The Most Backdoor-Looking Bug I’ve Ever Seen

buttondown.email

268 points by iamd3vil 5 years ago · 221 comments


technion 5 years ago

> Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

I don't think people give credit for just how deep this actually does cut. On one project I worked on, which stored obscenely sensitive information, their product manager gave a speech about password security and told us he had a better algorithm than bcrypt. You couldn't explain why this was a bad idea - he wasn't taking feedback. When it landed, I found they had botched the algorithm so this "sql injection detection code" basically changed every character to a ' mark. You just needed the right number in a password and it would always match. So I logged a bug, used it to push that they just use bcrypt, and I got a big story about how he knows exactly what he was doing and he would fix the bug. It was "fixed" for a few days. Apparently what happened was, the developer didn't know how to use git properly and copied an older file on top of the repo and brought the bug back, after it was known, disclosed, and everyone was told it was fixed. The algorithm turned out to only handle a-z, and every other character was left in place. So I went through this again. Same speech about incredibly great design. They could have easily snuck a backdoor in because I never looked at 90% of the code, but this ongoing nonsense was 100% Hanlon's razor.
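An added illustration, not code from the project the comment describes (whose source is never shown): a reconstruction, as an assumption, of the a-z-to-apostrophe transform the comment describes, showing why it makes unrelated passwords interchangeable, beside the kind of salted KDF check (stdlib scrypt here, since bcrypt is not in the standard library) the commenter was pushing for. The sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from itertools import combinations

# Assumed reconstruction of the "algorithm" the comment describes: every
# lowercase letter a-z is replaced by an apostrophe, everything else is kept.
# Any two passwords that differ only in their a-z positions become identical.
def naive_transform(password):
    return "".join("'" if ch in string.ascii_lowercase else ch for ch in password)

def naive_match(candidate, stored):
    """Login check as described: compare the transformed strings."""
    return naive_transform(candidate) == naive_transform(stored)

def colliding_pairs(passwords):
    """Every pair of distinct passwords the naive scheme cannot tell apart."""
    return [(a, b) for a, b in combinations(passwords, 2) if naive_match(a, b)]

# Hardened form: a per-user random salt, a memory-hard KDF, and a
# constant-time comparison of the derived keys.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # ~16 MiB per hash

def kdf_store(password, salt=None):
    """Return (salt, derived key) to store instead of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest

def kdf_verify(candidate, salt, digest):
    """Re-derive with the stored salt and compare without early exit."""
    attempt = hashlib.scrypt(candidate.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(attempt, digest)

# Constructed sample passwords, not real credentials.
SAMPLE = ["hunter42", "abcdef42", "Secret99", "secret99", "p4ssw0rd", "x4yyz0rd"]

if __name__ == "__main__":
    for a, b in colliding_pairs(SAMPLE):
        print(f"naive scheme accepts {b!r} for an account whose password is {a!r}")
    salt, digest = kdf_store("hunter42")
    print("scrypt accepts abcdef42 for hunter42:", kdf_verify("abcdef42", salt, digest))
```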

vbezhenar 5 years ago

The most backdoor-looking feature for me in supposedly encrypted systems is cloud backups. They are “optional”, yet most users will agree (especially when the software constantly nags about it until you give up), and their backups will leak both sides of conversations, despite all end-to-end encryption attempts.

  • londons_explore 5 years ago

    WhatsApp's cloud backup on Android sits on Google Drive by default.

    It is encrypted with a per user key known to WhatsApp.

    That means for a third party to access the chats, they need Google to hand over the data, and Facebook to hand over the key.

    The logical next step to add would be for Google to additionally encrypt the data with the user's logon password or something derived from it. Google won't do this anytime soon for business reasons.

    • keyme 5 years ago

      I've posted this here before.

      > It is encrypted with a per user key known to WhatsApp.

      This is no longer true! For a few years now. The backup is stored on Google Drive in plain text.

      https://faq.whatsapp.com/android/chats/about-google-drive-ba...

      • FiloSottile 5 years ago

        That page doesn't say that, and "tied to the phone number" sounds like they will only give you the key if you can authenticate via SMS.

        Do you have a better cite or did you check directly recently?

      • Dumbdo 5 years ago

        I'm sorry, but where did you get that information from? The FAQ only states:

        > Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.

        That makes sense, why would you re-encrypt the messages with the end-to-end-key which is individual for each chat, if you could simply use a symmetric encryption for backups?

        So the statement

        > It is encrypted with a per user key known to WhatsApp.

        could still hold true, there's no information contrary to that in the FAQ (but no information indicating another kind of encryption either).

    • sdflhasjd 5 years ago

      WhatsApp backups are a bit of an anti-feature, as I found out while trying to ditch the app after the recent policy update.

      1) The backup can only be made to Google Drive, you cannot create a manual backup to a location of your choosing

      2) The backup is created in a secret folder that cannot be accessed by the user

      3) The backup is deleted if you delete your account. (not much of a backup, eh?)

      4) You can only create per-channel exports, but this won't export the entire chat, it will export up to ~12MB of recent media, and ignore the rest, silently. WhatsApp would only share the last 40 messages of a 4-year-old chat because the last few messages contained a few images.

      • londons_explore 5 years ago

        I believe there is still an (undocumented, unofficial) way to back up to the SD card. The backup is still encrypted though, and can only be restored to the same WhatsApp account that created it.

      • ycombinete 5 years ago

        Interesting. I just created a 900MB backup of a chat history, on my iOS WhatsApp, that appears to have all messages and all data.

      • Denvercoder9 5 years ago

        WhatsApp also creates (encrypted) backups in the WhatsApp/Databases folder on your internal storage. Aside from a single line displaying the time of the last local backup in the backup settings it's not really well-documented though.

      • jsmith99 5 years ago

        I can't find any source for this 12MB limit? Backups I've restored (Android) seem to contain all media, although I haven't checked in detail.

        • Denvercoder9 5 years ago

          That point was talking about the "Export Chat" function (which creates a medialess text file), not the backup function.

    • paranoidrobot 5 years ago

      > encrypt the data with the users logon password or something derived from it

      This leads to inability to restore a backup if you forget your password and need to reset it.

      That's going to lead to screams/tears from a lot of folks who don't realise those implications.

    • garmaine 5 years ago

      > That means for a third party to access the chats, they need Google to hand over the data, and Facebook to hand over the key.

      National intelligence agencies (plural) would already have both.

      • londons_explore 5 years ago

        True, but it still makes the attack surface much smaller - employees of neither company could steal your data. Your data is now protected by the intersection of the companies privacy policies rather than the union of them.

        • beagle3 5 years ago

          It used to be that way. But then, one day, Google announced that WhatsApp backups (a) no longer count towards your quota, and (b) are no longer encrypted.

          There are two beneficiaries of this change:

          1) Intelligence and law enforcement agencies, which now have direct access to WhatsApp history for everyone who uses cloud backup (99.9% of users, if not 100%), without the need to 0day any specific phones, risk detection, or even have those phones on except occasionally.

          2) Google, who can now mine your private conversations, metadata, etc.

          (At a tiny storage cost for Google, for which they are likely compensated by the NSA)

  • moepstar 5 years ago

    This is something I don't understand (at least for me/my use case):

    Are historic chats that important to have them backed up? To me, if there's anything of value, I'll save it via other means...

    • greatgib 5 years ago

      For me, chat history has a huge value.

      How many times do things look meaningless when they are said but have a lot of value at a later date?

      For example, sometimes you wonder, "when was it that time when XXX event happened". Or "I remember that one day someone told me that he had the same problem as me, but who was it and what was his solution?"

      Otherwise, I am used to sharing thousands of links and snippets with my friends that we usually discuss. A lot of the time, after a very long time (sometimes years), for some reason we remember that something or a link about a topic was discussed a long time ago, and then it is convenient to look into the history with keywords to find the links and what was said at that time!

      • moepstar 5 years ago

        >"when was it that time when XXX event happened"

        Then you go and look that up in your issue tracker.

        >"I remember that one day someone told me that he had the same problem as me, but who was it and what was his solution?"

        Ideally, you've got that saved to your Wiki/FAQ database or at least have it in your ticketing system.

        That is, if we're talking about a professional setting - or some random "might be useful later" notes.

        But still, this isn't something I am going to dig up in a random chat log - because if you're able to find / search for it there, chances are you are pretty close to the solution anyway...

        • greatgib 5 years ago

          You are thinking of a professional dev context. But it is not the same thing for everyday discussions with friends.

          A lot of things can look not useful and common at the current time, but have a lot of values in the future. But you can't document every step of your life.

          For example, imagine that some friend tells you that his brother is currently working in Singapore and that everything is going well for him and all. But so far you have no relation to Singapore and don't travel so much.

          Then 1 year later, you will unexpectedly be sent to Singapore for work and you would highly appreciate a contact there. At that point you remember that the brother of someone is there, but who was it?

          You just have to search for 'singapore' in Telegram and you can easily get the reply to your question and so recontact the relevant friend.

          Same thing when you are suddenly thinking about buying a Xiaomi phone, and you are wondering who was the friend that told you that he bought one 6 months ago to get his review.

      • Aerroon 5 years ago

        Sure, but wouldn't you want to have control over these backups yourself? Not only do you get increased privacy from it, you also won't be in for a nasty surprise when the service decides to remove old logs/stop doing business.

        • ximeng 5 years ago

          Of course you want to have control. So why do WhatsApp and others do their best to prevent this?

        • greatgib 5 years ago

          So that explains why chat history has value in itself, beyond just storing the important info elsewhere at a given moment.

          But sure, the best thing to deal with that is to be able to 'backup/export' your history and also to be able to open/import it in a usable form.

          WhatsApp mostly fails on both topics. You can't easily back up; otherwise it would be stored in clear in Google Drive, in an area that is not even accessible to you.

          And then it is a sqlite db with a proprietary format for fields, so far nothing can display it properly offline.

          For Telegram, they have a good export/backup feature.

          I don't know of any tool that would allow browsing your history nicely when loaded offline from backups, but as the format is open, that should be doable.

        • Erlich_Bachman 5 years ago

          An average user doesn't commonly want to have control over anything themselves :P.

          • joe-collins 5 years ago

            I disagree. They'd love to have control, but that control requires tech sophistication that none of the current tooling adequately elides.

            • beagle3 5 years ago

              They surely love to have the possibility (and illusion) of control, they don't actually care much for the control itself.

              There are numerous marketing studies that show people are most content when choices are made for them (e.g. in getting a new washing machine), as long as they know (or at least believe) they could have made another choice if they wanted to.

    • Closi 5 years ago

      Yes - sometimes you don't realise the value until after the point.

      I made a card for my girlfriend on our 5th anniversary by going back and finding our first messages to each other on WhatsApp, and putting a screenshot of them on the front of the card with some corny message. She bawled and was crying for quite some time. Anyway we are broken up now, but that's not the point!

      These things really do have sentimental value, and it's not always obvious at the time.

    • Arainach 5 years ago

      Yes. Backups without easy access are mostly worthless. If I make backups, I have to think about how they're stored, where they're stored, how they're preserved, how I access them, and how I query them.

      Do I have a backup per contact? Per app? Are they stored in my Google Drive? In flat files on my local PC? What happens if my PC's hard drive crashes? How do I automatically keep the backups up to date? How do I keep them in sync? How do I access and query them remotely if I'm not at my PC?

      Now multiply that across every different service you use, and that's a lot of mental effort that I don't want to go through if I don't have to. Most users don't want to either.

    • jl6 5 years ago

      Yes, I find referring back to old chats is extremely valuable - they’re as important to me as old emails are.

tpush 5 years ago

If the dead comment by user ‘paveldurov’ is the actual Pavel Durov, then I just found extremely solid reasons never to go near Telegram. Yikes.

pdimitar 5 years ago

- Clickbait title: Check.

- Half-admission that the clickbait title might not apply (at the end of the article by mentioning Hanlon's Razor): Check.

- Actual good criticism on "don't roll your own crypto": Check (this is not a sarcasm, I liked that part of the article very much).

- Casual mention that the incident is from 7 years ago but implying that today there's a backdoor: Check.

- HN going crazy negative when Telegram is mentioned, as it always happens: Check.

---

I am not shilling for Telegram. I have no reason to. I can switch to Signal with my most important contacts in the space of one hour if I wanted to. I never invested any money in them either. I won't get sad if they get nuked from orbit tomorrow.

But it's really baffling how non-constructive most Telegram HN coverage is, both articles and comments. Sure, they have no bulletproof end-to-end encryption of messages. So, like 99.9% of all apps on all app stores then? Some generic marketing on the homepage using vaguely non-accurate language ("secure chats")? So, again, like 99.9% of the apps that have a page and put marketing lingo on them?

What's so uniquely awful about Telegram?

It's legitimately intriguing how hostile HN gets at the mention of Telegram. There might be some interesting sociological study hidden there somewhere.

  • detaro 5 years ago

    > - Half-admission that the clickbait title might not apply (at the end of the article by mentioning Hanlon's Razor): Check.

    That it might not apply is already in the title. "backdoor-looking" already explicitly expresses that.

    > - HN going crazy negative when Telegram is mentioned, as it always happens: Check.

    glass houses...

    And nobody here is claiming that Telegram is "uniquely awful", it's just that Telegram is more notable than 99.9% of other apps, in a field (messengers) where privacy is generally more looked at and alternatives that are widely considered better in that regard exist, all the while Telegram is widely advertised/recommended as "secure" despite being worse in that regard. On the other hand, this criticism isn't new and is widely known. That's why it's called out a lot, and tbh both "(paraphrased) other unrelated apps have problems too" and "(unsourced) people surely understand that it's just advertising and Telegram's limitations" are really bad defenses.

    EDIT: and I suspect Telegram is especially annoying because it's otherwise really good, so if it also solved the security question it'd be a no-brainer recommendation.

    • pdimitar 5 years ago

      > EDIT: and I suspect Telegram is especially annoying because it's otherwise really good, so if it also solved the security question it'd be a no-brainer recommendation.

      That would be quite hilarious and paradoxical: to attract so many negative reactions because the app is very good but it doesn't do everything as the tech-savvy crowd expects (in terms of cryptography). But I can see it being the true sentiment. Interesting perspective, thank you for it.

  • dhnajsjdnd 5 years ago

    It’s really messed up that people worried about their privacy are switching from WhatsApp (which has e2e enabled so nobody can read your messages) to Telegram (which generally doesn’t). People whose messages were secure are now going to get exposed when there’s a Telegram breach.

  • ryanlol 5 years ago

    > What's so uniquely awful about Telegram?

    Telegram puts its users in danger by lying to them. They claim to be a secure, encrypted messenger but do not actually encrypt chats.

    Then there’s the backdoor...

    >I am not shilling for Telegram

    :)

    • pdimitar 5 years ago

      Well, sue them. I don't think all other messengers save for maybe Matrix and Signal are any better.

      Even better, make a messenger that does encrypt chats. Make it paid. Prove its end-to-end encryption properties. I'll buy it and advocate for it to my friends and family.

      In any case, the constant hate is (a) very tiring and (b) very uncharacteristic for HN.

      • ryanlol 5 years ago

        Why are you so bothered by Telegram receiving some well deserved criticism? It’s weird.

        There are lots of posts on HN I don’t care about, but I don’t think I’ve ever had the urge to make comments like yours.

        > In any case, the constant hate is (a) very tiring and (b) very uncharacteristic for HN.

        There are people who trust their life and liberty on these apps, I don’t think the “hate” towards Telegram is inappropriate at all.

        And actually, I think that most of the time the HN community is far too positive about Telegram. Usually I see comments criticizing it get downvoted. Funny, no?

        • pdimitar 5 years ago

          It's only weird if (a) I accept that the criticism is well-deserved, which I don't, and (b) because I want to read educated technical discussions. If I want to read half-baked snark then I can go to Reddit or 9GAG. A place like HN should be better than this.

          I see some people linking old articles and cryptography research, and some historic incidents. Good! That's arguing in good faith and I've read those with an interest, and upvoted them. "I don't trust Durov", which many of the HN comments about Telegram boil down to, is just noise. I don't want noise in threads where I want to find objective information. I am doing my part to improve HN by downvoting / flagging comments I see as noise or non-constructive attacks.

          > Usually I see comments criticizing it get downvoted. Funny, no?

          Filter bubbles then, I suppose. Seems we are both in our own and apparently neither of us is right in their generalization. ¯\_(ツ)_/¯ I can live with that.

          • ryanlol 5 years ago

            You don’t seem to actually respond to the criticism, instead you just dismiss it as “half-baked snark” or with “other apps do bad stuff too!”

            You complain about the quality of discussion here, but do little to participate in a constructive manner.

            • pdimitar 5 years ago

              Yeah, I definitely got worked up so I partially contributed to the problem. Can't deny the facts.

              I already responded to those criticisms elsewhere but here goes: I never expected any messenger to do end-to-end encryption. I am quite aware how un-ergonomic such a messenger would be so I know that Telegram does little more than TLS protection of the network socket. And that's fine with me and with millions of others.

              But I still don't get why Telegram is the constant target of HN. Why not WhatsApp? Viber? Or literally every other messenger? I challenge you to find such brutal threads full of flagged comments not pertaining to Telegram. As said above, we both live in our own bubble but all WhatsApp threads I've seen lately only aim at the user's data privacy and almost nobody ever mentions that their "encryption" is also a glorified TLS and their claims for end-to-end encryption are very likely dubious and a pure PR stunt.

              Admittedly some of the responses earlier -- which were very unconstructive -- got to me.

              • ryanlol 5 years ago

                > I am quite aware how un-ergonomic such a messenger would be so I know that Telegram does little more than TLS protection of the network socket. And that's fine with me and with millions of others.

                The amount of people who understand this certainly isn’t in the millions. The fact is that most Telegram users have no idea that their conversations aren’t encrypted, most people incorrectly assume that it’s more secure than whatsapp.

                > WhatsApp threads I've seen lately only aim at the user's data privacy and almost nobody ever mentions that their "encryption" is also a glorified TLS and their claims for end-to-end encryption are very likely dubious and a pure PR stunt.

                This is complete nonsense. WhatsApp uses the Signal Protocol. Their claims of end-to-end encryption are true (and easily verifiable! just pull out the debugger of your choice)

                > Admittedly some of the responses earlier -- which were very unconstructive -- got to me.

                I think your (perfectly understandable) misinterpretation was corrected in a rather polite manner, but you still wanted to argue after being corrected by multiple native English speakers.

                • pdimitar 5 years ago

                  > This is complete nonsense. Whatsapp uses the Signal Protocol. Their claims of end-to-end encryption are true (and easily verifiable! just pull out the debugger of your choice)

                  I don't dispute this but apparently there's still a way for Facebook to give the FBI et al. un-encrypted chats, no? So is that truly encrypted?

                  > I think your (perfectly understandable) misinterpretation was corrected in a rather polite manner, but you still wanted to argue after being corrected by multiple native english speakers.

                  Yes and no. Being a native speaker doesn't excuse ambiguity and idiomatic expressions. I believe people who write in English on the internet have a duty to avoid idioms as much as possible. I am not a native speaker and easily misrepresented the meaning.

                  But, even the author corrected me so, okay.

                  As for polite... let's agree to disagree there. You are questioning my opinion that I get snarky replies but IMO it's clearly visible that no small amount of replies weren't made in good faith and were only aimed to express hurtful sarcasm.

                  • ryanlol 5 years ago

                    >but apparently there's still a way for Facebook to give FBI et. al. un-encrypted chats, no?

                    I’d love to see a source for this.

                    • pdimitar 5 years ago

                      Me too, but after Snowden I doubt we'd be able to even if it were true.

                      • ryanlol 5 years ago

                        I don’t get it, this claim should be fairly easy to prove by reverse engineering the app.

                        • pdimitar 5 years ago

                          Then why has nobody done it? F.ex. Google's Project Zero?

                          • pvg 5 years ago

                            You mean, why has nobody found WhatsApp is actually not E2E encrypted? Could it be it's because it's actually E2E encrypted? Your evidence to the contrary is no evidence at all and now you're asking why p0 hasn't found evidence of your position either. It's a very odd line of argument.

  • pseudalopex 5 years ago

    A back door means losing trust forever. It doesn't matter if it was 7 years ago.

    • krspykrm 5 years ago

      If it was indeed a backdoor, sure, but that's a judgment call, not something anyone knows. As others have noted, e2e was a novelty at the time, not a norm, and the platform itself was extremely new (less than a year old), and their stated reason for this was to protect against weak client RNG, which in retrospect sounds like a weak reason, but looking back at the news of 2013, this was right around the time the Snowden leaks caused everyone to believe RDRAND could indeed be compromised, so "client having state-compromised RNG" was indeed something on everyone's mind.

      Further, the fact that this was caught so quickly is in some sense a vindication of Telegram's model - even in its infancy when it had orders of magnitude fewer users, the fact that the client was open source allowed someone to quickly spot a vulnerability.

      The verdict? IMO Telegram secret chats are probably secure (90% certain), but if I were plotting a murder or something, I wouldn't do it over a smartphone app anyway. There are just too many leaky, complex layers in the stack, some of which aren't even open, and quite dubiously so. If security is a life-or-death situation for you, you'd be a fool to use any smartphone app.

      • FDSGSG 5 years ago

        >If it was indeed a backdoor, sure, but that's a judgment call, not something anyone knows. As others have noted, e2e was a novelty at the time, not a norm, and the platform itself was extremely new (less than a year old), and their stated reason for this was to protect against weak client RNG, which in retrospect sounds like a weak reason, but looking back at the news of 2013, this was right around the time the Snowden leaks caused everyone to believe RDRAND could indeed be compromised, so "client having state-compromised RNG" was indeed something on everyone's mind.

        Everything you said here was addressed by the OP. The connection to telegram servers is already encrypted, the only adversary this server-side RNG could possibly defend against is one that has access to the server.

  • vkhromov 5 years ago

    I believe that most of this non-constructive hate is coming from the unconscious part of the mind and specifically from an "us versus them" mentality. Telegram obviously belongs to "them" for the vast majority of people in the West, resulting in a negative attitude by default. Moreover, it's socially acceptable among "us" and is encouraged to display negative feelings toward "them"-related things, resulting in what we all can see.

  • WanderPanda 5 years ago

    I like Telegram. In my (subjective) view it has the best UX of all messengers. It also has APIs, which should give it a big plus on here, and at least till now they are not doing censorship to my knowledge. What might be problematic is that it is generally perceived to be the "rebellious" alternative to WhatsApp etc., and people tend to think that it is more secure and has better encryption. Another pro-Telegram point would be that they at least don't have as big an incentive as FB to capitalise on their users' data.

    What saddens me is that Signal seems to be the go-to alternative. It is obviously more secure but still centralised and has a terrible UX (e.g. it drained the battery of my laptop very fast when I tried it the last time). Why not directly go for Matrix / Element.io for a secure and decentralised (like email) approach? Do you really want to upload your contacts?

    • pdimitar 5 years ago

      I view it as marketing trade-offs. Deep in a sub-thread another poster pointed out that they rely on SIM identification which can be spoofed, for example. But IMO somebody had to make the call for the right balance between ergonomics and security.

      I quite like Telegram as well but I am under no illusions that it's bulletproof in terms of protecting my chats. I still think it protects them better than WhatsApp though, by the mere virtue of not being hosted in the USA where you can be ordered to give away an unencrypted dump of your database and keep silent about it until your grave.

      • ryanlol 5 years ago

        > Deep in a sub-thread another poster pointed out that they rely on SIM identification which can be spoofed, for example.

        You missed the point, again. Not only does Telegram rely on your phone number to identify you, but unlike the competition it’ll happily send out your past conversation history to anyone who manages to take control of your phone number.

        Actual encrypted messengers can’t do this.

        >hosted in the USA

        You think the UAE is better? I live here, it’s not. If the US government wants access to telegram conversation logs, the UAE government will happily retrieve them.

        • pdimitar 5 years ago

          > Not only does Telegram rely on your phone number to identify you, but unlike the competition it’ll happily send out your past conversation history to anyone who manages to take control of your phone number.

          Many, myself included, are aware of this. I prefer it because if I get a newer iPhone tomorrow I still want all of my conversations and all history to be there. I question how many people can do a SIM takeover. No, it's not "everyone". Very few will actually do it and it seems it was a marketing tradeoff. Quite a normal practice and Telegram is not an outlier in this case.

          > You think the UAE is better? I live here, it’s not. If the US government wants access to telegram conversation logs, the UAE government will happily retrieve them.

          Sigh. Suspected, but never knew for sure. Thanks for letting me know. Now "all" that remains is for somebody to both incorporate end-to-end encrypted chats and allow synchronization of history between devices without a central server, in a single app, I suppose. But Telegram isn't that app and I am aware and okay with it.

        • K2L8M11N2 5 years ago

          Telegram has an option to add an additional password to your account precisely for that reason.

          • ryanlol 5 years ago

            Why does Telegram make all important security features opt-in?

            • pdimitar 5 years ago

              Ergonomics. The HN crowd is really quick to forget that many users have no patience to set up several passwords and/or keys after installing an app.

              You and I discussed quite a bit already and we can't agree on many things -- but I can still see where Telegram's team is coming from in their security decisions. A balance between ergonomics and security has to be struck if you want wide adoption.

              We likely both abhor how quick and easy it is for many users to just say "yeah, sure, get access to my contacts so I don't have to re-add my people one by one" -- I feel that this practice is responsible for trillions of personal data points sitting out there in warehouses waiting to be used for advertising profiling, but what can we do? Seems that this is what the people want.

              Having stricter -- and thus non-ergonomic in terms of UX -- security as an opt-in is apparently the best we can do in this age. By "we" I mean "all programmers and corporations".

              Before you say it: I used Matrix and Riot/Elements for several months. The app itself is hopelessly behind in basically everything: it's not responsive even on a very modern Linux laptop, it often hides messages (and shows them again a few minutes later after the app somehow force-refreshes its UI by itself), synchronization of chats when logging in from a new device was almost non-existent and took minutes to recover a channel with like 30 messages (although I heard they are working on this)... Even notifications would fire 9 out of 10 times and I had to make it a habit to check the client every 10-15 minutes or so (since it was a work chat).

              Very far from convenient. Not to mention part of the time non-functional.

              Telegram makes security trade-offs, I have no doubts about it. But it's a damn good app in almost all regards -- and me and many others can forgive their lack of to-the-letter end-to-end encryption implementation.

              If there's an app with such a good UX and polish like Telegram that also does end-to-end encryption and doesn't drown you in GPG-like keys and passwords management minutiae, I'll gladly switch tomorrow.

              • pseudalopex 5 years ago

                Everyone would shut up about Telegram if they stopped making misleading security claims.

      • gxnxcxcx 5 years ago

        > by the mere virtue of not being hosted in the USA

        I don't know where Telegram is hosted, but whenever I fire the desktop app there is always at least a google DNS request, sometimes some additional connections to google hosts. It certainly does seem to partially rely on the USA.

        • mvolfik 5 years ago

          The point was about where the data is hosted.

          The answer is that it's distributed, so you would need court orders in an insane amount of countries to get any decrypted data from Telegram.

          • ryanlol 5 years ago

            This is hilariously out of touch. If the telegram team is based out of UAE, then the UAE government can easily force them to hand over data even if it’s stored on foreign servers.

        • pdimitar 5 years ago

          Fair point, thank you.

m12k 5 years ago

Does anyone have any inside info on this? If we don't assume malice, what is the reason Telegram is rolling its own non-standard crypto like this? Were there no widely publicized E2E protocols that would fit the bill at the time Telegram was being developed? (i.e. was it started before Signal had become known, or does that protocol have limitations that Telegram found unacceptable?) Or did the team have someone in charge with a bit of not-invented-here-syndrome that was just gung-ho on rolling their own no matter what? (wouldn't be the first time something like that has happened). And has any effort been made to validate the protocol, despite being a bit weird, so we might eventually trust it as much as Signal?

  • toyg 5 years ago

    If I remember correctly, Telegram pre-dates Signal by several months. It was well-established by the time Signal became usable. This said, the relationship between Telegram and the cryptography community has always been rocky, probably because they touted their E2E support as a differentiator from the start (WhatsApp, Messenger, and whatever-Google-had were not e2e at the time) but quite a few people pointed out their implementation was weird and broken (it has since changed).

    • Findus23 5 years ago

      I think TextSecure[1], the predecessor of Signal, is even older (2010).

      And Wikipedia also says that the first version of the Signal Protocol is from 2013[2].

      [1] https://en.wikipedia.org/wiki/TextSecure
      [2] https://en.wikipedia.org/wiki/Signal_Protocol

      • wyuenho 5 years ago

        So Telegram launched about a month earlier, but the people behind Signal had released prior art earlier, and the protocol merely a few months later, but the Signal app didn't come out until 2015 according to Wikipedia.

    • wyuenho 5 years ago

      They indeed were one of the first if not the first to come out with a messaging app that can e2e encrypt your chat. This was a time when WhatsApp was found using a plaintext protocol, and right after the Snowden revelations. They did move the needle a bit at the right time.

      One of the most vocal critics was Moxie, who later founded Signal. It's ironic that 7 years after Snowden and Telegram, Signal, the supposedly more secure and privacy-focused messaging app, still has yet to gain any sizable foothold in the market. I think that says a lot about both Telegram's and Signal's product strategies.

      • bjoli 5 years ago

        The signal protocol is used in WhatsApp, and will be rolled out as a part of Google's latest RCS effort. Signal maybe didn't catch on, but Moxie's goal of making communications encrypted seems to have worked out all right.

      • upofadown 5 years ago

        >They indeed were one of the first if not the first to come out with a messaging app that can e2e encrypt your chat.

        Off The Record showed up in 2004 and was used over multiple instant messaging systems. OpenPGP was used over various IM systems before that...

      • bildung 5 years ago

        TextSecure (essentially the old name for Signal) is 3 years older (2010 vs. 2013), isn't it?

        • wyuenho 5 years ago

          The timeline seems to suggest e2e had always been at the heart of the protocol, but I'm not sure if TextSecure and RedPhone were actually apps that people could install after Whisper Systems was acquired by Twitter. Regardless, instant messaging didn't seem to be introduced until 2014. Tough call.

          https://en.wikipedia.org/wiki/TextSecure#/media/File:Signal_...

          • bildung 5 years ago

            TextSecure was available from Google Play for years, I've used it since release. The transformation to Signal was pretty seamless.

  • FDSGSG 5 years ago

    No amount of effort to validate their protocol will make Telegram trustworthy. Telegram does not encrypt most conversations, you cannot compare it to Signal.

    In regards to actually validating the protocol, the OP addresses this

    >The current consensus seems to be that the latest version is not broken in known ways that are severe or relevant enough to affect end users, assuming the implementation is correct. That is about as safe as leaving exposed wires around your house because they are either not live or placed high enough that no one should touch them.

    • wyuenho 5 years ago

      > Telegram does not encrypt most conversations, you cannot compare it to Signal.

      I wish people would stop repeating this nonsense. Just because they don't do end-to-end encryption by default doesn't mean they don't encrypt, which would imply messages are sent in plaintext.

      There are plenty of reasons why they did what they did, and these questions are all available publicly in their FAQ or the founder's Telegram channel. Whether you agree with the trade-off or their explanations is up to you, but facts are facts.

      • pedrocr 5 years ago

        Do you really consider it an "encrypted conversation" if you just do TLS to a central server that has everything in plaintext? Is Facebook Messaging encrypted messaging? Because that's the kind of thing we already had before this wave of apps, and Telegram is marketed within this new wave but doesn't have any more security than what the previous wave already had, even if you trust their homegrown protocol.

        • reitanqild 5 years ago

          Edit, first things first:

          > Is Facebook Messaging encrypted messaging?

          Facebook messaging is not "encrypted messaging" AFAIK.

          But if you say it sends the messages unencrypted like people claim Telegram does I will probably point out that you are wrong even if I don't like Facebook at all.

          end Edit.

          --------

          Tell me then: If you call point-to-point-encrypted "unencrypted", what do you call the old WhatsApp protocol from before Moxie helped them, which actually sent messages unencrypted? [1]

          What do you call the files that WhatsApp stores on my phone (messages.db or something) that I can transfer to my computer and open without any tooling besides a zip tool and SQLite?

          Unencrypted -- ?

          Even more unencrypted?

          There is a reason why we keep repeating our plea to distinguish between unencrypted, point-to-point-encrypted and end-to-end-encrypted, and it is not because we adore all of Telegram's decisions, at least not for all of us.

          It is because precision often matters in engineering and I think especially for security work.

          [1]: Irony over irony, I used to love them back then. I knew fixing the crypto part would be doable and they were such a nice company with such a nice business model which aligned so nicely with our interests as users.

        • wyuenho 5 years ago

          Sending plaintext over a secure transport is not what they do either. They have had e2e encrypted secret chats from day one, and the ends are bound to the devices, so even if you log in from your desktop app, you won't see the secret chats on your phone, unlike Signal.

          Seriously, please educate yourself first.

          • pedrocr 5 years ago

            > They do have e2e encrypted secret chat on day one

            I was specifically replying to your complaint that non-E2E encrypted chats should not be called unencrypted because they had encryption in transit to the server. You're now shifting the conversation back to the E2E encryption they do have.

            • wyuenho 5 years ago

              Non-E2E encrypted chats should not be called unencrypted because they had encryption in transit to the server.

              The contradiction is right there in the sentence.

          • ryanlol 5 years ago

            Yes, they have opt-in e2e secret chats.

            Oh, except the Windows and Linux clients don’t even support those.

londons_explore 5 years ago

If any clients had been logging that nonce, we could retrospectively catch any person in the middle.

Far too few services do strategic logging of data useful to catch attackers like this. Many attackers won't attack if they know traces will be left which can point to them.

  • Taek 5 years ago

    The more I work with production systems, the more I appreciate healthy logs. We've solved at least a dozen big issues this past year with "just scan the logs and rebuild the historical data, we can pretend like we were monitoring that issue the whole time".

    • rorykoehler 5 years ago

      You run debug level logging on prod?

      • peteretep 5 years ago

        “debug level” and “prod level” logs are pretty arbitrarily drawn lines from organisation to organisation. If they’re intentionally running that logging level on prod, it’s prod level

      • dboreham 5 years ago

        Not the OP, but: kind of, yes. Enough logging for someone with access to the source code to stand a good chance of reverse engineering what happened (code trace) when something goes wrong, without having the user reproduce. This capability is built into the product and involves significant development effort in itself.

sneak 5 years ago

It's amazing to me that people still consider Telegram a legitimate contender in choosing a messenger.

This blog post is far too charitable.

  • beagle3 5 years ago

    > It's amazing to me that people still consider Telegram a legitimate contender in choosing a messenger.

    It's still likely better than WeChat or FB Messenger in terms of privacy. You just get to choose the devil, and some consider Russia no worse than Facebook (and all that it represents) or China.

  • davidgerard 5 years ago

    well, any messaging service, you're only on it for the people. Certainly the only reason I use Telegram is a few favourite chat groups.

    The problem with Telegram's crypto is that Nikolai Durov is super-smart - he has two Ph.D.s in mathematics - but he thinks he's smarter than everyone else in the world put together, so Telegram roll their own crypto all the time, and keep being a worked example of why "don't roll your own crypto" is a saying.

  • pdimitar 5 years ago

    And it's amazing to me that any Telegram coverage on HN is met with extremely hostile reactions. All they did was not invent the best encryption in the world... like you, me, and 99.9% of the world. Mortal sin, right?

    So please stick to facts and what can be reasonably proven. The rest is meaningless noise and mindless hate.

    The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy. Did you make it until the end of the article?

    • saagarjha 5 years ago

      I don’t think your paraphrase is an accurate representation of the article.

      • FiloSottile 5 years ago

        It's not. (I'm the author.)

        • pdimitar 5 years ago

          As said in another comment of mine, putting a generic "hey I might be wrong" at the end is pure fluff. Stick to what you believe in, you are not in front of a court.

          Case in point: the Hanlon's Razor mention definitely did mislead me in terms of your stance.

          • FiloSottile 5 years ago

            My position is that this looks like a backdoor but there is no way to know for sure, and I stand by it. If you find it too nuanced that's ok.

            • pdimitar 5 years ago

              I found it ambiguous, nothing more. And I expressed an opinion to which half I subscribe to. Maybe that's valuable feedback for you as a writer, maybe it's not.

              In any case, no hard feelings were intended anywhere.

              • SAI_Peregrinus 5 years ago

                The situation is (slightly) ambiguous. It looks like a backdoor. Anyone competent writing that code would be doing so because they wanted the backdoor. But there's no reason to assume Telegram's authors are competent unnecessarily, and competence in UI design doesn't imply competence in security. And it's also a rather obvious-looking backdoor, anyone competent would presumably try to hide it better. Then again, the NSA backdoor in Dual-EC-DRBG was pointed out before anyone started using the spec and not that well hidden, and the NSA are generally considered competent.

                • pdimitar 5 years ago

                  Oh, I am not firmly claiming that it's not a backdoor. It very well might be!

                  But what I was mostly saying (granted, I got worked up at one point because the blind stereotyping puts a black mark on HN's reputation in my eyes) is that indeed the situation is ambiguous and both possibilities are [mostly] equally likely.

      • pdimitar 5 years ago

        From the article:

        > Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

        How else would you interpret it?

        • saagarjha 5 years ago

          “This looks like a backdoor but if I think really hard maybe I can consider it to be incompetence?”

          Neither is a good look for a security team, of course.

          • pdimitar 5 years ago

            Yes, it's not, but my (and his) point stands: it's likely incompetence. It's very biased and uncharitable to immediately assume malice.

            • ryanlol 5 years ago

              >(and his) point stands: it's likely incompetence

              That’s not what the post is saying.

              > It's very biased and uncharitable

              It’s not “very biased”; if you actually look at what Telegram did, the balance of probabilities leans heavily towards “backdoor” and not “not backdoor”.

              • pdimitar 5 years ago

                So, give me your definition of Hanlon's Razor then (mentioned at the end of the article by the author).

                • ryanlol 5 years ago

                  I think you’re completely missing the nuance in the words surrounding the author's mention of “Hanlon’s razor”.

                  Besides, look at Pavel Durov's flagkilled reply here. The lady doth protest too much, methinks.

                  • pdimitar 5 years ago

                    That's not saying anything of substance unless you offer your own interpretation. "You're wrong" is not a discussion, it's a kick in the gut.

                    > The lady doth protest too much, methinks.

                    Solid criticism with well laid-out arguments from you, no doubt.

                    > Besides, look at Pavel Durov's flagkilled reply here.

                    Since when do upvote / downvote count mean anything at all about somebody's opinion or statements? (I haven't read the comment though.)

                    Look, it's obvious you have a beef with Telegram / Durov. But you are not giving any arguments, only snark. That's breaking HN's guidelines last I checked.

                    • ryanlol 5 years ago

                      >I haven't read the comment though

                      Maybe do that. Not being snarky, you’re missing important context.

                      • pdimitar 5 years ago

                        I did read it now. It's not constructive, that's a fact, but have you never got worked up by unrelenting criticism?

                        Still, he's an official public face and should know better. That I fully agree with.

                  • saagarjha 5 years ago

                    I certainly hope that’s not the real Pavel Durov…

                    • pseudalopex 5 years ago

                      Their account is 7 years old. They used to post substantive things about Telegram. Looks like him.

                • StavrosK 5 years ago

                  The author is saying "maybe things that look A WHOLE LOT like malice are actually incompetence". It's pretty clear that he thinks it's a backdoor, even though he basically says "maybe I'm actually wrong, but I really don't think so".

                  • pdimitar 5 years ago

                    Sure, sadly that's how human languages betray us. Plus, him emphasising "a whole lot" doesn't make it a fact.

                    I am no cryptography expert. I judge by all the times I've seen programmers imagine they could do professional cryptography by themselves. Literally every time they fail. Thus, in my eyes it is more likely that Telegram's coders fell victim to the same illusion.

                    But I am not denying that it's possible it's the [beginnings of a] backdoor. The whole sub-thread is (a) my opinion on what's more likely and (b) calling out people who act snarky, offer no facts and demonstrate general negative bias.

                    • StavrosK 5 years ago

                      It looks a whole lot more likely to me that this is a backdoor, as they added their own thing to a very standard algorithm (the easy and better thing to do would have been to not add anything), and all that thing did was mess with the key exchange.

                      It's really, really fishy.

                      • pdimitar 5 years ago

                        But is it really that unlikely that it's a misguided attempt to increase entropy?

                        The fact that a cryptographer might scoff and laugh at the proposition doesn't mean that a normal programmer couldn't fall victim to that illusion?

                        In any case -- yes. Both things are likely and you made a strong point for the "malice" side.

                        Still, it makes me wonder why would Durov run from Russia if he was willing to backdoor Telegram? Why not remain in Russia and backdoor it while being there? Why the extra trouble? Or maybe he didn't want to backdoor it for Russia but for other nation(s)?

                        • StavrosK 5 years ago

                          I don't think "people who design a cryptosystem" and "people who send randomness from the server" overlap a lot, yeah. I don't see how anyone remotely familiar with cryptography would think that sending randomness from an untrusted party is a good idea. It's this bad.

                          • pdimitar 5 years ago

                            Well, a bug I filed to Telegram eventually got closed on petty bureaucratic grounds (wrong repo but nobody moved the issue [I did copy it to the right repo], then X months without action etc.) so this might say something about the average competence and motivation of their technical staff. :)

                            Thanks for being one of the few to discuss constructively in this sub-thread. It's much appreciated.

                            • StavrosK 5 years ago

                              No problem, your reply did show that you wanted to discuss but were frustrated, so I just continued the discussion.

            • saagarjha 5 years ago

              s/likely/unlikely but possibly/

              • pdimitar 5 years ago

                Well, that's how probabilities work and I am not seeing your rephrasing as adding anything valuable to that discussion.

                Unless you put concrete % numbers on both sides, your replacement is identical to the original.

                • saagarjha 5 years ago

                  Oh, please, this is not a math inequality where we compare with numbers. It is plain to any English speaker that what was written in the article and how you represented it differ significantly in the confidence that they communicate. As such, your continued insistence that there is no major difference between the two comes off as extremely poor faith.

                  • pdimitar 5 years ago

                    You might be missing that many people here might not be native English speakers. As such, being crystal clear on what the author believes might be beneficial. Just putting "hey I might be wrong" at the end of an article is just word-padding, and since I assumed the author doesn't do that, I entertain the possibility they mentioned seriously.

                    ...Bad faith? Most of HN has bad faith when it comes to Telegram. This place devolves to Reddit / 9GAG levels of childishness when Telegram is mentioned.

                    I think that's quite fascinating and it's a strange outlier. Yes -- strange, as in "not justified". They did nothing more wrong than a ton of other, much more widely used software, yet any mention of Telegram on HN brings about a big bandwagon of haters. Why do you think that is?

        • ycombinete 5 years ago

          Hanlon’s Razor says to never assume malice where stupidity suffices as an explanation. The only way I read this sentence is to say that Hanlon’s Razor applies here, in spite of how malicious the bug looks.

          • pdimitar 5 years ago

            Same for me. While others argue that it's "obvious" that the author believes much more strongly that this find is a backdoor and not a dumb mistake (a very easy one to make for a non-cryptographer programmer), I am still unconvinced.

            Would be curious to read a statement from Telegram's team though -- not that any team would ever admit to putting a backdoor...

        • ncmncm 5 years ago

          Paraphrasing Clarke, "Any sufficiently advanced incompetence is indistinguishable from a backdoor."

    • FDSGSG 5 years ago

      >All they did was not invent the best encryption in the world.

      They shipped a backdoor. It's pretty clear that Telegram is actively malicious. They haven't been caught again? They probably realized that the front door of not encrypting chats was sufficient.

      >The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy

      This is not at all what the author is saying.

      • pdimitar 5 years ago

        > Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

        Unless you have another interpretation of the Hanlon's Razor, it seems that he is saying this is a mistake and not a backdoor.

        > They shipped a backdoor.

        Did they? Might be. I am 50/50 about it, people make dumb mistakes with self-rolled crypto all the time and that's a sad reality. But who knows, it might be the first try to embed a backdoor.

        My point is: being too sure one way or the other makes you biased. I err on the side of incompetence but I am open to the possibility that it was a first sloppy attempt at backdooring Telegram. Sadly we have no proof of either, so we speculate based on what's available.

        • StavrosK 5 years ago

          If someone says "so this guy killed himself with three shots in the back, but maybe that's a common method of suicide", that doesn't mean you think it's suicide. It's a turn of phrase to accentuate how much you don't think it was suicide.

          • pdimitar 5 years ago

            I suppose I missed his sarcasm then. Happens pretty easily over text.

            As said in another comment, I am no cryptography expert. I simply argue against the very visible negative bias against Telegram which is accentuated even more by very childish snarks on almost any Telegram HN thread. That gets to me and it's not how HN should be.

            I never argued that my opinion is a fact. I said how I arrived at my opinion and debate with people whether that's plausible or not [based on limited info]. The rest can be proven/rebuked by specialists.

            • FDSGSG 5 years ago

              Have you considered that perhaps Telegram deserves that negative bias due to their own behavior?

              • pdimitar 5 years ago

                I would consider it... if I ever see any other criticism in HN besides "they don't have massively peer- and pro-reviewed encryption" and very childish snark with zero facts interspersed.

                What's this "Telegram behaviour"? Seriously, enlighten me -- this is not a snark. I've been following HN Telegram threads for a long time and I've only seen the two things I mentioned above.

                It's really puzzling, especially in a world where a ton of very public and everyday software has many more flaws than Telegram. The whole very directed and non-HN-esque hate towards it does stand out.

                • FDSGSG 5 years ago

                  Telegram positions itself as a secure messenger but does not encrypt most conversations, that's simply dishonest on their part. Until they start to clearly communicate to their users that "Hey! This conversation is not encrypted" they deserve nothing but negativity.

                  Multiple official Telegram clients do not even support the "secret chats".

                  Right from their own website https://telegram.org/

                  >Private

                  >Telegram messages are heavily encrypted and can self-destruct.

                  This is a lie.

                  >Secure

                  >Telegram keeps your messages safe from hacker attacks.

                  This is a lie, you can even pull someone's Telegram message history by SIM swapping them FFS.

                  • pdimitar 5 years ago

                    As far as being able to put a timer on a message and see it disappear for both sides, how do you know that the "self-destructing" messages claim is a lie? Genuinely curious, I am likely missing something.

                    > This is a lie, you can even pull someones telegram message history by sim swapping them FFS.

                    Well, the mobile telecoms still have no solution for SIM swapping and most software uses SIMs as a way to uniquely identify users. I've heard of -- and used -- messengers like Signal and Matrix and the added inconvenience for not using a SIM is definitely off-putting even for me as a techie. So I can't blame Telegram or any other app for using SIM identification -- it's flawed, that's well-known in the tech community, but I suppose somebody made the call to risk this because they wanted adoption and didn't want to make onboarding too hard?

                    ---

                    I can agree on a generally somewhat misleading marketing being a reason for negativity. Even a functioning backdoor might still mean that messages are safe from most hacker attacks though; the backdoor is only used on demand (it's infeasible to use it all the time, that would take too much server resources and would put the onus on the eavesdroppers to provide extra infrastructure I think?) and the unencrypted data is served to whoever asked for it behind closed doors. That does not mean that any hacker can get their hands on it though, right?

                    But even a somewhat misleading marketing can't explain the violent reaction of most of HN when Telegram is mentioned -- at least it can't explain it to me. There's so much popular and very shady software out there and somehow Telegram eats all the flak while many other software packages receive very generous benefits of the doubt.

        • FDSGSG 5 years ago

          >Unless you have another interpretation of the Hanlon's Razor, it seems that he is saying this is a mistake and not a backdoor.

          It just sounds like the author simply doesn't want to get sued, after all it's generally impossible to prove that a backdoor is actually a backdoor.

          >people do dumb mistakes with self-rolled crypto all the time

          I've seen plenty of those; this one just happens to look rather different from the typical implementation mistakes you see. There's no possible reason for this code to exist except to allow Telegram to decrypt secret chats.

          In the end, we've got nothing to gain and plenty to lose by giving Telegram the benefit of the doubt.

          • pdimitar 5 years ago

            Well, sure. It's very possible indeed. I am still wondering why though -- Durov fled Russia, settled in UAE and then backdoored Telegram? Don't know. If a conspiracy becomes too complex then we all know what the other razor law says, right (Occam's)?

    • sneak 5 years ago

      Nothing about my comment could reasonably be described as "extremely hostile".

      You seem to be exposing a bias.

      • pdimitar 5 years ago

        Your whole comment is a simple middle-brow dismissal. Maybe not "extremely hostile" indeed, but not constructive by any measure.

        If by calling out people who break HN's guidelines I am exposing a bias then okay, I am exposing a bias then.

    • 3np 5 years ago

      I don't think anybody's hating on the authors of Telegram - just that it's not one of the better options today.

      • pdimitar 5 years ago

        I am not sure I can agree with that either (unless your definition is "does it strictly adhere to end-to-end encryption standards", in which case I'll agree with you that it's not the best).

        Last I used Riot/Elements (the app that uses the Matrix network), I almost pulled my hair out. It was slow and buggy. Felt like I was using an alpha version of some software from the late 90s.

        Telegram and WhatsApp are two very positive outliers in a sea of very bad messaging apps IMO.

        • 3np 5 years ago

          This whole thread is about security. That your priorities differ from other commenters doesn't make the criticisms "mindless hate" (and, again, not directed at individuals, just that we think the product and service is garbage from a security perspective. Don't conflate the creation with the creators.)

cies 5 years ago

> Most backdoor looking bug

While a backdoor is not a bug but a feature, it helps to disguise a backdoor as a bug (i.e. plausible deniability). I know of one instance (in MS Windows) where the backdoor feature was not even hidden so much:

https://en.wikipedia.org/wiki/NSAKEY

That's why we need opensource. It's a hedge against tyranny.

  • ryanlol 5 years ago

    The NSAKEY backdoor claim should be trivial to prove with a debugger, until someone does so I think we can safely dismiss it as a lie.

    It’s been two decades, and nobody has been able to explain how it would’ve been used.

    • cies 5 years ago

      I beg to differ. This stuff is called reverse engineering and it's all but trivial.

      • ryanlol 5 years ago

        The debugging symbols and most of the source is out there, this really isn’t a particularly difficult task.

        If you can’t do this, then you certainly aren’t qualified to claim that such a backdoor exists.

jonmal 5 years ago

It amazes me that Telegram is still a contender.

jbj 5 years ago

One thing that always puzzled me about telegram was seeing maps being loaded from yandex when sharing locations with friends

  • ffpip 5 years ago

    I think it uses Google by default because Google Maps is the best in almost all regions. It gives you an option to change

    Maybe Yandex in Russia only?

  • Yetanfou 5 years ago

    I never share my location with anyone other than by telling them in normal language that I am at some specific location ("the ferry terminal at Marstrand" or something like that). I don't give the few apps I still use - I try to use self-hosted web services where possible - access to location data, other than those which need it to function (OsmAnd~ etc.). To use some WWII-related terms, "Feind hört mit" (seen on German-language equipment, it means "the enemy is listening in"), "En svensk tiger" (a Swede stays silent (so that the enemy can't listen in)) or, more tangentially related, "loose lips sink ships".

gizmore 5 years ago

How to give points for a good post?

baybal2 5 years ago

And an obligatory reference to the backdoored Streebog cipher: https://eprint.iacr.org/2016/071 https://www.sstic.org/media/SSTIC2019/SSTIC-actes/RussianSty...

The backdoor was hidden in plain sight: the s-box was said to be randomly picked, but the years-long evasive answers from the authors about the cryptographic properties of the box made people think that there was something really not right with it.

If not for that specific aim being taken at the s-box, there would have been no chance anybody would have found it.

3 years later, Perrin's paper comes out, and it is discovered that almost a new domain of math is buried in that s-box.

Nobody has yet discovered what the unusual math properties of that s-box do, but nobody now doubts it being a backdoor of some kind.

  • baobabKoodaa 5 years ago

    This story is eerily reminiscent of the s-box in DES, except in that case there was no backdoor; the researchers had simply discovered a novel attack method, crafted their s-box to protect against that method, and then kept the attack unpublished for decades:

    > The eight S-boxes of DES were the subject of intense study for many years out of a concern that a backdoor (a vulnerability known only to its designers) might have been planted in the cipher. The S-box design criteria were eventually published (in Coppersmith 1994) after the public rediscovery of differential cryptanalysis, showing that they had been carefully tuned to increase resistance against this specific attack. Biham and Shamir found that even small modifications to an S-box could significantly weaken DES.

    https://en.wikipedia.org/wiki/S-box

  • Qub3d 5 years ago

    I find it such a shame that such amazing mathematical research was pumped into ultimately producing such a backward-minded result.

    At the very least I suppose we will be able to glean more knowledge out of it in the end.

  • hnews_account_1 5 years ago

    Is there a layman version of this? Something non-cryptographers can grasp?

    • theamk 5 years ago

      here is a quote:

      > designers of Streebog and Kuznyechik purposefully hid a structure in this component. This structure is very strong, very uncommon and interacts in a non-trivial way with the other main component of Streebog.

      > In light of these results, we urge security professionals to avoid these algorithms.

      It's like this: imagine some government released plans for a super-secure safe, and for some reason, deep in those plans, there is an instruction to make a 1/4" hole in the door, at a specific exact position. There is no justification or explanation for this hole, just a mention that it must be present or the safe is not going to be certified.

      So people wonder why it was placed on the plan. If there were a good reason, why not say so? Perhaps NSA/FSB has some new method to crack safes, and this hole is needed for it? Better be careful, and avoid using that specific safe model.

      • hnews_account_1 5 years ago

        Sorry, I should've been clearer. I was asking if there was a mathematical treatment aimed at a generally educated audience. I understand elliptic curves even if I don't fully know the ins and outs of Diffie-Hellman and how it is used there. So like non-cryptographers but generally technical people.

tarasmatsyk 5 years ago

TL;DR

A TG server was sending a "salt" to clients in order to randomize keys (Telegram's claim) when in fact the "salt" turned out useless in terms of encryption, and the only reasonable explanation for the "nonce" was using it as a backdoor to perform a MITM attack.

You decide whether it was done intentionally or because of lack of sleep/understanding.

PS. The original author got $100k for finding/exposing a potential backdoor.
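To make the MITM concern in this TL;DR concrete, here is an added toy example (not code from the original post and not Telegram's actual protocol) built on the assumption that the server-supplied value is XORed into the finished key after the Diffie-Hellman exchange: a server sitting between two users can then choose its values so both users see the same key fingerprint, whereas binding the value into the hash together with the shared secret gives the server no such control. The group parameters and names are constructed for the example.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, constructed for this example only (far too small for real use).
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def weak_derive(secret, server_value):
    # Hypothetical weak design: the server's value is XORed into the finished key.
    return xor(hashlib.sha256(secret).digest(), server_value)


def strong_derive(secret, server_value):
    # Safer design: the server's value is hashed together with the shared secret.
    return hashlib.sha256(secret + server_value).digest()


def fingerprint(key):
    # What each user would compare out of band to detect a man-in-the-middle.
    return hashlib.sha256(key).hexdigest()[:16]


def mitm_session(derive):
    """Server runs one DH with Alice and one with Bob, then picks the
    'salt' it sends each of them. Returns (alice_fp, bob_fp)."""
    a_priv, a_pub = dh_keypair()            # Alice
    b_priv, b_pub = dh_keypair()            # Bob
    sa_priv, sa_pub = dh_keypair()          # server's key toward Alice
    sb_priv, sb_pub = dh_keypair()          # server's key toward Bob
    k_a = shared_secret(sa_priv, a_pub)     # server's secret with Alice
    k_b = shared_secret(sb_priv, b_pub)     # server's secret with Bob
    assert k_a == shared_secret(a_priv, sa_pub) and k_b == shared_secret(b_priv, sb_pub)
    # Server's best attempt: make Bob's key collapse onto Alice's key.
    value_a = bytes(32)
    value_b = xor(hashlib.sha256(k_a).digest(), hashlib.sha256(k_b).digest())
    return fingerprint(derive(k_a, value_a)), fingerprint(derive(k_b, value_b))
```

With `weak_derive` the two fingerprints always agree, so users verifying them would wrongly conclude there is no interception; with `strong_derive` the same server-chosen values leave the fingerprints different.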

paveldurov 5 years ago

Another libelous post by US government affiliated "cryptographer". Perhaps next we will see other familiar faces chipping in like tptacek from matasano )

Impossible to succeed at this level without making a few enemies.
