this post was submitted on 03 Jul 2024
1 points (100.0% liked)

Technology

59587 readers
2940 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L4s@lemmy.world
L3s@fry.gs
L4s@fry.gs
enu@lemmy.world
1
Telegram says it has 'about 30 engineers'; security experts say that's a red flag (techcrunch.com)
submitted 4 months ago by ForgottenFlux@lemmy.world to c/technology@lemmy.world
75 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] ForgottenFlux@lemmy.world 0 points 4 months ago (1 children)

Summary:

  • Telegram founder Pavel Durov claimed in an interview that the company only employs "about 30 engineers."
  • Security experts say this is a major red flag for Telegram's cybersecurity, as it suggests the company lacks the resources to effectively secure its platform and fight off hackers.
  • Telegram's chats are not end-to-end encrypted by default, unlike more secure messaging apps like Signal or WhatsApp. Users have to manually enable the "Secret Chat" feature to get end-to-end encryption.
  • Telegram also uses its own proprietary encryption algorithm, which has raised concerns about its security.
  • As a social media platform with nearly 1 billion users, Telegram is an attractive target for both criminal and government hackers, but it seems to have very limited staff dedicated to cybersecurity.
  • Security experts have long warned that Telegram should not be considered a truly secure messaging app, and Durov's recent statement may indicate that the situation is worse than previously thought.
[–] henfredemars@infosec.pub 0 points 4 months ago (3 children)

proprietary encryption algorithm

Oh God why would you do this.

[–] mozz@mbin.grits.dev 0 points 4 months ago (1 children)

The quote leaves out the best part.

people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother

[–] sunzu@kbin.run 0 points 4 months ago

Durov’s brother = FSB?

[–] knightly@pawb.social 0 points 4 months ago

So they can implement their own backdoor

[–] catastrophicblues@lemmy.ca 0 points 4 months ago (1 children)

To be fair: someone somewhere has to make algorithms that we use. I honestly don’t know if Telegram’s encryption is strong or how strong based on their white paper, but I’m interested in an unbiased evaluation.

[–] henfredemars@infosec.pub 0 points 4 months ago (2 children)

Developers should not design encryption algorithms. They should instead implement algorithms that were designed by a mathematician.

load more comments (2 replies)
[–] eager_eagle@lemmy.world 0 points 4 months ago (1 children)

“Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)

good job Remi, that was the main concern lmao

[–] MMNT@lemmy.world 0 points 4 months ago (2 children)

Just use signal ffs.

[–] eager_eagle@lemmy.world 0 points 4 months ago

don't have to tell me that, I even donate to signal

[–] BearOfaTime@lemm.ee 0 points 4 months ago (2 children)

Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.

Then there's the seamless switching between devices...which it doesn't do.

[–] TheGrandNagus@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (1 children)

I'm a signal donor and while I disagree with your point regarding UI (have you used in the past couple of years? It's went from feeling dated to feeling pretty modern), I agree with the rest.

Even worse, though, is that the EU offered them the opportunity to become relevant on a silver platter, by forcing WhatsApp to open up their app and be cross-platform with others who want to. Signal said no thanks.

I get it, WhatsApp stores metadata, and Signal doesn't like that. But they were fine with (way way worse) SMS for a while? The day Signal chose that path was the day Signal willingly chose to be irrelevant for the vast vast vast majority of people.

[–] pandapoo@sh.itjust.works 0 points 4 months ago* (last edited 4 months ago) (1 children)

.... agreeing to be directly compatible with Whatsapp would mean they agree to surrender the privacy for every single instance of Signal-WhatsApp communication.

If the whole reason for your foundations existence is privacy, it seems that it would be an existential danger to create a partnership with the implicit understanding that it will destroy privacy.

[–] TheGrandNagus@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (1 children)

Some level of privacy, yes. Solely in WhatsApp-signal chats. And users can be notified of that, like they were with SMS.

But you know what the alternative is? Nobody using signal. And that's objectively worse.

