Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 15 submissions in the queue.
posted by Dopefish on Sunday February 23 2014, @06:00PM   Printer-friendly
from the there-is-no-viable-alternative dept.
girlwhowaspluggedout writes:

"A mere three days after Mark Zuckerberg announced Facebook's acquisition of Whatsapp, the popular smartphone messaging app suffered a major service outage that lasted three and a half hours. Left to their own devices, Whatsapp users worldwide went rushing to its rival apps, including secure chat provider Telegram. The surge in new users quickly turned into a tidal wave that brought Telegram's service to its knees:

The SMS gateways we use to send registration codes are overloaded and slow 100 SMS per second is too much. Trying to find a solution.

In its official twitter, Telegram announced that more than 1.8 million new users had joined on Saturday, Feb 22. Four hours later, it reported an additional 800 thousand.

Telegram's messaging service, which uses 256-bit symmetric AES encryption, RSA 2048 encryption and Diffie-Hellman secure key exchange, began enjoying a spike in popularity after Whatsapp's acquisition. Although it has released the source code for its java libraries and all its official clients, its server software is still closed source."

Related Stories

Apple Briefly Removed Telegram App From App Store Due to Child Pornography 19 comments

Telegram iOS app removed from App Store last week due to child pornography

The encrypted messaging app Telegram was mysteriously removed from Apple's App Store last week for a number of hours. At the time, little was known about the reason why, except that it had to do with "inappropriate content." According to a 9to5Mac report, Apple removed Telegram after the app was found serving up child pornography to users.

A verified email from Phil Schiller details that Apple was alerted to child pornography in the Telegram app, immediately verified the existence of the content, and removed the app from its online stores. Apple then notified Telegram and the authorities, including the National Center for Missing and Exploited Children. Telegram apps were only allowed to be restored to the App Store after Telegram removed the inappropriate content and reportedly banned the users who posted it.

[...] Since Telegram is a messaging app with end-to-end encryption, it's unlikely that the content in question originated from direct messages between users. It's possible that the child pornography came from a Telegram plugin, but neither Apple nor Telegram has revealed the source of the inappropriate content.

Telegram is an instant messaging service with at least 100 million monthly active users.

Also at The Verge and Apple Insider.

Related: Former Whatsapp Users Bring Telegram to its Knees
Hackers Compromised Telegram Accounts, Identified 15 Million Users' Phone Numbers
Open Source Remote Access Trojan Targets Telegram Users
Russia Targets Telegram App After St Petersburg Bombing


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by d on Sunday February 23 2014, @06:05PM

    by d (523) on Sunday February 23 2014, @06:05PM (#5251)

    As in title. Why shift your security to a third party if you could have an end-to-end encryption?

    • (Score: 1) by jamesbond on Sunday February 23 2014, @06:32PM

      by jamesbond (2383) on Sunday February 23 2014, @06:32PM (#5257)

      Because you friends aren't using it ...

    • (Score: 3, Funny) by Debvgger on Sunday February 23 2014, @06:32PM

      by Debvgger (545) on Sunday February 23 2014, @06:32PM (#5258)

      Because that's not "cool".

      I just smile when I see the people who back then thought I was a bit weird for using IRC using their phones even on the toilet because they have received "a whatsapp" that couldn't wait until their pants were on their place again.

      So, now there's a 3.5 hour outage and, hey, they can't receive the same videos they see on Youtube! Then millions of sheep install that program a friend told them it was so cool, and life continues happily ever until a new fad arrives to distract them from their miserable existence.

      All said, fuck Whatsapp.

      • (Score: 3, Interesting) by Nerdfest on Sunday February 23 2014, @06:40PM

        by Nerdfest (80) on Sunday February 23 2014, @06:40PM (#5263)

        It's a pretty flimsy thing to pay 16 billion dollars for when a three hour outage sends millions of your customers off to a superior competing service. It does certainly put a lot of pressure on the infrastructure support people at least.

        • (Score: 3, Insightful) by Debvgger on Sunday February 23 2014, @06:51PM

          by Debvgger (545) on Sunday February 23 2014, @06:51PM (#5268)

          That's the problem with fads. There's zero loyalty from your users, because they only want the same their sheep friends have, and don't really care about it or even what it is or how good it is. So, here's an idea for you Microsoft: Give free Windows Phones to the alpha guys out there! :-) ... Try to at least make them like the phone a bit, of course, if that's even possible.

          • (Score: 3, Interesting) by maxim on Sunday February 23 2014, @07:18PM

            by maxim (2543) <maximlevitsky@gmail.com> on Sunday February 23 2014, @07:18PM (#5283)

            Won't work. The hate toward Microsoft is too high among general public.
            They might use Windows but only because they have to.

