[liberationtech] About Telegram

[Maxim Kammerer]

On Fri, Feb 21, 2014 at 2:52 AM, Steve Weis <steveweis at gmail.com> wrote:
> Hi Maxim. There was a man-in-the-middle attack against Telegram's
> algorithm published back in December:
> http://habrahabr.ru/post/206900/ (Russian)

That's interesting, thanks. I now remember reading that writeup at the
time, as well.

> If I understand the translation of this link, Telegram gave him
> $100,000 for the break:
> http://vk.com/wall-52630202_7858 (Russian)

Yes, Pavel Durov gave him the money, sort of outside the contest.

> That's an expensive crypto lesson, but apparently Telegram put their
> money where their mouth is.

Exactly, that's something to respect. This approach also goes both
ways — note how Durov refers to “respectable American cryptographers
on HackerNews” with contempt, as contrasted with some guy who got his
hands dirty. Words are cheap.

All I see is snobbishness of people who have typical Western fear of
steering from “authorized” engineering approaches. The people are
quick to judge some unknown foreign developers incompetent, whereas,
for instance, a company like Google didn't even manage to properly fix
their Android security fiasco, for instance — they still ship the
garbage PRNG code, because apparently no one there can understand how
that code (which they copied as-is from another project without any
tests) works, or is integrated into anything. [1] Yet, Google products
(like chat) are often recommended as secure enough for activists.

[1] https://android.googlesource.com/platform/libcore/+/master/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte