81 comments

[ 0.18 ms ] story [ 4779 ms ] thread
What's an action that two people on different sides of a mirror can take in order to demonstrate a common commitment towards progress (despite mistakes)?
(the best I have, so far, is: walk away)
(and downvoting the other appears to be common reaction -- moreso than replying to them, perhaps)
i just don't understand your original comment
Ok - it's possible that I was commenting outside the guidelines[1], which would be a fair reason to downvote.

If that wasn't the case, then please instead ask for clarification next time - people are generally fairly forthcoming as long as you're not dismissive or intimidating (although it can be hard to tell what random strangers on the internet will perceive as such).

As to the explanation: I don't think anyone can claim to be perfect, and we all have to go through various learning phases (in various learning dimensions) throughout life.

Increasingly that process is on record, for most of us -- as it is in the linked article here. It's risky and could stunt growth to call people out for their failures; especially on platforms that have a wide audience. There are often ways to find more constructive, positive and healthy personal development.

[1] - https://news.ycombinator.com/newsguidelines.html

Other opinions are possible though, I suppose. Perhaps we should all be called out on our faults, and that would somehow lead to a more accurate and error-free existence. And it's possible that that is, already, abstractly, somehow what this blog post is doing.
Alternatively we could argue that the HN realm is some kind of weird partially-albeit-loosely rules-based environment that doesn't represent reality more than superficially, and that the little arrows, karma counting, and ladder-climbing (influence or points) are a sad, incomplete replacement for true human connection.

Who's to say, really? Is any other environment much different?

In conclusion: I'm not sure whether I understand my original comment, either. It probably says more about me than expected, and perhaps to boost my ego further, I should follow my own guidance and walk away from that :)

If you're trying to hide a backdoor in a more subtle way than leaving a telnet port open, disguising it as a bug is not a bad way to go. Much less work than, say, finagling your own magic numbers into a new crypto standard.

Anyway, Telegram MTProto backdoored; this never was a surprise to anyone I guess.

I can see a lot of people doing this for plausible deniability.

It would be very difficult to prove the difference between actual incompetence and deliberate ineptitude.

This looks a lot like the Proof of Work from Bitcoin. Super interesting!
Maybe I'm missing something but this doesn't appear have anything to do with PoW beyond adding salt to a hash.
A surprising number of people seem to believe that Bitcoin pioneered all forms of cryptography.
Yeah when you say "crypto" now, people aren't thinking encryption/decryption/private/public/keys/certs/algos, they are appending "currency" in their brains.
You vary a nonce until you get the expected result. Looks like the same principle, except for the details :)
(comment deleted)
Any messaging platform that wants a phone number gets a hard pass for me. Use Matrix instead.
Honest question, how do you make anonymous connections? I'm not talking pseudo-anonymous, but actual anonymous.
ddtaylor never mentioned anything about anonymity. Phone numbers are external IDs, which can be stolen
No, but I think that's the underlying concern between giving out phone numbers. Handing over phone numbers is generally giving away your identity (because it is only pseudo-anonymous). Giving away my username Godelski is also difficult without linking my personal identity because it too is pseudo-anonymous.
If you're communicating with someone over Tor you're not giving them your phone number. In the past people used XMPP but Matrix is easier and doesn't require manually setting up encryption or OTR extensions.
Modern XMPP clients have OMEMO built in and enabled by default.
So how do we translate this to sharing contact information? I find it very limiting if we can only establish contact over TOR.

Maybe I should explain the problem I'm thinking (and I'm honestly curious if there is a solution).

Within one app I want to be able to establish contact with multiple types of people without revealing to others those identities (i.e. anonymously). If I use a username then my friends and family that have my phone number can see my username (similar to Snapchat). This also allows for cross-site deanonymization as I can't use that same username on sites like Reddit or Hacker News where I may actually want to establish private or group communication with other users. The problem here is that usernames are persistent and so identities will be linked (even if multiple usernames are allowed). I want to be able to connect friends, family, internet friends, and others without revealing any PII or letting others knowing who I've established contact with.

As I see it, there needs to be some zero knowledge contact initialization. How do we establish a (persistent) communication channel through untrusted platforms that do not reveal PII? And more importantly, how do we do this in a manner that is usable by an average person?

Almost all of Matrix servers require an email if I recall correctly.
Element doesn't require anything like that and is probably the most popular client.
OK, then use XMPP if the phone number thing is an issue.
This is the way. Been in the process of setting up an XMPP server for me, my friends, and my family, to move away from Telegram. I like Telegram from a UI and functionality perspective, but there's too much trust involved.

If you're a normal person and don't have the knowledge or drive to set up an XMPP server, I would say Signal is probably one of the best secure chat clients at the moment.