            Well, if give any advice to MS is maybe somehow be very careful and not mention anything Windows
            when selling a product.

            Btw, that did work with the XBOX, even thought it also probably runs something windows derived.

            Also, btw, the same sadly applies to Linux brand, peoples also scare the hell out of them when they hear 'Linux',
            thats why Google tries not to mention that Android is Linux based....

            Its our fault, can't not admit this.

        • (Score: 5, Interesting) by girlwhowaspluggedout on Sunday February 23 2014, @07:44PM

          by girlwhowaspluggedout (1223) on Sunday February 23 2014, @07:44PM (#5294)
          Actually, it might not matter whether Whatsapp's current users will stay faithful to it. Even if Whatsapp remains userless, Facebook owns their personal data. That is, this was perhaps not about the users at all, but about the easily monetizable userlist. Facebook has finally acquired the commodity it had hoped to acquire these past few years -- cellphone numbers; an advertiser's boon.
          --
          Soylent is the best disinfectant.
          • (Score: 1) by c0lo on Sunday February 23 2014, @09:10PM

            by c0lo (156) Subscriber Badge on Sunday February 23 2014, @09:10PM (#5321) Journal

            Facebook owns their personal data.

            Which rots quickly with every minute that passes. If not refreshed, two years down the road will make the data next to useless (unless FB switches its business profile to an archive institution).

            Does a snapshot in time really worth $16B? I doubt it, but... hey... what do I know?

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2, Interesting) by shodan on Sunday February 23 2014, @06:53PM

        by shodan (2745) on Sunday February 23 2014, @06:53PM (#5270)

        All true. It's really sad that such superior technology like IRC is not popular anymore. I mean come-on: 10, 15 years ago I was often speaking on IRC with 50 friends on channel.

        Nowdays - people of facebook era and other fancy apps - doesn't even know that it's fun to talk to many people at once in REAL-tiME, beasue that feature is not avalible on facebook...
        It's so sad. :(

        • (Score: 3, Interesting) by Debvgger on Sunday February 23 2014, @06:58PM

          by Debvgger (545) on Sunday February 23 2014, @06:58PM (#5274)

          Attending university in my thirties, a few months ago I was talking with a fellow student and told him something on that line, about how useful IRC was and what a crappy experience Facebook delivers in comparison.
           
          His answer was: Well, but I HAVE ONE THOUSAND FRIENDS ON FACEBOOK!! :-)
           
          Let me guess, he has probably installed Telegram this weekend, too.

          • (Score: 3, Insightful) by clone141166 on Sunday February 23 2014, @10:49PM

            by clone141166 (59) on Sunday February 23 2014, @10:49PM (#5349)

            24 hours in a day, minus a modest 8 hours a day for sleep, leaves 16 hours. If your friend spends 100% of that time communicating with his friends on Facebook that gives him 57.6 seconds each day to talk to each of his 1,000 "friends".

            It kind of worries me the way Facebook turns friendship into a collectible item. People should value their friends more than just as part of some competition for who-has-the-most-friends. I'm sure your friend has a core group of people who are actually his close friends, but the whole concept of collecting friends just feels wrong to me.

        • (Score: 2) by frojack on Friday March 07 2014, @08:44PM

          by frojack (1554) on Friday March 07 2014, @08:44PM (#12917) Journal

          The problem is that multi-person chats in general end up being a huge waste of everyone's time. The tendency to do so increases proportional to the number in the chat. Group chat, of any variety, invariably leads to an average maturity level of a 13 year old. One need only look in on #soylent to watch the endless stream of bacon banalities that go on literally for days on end without a single intelligent thing being said for hours.

          People don't want that anymore. The novelty wore off somewhere around 1996.

          People use messaging apps mostly for quick short conversations, questions, etc.

          --
          No, you are mistaken. I've always had this sig.
    • (Score: 3) by Nerdfest on Sunday February 23 2014, @06:37PM

      by Nerdfest (80) on Sunday February 23 2014, @06:37PM (#5262)

      Secure key exchange is still hard or inconvenient for most people.

      • (Score: 5, Informative) by Fnord666 on Sunday February 23 2014, @07:30PM

        by Fnord666 (652) on Sunday February 23 2014, @07:30PM (#5290) Homepage

        Secure key exchange is still hard or inconvenient for most people.

        Really? From the telegram FAQ:

        When a secret chat is created, the participating devices exchange encryption keys using the so called Diffie-Hellman key exchange. After the secure end-to-end connection has been established, we generate a picture that visualizes the encryption key for your chat. You can then compare this image with the one your friend has. If the two images are the same, you can be sure that the secret chat is secure and no man-in-the-middle attack can possibly succeed.

