US Intelligence Agencies Tried To Bribe Our Developers To Weaken Encryption, Says Telegram Founder

In a series of tweets, Pavel Durov, the Russian founder of the popular secure messaging app Telegram has revealed that U.S. intelligence agencies tried twice to bribe his company's developers to weaken encryption in the app. The incident, Durov said, happened last year during the team's visit to the United States. "During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI," he said. "And that was just 1 week. It would be naive to think you can run an independent/secure cryptoapp based in the US."

Telegram is one of the most secure messaging apps available today, though researchers have pointed flaws in it as well.

Don't trust US

[qbast]

Keep that in mind. If you are using VPN/encryption tool/secure communication network/etc. created by US based company, it is very unlikely that it is actually secure.

Re:Don't trust US

Before PGP was released there were encryption standards where a company could have encryption that couldn't be broken by a person or another company but it had to be weak enough that the NSA, CIA, etc... could break into it. When PGP was released it made it where companies went against this and could make encryption as strong as they wanted to. A side note they tried to prosecute the creator of PGP for violating the Arms Export Act but were unable to since he put the code online for free and never sold it.

The thing we are seeing now is the government is either trying to scare companies into giving them the information or bribing the developers into making the encryption weaker.

Re:Don't trust US

[jellomizer]

Also don't trust, Russia, China, Europe, India, Middle East, East Asia...
That is why I get all my software from Antarctica, those penguins just don't care about political pressure and they do just what they do.

However encryption from a bad actor state is still better than no encryption.
 

Re:Don't trust US

The thing we are seeing now is the government is either trying to scare companies into giving them the information

But they can't do that.
The better encryption systems are made so the vendor can't "let the government in" because the vendor himself have no backdoor or key into the communications. There is end-to-end encryption, the vendor merely supply software and act as an exchange setting up connections. They don't see what's transmitted.

Re:Don't trust US

[cellocgw]

I get all my software from Antarctica, those penguins just don't care about political pressure and they do just what they do.

So you're saying all Linux software is safe? //bad joke

Re:Don't trust US

Actually, putting the source code online would have violated US law. Selling it was just fine so long as it didn't cross borders as computer code, which is why the complete source code was published, with OCR friendly formatting, see the introduction at http://www.mit.edu/~prz/EN/essays/BookPreface.html.

Re: Don't trust US

Add France and the rest of the EU to the list. Every one of them have restrictions on the use of encryption, even just storing hashed passwords can get you arrested under some circumstances.

Re: Don't trust US

This is true but I will elaborate a little. If you are using a VPN/proxy make sure and use one based in the US, one based in Russia, and one based in another country outside of the 5/14 eyes countries. This is because unless you are some high level ISIS target all 3 intelligence agencies will not work together to own you.

Re:Don't trust US

Is there any actual proof that these accusations are true? Or are we suppose to automatically believe everything a Russian company says just like every statement made by Putin is the truth and nothing but the truth? And since this is a Russian company they are required by Russian law to hand over their encryption keys and any other information the state security agencies ask them for or they cannot operate in Russia. And if the accusations are true than at least we have a couple government agencies doing their fucking jobs. It is still amazing people act surprised when they learn that an intelligence or counter intelligence agency actually spies. It's like an avalanche of stupidity has blanketed the world and wiped away any intelligent thought on the planet.

Good lord! People have picked sides and there is no amount of evidence or facts that would ever get them to alter their opinions. Todays' political upheaval has accelerated because the goal is not to fix any of the problems we currently face it is all about winning the argument and nothing else. And to win the argument all the various sides use lies, obfuscation, and screeching hyperbole. And all of this has been accomplished using the most effective weapon the world has ever seen. The Internet. It is easy to manipulate global public opinion.

Is it any wonder that this type of thinking is leading us into the next global war? Because WW3 has already started and by the time the mindless proles and trolls on the Internet realize that it will be to late. Every day the world's natural resources are becoming scarcer, the global population is increasing and accelerating the depletion of the natural resources, technology is replacing human workers in a world where there is already a shortage of jobs paying more than minimal subsistence wages, and the intertwined global economies are marching towards a global trade war which will inevitably lead towards real wars. At least the US citizens will finally receive a ROI for all the money spent on creating the strongest military on the planet.

Re: Don't trust US

[KGIII]

I'd also add that, while we may not agree with the government in this matter - it's kinda pretty much what I'd expect them to do. I'm pretty sure they're gonna keep doing this, too.

That doesn't mean give up, it just means keep resisting.

Re:Don't trust US

Agreed. Consider the source. A Russian app maker, who has a Russian app company, where the chance of a backdoor for the Russian spy agencies decides to make some Russian propaganda about US spy agencies.

If you can't attack a country by force, attack them via propaganda. This worked well in Viet Nam, worked with Iraq 2 and Iran. Daesh, even with all their losses is still going strong, just because they are masters at propaganda.

Wonder when the US and Europe will learn to not allow the hearts and minds of their population to be handed over people who want to do them harm. China has a Great Firewall for a reason.

Re: Don't trust US

It would be foolish to think that US is the only country that engages in this, and other countries are innocent.
Straw man argument in bold.

Re: Don't trust US

He was not making an argument, he was making a statement. As such its impossible for it to be a straw man argument. It was just an "also here is a heads up there may be other countries that do this FYI" to paraphrase (just so we ate clear I'm not making a straw man)

Re:Don't trust US

[mbkennel]

And of course the FSB would never, ever ever think to """bribe""" a Russian-based employee into a similar arrangement.