I don't think you recall correctly, I can't find anywhere that anyone even asked for one in the Matrix space.
The problem with signal and whatsapp's design with phone numbers is that it's used as your public facing ID. if you give over your number to someone, they put it in their address book on their phone and then Facebook finds common friends etc on their phone, and then you're all of a sudden doxed because of other peoples habits.

A lot of girls on dating apps prefer snapchat because they can just block the person and there's far smaller chance of getting stalked or harassed.

Matrix does not expose your email address or phone number to people you connect with, so you're a lot safer.

True, and I agree that using a phone number is an issue. It is being used to block spam, but doesn't do that great of a job on Telegram still. I am curious what other ways you think could be used to help block spammers.
I remember seeing this bug years ago. As Filippo mentions at the end, I'm still not sure whether to attribute this to malice or incompetence as per Hanlon's razor. I have not really followed what's up with Telegram lately, but I recall they had a rather brusque attitude towards the cryptography community at the time: "we have maths PhDs!", "Here's an encrypted message with no other context whatsoever: 0x459457453494530453409abc74f, $1 million if you can break it. No? Didn't think so!". To be honest, their consistent hubris at the time combined with (as far as I'm aware?) no other suspicious code (in the sense of backdoors, not just weird crypto) since, actually leads me to think it might genuinely be incompetence rather than a deliberate backdoor. I do think it's true that the security community can be a little outraged and not very welcoming to newcomers in the space if they get anything wrong: even Signal, pretty much the gold standard, receives constant (in my opinion, unfair) criticism for not being federated. Though, given the high stakes, I suppose this can be forgiven.
The thing I'm most confused about is why Signal and Telegram are always seen as competing. WhatsApp has better encryption than Telegram, but then again, the bar is so low it's unfair.

The unfederatedness of Signal seems to be a HN phenomena. Though someone did make a feature request that could be something that's kinda middle ground and seems more in line with Signal's philosophy[0]. Personally I think Signal works so well because you don't have to worry about servers, domains, and whatever. It just works. Exactly like texting. It's for the masses, not us nerds. I want to see Matrix grow, but I don't see it being usable by the masses anytime soon.

[0] https://community.signalusers.org/t/signal-airdrop/37402/8

I think it's because Signal and Telegram are the leading non-FAANG, non-SMS options.
Particularly with WhatsApp I think also a big reason is also the metadata. People want to leave it, and are looking for somewhere to go. Any "where" is therefore competing.
> The unfederatedness of Signal seems to be a HN phenomena

No, it's as huge issue. You cannot trust yet another walled garden. Especially when there's no way to verify the servers.

But if the app is working correctly you shouldn't have to trust the servers. I thought that was the whole point.
No, that's a misunderstanding.

Signal is vulnerable to timing correlation. An observer on the servers or on network devices nearby can easily infer the social graph of users: at what time they communicate, with whom and how often.

This is not a minor issue. Quote from the former CIA director: 'We kill people based on metadata'.

So the solution to that is get a lot of people on Signal because then that metadata is noisy. It's impossible to have a system with zero metadata but it's very clear that Signal is the best game in house. Timing attacks aren't solved by federation btw.
> the solution to that is get a lot of people on Signal

Wrong. Do they all use the very same server? No, and therefore timing attacks are still there.

> it's very clear that Signal is the best game in house

Wrong. There are protocols designed to provide good security in the first place, like Briar.

> Timing attacks aren't solved by federation btw

Also wrong. Federation makes timing attacks very difficult, especially when servers are delocalized because it increases the amount of access required by any global observer.

I'm going to stop replying. You clearly are not familiar with the topic.

I don't know what relitigation of this issue has to do with this thread. You can use the search bar below to find probably 100 different dissections of it, starting from Moxie's post about federation that kicked the whole debate off. Let's leave it be, since this thread isn't about Signal at all.
Isn't that why we have collapsible subthreads?
Signals protocol is designed so you don't have to trust the server.

Just look at how much information they hand over to the feds:

https://signal.org/bigbrother/cd-california-grand-jury/

I'm not sure what you mean by walled garden, but I assume you mean that you can't setup your own servers and join the network? What's stopping a federated network from forming a cartel and blocking small players, or servers they deem morally objectionable?

By walled garden I think they mean the servers. Because the app isn't a walled garden. It is open source though centralized (Moxie has argued extensively about how this allows faster development. Though ironically Signal is known for slow development). But the servers are also open sourced so there's nothing stopping people from creating private (or even federated) "Signal" apps. You just couldn't call it Signal in name. And I don't blame Signal for keeping their servers to themselves. They're not a data center and already running a tight ship.

I've never really understood the argument. Just because someone hasn't done something doesn't mean it is a walled garden.