        Seems pretty simple to me.

        • (Score: 2) by Nerdfest on Sunday February 23 2014, @08:17PM

          by Nerdfest (80) on Sunday February 23 2014, @08:17PM (#5298)

          This assumes that the initial key exchange was secure, and I'm guessing that it's done thought Telegram. If Telegram does the initial key exchange, can't it still happen?

          • (Score: 0) by Anonymous Coward on Sunday February 23 2014, @10:35PM

            by Anonymous Coward on Sunday February 23 2014, @10:35PM (#5344)

            According to your friendly neighbor Wikipedia, the Diffie-Hellman key exchange method [wikipedia.org] "allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel".

            • (Score: 1) by TheLink on Monday February 24 2014, @06:17AM

              by TheLink (332) on Monday February 24 2014, @06:17AM (#5599) Journal
              Doesn't prevent MITM. You may think you are talking to B but actually you are talking to C and C is talking to B. So you to C is "secure" and C to B is secure. But you to B is not.

              But if you can trust your software clients the picture stuff does give some sort of plausibility if you verify them over a different channel (or you directly verify the keys over that channel).
            • (Score: 1) by chromas on Monday February 24 2014, @06:36AM

              by chromas (34) Subscriber Badge on Monday February 24 2014, @06:36AM (#5608) Journal

              There, fixed Slash's misteak (blame β)

        • (Score: 1) by TheLink on Monday February 24 2014, @06:42AM

          by TheLink (332) on Monday February 24 2014, @06:42AM (#5613) Journal
          A talks to B but C MITMs them.

          A -> C "hey my pic is a 'cow' what's yours?"
          C -> A "my pic is a cow too"
          A -> C "all secure then!"
          C -> B "hey my pic is a 'pig' what's yours?"
          B -> C "my pic is a pig too"
          C -> B "all secure then!"

          Much easier if it's text messages. Harder for voice - since delays become more noticeable.

          And if B started telling bacon jokes regarding the pig pic it becomes a lot more work, but C might be able to tell B to focus on stuff that's easier to "pass-through" without rewrites.

          Of course you could use another channel to do the verification, but how would you arrange that without being MITMed again? :)
          • (Score: 1) by LM-Els on Monday February 24 2014, @07:59AM

            by LM-Els (2466) on Monday February 24 2014, @07:59AM (#5666)

            The image they use is actually closer to a QR thing than a describable image. You'll have to send screenshots.
            Not saying that a MITM can't alter those, but it does become a little less easy than simply cow vs pig. And you could send the screenshots via email to bypass a Telegram MITM.

            • (Score: 1) by TheLink on Tuesday February 25 2014, @06:47AM

              by TheLink (332) on Tuesday February 25 2014, @06:47AM (#6437) Journal
              If it's closer to a QR thing MITMing it might actually be easier to automate than the cow/pig thing. Assuming you don't do checking via other channels.
    • (Score: 1) by scourge on Sunday February 23 2014, @08:53PM

      by scourge (942) on Sunday February 23 2014, @08:53PM (#5311)

      Look into psyc. Doesn't use xmpp for good reasons. It's the solution but needs a bit of extra dev help.

  • (Score: 5, Informative) by drac on Sunday February 23 2014, @06:36PM

    by drac (1723) on Sunday February 23 2014, @06:36PM (#5261) Journal

    I like Telegram. Installed their client on both Android and iOS, it looks nice and it just works. The problem is - I've read things about their custom protocol and now I'm no longer sure if they're truly safe.

    This [telegram.org] covers most of Telegram's rebuttals to a host of experts. They awarded a cash prize early on after their crypto was broken. More embarrassingly, for a brief time a couple of days ago - complete strangers could add others and send messages to them, a fact they acknowledged in a broadcast message a few hours ago.

    Call these teething troubles and that's fair enough - Whatsapp has had their share of security problems too. But I'm not sure anyone should bet the farm (or anything else) on how secure they are just yet.

    As a postscript: a minor UI niggle that people (including myself) do not like - secret chats (their term for private, end to end encrypted conversations) are NOT the default, although not using a secret chat is conceivably a mistake you'd only make once (a padlock icon appears next to all secret conversations).

    • (Score: 3, Insightful) by spiritplumber on Sunday February 23 2014, @06:57PM

      by spiritplumber (238) on Sunday February 23 2014, @06:57PM (#5273)

      every two-three years people inexplicably move to a different IM platform. I'd like something like Pidgin on android, personally.

      • (Score: 1) by Marand on Monday February 24 2014, @07:47AM

        by Marand (1081) on Monday February 24 2014, @07:47AM (#5658) Journal

        I'd like something like Pidgin on android, personally.

        IM+ is a multi-protocol messenger on Android, similar to how Pidgin is on other platforms. Full version costs a few bucks and it works well enough, but I don't think it's open source so it may not be trustworthy enough for anyone that requires high security.

    • (Score: 5, Informative) by Geotti on Sunday February 23 2014, @07:29PM

      by Geotti (1146) on Sunday February 23 2014, @07:29PM (#5289) Journal

      They awarded a cash prize early on after their crypto was broken.

      Here's [cryptofails.com] some [thoughtcrime.org] food [hackapp.com] for [soylentnews.org] thought [ewdn.com].

  • (Score: 2, Interesting) by Xerxes on Sunday February 23 2014, @07:03PM

    by Xerxes (2800) on Sunday February 23 2014, @07:03PM (#5277) Homepage

    I had no clue those messaging services were so popular before the aquisition and this article - Somebody who doesn't text

    • (Score: 1) by sibiday fabis on Sunday February 23 2014, @08:22PM

      by sibiday fabis (2160) on Sunday February 23 2014, @08:22PM (#5301)

      I had no clue those messaging services were so popular before the aquisition and this article - Somebody who doesn't text

      You're not alone. I have never texted and have no desire to start. My cellphone is used as a phone. I hate "typing" with my thumbs.

  • (Score: 5, Informative) by mtrycz on Sunday February 23 2014, @07:16PM

    by mtrycz (60) on Sunday February 23 2014, @07:16PM (#5282)

    The problem I have with Telegram, and the reason I haven't installed it (yet?) is that the project has been sponsored by Pavel Durov, russian millionaire and "philantrope", the person behind VKontakte (the russian equivalent of Facebook) that has beed dubbed "russia's Zuckeberg".

    I'm not fleeing one corporate overlord for another.

    Also, as many already stated, the E2E encryption is not the default (but still possible?), when can we have that?

    --
    In capitalist America, ads view YOU!
    • (Score: 3, Interesting) by beckett on Sunday February 23 2014, @09:05PM

      by beckett (1115) on Sunday February 23 2014, @09:05PM (#5316)

      good point about swapping corporate overlords.

      However, we might be optimistic about the people that are choosing to leave Whatsapp for what is supposedly a service with better privacy policies. At least this indicates people in the Whatsapp demographic are aware of and sensitive to wholesale surveillance, and will take action to preserve personal privacy. If the general public are aware of these issues to digital privacy, metadata, and data mining the next generation of killer apps will have to consider these issues seriously.

    • (Score: 1) by hash14 on Monday February 24 2014, @05:49AM

      by hash14 (1102) on Monday February 24 2014, @05:49AM (#5588)

      They have an open API, so you could conceivably patch/fork the existing client (or write your own) with that as the default setting.

  • (Score: 4, Informative) by Fnord666 on Sunday February 23 2014, @07:24PM

    by Fnord666 (652) on Sunday February 23 2014, @07:24PM (#5286) Homepage
    On the telegram FAQ page [telegram.org] they provide a rationale [telegram.org] for not open sourcing everything right now.

    Q: Why not open source everything?

    For the moment we are focusing on open sourcing the things that allow developers to quickly build something using our API. We started with Android and Linux, since these platforms are the most open, recently we published the iOS app code as well. We will be releasing more code eventually.

  • (Score: 5, Informative) by girlwhowaspluggedout on Sunday February 23 2014, @07:28PM

    by girlwhowaspluggedout (1223) on Sunday February 23 2014, @07:28PM (#5288)

    OP here - while writing the submission I came across a critique of Telegram's encryption [cryptofails.com]:

    • They use the broken SHA1 hash function.
    • They include a hash of the plaintext message in the ciphertext. Essentially, they are trying to do “Mac and Encrypt†which is not secure. They should be doing "Encrypt then Mac" with HMAC-SHA512.
    • They rely on an obscure cipher mode called "Infinite Garble Extension."
    • Some really weird stuff about factoring 64-bit integers as part of the protocol.
    • They do not authenticate public keys.

    If their protocol is secure, it is so by accident, not because of good design. They claim [ycombinator.com] the protocol was designed by "six ACM champions" and "Ph.Ds in math." Quite frankly, the protocol looks like it was made by an amateur. The tight coupling between primitives suggests the designer was not familiar with basic constructs, like authenticated encryption, that you can find in any cryptography textbook.

    I am not a cryptographer and so I have no idea if this criticism is valid or not. Is there a cryptographer in the house who cares to comment?