Re:Don't trust US

[davester666]

They are now (or already have) begun legally forcing companies to redesign their software to permit the company to be able to decode the communication. Yay, freedom.

Re: Don't trust US

[Darinbob]

This isn't new either. I was first using pre-internet in 1983 and the view had already been well established that the NSA was snooping on everything. The response was to either never put anything important on the net, or to obscure the snooping by putting in keywords in every post designed to overload the NSA.

Re: Don't trust US

[Zero__Kelvin]

It wasn't "pre-internet" ... You presumably mean pre-world-wide-web.

Re:Don't trust US

[rogoshen1]

I think as an American, less harm would come to me from the Rooskies snooping in on my online activities (If i was doing anything worth snooping in on, of course).

It's not like the Russians would voluntarily share anything with the US government. In fact they'd make a point not to. Now if I were a Russian, living in Russia, I'd be very cautious about using any kind of service based in Russia.

Re:Don't trust US

[MangoCats]

FWIW, I wrote and published this steganography/cryptography app:

http://mangocats.com/stegamail...

and got it registered/approved via "the system." Granted, I did follow all the rules, encryption is only 56 bits, but nobody ever questioned the truth of that claim, nor requested any technical information beyond the simple claim of conformance.

I'm sure if it were more widely used, like Twitter or something, it would come under closer scrutiny. But, there are two points here:

First - if you don't use mainstream stuff, you can be as secure as you like, there's nobody to stop you.

Second - hide in plain sight tech like steganography doesn't seem to be getting serious consideration by these agencies.

Re: Don't trust US

[Darinbob]

It was before various networks were linked together to create an inter net. ARPAnet was not internet.

Re: Don't trust US

[Zero__Kelvin]

The term "internet" was adopted in the first RFC published on the TCP protocol (RFC 675:[39] Internet Transmission Control Program, December 1974) as an abbreviation of the term internetworking and the two terms were used interchangeably.

So no ... unless 1974 happens after 1983 on your planet.

Re:Don't trust US

What companies have been legally forced to redesign their software to permit the company to be able to decode the communication?

Re:Don't trust US

It doesn't matter who created it, what matters is how it works. If you own the key and it uses solid encryption algorithms you are pretty safe. If the provider is handling the encryption you shouldn't trust it in any country.

Re:Don't trust US

[johanw]

Open source software can;t be attacked in that way.

Re:Don't trust US

[Plus1Entropy]

You should never trust closed-source encryption anyway, as it won't have been vetted as well or by as many people. The algorithm doesn't have to be secret for encryption to be secure.

Re:Don't trust US

[AHuxley]

AC recall "Microsoft handed the NSA access to encrypted messages" (12 July 2013)
https://www.theguardian.com/wo...
"circumvent its encryption"
"pre-encryption stage access to"
"video calls being collected through Prism"
"direct access"
"working with the FBI, developed a surveillance capability to deal"
"worked "for many months" with the FBI – which acts as the liaison between the intelligence agencies and Silicon Valley on Prism"

Re:Don't trust US

What "harm", exactly, do TehRusskiez(TM) want to do to us? Can you list a few things, and be specific? I'm being serious.

Because I honestly don't give two fucks if the goddamned Russians can read my fucking communications. I give a fuck if MY government can read my communications, because they're the ones that have the arbitrary power to fuck me over should I say something that pisses them off.

And beyond that, you seem to contradict yourself. Vietnam is still to this day a Marxist-Lenininst pure communist one-party government. China is, too, and you're pro-great-firewall/internet censorship. This is OK, right? It shouldn't be propagandized against. And by that logic, if this is what the left in the USA wants to install here at home, you're saying that Russia is trying to "attack" a Marxist-Lenininst one-party government in this country, or are you saying Russians are still the commies who want to kill capitalism, or, what exactly are you saying?

Putin was ex-KGB, so, communist right? KGB is bad. Or wait, socialism is good, that's what we want. So, I should be pro-Putin? But the socialist is "helping Trump". So, I should hate him. But wait, then I should be pro-Trump if I want socialism in the USA? Really, I don't. I want a free-market based on capitalism without corporate cronyism, but then that means I should be pro-leftism and not pro-Trump then? But the leftists that want socialism in the USA, that's not right...Or is Putin a capitalist then since he's helping Trump? If so, then he must be reformed KGB, since they were communists, and then maybe he's not a bad guy. But he's still helping Trump, right? So, bad. But if he's a not a bad guy, he HAS reformed, AND he's helping Trump, then is Trump maybe a good guy, too?

This is the circular logic that truly blows my mind. Am I supposed to hate Putin because he's ex-KGB or because he's a capitalist now? What's the official party line of our mass media? I get that I'm supposed to hate the Russians because they're interfering in our political process. But it's only "interference" if the Russians are fundamentally our enemy to begin with, otherwise being involved in our political process isn't automatically a bad thing. The USA is involved in the political processes of many of our allies and our allies are involved in our politics.

So, again, why is Russia fundamentally our enemy? I'm so confused. Because if I thought they were socialists, and I was on the left, then why would I have a problem with them? And if I thought they were capitalists, and we live in a capitalist society, then it's not really "interference" from an "enemy", it's political posturing from an ally. So, really, what's the deal?

Re: Don't trust US

That's an internet, not the internet

Re:Don't trust US

Because it's not like US TLAs have ever done this before, have they.

Here's a hint for you lower IQ types: THIS IS WHAT THEY FUCKING DO. Take your DNC-issued goggles off and take an honest look at things, for a change.

Re:Don't trust US

[davester666]

Yes, it can. While the code itself may not be altered in public, a company running that software to provide some service could be forced to run slightly different code.

I am Jack's

... complete lack of surprise.

Re:I am Jack's

I am Jack's dick... Eat me!

Re:I am Jack's

Wow CRTC consider your self slightly less hated.
Now if you could stop pretending you have any jurisdiction over the internet because you do not and stop fucking with Netflix etc.

Apps and crypto

Appy app apps with crypto apps for the FBI luddites to have crypto back door sessions on apps.

APPS!

I sense a new business model

[SuperKendall]

Step 1) Create messaging app with no users but strong encryption.

Step 2) Profit from government payoffs!

Step 3) ENDLESS PROFIT

Re:I sense a new business model

[KGIII]

Fuck... Now I have to change my password.

Re:I sense a new business model

[sconeu]

Try 12345 for your new password. I use it for all of my luggage.

Re:I sense a new business model

[painandgreed]

That's a better business plan than some companies out there.

Re:I sense a new business model

[MangoCats]

Did this, the government doesn't talk to you, much less offer payment, until you have users.

Published source is a huge help here

[davidwr]

It would be naive to think you can run an independent/secure cryptoapp based in the US.

Published source makes it a lot easier to spot problems with the code.

Also, with published source code you can, with the appropriate license, legally recompile it yourself using your own set of tools as a hedge against the publisher's tool-chain or binary-repository being compromised.

Granted, if your tools (anything from the bare metal on up) is compromised or if you are using it to talk with someone else who is using a different binary, all bets are off.

Re:Published source is a huge help here

[beelsebob]

Published source makes it a lot easier to spot problems with the code.

No it doesn't. It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

In practice, people either 1) don't look at the code, or 2) don't have the domain knowledge to know what that very specific function is doing.

In reality, only the person who write it, and the 1 or 2 people who reviewed it really understand what's going on, and often not even the people who reviewed it.

Re:Published source is a huge help here

[TFlan91]

^ This.

Try onboarding a new dev into a framework...

Re:Published source is a huge help here

No it doesn't. It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

Yes.

But it is much easier to find bugs with the source code than without the source code.

Re:Published source is a huge help here

[alvinrod]

No it doesn't. It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

You don't need thousands of people doing that, and if you had closed code and paid for an audit of it, the auditors wouldn't do that either. But it is by definition easier for me, you, or anyone who actually cares to evaluate open source code because we actually have access to the code.

If you wanted to evaluate it really well what I'd suggest doing is creating a set of test cases prior to even looking at the code. If something gets caught by some simple black-box tests, it's obviously not very good. Better yet, open source your test cases so then can be reused and built-upon. But since you can access the code, you could also analyze it from a white-box perspective with the test cases and look for any branches or paths that the test cases didn't cover, which may be sources of bugs or intentional tampering.

Hell, if you want cheap labor, just have an instructor make it a project for a testing or cryptography class. It gives the students something a little more real to work with, as well as the opportunity to get involved with an open source project.

Re:Published source is a huge help here

[zifn4b]

No it doesn't. It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

If you have bad reviewers, you get bad reviews. Garbage in/garbage out. With quality reviewers, you get quality results. It's a qualitative problem not a quantitative problem.

Re:Published source is a huge help here

[nine-times]

Also, it's possible to disguise malicious code to look like it's doing something else (e.g. The Underhanded C Contest). It's entirely possible that intelligence agencies try to insert these kinds of things into open source projects.

But I don't think that was davidwr's point. I take the statement "Published source makes it a lot easier to spot problems with the code." to be pointing out that it's much ore difficult to identify weaknesses if you're provided a compiled binary, as opposed to having access to the source code. It's not that open source code is a guarantee that someone will spot bugs, but with closed source, you're completely at the mercy of the original developer.

Re: Published source is a huge help here

But if the code is closed, it's impossible. How is that better?

Re:Published source is a huge help here

Wow. A "^this" and "onboarding" as a verb (hell, as a WORD). Please go back to HR where you belong.

Re:Published source is a huge help here

[Frosty+Piss]

Published source makes it a lot easier to spot problems with the code.

Who's to say that what is published is what is actually under the hood?

Re: Published source is a huge help here

[beelsebob]

It's not - the point is it's not worse either.

Re:Published source is a huge help here

[JohnFen]

Published source makes it a lot easier to spot problems with the code.

It makes it possible, not easier. When you're looking at the math, it's the next best thing to impossible to notice a weakening of the crypto unless you're a crypt expert. And even if you are a crypto expert, it's not an easy thing to spot.

Re:Published source is a huge help here

That's what the Reproducible Builds project is about: making it so you can confirm that the source you see corresponds to the binaries you have.

Re:Published source is a huge help here

[wisnoskij]

often not even the people who reviewed it.

I don't know about you but as a software developer, sometimes I don't even understand how my code works.

Re:Published source is a huge help here

[Darinbob]

And yet closed source is even worse! How do you audit their code, do you just take the company at its word?

Re:Published source is a huge help here

[Darinbob]

There was the attitude in the past that security was best if the code was closed and hidden. Ie, "Security Through Obscurity". However good cryptography does not rely upon secrecy of the methods used, and in the past a lot of things assumed to be secure actually were very sloppy. And we're still making similar mistakes today. Keeping the source closed and hidden is just going to make most knowledgeable people assume there is some security through obscurity going on.

These days you can get FIPS certifications. Yes, there is a lot of US government involvement there but the point of it is to secure the government's own files. Many of the standards it uses come from outside the government. Many recommendations made actively hurt the governments efforts (ie, to crack iphones). Such as making sure crypto computations are not done in RAM which can be snooped or hacked, automatically wiping keys if a device is compromised, etc. As a company you can basically describe what you're doing (opening the kimono) to the experts and prove that you're doing things securely. Then with that seal of approval you can give confidence to others who are not as savvy on security. FIPS doesn't require your code to change to be weaker.

Re: Published source is a huge help here

[Zero__Kelvin]

If that was the point then you have no point.

Re: Published source is a huge help here

[Zero__Kelvin]

If you don't understand how it works then you don't even know if it actually does.

Re: Published source is a huge help here

More to the point, it's **ILLEGAL** to fix proprietary software.

Re:Published source is a huge help here

More important is the ability to change the code that is running on the device. Example: You have the source code for Stagefright, you've rebuilt it against your deivce's compiler, and copied it to said device, but the device won't execute it because it requires a signature that you can't fake or override.

The GPLv3 does try to fix the problem with it's Anti-Tivoization clause, but as we've seen countless times: Developers don't want the end user to be able to alter the code. Whether that's due to DRM / Licencing requirements, Legal mandates, "security", or just plain out control over "the experience", the end result is the same. The end user cannot alter the executed code even if they have the source for it.

The public largely doesn't care, much like everything else with computers / IT. They just want it to do what they tell it to do, with no thinking / effort required on their part, and they don't care how it gets that way. Even if it will ultimately hurt them in the long run. (How's those Identity Theft Insurance Polices doing? Are they up to getting a law passed mandating their purchase yet????)

The governments around the world are just doing what comes natural to them: Abusing the living fuck out of the situation for their own personal gain. So much of this wouldn't even be a blip on the radar if the "We don't have to give a fuck" problem was fixed. But as we are still seeing even now, people will spend a ridiculous amount of money to NOT be responsible for their own actions and decisions. Time will tell if this gets fixed in any reasonable way shape or form, but I'm betting it won't be, at least not without WWIII level BS happening on a massive scale because of it. And even then, it'll be a kneejerk reactive fix.

Re: Published source is a huge help here

[beelsebob]

No, if that was the point, then the parent poster had no point.

Re: Published source is a huge help here

[Zero__Kelvin]

Don't be confused by your +5 rating on your initial comment. It is a phenomenally fucking stupid thing to say. Plenty of highly qualified people have reviewed the source for various implementations of algorithms when the source code is available. It doesn't matter if there are "only a few" as you put it. What matters is it that it is a well qualified few. There are people who know their shit, and those people have reviewed, for a single example, TrueCrypt and those audits matter. You want to claim that because nobody is reviewing some open source script written by a wannabee expert that nobody ever audits the important code. If you think nobody with a clue ever audited Openssh or Phil Zimmerman's code then you are an idiot. If you know they did then you are a disingenuous troll. So which are you?

I know. Here comes the ridiculous argument that since the vulnerabilities weren't caught earlier, catching them at all didn't really matter.

Re:Published source is a huge help here

[nine-times]

As a company you can basically describe what you're doing (opening the kimono) to the experts and prove that you're doing things securely.

And what if they leave some things out of that description?

Because if we're talking about intelligence agencies compromising developers and having them weaken security in their own products, it doesn't seem like they'd then disclose that weakness to security experts. I posited in the previous post that an intelligence agency might try to get some innocent-looking malicious code into an open source project. So what if that intelligence agency had the cooperation of the developer of a closed source project? The code wouldn't even need to look particularly innocent then.

Re:Published source is a huge help here

[Darinbob]

You don't have to stop with FIPS, you can go above and beyond. Nothing is preventing a higher standard of paranoia.

The standard is there for the government to use itself - it wants to protect information on its own devices, making sure that its own employees are not using equipment that is easy to snoop on. Because the government does use third party software and equipment, including open source. Of course, the government could actually compromise itself and weaken its own security, so that if a government employee lost a phone in a bar that other countries could crack it easily (or worse, the Washington Post). But my guess is that the government actually does want good security for itself.

Re:Published source is a huge help here

[MangoCats]

What the open code can do is expose backdoors, if they're not cleverly hidden.

If a crypto app is too long for a thorough review, it's poorly written and probably is hiding a backdoor somewhere.

Re: Published source is a huge help here

[beelsebob]

Your comment assumes that no one ever audits closed source implementations of encryption code.

You may well be right in the case of random implementations by random small shops (in fact, you probably are), but that really just tells you the well known trope "never implement your own cryptography".

In the case of the implementations built into {mac|i|tv|watch}OS, Windows, Android etc; for all that there are potentially bribable people writing those implementations, I'll take them any day over any open source implementation. In fact, the number of glaring, horrible security holes discovered (after attacks, not by code inspection) in OpenSSL recently has rather reinforced that.

Re:Published source is a huge help here

In reality, only the person who write it ... really understand what's going on,

When it comes to encryption, this is way too often not true. It is quite easy for someone to write encryption software without understanding what they actually wrote, e.g. they could have made a mistake or too often someone tries to roll their own encryption scheme that is much weaker than they realize. Even when implementing standard encryption methods, they might not realize they picked something that has very bad nothing-up-the-sleeve numbers that were chosen by a three letter agency.