Not only Signal refuses to have any 3rd party server federate with theirs, but they also refuse 3rd party clients. This is exactly the definition of walled garden.
There's also risk to letting others host servers. We know about bad tor nodes. Federation doesn't solve the problem you're looking to solve
> Signals protocol is designed so you don't have to trust the server.

That's not true, see the other reply.

> The thing I'm most confused about is why Signal and Telegram are always seen as competing.

Well, this is a good question. Telegram is an allround day-to-day messenger with channels, massive groups, broadcasts etc that also works as a login provider while Signal is a research project to create a secure messenger and also something about crypto coins ;-)

Yet, while Telegrams encryption scheme has left a lot to be wished for and their communication has been arrogant:

- Signal has had more than one really bad security problems like remotely exploitable XSS in desktop app and that rather long time span when Signal sometimes sent images to wrong recipients

- Meanwhile Telegram hasn't seen such problems since they were starting out

And WhatsApp? Why it is even mentioned in a discussion about secure messaging after all the blunders they've made I don't know:

- Sending deliberately unencrypted backups to Google with the intention that Google could datamine them.

- Lately there has also been talk about "filtering content on the edges". So much for E2E-encryption when the endpoints report your content through a separate channel.

I believe in Signal and E2E-encryption, but, as I have said a number of times and a number of ways before:

There is a lot more to security than just cool algorithms and buzzwords.

All the E2E-encryption in the world doesn't save you when the service provider gets away with the abuses WhatsApp have been caught red handed with and no algorithm saves you when you can get remotely exploited by receiving a message.

Some might think I am extremely pro Telegram. I have one place where I want a lot less of it:

It really scares me when I see police use it. For any kind of communication that needs to be super secure: stay far away!

Can you keep elaborating about the abuses that WhatsApp has been caught red handed with?

You mentioned only unencrypted OS backups (which were a major issue, but also industry standard, affecting everything but Signal which takes a severe usability hit over it, and apparently fixed https://faq.whatsapp.com/general/chats/about-end-to-end-encr...). "Filtering content on the edges" is a whole debate but not something that ever materialized.

It sounds there's a list, what are the others?

> Meanwhile Telegram hasn't seen such problems since they were starting out

There is no point of even looking into Telegram's code - it is not encrypted. Why would researchers waste their time?

Encrypted one-to-one chats is not really a feature. It is rarely used since parties need to explicitly request such session. And even than it's clunky as hell.

And yet WhatsApp encryption has literally defeated my country's justice system. Judges demanded that the content of the messages be revealed and they didn't get what they wanted. I'll never forget that day. This was years ago before all this client-side content filtering nonsense but still.

WhatsApp is a Facebook product and obviously cannot to be fully trusted. However, I'm still really happy that nearly everyone in my country is using something this secure. There's no point in having the perfect system if nobody uses it.

Here are some cases of mass 'hacking' of Telegram. The problem with Telegram is these 'hacks' give attackers access to entire Telegram chat histories, unlike E2E apps like Signal, WhatsApp, Wire etc.

[1] Brazil politicians' Telegram 'hack' of 2019

https://www.wired.com/story/brazil-hacker-bolsonaro-car-wash...

[2] Iran Telegram 'hack' of 2016

https://www.reuters.com/article/us-iran-cyber-telegram-exclu...

[3] Israeli cryptocurrency executives' 'hacked' on 2020 including their Telegram

https://www.haaretz.com/israel-news/tech-news/.premium-exclu...

[4] Moxie Marlinspike of Signal app on Telegram

https://twitter.com/moxie/status/1474067549574688768

Hack is in quotes because all involve SMS interception.

WhatsApp’s Biggest problem is the lack of a default ENCRYPTION-ENABLeD for group chat.
Doesn’t Telegram not even support e2ee for group chats?
That’s right, nothing like default-EE2E-enabled group chat, viewable and auditable server code, AND encrypted-data-at-rest; like Signal, unlike Telegram.
WhatsApp group chats are E2E. I actually worked on this. It is true (unless they’ve changed it) that the precise security guarantees of the group protocol are different, but it is still ends-to-ends encrypted.
It doesn't really matter whether it was incompetence vs deliberate weakening. The end result is the same: not secure.

They're a russian-HQ'd and staffed company which alone makes them suspect, and the government seems to have no problem with them, which doubles the suspicion given it's a perfect tool for anti-government groups and terrorists and if the FSB couldn't read everything, they'd be harassing the company, its founders, etc.

> The Telegram key exchange is described in the "Key Generation" section of Telegram's end-to-end API docs. Concretely, Alice requests the DH parameters (p, g) from Telegram, painstakingly verifies them, computes a random a value, and sends g^a mod p to Telegram. Bob receives (p, g, g^a mod p), similarly computes b and g^b mod p, and sends the latter back (along with a truncated hash of the derived key, for some reason).

I assume the reason is that the recipient of the truncated hash can validate that they've derived the same key without exposing it. This makes it way more straightforward to reject invalid keys. Truncating the hash is pointless but I get why they'd do it - it doesn't "hurt" since ultimately decryption will (hopefully) fail with an invalid key and this is just a shortcut to commit to a specific key.

Otherwise, a really interesting example of thinking "I'll add a nonce here, that'll make things safer!" and getting the exact opposite result.

My naïve take on the hash truncation was that they didn't want to potentially expose an exact hash -> key map that could be analyzed after the fact, but wanted enough information about it to work as a likely-enough validation.
Eschew flamebait. Avoid unrelated controversies and generic tangents.
I'm not trying to bait anything, and I don't have any afterthought. I genuinely find it baffling that something ever got the idea of trying to change a term that's so engrained in IT culture, to the point I use it outside of English. Isn't it a point that's interesting to discuss ? I think it is, and trying to have it brushed aside is vexing.

NB: I remembered seeing your name somewhere, and indeed I have. I really enjoy your blog posts @ fly.io. I even have « Sandboxing and Workload Isolation » saved up somewhere as a note.

I don't think it's especially interesting to discuss, but either way: it's not important on this thread, where it is an off-topic tangent. We all share responsibility for making sure we're talking about the meat of an article on its thread, and not burying the thread under a relitigation of some past rhetorical controversy. It's as much about predicting what responses your comment will generate as it is anything else.

Thank you for the kind words about the blog posts! I'm particularly happy with the sandboxing post.

Hanlon's razor:

"never attribute to malice that which is adequately explained by stupidity."

When it comes to security such razor is dull.
I've seen lots of "experts" write really insecure code. While it is certainly possible someone did this maliciously. Devs often don't understand the code they write and repeat until they get something that "works" and call it good. With an app that touts security I would hope for better.
That's not the point.

Around security you have to assume "malicious until proven otherwise", unlike in law.

While that's true, products from Telegram, Cisco, Dell etc etc are targeted by nation states with infinite budgets who employ the best coders and cryptographers in the world. They have track records of selling bogus/backdoored products via fake companies, hacking companies to plant malware, planting/bribing employees etc. That changes the balance pf probabilities between stupidity and malice a lot for me.
>In a normal PitM, the server negotiates two separate Diffie-Hellman sessions with Alice and Bob, who end up with different shared keys, which they could detect by comparing fingerprints.

I think that normally A and B would compare whatever they were using for long term identity and not the shared key they got from a DH exchange. So that would be the fingerprint of some sort of public key from some signature scheme. There is a tendency to throw away the results of the DH exchange as part of a forward secrecy scheme and the users would not want to have to compare fingerprints constantly.

Does Telegram do something different?

Edit: Sort of answering my own question. Apparently each secret chat is self contained. You are supposed to verify your fingerprints when you start one. If you start another one you then would have to check the fingerprint again. This suggests that Telegram secret chats are indefinite and can stick around for a long time. I guess that is one way to simplify identity management. That also suggests that the forward secrecy is per secret chat session. It only kicks in when you end the secret chat.

> Can we talk about how cool the Wayback Machine Compare feature is?

I consider myself an Internet Archive power-user; I spend hours playing with CDX queries, t̶r̶o̶l̶l̶i̶n̶g̶ trawling the archive for interesting tidbits that have been lost to time. I have spent countless evenings building scripts based on the internetarchive (https://github.com/jjjake/internetarchive) and iamine (https://github.com/jjjake/iamine) tools (along with a host of others).

I am utterly ashamed I had never heard of the /diff/ feature between pages until I read your article. Thank you for bringing this to my attention! I am continuously impressed by the work they do at IA.

Did you mean trawling the archive?
Yes, yes I did. I'm not even sure I can blame that on autocorrect.

EDIT: As an aside, I didn't realize there's no strikethrough option for text on HN. For anyone else who wants to hide their shame without ninja editing, I found this site which does the same in unicode:

https://yaytext.com/strike/

"Trolling: Carefully and systematically search an area for something."

I think your subconscious did just fine.

It's polite, pedantic, and incredibly useful digressions like this which keep me coming back to HN. I had no idea this homonym could describe two separate actions (i.e. casting a broad net to grab whatever is in the path vs. a systematic search covering a specified area) that both still work perfectly to describe how I interact with the Internet Archive.

I'd say it was intentional, but that'd be a bald-faced lie.

While trawling is more idiomatic, trolling is also a verb, and actually quite similar: it's fishing with a moving vessel except that it uses lines rather than nets.

In my headcanon, trolling is a slower, less directed process. So I might idly troll for bugs to fix on a bug tracker, rather than a trawl which would aim to gather everything matching some criteria.

(comment deleted)