68 comments

[ 3.3 ms ] story [ 131 ms ] thread
Is it possible Apple is considering a legal challenge? I know the system in Russia is horribly corrupt, but at least they seem to care about pretending to have a functioning legal system.
(comment deleted)
Russia has no relation here. Apple now is imposing sanctions upon a British company (Telegram is registered there). By the way Russian users are only 7% of Telegram's userbase.
> It is possible that, as a result, the app is not GDPR compliant

As a result of what? And this is between Russia/USA which has nothing to do with GDPR.

And moreover, company has to be GDPR compliant and not an app. An app may include stuff that helps to be GDPR compliant, but is only a subset of what is required to be compliant.

The prior sentence explains that because users haven’t been able to update the app, it would potentially be an older version which does not include any changes they have implemented since then for compliance.
FWIW, from the man/Durov himself:

"as a result, we’ve also been unable to fully comply with GDPR for our EU-users by the deadline of May 25, 2018. We are continuing our efforts to resolve the situation and will keep you updated."

To be fair, they had fully two years to do this before the May 25th "deadline".
I'm curious to know if Russia's a big enough market for Apple to give a shit. It's not China. Also, does Putin really want to upset the middle-class iPhone users in Russia, over an app written by Russians? Seems risky.
Putin does not care about middle-class iPhone users in Russia. Blocking Telegram is just another form of censorship for him. He got away with blocking half the Internet in Russia already.

https://www.independent.co.uk/news/world/europe/russia-inter...

For those who read this, "half of the Internet" is not an exaggeration. I legitimately cannot access about half of websites I get linked to without a proxy.
I had a couple of questions about this. First does attempting to access the site simply time out? For instance in the UAE you get an official message saying that the content is blocked. Second what has the coverage of this been like in the local media?
Yes, it times out. If a site uses HTTP, there can be a notification about it being blocked, for HTTPS sites it is not possible. Some ISPs block packets by inspecting SNI field and such blocks can be bypassed by playing with TCP packet size either from client or server side. Some ISPs just block traffic to blacklisted IPs without inspecting the packets.

> Second what has the coverage of this been like in the local media?

All major media in Russia are controlled by the government. They reported that Telegram is used by terrorists and drug dealers and Durov refused to comply with russian law and provide decryption keys that are needed for the invesigation (Durov says that accounts in question are long deactivated and that he was required to provide keys allowing to decrypt the traffic of any user, and that those terrorists used WhatsApp as well).

Putin's advisor on Internet development also suggested that russian users can switch to messengers made by russian companies.

There also was a small rally in Moscow against internet censorship. Only about 12000 people from 12-million city took part in it.

Thanks for the response.

>"Yes, it times out. If a site uses HTTP, there can be a notification about it being blocked, for HTTPS sites it is not possible."

Why wouldn't it be possible to get a notification for HTTPs though since the domain part of the URL is still unencrypted? How does manipulating the packet size help steer around the blocking?

Also I am curious what the media coverage has been regarding the state HTTP filtering?

> Why wouldn't it be possible to get a notification for HTTPs

Because you need a valid certificate to break SSL connection.

> How does manipulating the packet size help steer around the blocking?

The filtering hardware looks for SNI field at specific offset. If you break packet into two it will let the packet through because it doesn't reassemble IP packets (probably because it would require more resources).

> what the media coverage has been regarding the state HTTP filtering?

When the law was discussed initially, I think somewhere around 2012, after large protests against falsifying parlament election results and Putin's third term, media explained that there is many illegal information on the net, for example, terrorists' sites, sites selling drugs, sites that promote homosexual relations or suicide among minors. So the government needs a law to protect children from this. Sometimes they also add that some western countries censor Internet access too.

Several years later new causes to block sites were added, such as sites with pirated movies, casino sites, sites that allow to view blocked content or provide VPN services, or pages that call for an unauthorized rallies.

It is somewhat ironical that when Ukraine blocked russian social networks, media explained how to bypass the block.

for the first 5 or so years, iphones were not officially available for sale in russia. Russian cellular carriers didnt want to play by Apple's tough rules but iphones were still getting very popular as people were still asking anybody traveling to overseas to buy an iphone for them. Putin may still play a similar card but I hope Russia doesnt go as far as preventing registration of new iPhone IMEI numbers on its networks, that would be the Putin's lowest move.
> that would be the Putin's lowest move.

Irritating, yes, but his regime does have a fair collection of dark events. I struggle to think of a current world leader in the same league.

Nah, let's not jump into conclusions.

Russia wants to ban Telegram, the reasons are their own (not providing CALEA-like access to communication network proven to be used by terrorists is a biggie). They do not have any mean to block just Telegram in the Apple Appstore, but they do have the means to block entire Appstore. Anyone would go for minimal impact: ask Apple to cooperate; if they do, fine. If they don't, pull the nearest gun that achieves the result.