Cross-compatibility with WhatsApp would mean way more people on signal, and way more people willing to try, meaning more signal-signal chats.

Signal-SMS is FAR less private, but they were fine with that for years.

[–] pandapoo@sh.itjust.works 0 points 4 months ago (1 children)

Those choices don't occur in a vacuum.

What do you think happens to the nonprofit foundation built entirely around a fanatical devotion to privacy, if they partnered with Facebook. Not just partnered with, but in doing so, weakened the overall privacy of their platform.

Putting aside adoption rates, how does that impact their organizational sustainment and viability e.g. their ability to draw in donations, retain talent, or stay independent?

load more comments (1 replies)
[–] Hellmo_Luciferrari@lemm.ee 0 points 4 months ago

Using SMS through signal defeats the purpose of signal...

The UI is fine, what more do you expect out of it? It has a list of chats, a menu button with menu options, like it's a messaging app not a social media platform akin to discord or telegram.

[–] nao@sh.itjust.works 0 points 4 months ago

talking to carlson is a red flag

[–] Ghostalmedia@lemmy.world 0 points 4 months ago (5 children)

To be fair, in a large company, there is usually only about 30 people who are actually good and know what is going on, and hundred of others who are checking in trash.

[–] flamingo_pinyata@sopuli.xyz 0 points 4 months ago (3 children)

It's not even about the quality of individual people. The organizational structure of large companies encourages pointless work.

Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don't propagate, and even if someone has an idea it's quickly shut down.

The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.

Sorry for the rant, I currently work in a company like this.

[–] Ghostalmedia@lemmy.world 0 points 4 months ago

Yeah. The most secure companies I’ve worked at actually only had a small group, of very competent people, who were paid well, treated with respect, and with not presented with a lot of organizational or infrastructural red tape.

I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.

If someone tells you more head count = security, I would not consider them an expert.

load more comments (2 replies)
[–] Magister@lemmy.world 0 points 4 months ago (1 children)

30? Sometimes very less, 2 or 3. It's incredible that some piece of software used by milions/billions of people, have been written and sometimes maintained by 2 or 3 guys.

[–] snooggums@midwest.social 0 points 4 months ago

Even if every employee was equally competent, decision making needs to be consolidated enough that it can be decisive and shared throughout large companies. Complex systems that need to change rapidly gain no benefit from having too many people wanting to make decisions, you only need most of them to be competent enough to complete the work based on the decisions of a small group or the work will end up getting too convoluted and unmaintainable.

There really isn't a benefit to have everyone understand all of the parts of a large and complex system, if they only have time to work on a portion or to facilitate decisions that take into account the knowledge of the people in the different parts.

[–] avidamoeba@lemmy.ca 0 points 4 months ago

I see this parroted now and then. Often the people I've heard it from are the type of folks who would drastically underestimate the complexity and effort needed to make things. I've also seen and worked on codebases made by such folks and usually it ain't pretty, or maintainable, or extensible, or secure, or [insert fav cut corners here].

load more comments (1 replies)
[–] knightly@pawb.social 0 points 4 months ago (3 children)

I'm still waiting for the furries to switch to Matrix.

[–] romp_2_door@lemmy.world 0 points 4 months ago

that wasn't a very good movie, specially matrix 5

[–] Fitik@fedia.io 0 points 4 months ago

As a furry, real

[–] southsamurai@sh.itjust.works 0 points 4 months ago

Furries are the ones that have escaped the matrix via their fursona

[–] dandi8@fedia.io 0 points 4 months ago (6 children)

There are good reasons to dislike Telegram, but having "just" 30 engineers is not one of them. Software development is not a chair factory, more people does not equal more or better quality work as much as 9 women won't give birth to a baby in a month.

[–] pooberbee@lemmy.ml 0 points 4 months ago

And lawyers are pretty likely not staff at all.

[–] Rinox@feddit.it 0 points 4 months ago

I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.