Re: Published source is a huge help here

[Zero__Kelvin]

There were no glaring obvious I securities in Openssl, but you also don't seem to understand Microsoft at all, for example. With FOSS vulnerabilities are patched post haste. With Microsoft it is "thanks for the feedback. We might fix it someday, but then again probably not." I hope you figure out how all this really works someday, but until then just STFU and stop weakening the security landscape with misinformation. Thanks in advance on behalf of real security experts everwhere.

Re: Published source is a huge help here

In the case of the implementations built into {mac|i|tv|watch}OS, Windows, Android etc; for all that there are potentially bribable people writing those implementations, I'll take them any day over any open source implementation. In fact, the number of glaring, horrible security holes discovered (after attacks, not by code inspection) in OpenSSL recently has rather reinforced that.

The number of security holes in closed source software exceeds that of open source by orders of magnitude - and many of these are extremely serious problems that have hurt a lot of people. You just haven't been paying attention. Hint: Why do you think your "OS Update" is running all the time for your non-open-source OS? Another hint: why do you think the virus and malware 'definitions' are always getting out of date?

It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

Further, you are greatly lacking in your skills at assessing social science research: please take a course in research design, or read a couple of textbooks. No legitimate research that makes credible measurements has shown that significant open source software gets insufficient review over the long term.

Nor is anybody with any sense interested in thousands of people looking at a given piece of open source - even a dozen or so is a lot more than will ever look at a typical closed source piece of code.

I have trouble getting my employer to have even one other person look at my code. We're all human, nobody's perfect, and nobody should get that much trust. It's pretty clear that many of the venders we use (big commercial companies) follow the same policies, since we end up having to help them debug the problems in their software. Complex systems inevitably have lots of problems.

There's a big lemming push in the current business world to make more money by being "agile" and getting to market faster - and it results in a lot of bad judgements with respect to quality.

That kind of third party review happens all the time in the open source community, with respect to programs that matter. People have been using tools (such as the Unix tool 'patch') to provide countless third party patches to open source software for decades - they wouldn't be doing that if they hadn't reviewed the code, found the problems, and even come up with a fix. If you review the history of tools like this, you'll conclude that a large number of bugs are found and fixed by third parties in open source software - and there is every reason to believe that closed source software has more bugs. When people put their name on something, and they know the whole world will see it, they tend to put in extra effort to get it right.

Re:Published source is a huge help here

[aknowles]

Counterpoint: https://github.com/google/oss-... Google is fuzzing a whole bunch of open source projects and filing bugs.

Morse code from the grave...

[__aaclcg7560]

Telegraph found Samuel Morse is still alive?!

https://en.wikipedia.org/wiki/Samuel_Morse

Re: Morse code from the grave...

A known racist and a huge proponent of anti immigration. He'd fit right at home today ;) /s

Re: Morse code from the grave...

He was anti-Catholic and wanted to limit immigration from Catholic countries. You Lefties would probably be bowing at shrines dedicated to him if you knew that.

Who are the bad guys again?

When the U.S. tries to bribe Russian app developers to break their app, but Russian government doesn't... so yeah, who are the bad guys again?

U.S. government agencies and news outlets wants us to believe it's every damn country east of Europe... nobody buys your lies and false-flags any more.

Re:Who are the bad guys again?

Russia don't really need to break into civillian communications - because they have other methods:

If a "little guy" piss them off - he get beaten by some thugs and possibly a couple of years in prison. Maybe he learns his lesson, maybe he dies - there are enough people anyway and they can't sue the government.
If an oil billionaire pisses them off, he suddenly finds all assets frozen and gets a decade or two in prison.
If someone try to be clever and hide in the west after pissing them off - they might get the polonium diet.

So you may communicate securely in Russia. The day they really want you, they just kick down your front door anyway. No need for any "proof" first. No search is "unreasonable".

Russian authorities simply don't need to be subtle. American authorities still need to appear nice, so they need to snoop in silence. They can't blatantly beat information out of people, or tell them to "speak now, or you disappear to some fearsome interrogation camp for some years." So they want to listen in on everything instead. As long as nobody notices enough to prove anything, they aren't visibly violating the constitution or other laws.

Re:Who are the bad guys again?

"American authorities still need to appear nice, so they need to snoop in silence. They can't blatantly beat information out of people, or tell them to "speak now, or you disappear to some fearsome interrogation camp for some years.""

What? Like Guantanamo Bay?

Re:Who are the bad guys again?

They can't blatantly beat information out of people,

No, they just use different torture methods

or tell them to "speak now, or you disappear to some fearsome interrogation camp for some years."

So all those black-ops sites and FISA prisons and Guantanamo Bay don't exist?

You spooks are really having trouble trying to a) appear as "normal" posters and b) running out of bogey-man arguments to the point where they are just obvious, blatant falsehoods.

I fart in your general direction.

Re:Who are the bad guys again?

The US police forces routinely shoot civilians for no cause and escape legal consequences; and the US president authorizes a weekly assassination list for people he doesn't like abroad, which can include (and already have included) US citizens. And I could cite many other ways in which the US regime doesn't have to appear to play nice.

Not the end of it.

[Gravis+Zero]

If the NSA failed to bribe their developers, it doesn't mean they are just going to give up. A bribe is just the most cost effective solution for the long term. Have no doubt that they will seek or even maybe even create a weakness in the application.

Re:Not the end of it.

You realize that isn't how the world works, right?