Whenther some random Ivan uses iPhone or not, nobody really cares.

The problem with the app store is that it is a great control point. We may appreciate the safety it provides but it is a tempting target for regulators. More diversity in the ecosystem would help here.
People are only now realizing this?
They've realized this many times, only to forget the next day.
People have been saying this for years. For the 98% of non technical users, the App Store is suitable for them because its GUI is incredibly easy to use and understand. For the 2% of people who want to be able to sideload apps and to truly do things with root privilege on their android or ios phones, enforced app stores are a terrible thing.
> For the 2% of people who want to be able to sideload apps and to truly do things with root privilege on their android or ios phones, enforced app stores are a terrible thing

Not even that: for the 2% who want to install software that hasn't annoyed {Apple, the local government}.

2% is being incredibly generous. If I asked my entire office of 200 people what rooting their phone meant, I'd be flabbergasted if 4 of them knew what I was even saying. HN and forums like it really live in a tiny, tiny bubble of vocal minorities. I've been in this industry for twenty years, and I have absolutely no interest in monkeying around with my phone. I just want it to work.
200 people is a very small sample size, and since you all work in the same office, it's likely you all have similar backgrounds and experiences. In short, probably not representative enough of the total population (on top of being a small sample size).
A sample size of 200 is a 93% confidence level. The company is international, and so is the diversity. I guarantee we don't all have the same experiences and backgrounds.
Here's a counter anecdote to yours: the organization I work in has around 1000 people, I'd say about 30% easily know what 'rooting your phone' means, and at least 5% (probably closer to 10%) do it. Also an international organization here. Your sample group, like mine, is not good enough to come to any conclusions.
Sounds like your organization is not diverse, but more of a technical one.
In addition to what others said, side loading apps is definitively possible on both platforms without a lot of effort (and doesn’t require JBs either).
Is not this anti-competitive? Apple prevents Telegram from updating while allowing it to competing messengers.

By the way legally Telegram is not a russian company (British company if I remember correctly) so Apple cannot get away with "who cares, they are from Russia". Is it ok that at Russian government's request American company is restricting a British company?

Not allowing them to update their app globally is truly evil. Apple has been positioning as a champion of privacy but it's all rubbish. They truly are as bad as Google.
It's like the ceo[0] of the world's most profitable company lying[1] to every person in america about their most intimate device they own.

I don't care what you say. I don't believe for a second that vault 7 is an exploit and not a built in backdoor.

[0]:https://www.apple.com/customer-letter/ [1]:https://wikileaks.org/ciav7p1/

EDIT - this is going to get downvoted to oblivion cause it goes against the grain but it is an opinion and people should at least be open to it. Especially with the fact that news[2] like this is coming out everyday.

[2]:https://www.eff.org/

Uh, so what you’re saying is that you have no idea at all what “vault 7” is?
If you read my link you would see that the fbi,cia, and nsa have "exploits" that they can be used to gain (root)access to iphones,android phones, samsung tvs etc. [hello george orwell]

I can't believe for a second that the government can merely send a magic packet to an iphone and have it exploited as it does. It must a built in backdoor they can only access or else alot of other people would have it as well.

Essentially everything in that list affects old versions of iOS…
Are you seriously doubting they still don't have that type of access?
…yes?
picks up magic eight ball "Will there be another leak of exploits for the latest version of ios in the next year" Shakes magic eight and revealing the answer to be "ARE YOU DAFT! YES!!!" "The magic eight has spoken"

putting aside hubris, take a look through eff.org and see for yourself. If you care enough about privacy and the future, take a look at fightforthefuture.org to see which candidates are funding these programs and the ones who are actively fighting the surveillance state.

(comment deleted)
Not banning Telegram from the app store is truly evil.
Feel free to extrapolate on this comment...?
If you truly value privacy, perhaps you’d ban the “secure messaging” app with a history of obvious crypto backdoors?

https://habr.com/post/206900/

I’d love to see any credible explanation as to how this could have happened by accident.

Have you actually read the post you linked to?

He found a flaw, they fixed it. The flaw itself is of a kind common to a home-brewed crypto and it was lying on a surface. Saying that Telegram made this mistake on purpose is, if you pardon my French, making shit up.

Do you actually understand the nature of the “mistake” they made here?

Yes, they fixed it.

No, you can’t accidentally write code that pulls DH nonces from your server.

>The flaw itself is of a kind common to a home-brewed crypto

You can’t say things like this and then proceed to accuse others of making up shit.

This is way too crude and obvious to be an intentionally planted protocol weakness.

Telegram doesn't have reproducible builds, do they? So if they really wanted to fuck people over, all they had to do is to ship a build that uses predictable PRNG. The vast majority of users will use vendor-supplied binaries, so chances are that for any pair of peers you will be able to fully recover all their secrets and eavesdrop on the traffic. You don't even have to be Telegram to do that. In fact, this works against any protocol... unless client binaries are routinely audited and matched against their source, which is never the case with any of the clients. The only example I am aware of was Zimmerman's PGPfone back in mid-90s.