[–] Badeendje@lemmy.world 0 points 4 months ago (8 children)

30 engineers. You lose half that to people managing the infrastructure alone. That leaves 15 code monkeys. Of 2 are dedicated to deployment and 3 to setting up unit tests (that's not many btw) you are left with 10 people. If say for a global platform that's not many at all.

[–] ilega_dh@feddit.nl 0 points 4 months ago (1 children)

15 engineers for managing infrastructure?? Are they setting up servers by hand?

[–] Badeendje@lemmy.world 0 points 4 months ago (1 children)

I would not want you as my boss, that's for sure.

Try covering a 24/7 global service window. I'd think this is on the low end.

And you als need full infra stack knowledge: Server, database, Network, connectivity.

And probably some of these schmucks will get stuck managing the corporate environment too.

load more comments (1 replies)
load more comments (7 replies)
[–] awesome_lowlander@lemmy.dbzer0.com 0 points 4 months ago (3 children)

30 engineers is startup-sized. 30 engineers to deal with the needs of a sensitive software being used by millions worldwide, and is a huge target for cyberattacks? That's way below the threshold needed.

load more comments (3 replies)
load more comments (2 replies)
[–] Imgonnatrythis@sh.itjust.works 0 points 4 months ago

Engineer to lawyer ratio is the best indicator of how worried to be. What's the demoninator for telegram?

[–] sit_up_straight@lemmy.blahaj.zone 0 points 4 months ago (3 children)

telegram isn't e2e encrypted by default?! that seems like the major concern here.

i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence

[–] cy_narrator@discuss.tchncs.de 0 points 4 months ago (1 children)

What if its not e2e encrypted if they dont care. I know a bunch of chatrooms where you can watch paid movies that was released recently for free and Telegram dont care

[–] mal3oon@lemmy.world 0 points 4 months ago

Telegram is basically creating its own "internet", albeit much less secure and private, but it's undoubtedly is really useful for finding dev communities (OSS), support, especially for gray areas like library gensis, z-book, a bit like what aaron shwarz envisioned, the only issue is tying everything to your trust in its leadership not to misuss data, which is kinda laughable

[–] XioR112@lemmy.ml 0 points 4 months ago (1 children)

Yes, e2e encryption in Telegram only works in secret chats.

[–] EngineerGaming@feddit.nl 0 points 4 months ago

And only on mobile.

[–] accideath@lemmy.world 0 points 4 months ago

The regular chats are encrypted though, just with an (encrypted) server in the middle. Telegram also claims in their FAQ, that no one singular person has the power to decrypt and the keys are stored such that no singular government could force them to give up any data.

How far that is true is a different question though.

[–] rob200@lemmy.cafe 0 points 4 months ago

There was a post about this on lemmy awhile ago, I'm not sure which specific community it was i'm subscribed to a few tech related ones, but it was atleast a week or 2 or more ago about this same story.

I do agree that there should be more workers than 30 on one of the most known encrypted messaging apps.

[–] Manmoth@lemmy.ml 0 points 4 months ago (3 children)

Someone needs to make a browser extension that hides any article with "experts say" in the title

[–] remotelove@lemmy.ca 0 points 4 months ago (1 children)

Experts say that is not possible.

[–] stoy@lemmy.zip 0 points 4 months ago

Experts say that hurt their feelings

load more comments (2 replies)
[–] broken_chatbot@lemmy.world 0 points 4 months ago

After a long-running blogpost holywar between Telegram and Signal, I perceive these "security experts" as Signal/Telegram shills depending on their stance

[–] frezik@midwest.social 0 points 4 months ago (1 children)

Headline is terrible. The big red flags are that they don't do end-to-end encryption by default, the servers are in Dubai, and use a proprietary algorithm.

Last part should be clarified further. They didn't reinvent AES or anything. It's more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.

https://core.telegram.org/mtproto

I'd still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It's not as bad as reinventing AES, though.

[–] awesome_lowlander@lemmy.dbzer0.com 0 points 4 months ago (1 children)

Headline is terrible

They do explain though that given how below average their headcount is, it means they're likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.

load more comments (1 replies)
load more comments
view more: next ›