/index.php?topic=26824.20;wap2)

> For example a Radeon 6990 has 5.2 gigaFLOPS of computing power[1] and yields roughly 800 megahash/s in bitcoin mining.

That was in July 2011. Mining is harder now.

-----

trotsky 368 days ago | link

Cayman XT [Radeon 6970] outputs 2.7 TFLOPS in Single-Precision and 675 GFLOPS in Dual Precision. [1] I think the 6990 is just two of those, or at least that's normally their convention.

[1] http://www.brightsideofnews.com/news/2010/12/13/amd-radeon-h...

-----

sp332 368 days ago | link

Doing a single hash isn't harder though. Increased difficulty just means you have to do more hashes. So the numbers given should still be about right.

-----

mas921 368 days ago | link

Radeon 6990 is 5.1 TERAflops (5099 GigaFLOPS) ... several orders of magnitude faster than this thing

http://en.wikipedia.org/wiki/Radeon_HD_6000_Series#Northern_...

-----

helpbygrace 368 days ago | link

I agree with you. This might be good for bitcoin mining. :)

-----

lucb1e 368 days ago | link

The real question is: How much power does it consume compared to its hashing power?

-----


Have you considered to implement subsonic api to support native apps for iphone and android? I run subsonic server on my home server and it's quite resource hungry.

-----

zx2c4 463 days ago | link

This would be pretty cool. I hadn't considered it. But you say application support is widespread for their API. If so, it could be a worthwhile one to implement.

> I run subsonic server on my home server and it's quite resource hungry.

Yea, that's the thing about subsonic -- big bloated app. Lots of features, but it needs to start fresh and lean.

-----


Very useful!

What is the license of the code? I'd like play with visualization some day. Some of the bars is not very comprehensible due to height.

-----

colin_scott 480 days ago | link

It's licensed under BSD: https://github.com/colin-scott/interactive_latencies

Pull requests would be much appreciated!

-----

More

Lists | RSS | Bookmarklet | Guidelines | FAQ | DMCA | News News | Feature Requests | Bugs | Y Combinator | Apply | Library

Search: