Telegram Says It Has 'About 30 Engineers'; Security Experts Say That's a Red Flag (techcrunch.com)
An anonymous reader shares a report: Over the weekend, a clip from a recent interview with Telegram's founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers." Security experts say that while Durov was bragging about his Dubai-based company being "super efficient," what he said was actually a red flag for users.
"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare," Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.) Green was referring to the fact that -- by default -- chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient.
Also, over the years, many people have cast doubt over the quality of Telegram's encryption, given that the company uses its own proprietary encryption algorithm, created by Durov's brother, as he said in an extended version of the Carlson interview. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it's important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.
The quality of Telegram's encryption (Score:5, Informative)
1. P2P encrypted chats that hardly anyone uses or even knows about and which are only between two people? Pretty secure, have yet to be cracked.
2. Normal chats, bots and groups? All your data is stored in plain text on Telegram's servers. That's basically public data.
Re:The quality of Telegram's encryption (Score:5, Insightful)
The problem with making a secure product is that users would be annoyed if you cut out any functionality that was insecure. But I think including convenient but insecure features in a "secure" product makes it very complicated to communicate the implications to end users.
As many already know, Signal has had some form of encrypted group chat for at least a decade. And there is also the SILC protocol (an IRC replacement); they made a decent effort at solving the encrypted group chat problem over 20 years ago.
While not perfect, the problem is solved to a significant degree better than what Telegram offers. From a technical standpoint I think Telegram is a failure. Somehow they linger around on word-of-mouth from their users and the general inertia that large communities have. But even ICQ, AIM, MSN, and Y! died despite having millions of users. A large user base doesn't make Telegram immune to market failure.
Re: (Score:2)
Telegram isn't primarily a 1-1 or group chat service, it's about channels. Channels are designed to be more public, like social media, so encryption isn't really a priority for them.
Telegram is popular with hobbyists who want their smart devices and servers to be able to message them because it is easy to integrate, but if you want secure chat look elsewhere.
Re: The quality of Telegram's encryption (Score:2)
What Signal, and even better, Matrix (but they lack a userbase) have figured out is multiple-device encrypted chat: I continue the same encrypted (group-)chat on one device, then back on another.
The reason people don't use E2EE on Telegram, and I think why it's not the default, is that they have NOT made multi-device E2EE an option. If only.
Re: (Score:1)
> makes it very complicated to communicate the implications to end users.
That's true, but it's also true that if the user is sufficiently naive about security, *any* ability to communicate is inherently insecure at some level, because they're going to say things they shouldn't say to people they shouldn't say them to.
Granted, there are different levels of insecurity, and different levels of user naivete, and some insecure featu
Re: (Score:1, Insightful)
This is inaccurate, but as we saw with the January 6 Terrorists, all it takes is ONE endpoint to be compromised. One phone or computer, and then the entire chat log is exposed.
Which in some ways is a good thing. Fuck those terrorists.
Re: (Score:3)
Re: (Score:2, Insightful)
Re: The quality of Telegram's encryption (Score:1, Insightful)
Re: The quality of Telegram's encryption (Score:2)
Have yet to be cracked, or have yet to be cracked that we know of?
Irresponsibility is Par for the Tech Course (Score:2)
Re:"AKSHUALLY: The Article" (Score:5, Informative)
Considering that Ukrainians have been using TG for their military shit for the entire war, and the circumstances under which Durov was exiled from the Russian Federation, the latter is highly unlikely.
Re: (Score:2)
Counter argument: What if the Russian military is incompetent, and failed to milk TG for intelligence?
Re: (Score:3)
Re: (Score:2)
KGB, or more correctly the GRU, is not military, but the intelligence arm of the government.
And if intelligence is that incompetent on the number one issue for the government for years, what does anyone have to fear from it?
You 'crypt dude? (Score:4, Insightful)
Not sure it's necessarily an issue? (Score:5, Insightful)
My experience with software development teams is that once you get more than so many people involved in a specific project, you see diminishing returns. It's not normally a situation where you need millions of lines of code cranked out and splitting the task up among more people gets you there quicker. It's normally a situation where you've already got the code that many, many people are using on a daily basis. Your developers are just needed to fix bugs that get reported, and to make relatively small changes as needed. (Maybe a new mobile device comes out and you need to adapt the code to detect the non-standard sized display it uses, or ??)
You might also add new functionality per a "roadmap" that was laid out, or due to user suggestions/feedback. But even in the biggest companies, the security part is mostly reactive, just like other bug fixes are. You don't usually fix the bugs before anyone ever finds them. You fix them as they're discovered and reported. You don't prevent someone from breaking your encryption before anyone ever breaks it. You react to reports that someone broke it and try to revise or redo it at that point. (Even so-called "proactive" changes to use stronger/better encryption methods only happen because someone published a research paper showing the one you originally chose is weak/breakable, or someone else already had a breach due to flaws in it.) So how many software engineers do you need to manage all of this, day to day? I don't know, but I can see how 30 good employees is enough. Some of the greatest and most reliable software utilities or apps I ever used were written and maintained by only one person.
Re: (Score:2)
Re: (Score:1)
I don
consequences (Score:2)
Until there are real consequences to a break-in, companies will never take cyber security seriously. That seems to be a rule of life.
Once CEOs and high-level execs face jail time and stockholders lose their stake, nothing will ever change. Also, if a break-in occurs, companies should be prevented from going Chapter 11 to avoid the consequences of ignoring security.
Job security (Score:4, Insightful)
Security engineers and consultants are of the opinion that the company needs to hire many more security engineers and consultants.
Security "experts" we could do with a lot less of (Score:2)
Re: (Score:3)
Exactly. I work as a security engineer and my position is that the number of engineers is not related to the security of a product. There are many concerning things about Telegram, but the number of engineers working on it is not one of them.
How much staff do you need? (Score:3)
Or don't handle PII, be reasonable with the technical scope of your platform, and have a smaller staff. Bitcoin, for example, was coded by a single person (or at most a tiny group). Even today there are only about 30 people actively writing code for it. You don't need a big team if you link to standard libraries and don't bloat up with gratuitous features.
Re: (Score:2)
If you handle lots of PII then you need a lot of staff, sure, but you don't need most of them to be engineers. I've worked in companies where 90% of the staff were customer support, and if any of them were software devs then they were only working in customer support as a way to get their foot in the door and make an internal application to the much smaller development team.
Re: (Score:3)
I mean, if they could show Telegram had a lot of unresolved CVEs and huge regressions in new versions, then they might have a point. Otherwise, really, this is fear mongering.
Re: (Score:2)
if you handle tons of personally identifying data you do need a bigger staff
Why?
Where I work, we handle tons of PII... by computer, not by hand. It's automated. You don't WANT humans reading PII unless 100% necessary.
So if you handle tons of PII, get a bigger server, don't hire more bodies.
Re: (Score:1)
Article Doesn't Understand what an Engineer Is (Score:5, Insightful)
Re: Article Doesn't Understand what an Engineer Is (Score:2)
Er.
No.
Pulling from the first random source I found, "Google US employs over 100,000 people, and while there is no official number, estimates suggest that around 60,000 are software engineers."
It's about half.
Re: (Score:2)
Reminds me of Commodore. A custom chip was designed on a shoestring budget by one engineer, and when that engineer left the company, it took years for the company to figure out how to release a new product. Meanwhile, management lavishly spent hundreds of millions on luxury offices, and they even owned a private company jet.
super efficient (Score:2)
Dear Telegram (Score:3)
I would be perfectly willing to become an "employee" to raise your numbers and make you look better to the community, for a small monthly fee.
Sounds like a five eyes op (Score:2)
Maybe the intel community is unable to crack Telegram and are using this as a way to dissuade people from using it.
Proprietary, non-peer reviewed encryption (Score:2)
Not to mention closed-source. What could possibly go wrong ?
Re: Proprietary, non-peer reviewed encryption (Score:2)
Re: Proprietary, non-peer reviewed encryption (Score:2)
It hasn't been proven to be crap, but neither has it been proven to be free from obvious security flaws. That's the point of peer review. Security by obscurity is never a great idea.
Even if the protocol is peer reviewed, closed source programs might not stick to it, or have flawed implementations.
Re: Proprietary, non-peer reviewed encryption (Score:2)
The clients are open source. Heck, I even bitlbee Telegram. But indeed, the server isn't.
I remember when a Turkish friend sent me a msg, "hey what are you doing on Turkgram?" Seemed their (govt?) had forked the client, slapped a new logo on it (the Turkish flag) and marketed it as a Turkish network.
Durov, on his personal channel, claimed (such, I presume) incidents made them decide not to open up the server's source.
On open API and clients: https://t.me/durov/58 [t.me]
Re: (Score:2)
Thanks. I did not know that. Went to take a look, and the TDlib depends on OpenSSL. At least they didn't try to reinvent the wheel. There are still many ways to misuse perfectly good primitives, though. It looks like there has been research and attacks devised against their MTProto protocol.
Switch to signal already (Score:1)
What's wrong with 30 engineers? (Score:3)
I don't know why Telegram exists, when Signal is (Score:3)
Signal is the superior product, I'm not really sure what the value of Telegram is. Signal is an Actually Encrypted messaging platform, whereas Telegram is a Mostly Plaintext Social Media app. Signal is end-to-end encrypted, period. There's no option to even drop down to unencrypted anymore, since they dropped SMS support. To call it "secure by default" is borderline undermining its security, since as far as I know, there's no way to send unencrypted messages of any kind.
In its features Telegram is way ahead (Score:1)
I don't want to defend security on Telegram, but man, did you check Telegram's features at all? It is a cloud storage system. Handy got lost? No backup? No problem with Telegram. Upload 2GB or 4GB (premium) files and have them stored in as many channels as you like. Video calls in groups. A formidable bot API. It is not just a "mostly plaintext social media app".