When humans attain power over others, their brain changes a bit. There is no escape from the neural re-adjustment. They see other power-holders as contemporaries that are deserving of respect, and everyone beneath them as mere means-to-an-end. They barely recognize subordinates as humans, even.

In order to call NSA heads to justice, their peers would have to act against them. Us nobodies can't make that happen. When we demand it should happen, our demands sound whiny and ridiculous to those with power. Like a farmer listening to his pigs demanding that he punish his wife for giving them low-quality feed. It just isn't worthy of consideration.

Re:Not the end of it.

There's a reason I pointed out 'hanging'.

There is just one thing people can do in this situation after all.

The pigs will have to build gallows, and "illegally" drag the criminals out to them in big groups.

Happens in the end of every single empire.

For real?

[Corbets]

While I wouldn't be terribly surprised if the various three letter agencies try this... would they really be stupid enough to let him know where they were from? It's not like they would have appealed to the Russian's sense of patriotism for the US.

On the other hand, this sort of publicity could drive users to his product, providing a motive to lie.

Methinks that we should remain a bit skeptical on this one.

Re:For real?

Yeah ... I think the takeaway here isn't "You can't run a crypto app in the US without attracting government scrutiny." ... I think the actual message to be read is "You can't import a crypto app that was developed in Russia into the US without attracting government scrutiny."

Re:For real?

Where else would they be from? The dairy industry? They were offered bribes, AND got intimidated by the FBI, it was the U.S. gov alright. Wake up dude.

Re:For real?

NSA/CIA also tried to get Linus to install backdoor into the linux kernel, this is public knowledge.

The question is...Did he cave?

I mean, here we got this Russian guy, and then there's Trump, probably offering to buy him out, just as soon as he pays off his other Russian debts.

The czech is in the mail

OpenKeychain

[wasteoid]

Manage your own asymmetrical PGP keys and encryption, while using any messaging app. Not as integrated as Telegram or other streamlined apps, but secure communication is possible, just need to take a few extra steps.

It's a bluff

Trying to induce a false sense of security:
"they are trying to bribe us so we must be doing something right."

Whereas the ploy may be to make you think that.......

Re:It's a bluff

[AvitarX]

This:

It seems just as likely that this is a misinformation campaign to sow distrust of American vendors, or even all others, while their product is backdoored by the Russian government.

I'm not saying that's the case, but it seems just as likely with the Russian propaganda machine being so efficient.

Re:It's a bluff

You can have secure communications. Nest several different VPNs inside each other. Sure, the NSA have keys for the american sw, and the russians no doubt have ways to access russian sw. Nobody has all the keys though, and these agencies don't cooperate too well.

Re:It's a bluff

[AHuxley]

AC that VPN use will be tracked.
https://en.wikipedia.org/wiki/...
"Showing the usage of virtual private networks (VPNs) and machines that can potentially be hacked via TAO"

Don't trust proprietary protocols

[Cajun+Hell]

It's not really about the US; the US government's behavior is merely helping to illustrate the deeper errors made by the users.

If you are using VPN/encryption tool/secure communication network/etc. created by US based company, it is very unlikely that it is actually secure.

More generally:

If you are using an app created by a company, which is only compatible with itself rather than complying with a public spec, it is very unlikely that it is secure. (It's also pretty unlikely that it won't suck in other ways too.)

Stop talking about apps, and start talking about protocols. Answer the "which of these apps works best for me?" question later, after protocol selection. If telegram doesn't work with anything else except telegram, then you can be pretty sure that telegram is the wrong choice.

Re:Don't trust proprietary protocols

[qbast]

No, it is in fact very much about US and willingness of the government to strong-arm developers into crippling their crypto solutions. All the compliance with public spec won't help you when developers have been pressured into introducing a subtle bug that allows to make encryption easier to break or to modify their official binary builds by adding a piece of code that will store your private key somewhere.

Re:Don't trust proprietary protocols

[MobyDisk]

Stop talking about apps, and start talking about protocols.

This is the problem with computing and the internet over the last 10 years. We switched from developers saying "I want to create a protocol that does X, and I'll make the first app that implements it" to developers saying "I want to sell ads, so I'll make a proprietary app that does X, and refuse to open it up to other developers." It's the pre-1983 IBM -vs- Compaq mentality.

Re: Don't trust proprietary protocols

Thats the same answer youbalways get from an American. If someone does something better than us, then that thing thats better is irrelevant.

Re:Don't trust proprietary protocols

[retchdog]

yeah i suppose they wanted people to use their software and get paid.

what bastards!

Re:Don't trust proprietary protocols

[ctilsie242]

The problem is that open protocols don't bolster the quarterly results. This is why we have so many websites that are best served by HTML5 or something else going with apps. Plus, with the fact that most apps want every permission under the sun, it is another way to slurp data to sell to whomever has the cash, or find another way to throw ads as alerts. If it were not for the fact that we have multiple PC web platforms with different languages for coding in, I wouldn't be surprised to see sites require viewing through their app only, with the website just a forward to whatever store has it for download.

Re:Don't trust proprietary protocols

yeah i suppose they wanted people to use their software and get paid.

what bastards!

Considering their efforts are making the world of technology a worse, more insecure, less reliable, less upgradable, and less manageable place, yes. Yes they are bastards.

Developers could compete by making a better product worth buying. Instead the majority went the route to create a mini monopoly and lock-ins.

There is a word for people that think of themselves above others and make the lives of others worse for their own selfish benefit: evil.

Re: Don't trust proprietary protocols

[Zero__Kelvin]

HTML5 is a standard. Complaining about that is like saying "best used with blowfish or SHA512" would be bad.