    --
    Soylent is the best disinfectant.
    • (Score: 3, Interesting) by tomtomtom on Sunday February 23 2014, @11:42PM

      by tomtomtom (340) on Sunday February 23 2014, @11:42PM (#5375)

      I'm not a cryptographer by any means but I do know enough to spot some of the red flags here - plain SHA1 with no key as a MAC, poor KDF, perhaps MAC and encrypt, using an obscure cipher mode, etc are design choices which are unusual and would need some better justification than the company has given (and that justification should have been there upfront); therefore what is clear to me is that whoever designed this protocol does not have enough experience in the crypto field to do it right.

      The issues identified there may or may not create problems for people in the real world (especially if you accept the limitations of basically no MITM protection/authentication) but the red flags they raise are enough to convince me not to trust it any more than I would a system which sent messages in the clear via a third-party server (which given the third party here is less than I would trust SMS). Quite apart from the direct issues here, there may well be other implementation issues or flaws caused by inexperience.

      This is quite apart from the biggest privacy issue (to my mind) with any of these types of service which is that they upload your entire phonebook to the operator's server, which then uses it to work out who else you know is on the network. Even TextSecure only partially solves this (through the use of Bloom filters). I suppose you could also delay the lookup until you try to message someone but that gives a worse user experience. Without a technical solution to that problem, you fall back to "how much do you trust the operator?". WhatsApp had built up a reputation of sorts of not selling/mining this data; Facebook is almost the polar opposite. Telegram was founded by a group who also founded a Facebook competitor which seems to be a bad start, and when you add on rumours about their closeness to the Russian government that's enough to convince me to stay well away and advise my friends to do the same.

      Incidentally, if you do leave WhatsApp you should delete your account from the Settings dialogue, not just uninstall the app, otherwise they look more likely to retain your address book data and hand it on to Facebook. By deleting your account there's at least some chance they delete your addressbook (although I think their T&Cs/privacy policy wouldn't require it).

  • (Score: 5, Funny) by Buck Feta on Sunday February 23 2014, @08:08PM

    by Buck Feta (958) on Sunday February 23 2014, @08:08PM (#5296) Journal

    The name reminds me of the slightly obnoxious Budweiser commercial of a few years ago. I imagine Zuck and Brin one the phone saying "Whatsaaaaaaapp?" back and forth to each other like a pair of morons.

    --
    - fractious political commentary goes here -
  • (Score: 1) by knorthern knight on Monday February 24 2014, @12:55AM

    by knorthern knight (967) on Monday February 24 2014, @12:55AM (#5410)

    1) Set up messsaging app and service
    2) Wait for Facebook to buy competitors
    3) People flee bought-up competitors, turn to your app/service
    4) You sell out to Facebook
    5) Profit

    • (Score: 1) by isostatic on Monday February 24 2014, @07:16AM

      by isostatic (365) on Monday February 24 2014, @07:16AM (#5638) Journal

      Interestingly, WhatsApp was written by a road warrior for the road warrior [flyertalk.com].


      i am actually flying to Barcelona for MWC right now using the M&M miles award ticket (i am posting this from LH455 flight)... i obviously got these tickets many months ago - i prefer to fly using miles when i can to save company money. as you know, award ticket inventory is limited and last minute changes are nearly impossible... and this is where it gets cute:

      we announced the deal with Facebook on wednesday after the market closed. during the process, we realized there was a chance we might not be able to get the deal wrapped up and signed on wednesday and it could delay.

      when the risk of the delay became real, i said: "if we don't get it done on wednesday, it probably wont get done. i have tickets on thursday to fly out to Barcelona which i bought with miles and they are not easily refundable or even possible to change. this has to be done by wednesday or else!!!" ...and so one of the biggest deals in tech history had to be scheduled around my M&M award ticket

  • (Score: 3, Funny) by Boxzy on Monday February 24 2014, @01:06AM

    by Boxzy (742) on Monday February 24 2014, @01:06AM (#5417) Journal

    Even the least technical are taking my advice to move to Telegram when I type out what $19,000,000,000 looks like on a phone screen. Then I explain that because everyone seems to be leaving those left behind are going to be sold SO HARD their noses will bleed.

    --
    Go green, Go Soylent.
  • (Score: 4, Interesting) by lennier on Monday February 24 2014, @02:59AM

    by lennier (2199) on Monday February 24 2014, @02:59AM (#5475)

    Mashable is reporting 4.95 million more users just signed up on Telegram today. So over 6 million by now?

    Just wow. How's Facebook stock looking?

    --
    Delenda est Beta