Security

Telegram Says It Has 'About 30 Engineers'; Security Experts Say That's a Red Flag (techcrunch.com) 50

An anonymous reader shares a report: Over the weekend, a clip from a recent interview with Telegram's founder Pavel Durov went semi-viral on X (previously Twitter). In the video, Durov tells right-wing personality Tucker Carlson that he is the only product manager at the company, and that he only employs "about 30 engineers." Security experts say that while Durov was bragging about his Dubai-based company being "super efficient," what he said was actually a red flag for users.

"Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare," Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.) Green was referring to the fact that -- by default -- chats on Telegram are not end-to-end encrypted like they are on Signal or WhatsApp. A Telegram user has to start a "Secret Chat" to switch on end-to-end encryption, making the messages unreadable to Telegram or anyone other than the intended recipient.

Also, over the years, many people have cast doubt over the quality of Telegram's encryption, given that the company uses its own proprietary encryption algorithm, created by Durov's brother, as he said in an extended version of the Carlson interview. Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation and a longtime expert in the security of at-risk users, said that it's important to remember that Telegram, unlike Signal, is a lot more than just a messaging app.
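The distinction the summary turns on (client-to-server encryption that the operator can read, versus end-to-end encryption that only the two endpoints can read) is easy to state and easy to misread. The following is an added, constructed Python model of that difference; it is not code from TechCrunch, Telegram or MTProto. It assumes a hypothetical relay server sitting between two clients, a stdlib-only encrypt-then-MAC cipher (HMAC-SHA256 in counter mode with an HMAC tag, standing in for a real AEAD such as AES-GCM), and that the pairwise "secret chat" key has already been agreed end to end (for example by Diffie-Hellman); that agreement step is omitted.

```python
"""Constructed model of "cloud chat" vs "secret chat" message handling.

cloud chat : each client shares a key only with the relay server, so the
             server decrypts, stores plaintext, and re-encrypts for the peer.
secret chat: the two clients share a pairwise key the server never holds,
             so the server can only store and forward opaque ciphertext.
Hypothetical server and key names; not Telegram's protocol or code.
"""
import hashlib
import hmac
import secrets
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: block_i = HMAC(k, nonce || i).
    blocks, i = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    if len(blob) < 48:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered message")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Hypothetical relay; `storage` is what an operator or a subpoena can read."""

    def __init__(self):
        self.client_keys = {}  # client-to-server keys (cloud chat model only)
        self.storage = []      # (sender, recipient, bytes at rest)

    def relay_cloud(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Cloud chat: server-side decryption, plaintext at rest, re-encrypted for the peer.
        msg = decrypt(self.client_keys[sender], blob)
        self.storage.append((sender, recipient, msg))
        return encrypt(self.client_keys[recipient], msg)

    def relay_secret(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Secret chat: no pairwise key on the server, so it stores and forwards
        # opaque bytes. Metadata (who, to whom, when, how much) is still visible.
        self.storage.append((sender, recipient, blob))
        return blob


def run_demo(message: bytes = b"meet at the usual place, 21:00") -> dict:
    server = RelayServer()
    server.client_keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    # Pairwise key assumed already agreed end to end (e.g. Diffie-Hellman); step omitted.
    pairwise = secrets.token_bytes(32)

    # Cloud chat path: Alice -> server (decrypts, stores) -> Bob
    to_bob = server.relay_cloud("alice", "bob", encrypt(server.client_keys["alice"], message))
    bob_cloud = decrypt(server.client_keys["bob"], to_bob)

    # Secret chat path: Alice -> server (blind relay) -> Bob
    to_bob = server.relay_secret("alice", "bob", encrypt(pairwise, message))
    bob_secret = decrypt(pairwise, to_bob)

    return {
        "cloud_at_rest": server.storage[0][2],   # readable plaintext
        "secret_at_rest": server.storage[1][2],  # nonce || ciphertext || tag
        "bob_cloud": bob_cloud,
        "bob_secret": bob_secret,
    }


if __name__ == "__main__":
    r = run_demo()
    print("cloud chat, stored on server :", r["cloud_at_rest"])
    print("secret chat, stored on server:", r["secret_at_rest"].hex()[:32], "...")
```

The point of the model is the `storage` list: in the cloud path it holds the message itself, so any party with server access (the operator, an insider, a court order in the hosting jurisdiction, or whoever compromises the server) reads it; in the secret path it holds only ciphertext, but the sender, recipient, timing and size are still recorded, which is why end-to-end encryption limits content exposure and not metadata exposure.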

  • by Artem S. Tashkinov ( 764309 ) on Tuesday June 25, 2024 @10:27AM (#64576647) Homepage

    1. P2P encrypted chats that hardly anyone uses or even knows about and which are only between two people? Pretty secure, have yet to be cracked.
    2. Normal chats, bots and groups? All your data is stored in plain text on Telegram's servers. That's basically public data.

    • by OrangeTide ( 124937 ) on Tuesday June 25, 2024 @11:39AM (#64576879) Homepage Journal

      The problem with making a secure product is that users would be annoyed if you cut out any functionality that was insecure. But I think including convenient but insecure features in a "secure" product makes it very complicated to communicate the implications to end users.

      As many always know, Signal has had some form of encrypted group chat for at least a decade. And there is also the SILC protocol (an IRC replacement), they made a decent effort at solving the encrypted group chat problem over 20 years ago.

      While not perfect, the problem is solved to a significant degree better than what Telegram offers. From a technical standpoint I think Telegram is a failure. Somehow they linger around on word-of-mouth from their users and the general inertia that large communities have. But even ICQ, AIM, MSN, and Y! died despite having millions of users. A large user base doesn't make Telegram immune to market failure.

      • by AmiMoJo ( 196126 )

        Telegram isn't primarily a 1-1 or group chat service, it's about channels. Channels are designed to be more public, like social media, so encryption isn't really a priority for them.

        Telegram is popular with hobbyists who want their smart devices and servers to be able to message them because it is easy to integrate, but if you want secure chat look elsewhere.

      • What Signal, and even better, Matrix (but they lack userbase) have figured out, is multiple device encrypted chat: I continue the same encrypted (group) chat on one device then back on another.

        The reason people don't use E2EE on Telegram, and I think why it's not the default, is that they have NOT made multi-device E2EE an option. If only.

      • by jonadab ( 583620 )
        > I think including convenient but insecure features in a "secure" product
        > makes it very complicated to communicate the implications to end users.

        That's true, but it's also true that if the user is sufficiently naive about security, *any* ability to communicate, is inherently insecure at some level, because they're going to say things they shouldn't say to people they shouldn't say them to.

        Granted, there are different levels of insecurity, and different levels of user naivete, and some insecure featu
    • Re: (Score:1, Insightful)

      by Moryath ( 553296 )

      This is inaccurate, but as we saw with the January 6 Terrorists, all it takes is ONE endpoint to be compromised. One phone or computer, and then the entire chat log is exposed.

      Which in some ways is a good thing. Fuck those terrorists.

    • Have yet to be cracked, or have yet to be cracked that we know of?

  • YouTube and eBay are no better. They rot too.
  • You 'crypt dude? (Score:4, Insightful)

    by Dru Nemeton ( 4964417 ) on Tuesday June 25, 2024 @10:30AM (#64576667)
    100% "Trust me bro..." mentality. Brocryption is Bestcryption!
  • by King_TJ ( 85913 ) on Tuesday June 25, 2024 @10:57AM (#64576737) Journal

    My experience with software development teams is that once you get more than so many people involved in a specific project? You see diminishing returns. It's not normally a situation where you need millions of lines of code cranked out and splitting the task up among more people gets you there quicker. It's normally a situation where you've already got the code that many, many people are using on a daily basis. Your developers are just needed to fix bugs that get reported, and to make relatively small changes as needed. (Maybe a new mobile device comes out and you need to adapt the code to detect the non-standard sized display it uses, or ??)

    You might also add new functionality per a "roadmap" that was laid out, or due to user suggestions/feedback. But even in the biggest companies, the security part is mostly reactive, just like other bug fixes are. You don't usually fix the bugs before anyone ever finds them. You fix them as they're discovered and reported. You don't prevent someone from breaking your encryption before anyone ever breaks it. You react to reports someone broke it and try to revise or redo it at that point. (Even so called "proactive" changes to use stronger/better encryption methods only happen because someone published a research paper showing the one you originally chose is weak/breakable, or someone else already had a breach due to flaws in it.) So how many software engineers do you need to manage all of this, day to day? I don't know, but I can see how 30 good employees is enough. Some of the greatest and most reliable software utilities or apps I ever used were written and maintained by only one person.

    • It's about maintaining it at scale for so many users. Those software apps you used maintained by one person probably were binaries you downloaded and provided the infrastructure for. By Telegram's very nature, it's cloud/SaaS, which requires people to maintain things like massive databases, elasticsearch, authentication; not to mention fix bugs..including security ones. At the scale Telegram is operating, that probably means no one is really even dedicated to security bugs and/or security engineering.
    • by jonadab ( 583620 )
      Well, at some point there's a "bus factor": if the team is _too_ small, then one person's unforeseen personal crisis (e.g., mom has cancer, so work is suddenly a much less pressing priority) can throw significant portions of the project into the "not actively maintained" bin. For example, if only one guy knows the installer code well enough to update it, and a new OS version comes out and the installer code needs to be updated, and that one guy isn't available for personal reasons, you have a problem.

      I don
  • Until there are real consequences to a break-in, Companies will never take cyber security seriously. That seems to be a rule of life.

    Once CEO and high-level execs face jail time and stockholders lose their stake, nothing will ever change. Also, if a break-in occurs, companies should be prevented from going chapter 11 to avoid the consequences of ignoring security.

  • Job security (Score:4, Insightful)

    by Luckyo ( 1726890 ) on Tuesday June 25, 2024 @11:03AM (#64576765)

    Security engineers and consultants are of the opinion that the company needs to hire many more security engineers and consultants.

    • Many (most?) security "consultants" are leeches and scammers. Then you have true "experts" like Mudge, Dildog, and most of the L0pht or Rapid7 guys who "rapidly" started working for the feds as soon as they got any recognition and have been helping to fuck the regular citizens since the day after they signed some contract with the spooks, early on. There are a few bright spots like Bruce Schneier, but for the most part these guys are busy using fear tactics to squeeze the honey out of companies large and smal
    • Exactly. I work as a security engineer and my position is that the number of engineers is not related to the security of a product. There are many concerning things about telegram, but the number of engineers working on it is not one of them.

  • by The Conductor ( 758639 ) on Tuesday June 25, 2024 @11:07AM (#64576777)
    The article's basis of comparison, Twitter, is a completely different kind of platform. Yeah, if you handle tons of personally identifying data you do need a bigger staff (though even Twitter was bloated before Musk took a chainsaw to the payroll). If you have a Si Valley blitzscaling business model to justify a giant series-A valuation, then you need staff for that.

    Or don't handle PII, be reasonable with the technical scope of your platform, and have a smaller staff. Bitcoin, for example, was coded by a single person (or at most a tiny group). Even today there are only about 30 people actively writing code for it. You don't need a big team if you link to standard libraries and don't bloat up with gratuitous features.

    • by pjt33 ( 739471 )

      If you handle lots of PII then you need a lot of staff, sure, but you don't need most of them to be engineers. I've worked in companies where 90% of the staff were customer support, and if any of them were software devs then they were only working in customer support as a way to get their foot in the door and make an internal application to the much smaller development team.

    • I mean if they could show telegram had a lot of unresolved CVEs and huge regressions in new versions, then they might have a point. Otherwise, really this is fear mongering.

    • if you handle tons of personally identifying data you do need a bigger staff

      Why?

      Where I work, we handle tons of PII.... by computer, not by hand. It's automated. You don't WANT humans reading PII unless 100% necessary.

      So if you handle tons of PII, get a bigger server, don't hire more bodies.

      • I could be wrong, but I'm guessing they are referring to non-technical roles. If you have lots of PII, you need to hire people like compliance officers, legal staff, policy type positions. Then you need to hire officers to make sure the compliance officers are compliant, and so on.
  • by SmaryJerry ( 2759091 ) on Tuesday June 25, 2024 @11:22AM (#64576821)
    People don't realize that most of the giant companies that exist today were all originally coded by a couple people sometimes even one. Software is profitable because it scales, you don't need lots of people. When you hear someone works for Google or Microsoft odds are they are doing one of thousands of other non-engineering jobs: accounting, compliance, marketing, etc. The actual engineers that make the products are few and security of software has absolutely zero to do with the quantity of employees.
    • Er.

      No.

      Pulling from the first random source I found, "Google US employs over 100,000 people, and while there is no official number, estimates suggest that around 60,000 are software engineers."

      It's about half.

    • Reminds me of Commodore. A custom chip was designed on a shoestring budget by one engineer, and when that engineer left the company, it took years for the company to figure out how to release a new product. Meanwhile, management lavishly spent hundreds of millions on luxury offices, and they even owned a private company jet.

  • I'm not a user and wonder what happened to Twitter/X's 'efficiency' after Elon Musk made dramatic cutbacks. Were the only issues centered on moderation? Perhaps there's some variation of Parkinson's Law such that work expands when it can feed off excess capital investment and overvalued stock.
  • by sunderland56 ( 621843 ) on Tuesday June 25, 2024 @12:45PM (#64577121)

    I would be perfectly willing to become an "employee" to raise your numbers and make you look better to the community, for a small monthly fee.

  • Maybe the intel community is unable to crack Telegram and are using this as a way to dissuade people from using it.

  • Not to mention closed-source. What could possibly go wrong ?

    • But has it already been proven to be crap? Nope. Any encryption scheme could be a problem. I'll bet a lot of hackers already tried to crack/review it.
      • It hasn't been proven to be crap, but neither has it been proven to be free from obvious security flaws. That's the point of peer review. Security by obscurity is never a great idea.

        Even if the protocol is peer reviewed, closed source programs might not stick to it, or have flawed implementations.

    • The clients are open source. Heck, I even bitlbee Telegram. But indeed, the server isn't.

      I remember when a Turkish friend sent me a msg, "hey what are you doing on Turkgram?" Seemed their (govt?) had forked the client, slapped a new logo on it (the Turkish flag) and marketed it as a Turkish network.

      Durov, on his personal channel, claimed (such, I presume) incidents made them decide not to open up the server's source.
      On open API and clients: https://t.me/durov/58 [t.me]

      • by madbrain ( 11432 )

        Thanks. I did not know that. Went to take a look, and the TDlib depends on OpenSSL. At least they didn't try to reinvent the wheel. There are still many ways to misuse perfectly good primitives, though. It looks like there has been research and attacks devised against their MTProto protocol.

  • Signal is 1000x better. And it has actual security audits. and they give a sh** about your security.
  • by SuperDre ( 982372 ) on Tuesday June 25, 2024 @03:06PM (#64577741) Homepage
    To be honest, I even think 30 engineers on the Telegram project is a pretty big number. But hey, I've been used to only one or two engineers having to build and maintain big applications.
  • Signal is the superior product, I'm not really sure what the value of Telegram is. Signal is an Actually Encrypted messaging platform, whereas Telegram is a Mostly Plaintext Social Media app. Signal is end to end encrypted, period. There's no option to even drop down to unencrypted anymore, since they dropped SMS support. To call it "secure by default" is borderline undermining its security, since as far as I know, there's no way to send unencrypted messages of any kind.

    • I don't want to defend security on Telegram but man, did you check Telegram's features at all? It is a cloud storage system. Handy got lost? No backup? No problem with Telegram. Upload 2GB or 4GB (premium) files and have them stored in as many channels as you like. Video calls in groups. A formidable bot API. It is not just a "mostly plaintext social media app".