Re: Don't trust proprietary protocols

[Zero__Kelvin]

I guess you don't know any of us. I am an American, and I can assure you nobody has ever done it better than US, ever ... well until January 2017 anyway ;-)

Re:Don't trust proprietary protocols

And of course it's impossible to make money on software that's open, trustworthy, and respects the user.

Re:Don't trust proprietary protocols

[MobyDisk]

Open standards have the power to break monopolies and make a lot of people a lot of money. For 25 years, open languages, protocols, and specifications caused the PC industry to grow exponentially. IBM lost their hold, DEC died. Apple maintained their hold, but was a small player until they created the iPod. Why won't the same thing work now? Why can't we have, instead of one FaceBook, dozens of FaceBooks all using the same protocol. In the past, whoever invented the protocol received the first mover benefit of defining new versions of the protocol, and charging royalties for it. See VHS and MP3 for examples. Even committee standards like DVD and Blu-Ray created entire industries. It brought us ISA, EISA, VESA, PCI, and x86. It brought us Android which disrupted Apple's hold on the smartphone industry. Blackberry and Windows proprietary OSs fell down and the industry just grew.

The lesson here is that interoperability is more profitable, for the economy as a whole, and better for the consumers. So why is there a perception otherwise?

Re: Don't trust proprietary protocols

He's saying that HTML5 and a web browser provide almost everything that one needs to implement the functionality of most apps, but this is being passed over because apps allow for more profitable abuse of the users.

Re: Don't trust proprietary protocols

[Zero__Kelvin]

I see that now that you point it out. I guess I am still traumatized by the old "best when viewed with IE6", or better than that the "only works with IE6" sites of old. "Served by" is clearly different than "viewed with" ... mea culpa.

Many eyes theory is mostly a myth

[sjbe]

Published source makes it a lot easier to spot problems with the code.

Demonstrably false in most circumstances. Just because the code is available does not mean competent people are looking at it and finding bugs. It would be safe to say most open source programs are not being looked at by a lot of eyes beyond the primary developers. You need more than published source code to make it easy to spot bugs. Heck a lot of code is so badly written that it would be easier to re-write from scratch than to find a bug in it.

Re:Many eyes theory is mostly a myth

Published source makes it easier to find & fix user-visible bugs. Which is why so few open-source programs crashes - people hate that & fix it. Those who use closed source think it is "normal" that a computer crash now and then - once or twice a day perhaps - and it is normal that it gets slower with uptime due to memory leaks and such.

But none of that is normal. I run laptops for two months continously - only rebooting to get a kernel upgrade. (Everything else is upgraded more often - but that does not require a reboot). The laptop is not sluggish after two months - and of course it hasn't crashed in that timespan either.

Unnoticeable bugs like heartbleed are not easily discovered in open-source, and persist for long time. But that problem is just as bad in commercial sw.

Re:Many eyes theory is mostly a myth

[drinkypoo]

Published source makes it a lot easier to spot problems with the code.

Demonstrably false in most circumstances. Just because the code is available does not mean competent people are looking at it and finding bugs.

Your logical fallacy is moving the goalposts. GP didn't claim that it meant that problems would be spotted.

Re:Many eyes theory is mostly a myth

[Darinbob]

We've used third party penetration testers. Given access to full code and hardware specs and they'll pour through it with a fine tooth comb and I'm amazed at some of the things they can discover.

"Those Evil Americans tried to bribe us!!!"

[Nutria]

Maybe. Or maybe you're just *saying* it to make yourself look better while bashing the US.

How will we ever know for sure?

Re: "Those Evil Americans tried to bribe us!!!"

Is it you, Donald?

Re:"Those Evil Americans tried to bribe us!!!"

Few sure things:
slashdot ran the news story,
the story weakens trust towards US,
the imago of slashdot as an anti-establishment website got a boost,
someone benefits from the boost,
slashdot is an US website.

Re:"Those Evil Americans tried to bribe us!!!"

Do you read what you write? They don't need to "look better" to anyone. They've got a solid app and great reputation, their app is free and open source, they have nothing to hide, and nothing to gain from making up lies.

You have no reason to believe they are lying, so it seems to us that you're just part of the anti-Russia brigade crawling out from under your rocks.

Re:"Those Evil Americans tried to bribe us!!!"

BS. Telegram server code is closed source. You have no idea what they are doing.

Comment removed

[account_deleted]

Comment removed based on user account deletion

US is a rogue state

There's no way any software of US origin can be trusted - paricularly closed source. The US interferes in the affairs of most countries on earth, including in elections and referendums in my own nation. Now they also want to spy on personal communications, and bribe developers from countries that have less invasive surveilence policies. Time to completely isolate this parriah state in my opinion.

Alternatives, we need alternatives

[what+about]

Telegram is an alternative to whatsapp or equivalent service from google.
Hopefully European politicians will not be so dumb to break it... (look out to fake "save the children" broadcast)

Any person that does any "professional" work must consider the sharing of contacts,documents, communications as a breach of contract with the client.

I am looking at what happens on the cellphone/tablet market and pray/hope that there will be a NON US based company providing some reasonable platform.

The amount of information that an Android phone share with Google by default (same with Apple) is way too much, real big brother on steroid.

Re: Alternatives, we need alternatives

Citation needed for the Apple part. Apple
Is a hardware company that respects your privacy, as they don't collect any data like
Google does. I've ran wireshark, little snitch and checked my firewall/proxy logs(logs all traffic). No signs of Apple sending my data to their servers for advertising purposes. No I don't use the App Store.

