Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Intelligence Agencies Tried To Bribe Our Developers To Weaken Encryption, Says Telegram Founder (twitter.com)

Posted by msmash on from the revelations dept.

In a series of tweets, Pavel Durov, the Russian founder of the popular secure messaging app Telegram has revealed that U.S. intelligence agencies tried twice to bribe his company's developers to weaken encryption in the app. The incident, Durov said, happened last year during the team's visit to the United States. "During our team's 1-week visit to the US last year we had two attempts to bribe our devs by US agencies + pressure on me from the FBI," he said. "And that was just 1 week. It would be naive to think you can run an independent/secure cryptoapp based in the US."

Telegram is one of the most secure messaging apps available today, though researchers have pointed flaws in it as well.

11 of 135 comments (clear)

  1. Don't trust US by qbast · · Score: 5, Informative

    Keep that in mind. If you are using VPN/encryption tool/secure communication network/etc. created by US based company, it is very unlikely that it is actually secure.

    1. Re:Don't trust US by Anonymous Coward · · Score: 5, Insightful

      Before PGP was released there were encryption standards where a company could have encryption that couldn't be broken by a person or another company but it had to be weak enough that the NSA, CIA, etc... could break into it. When PGP was released it made it where companies went against this and could make encryption as strong as they wanted to. A side note they tried to prosecute the creator of PGP for violating the Arms Export Act but were unable to since he put the code online for free and never sold it.

      The thing we are seeing now is the government is either trying to scare companies into giving them the information or bribing the developers into making the encryption weaker.

  2. Published source is a huge help here by davidwr · · Score: 5, Interesting

    It would be naive to think you can run an independent/secure cryptoapp based in the US.

    Published source makes it a lot easier to spot problems with the code.

    Also, with published source code you can, with the appropriate license, legally recompile it yourself using your own set of tools as a hedge against the publisher's tool-chain or binary-repository being compromised.

    Granted, if your tools (anything from the bare metal on up) is compromised or if you are using it to talk with someone else who is using a different binary, all bets are off.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Published source is a huge help here by beelsebob · · Score: 5, Insightful

      Published source makes it a lot easier to spot problems with the code.

      No it doesn't. It has been shown repeatedly that the idea that thousands of people will look at code and magically spot bugs is a myth.

      In practice, people either 1) don't look at the code, or 2) don't have the domain knowledge to know what that very specific function is doing.

      In reality, only the person who write it, and the 1 or 2 people who reviewed it really understand what's going on, and often not even the people who reviewed it.

    2. Re:Published source is a huge help here by nine-times · · Score: 5, Insightful

      Also, it's possible to disguise malicious code to look like it's doing something else (e.g. The Underhanded C Contest). It's entirely possible that intelligence agencies try to insert these kinds of things into open source projects.

      But I don't think that was davidwr's point. I take the statement "Published source makes it a lot easier to spot problems with the code." to be pointing out that it's much ore difficult to identify weaknesses if you're provided a compiled binary, as opposed to having access to the source code. It's not that open source code is a guarantee that someone will spot bugs, but with closed source, you're completely at the mercy of the original developer.

  3. For real? by Corbets · · Score: 5, Insightful

    While I wouldn't be terribly surprised if the various three letter agencies try this... would they really be stupid enough to let him know where they were from? It's not like they would have appealed to the Russian's sense of patriotism for the US.

    On the other hand, this sort of publicity could drive users to his product, providing a motive to lie.

    Methinks that we should remain a bit skeptical on this one.

  4. Don't trust proprietary protocols by Cajun+Hell · · Score: 5, Informative

    It's not really about the US; the US government's behavior is merely helping to illustrate the deeper errors made by the users.

    If you are using VPN/encryption tool/secure communication network/etc. created by US based company, it is very unlikely that it is actually secure.

    More generally:

    If you are using an app created by a company, which is only compatible with itself rather than complying with a public spec, it is very unlikely that it is secure. (It's also pretty unlikely that it won't suck in other ways too.)

    Stop talking about apps, and start talking about protocols. Answer the "which of these apps works best for me?" question later, after protocol selection. If telegram doesn't work with anything else except telegram, then you can be pretty sure that telegram is the wrong choice.

    --
    "Believe me!" -- Donald Trump
  5. Is it true? by GuB-42 · · Score: 5, Insightful

    While bribing developers to weaken encryption is most likely not above what intelligence agencies do, this could also be a PR move.
    By saying an intelligence agency attempted to bribe your devs, it implies that :
    - Your app is so secure that it can't be cracked by external means
    - That your company standards are so high that bribes don't work
    - That the government is watching and using unethical methods, and that an app like the one you offer is needed
    - Competitors may have been bribed too, and if they aren't saying anything, they may have fallen for it

    Considering the flaws of Telegram, this may be just an attempt to make it feel more secure than it really is.

  6. Comment removed by account_deleted · · Score: 5, Informative

    Comment removed based on user account deletion

  7. Re:Many eyes theory is mostly a myth by drinkypoo · · Score: 5, Informative

    Published source makes it a lot easier to spot problems with the code.

    Demonstrably false in most circumstances. Just because the code is available does not mean competent people are looking at it and finding bugs.

    Your logical fallacy is moving the goalposts. GP didn't claim that it meant that problems would be spotted.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:Who are the bad guys again? by Anonymous Coward · · Score: 5, Insightful

    Russia don't really need to break into civillian communications - because they have other methods:

    If a "little guy" piss them off - he get beaten by some thugs and possibly a couple of years in prison. Maybe he learns his lesson, maybe he dies - there are enough people anyway and they can't sue the government.
    If an oil billionaire pisses them off, he suddenly finds all assets frozen and gets a decade or two in prison.
    If someone try to be clever and hide in the west after pissing them off - they might get the polonium diet.

    So you may communicate securely in Russia. The day they really want you, they just kick down your front door anyway. No need for any "proof" first. No search is "unreasonable".

    Russian authorities simply don't need to be subtle. American authorities still need to appear nice, so they need to snoop in silence. They can't blatantly beat information out of people, or tell them to "speak now, or you disappear to some fearsome interrogation camp for some years." So they want to listen in on everything instead. As long as nobody notices enough to prove anything, they aren't visibly violating the constitution or other laws.