So, yes, I think that you are seeing things that are not there and it's yet another case of stupidity rather than malice on part of Telegram's devs.

>Telegram doesn't have reproducible builds, do they? So if they really wanted to fuck people over, all they had to do is to ship a build that uses predictable PRNG.

This doesn't really matter that much, the source code isn't very helpful while auditing a RNG.

Most of the time Telegram doesn't even encrypt conversations, yet this is their main selling point.

>So, yes, I think that you are seeing things that are not there and it's yet another case of stupidity rather than malice on part of Telegram's devs.

No. I just don't think it matters whether this was stupidity or malice, sufficiently advanced stupidity is indistinguishable from malice. This was not your typical crypto fail. You suggested that this is a common kind of error, can you point at someone else that did this?

I think it's fair to assume malice in the case of Telegram, their "secure encrypted messaging" application still doesn't even encrypt most conversations.

(comment deleted)
Regarding SMS interception, you can do it with every other messenger that uses this technique, which is basically every messenger that doesn't use passwords.

Regarding the nonce attack, it looks like the devs responded and said it was because of poor random numbers source on the client, which I personally don't understand as a justification. However, they said they'll remove it in the next update and that nonce has been "0" up until now.

Regardless, all of these messengers for cell phones aren't great if you are paranoid. That's because the hosting company's servers have all kinds of data on you as it is. Your contacts, access to SMS, access to location, camera, mic, photos, and all the files on the device.

This is true for all the messengers that are currently in widespread use.

If you are paranoid, use Pidgin with OTR plugin.

>If you are paranoid, use Pidgin with OTR plugin.

Don't do that, this is a super bad idea. If you really have to go that way, at least use coyim or something. Definitely not anything libpurple based.

Keybase.io chat is quite good too.
Why? Because they had a code exec vuln in 2017?

On the CoyIM site it says: "Not yet audited. Do not use for anything sensitive."

So who audited pidgin and libOTR?

>Because they had a code exec vuln in 2017?

No. Look at the code, it’s scary! Pidgin and libPurple were not built with security in mind.

Coyim is being built ground up in an effort to avoid the numerous issues surrounding Pidgin/libOTR.

I think you absolutely should not use either, but if you’re going to use one at least use Coyim.

I don't think that home-made crypto in Telegram is a problem. As long as it cannot be easily broken, it is fine. The real problem is that it requires a phone number (read: your ID) to use it and tries to steal your contact list to its servers. Also, it keeps your messages on their servers forever.

A messenger that really cares about privacy would never require user to provide a phone number and would not keep decrypted messages on the server.

Listen, I get what you are saying. But the fact that Russian wants it off means they are not easily able to get the data they want, so that must mean that Telegram is sort of doing something right even tho those in crypto circles are not confident on their implementation of cryptography.
>Apple has been positioning as a champion of privacy

I wonder who has anything to gain from this position of Apple outside of Apple itself? No one in their right mind can both know Apple's history and believe they are a bastion of privacy. I'd be surprised if they aren't worse than Facebook.

> No one in their right mind can both know Apple's history and believe they are a bastion of privacy.

What history are you referring to?

> They truly are as bad as Google

One of the reasons privacy activism has a hard time getting any traction is because of this all-or-nothing attitude. Apple clearly does more than Google for users’ privacy. But they drop the wall in one case and suddenly they’re “truly as bad as Google.”

All-or-nothing hardball works if one has leverage. (Even then, it is a costly strategy.) If one is in the minority, however, it virtually guarantees being ignored. The world exists in shades of grey.

I'd say they do as little as possible to keep the privacy PR going. It's more than Google, but still very very little.
> It's more than Google, but still very very little

Perfect is the enemy of good. My point is it’s possible to criticise a company without being (falsely) hyperbolic.

Strangely, the desktop version in the Mac App Store seems to be getting updates just fine.
Not even Apple remembers the Mac App Store exists to interfere with it.
Russian Govt asked to remove telegram from App Store, not Mac App Store. Apple will try their best to do the minimum required from them. (Which is nothing since they still didn't remove telegram from app store)
I wonder how would have Apple have reacted if it was a Chinese request considering they have blocked VPN apps from the China Store.
Since they have blocked VPN apps in China, the cat is out of the bag: they have proved to every country that they have the technical means to block a whatever app they like in a given country, and that they'd cave to local regulations to prevent being blocked. That's the cost of doing business anywhere, whether a dictatorship or not.

They might stall for a time, but they'll end up blocking Telegram in Russia as well. And other apps will follow.

As I understand, Apple has blocked updates for all countries, and Telegram is a British company, not Russian, and russian users are only 7% of its userbase.
(comment deleted)
(comment deleted)