Google on the other hand, you are the product. They give you free stuff so they can sell you out to their advertising network.

Re:Alternatives, we need alternatives

[AHuxley]

Re "Hopefully European politicians will not be so dumb to break it"
Germany is working hard on that "Germany to pour cash into mass surveillance"
http://www.dw.com/en/germany-t...
"..BND says it needs much of the extra money - some 73 million euros over the next few years - to set up "Panos," a new project specifically aimed at decrypting messaging systems by finding weaknesses in the apps."

Rabbit hole...

[bradley13]

This may be true, and he didn't accept the bribes; he may be saying this after accepting the bribes; he may be saying this as a publicity stunt; he may be saying this to deflect attention away from the backdoors already installed for the Russian government; he may be saying this because... ...we have no fricking idea. How deep down the rabbit hole do you want to chase your favorite conspiracy theory?

Granted, it's hard to be prepared for all eventualities, but it sure would be nice if he had a recording of the meeting, and the words exchanged.

Re:Rabbit hole...

[Khyber]

You hit exactly what I was thinking. I'd bet money this is a ploy to get more people to use the app, so that more spying can be done.

Good thing I don't trust/use apps which require my phone number. That's none of their fucking business.

Re:Rabbit hole...

I probably wouldn't trust a recording of the meeting, as it could be tampered with. I would only trust it if the audio was cryptographically signed by a tool without any backdoors.

Re:Rabbit hole...

[JonnyCalcutta]

Yup. The problem now is - to what degree can you trust anything?

Is it true?

[GuB-42]

While bribing developers to weaken encryption is most likely not above what intelligence agencies do, this could also be a PR move.
By saying an intelligence agency attempted to bribe your devs, it implies that :
- Your app is so secure that it can't be cracked by external means
- That your company standards are so high that bribes don't work
- That the government is watching and using unethical methods, and that an app like the one you offer is needed
- Competitors may have been bribed too, and if they aren't saying anything, they may have fallen for it

Considering the flaws of Telegram, this may be just an attempt to make it feel more secure than it really is.

BULL SHIT

It's self-grandizing bullshit. Haha. Suckers! Believe! Anything! Here!

Comment removed

[account_deleted]

Comment removed based on user account deletion

Not sure what to believe

[Aequitarum+Custos]

Option 1: Could be Russian/Telegram propaganda.
Option 2: Could be true because seriously, who trusts the FBI/NSA not to violate our privacy anymore?

Really not sure what to believe about this one.

Kettle meet pot.

So Russians are accusing US intelligence of weakening their apps security? Meanwhile they hacked whole elections. And have been relentlessly undermining our Intelligence. Complaint seems legit ....smh.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Tried?

Technically, it's worth clarifying a few things:
- It's RSA the security company (peddling their encryption solution), not RSA the algorithm (there continue to be no known problems with the RSA algorithm).
- What they were paid the $10 mil for is to use the Dual_EC_DRBG random number generator (this is not a cipher, merely a random number generator for one).
- The Dual_EC_DRBG algorithm was a faulty backdoored standard certified for use by NIST for use in cryptographic software (NIST = the body that certifies crypto algorithms for use and consults with the NSA about security of the algorithms). EC ciphers in general, have not yet been proven to be insecure.
- The settings for Dual_EC_DBRG were not weakened, as it was never a secure algorithm in the first place. The magic constants the NSA defined, allowed them to reconstruct the seed value for the RNG algorithm from a very small number of inputs.
- After the Snowden leaks proved Dual_EC_DBRG insecure, NIST revoked the standard.

That is the story abroad, but the one here is wors

[kelanos]

Here in the US, intelligence agencies effectively OWN many tech companies and mandate these weaknesses in engineering to their trusted men (or women) in development teams. Of course I'm talking primarily about Google and Microsoft, and many others besides.

conspiracy theory blah blah blah

Too long of an argument to make to defend, but it might suffice to point out how everyone important is invested in every important business and so this mutual investiture forms the mechanism for the 'crazy crazy impossible' conspiracies that many like to comfort themselves by ignoring.

Get with the times

[SuperKendall]

This is 2017 man, you don't need actual users, just a trend-line and PROJECTED users.

If you can't ramp up a nice trend line from India for under $100 well I don't know what to tell you.

Heck if you spend the $100 to buy users from Russia THAT trend line will have the government BEGGING to give you money to weaken encryption.

Why Do You Give Putin A Pass?

You've invented a strawman based upon Left versus Right politics. Or Capitalism versus Centrally Planned economies. Or something, frankly I couldn't force myself to read your whole tortured logic in detail.

Putin is an enemy because he is a totalitarian leader and a kleptocrat. He seeks to destabilize as much of the world as he can get away with in order to increase Russia's power and influence. More to the point he wants to increase Putin's power and influence.

Do you know what intervention from friends looks like? People who identify themselves and state their opinions and motivations openly. Do you know what interference from enemies looks like? People who conceal their identities and use subterfuge and misdirection to achieve a hidden agenda.

Oh, but you're smart! You know what's what, and certainly the Russian campaign of interference had no impact upon you! Nor anyone else, of that you are certain. Well good for you. Your smug ignorance left you open to the Russian campaign of interference and it will do so again.

You ask "So, really, what's the deal?" Yet you appear to need the difference between a "friend" and an "enemy" explained, when everyone already knows the difference. So what's your deal then?