by pdimitar 1988 days ago
And it's amazing to me that any Telegram coverage on HN is met with extremely hostile reactions. All they did was not invent the best encryption in the world... like you, me, and 99.9% of the world. Mortal sin, right?

So please stick to facts and what can be reasonably proven. The rest is meaningless noise and mindless hate.

The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy. Did you make it until the end of the article?


I don’t think your paraphrase is an accurate representation of the article.
It's not. (I'm the author.)
As said in another comment of mine, putting a generic "hey I might be wrong" at the end is pure fluff. Stick to what you believe in, you are not in front of a court.

Case in point: the Hanlon's Razor mention definitely did mislead me in terms of your stance.

My position is that this looks like a backdoor but there is no way to know for sure, and I stand by it. If you find it too nuanced that's ok.
I found it ambiguous, nothing more. And I expressed an opinion to which I half subscribe. Maybe that's valuable feedback for you as a writer, maybe it's not.

In any case, no hard feelings were intended anywhere.

The situation is (slightly) ambiguous. It looks like a backdoor. Anyone competent writing that code would be doing so because they wanted the backdoor. But there's no reason to assume Telegram's authors are competent unnecessarily, and competence in UI design doesn't imply competence in security. And it's also a rather obvious-looking backdoor; anyone competent would presumably try to hide it better. Then again, the NSA backdoor in Dual_EC_DRBG was pointed out before anyone started using the spec and was not that well hidden, and the NSA are generally considered competent.
From the article:

> Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

How else would you interpret it?

“This looks like a backdoor but if I think really hard maybe I can consider it to be incompetence?”

Neither is a good look for a security team, of course.

Yes, it's not, but my (and his) point stands: it's likely incompetence. It's very biased and uncharitable to immediately assume malice.
>(and his) point stands: it's likely incompetence

That’s not what the post is saying.

> It's very biased and uncharitable

It’s not “very biased”, if you actually look at what Telegram did the balance of probabilities leans heavily towards “backdoor” and not “not backdoor”

So, give me your definition of Hanlon's Razor then (mentioned at the end of the article by the author).
s/likely/unlikely but possibly/
Well, that's how probabilities work and I am not seeing your rephrasing as adding anything valuable to that discussion.

Unless you put concrete % numbers on both sides, your replacement is identical to the original.

Hanlon’s Razor says to never assume malice where stupidity suffices as an explanation. The only way I read this sentence is to say that Hanlon’s Razor applies here, in spite of how malicious the bug looks.
Same for me. While others argue that it's "obvious" that the author believes much more strongly that this find is a backdoor and not a dumb mistake (a very easy one to make for a non-cryptographer programmer), I am still unconvinced.

Would be curious to read a statement from Telegram's team though -- not that any team would ever admit to putting a backdoor...

Paraphrasing Clarke, "Any sufficiently advanced incompetence is indistinguishable from a backdoor."
>All they did was not invent the best encryption in the world.

They shipped a backdoor. It's pretty clear that Telegram is actively malicious. They haven't been caught again? They probably realized that the front door of not encrypting chats was sufficient.

>The author himself admits it's much more likely this was an amateurish mistake than some man-in-the-middle conspiracy

This is not at all what the author is saying.

> Anyway, it’s been a while, the world is a different place now, and maybe Hanlon’s razor cuts deeper than I thought.

Unless you have another interpretation of the Hanlon's Razor, it seems that he is saying this is a mistake and not a backdoor.

> They shipped a backdoor.

Did they? Might be. I am 50/50 about it; people make dumb mistakes with self-rolled crypto all the time and that's a sad reality. But who knows, it might be the first try to embed a backdoor.

My point is: being too sure one way or the other makes you biased. I err on the side of incompetence but I am open to the possibility that it was a first sloppy attempt at backdooring Telegram. Sadly we have no proof of either, so we speculate based on what's available.

If someone says "so this guy killed himself with three shots in the back, but maybe that's a common method of suicide" doesn't mean you think it's suicide. It's a turn of phrase to accentuate how much you don't think it was suicide.
I suppose I missed his sarcasm then. Happens pretty easily over text.

As said in another comment, I am no cryptography expert. I simply argue against the very visible negative bias against Telegram which is accentuated even more by very childish snarks on almost any Telegram HN thread. That gets to me and it's not how HN should be.

I never argued that my opinion is a fact. I said how I arrived at my opinion and debate with people whether that's plausible or not [based on limited info]. The rest can be proven/rebuked by specialists.

Have you considered that perhaps Telegram deserves that negative bias due to their own behavior?
I would consider it... if I ever see any other criticism in HN besides "they don't have massively peer- and pro-reviewed encryption" and very childish snark with zero facts interspersed.

What's this "Telegram behaviour"? Seriously, enlighten me -- this is not a snark. I've been following HN Telegram threads for a long time and I've only seen the two things I mentioned above.

It's really puzzling, especially in a world where a ton of very public and everyday software has many more flaws than Telegram. The whole very directed and non-HN-esque hate towards it does stand out.

>Unless you have another interpretation of the Hanlon's Razor, it seems that he is saying this is a mistake and not a backdoor.

It just sounds like the author simply doesn't want to get sued, after all it's generally impossible to prove that a backdoor is actually a backdoor.

>people make dumb mistakes with self-rolled crypto all the time

I've seen plenty of those; this one just happens to look rather different from the typical implementation mistakes you see. There's no possible reason for this code to exist except to allow Telegram to decrypt secret chats.

In the end, we've got nothing to gain and plenty to lose by giving Telegram the benefit of the doubt.

Well, sure. It's very possible indeed. I am still wondering why though -- Durov fled Russia, settled in UAE and then backdoored Telegram? Don't know. If a conspiracy becomes too complex then we all know what the other razor law says, right (Occam's)?
Nothing about my comment could reasonably be described as "extremely hostile".

You seem to be exposing a bias.

Your whole comment is a simple middle-brow dismissal. Maybe not "extremely hostile" indeed, but not constructive by any measure.

If by calling out people who break HN's guidelines I am exposing a bias then okay, I am exposing a bias then.

I don't think anybody's hating on the authors of Telegram - just that it's not one of the better options today.
I am not sure I can agree with that either (unless your definition is "does it strictly adhere to end-to-end encryption standards", in which I'll agree with you that it's not the best).

Last I used Riot/Element (the app that uses the Matrix network), I almost pulled my hair out. It was slow and buggy. Felt like I was using an alpha version of software from the late 90s.

Telegram and WhatsApp are two very positive outliers in a sea of very bad messaging apps IMO.

This whole thread is about security. That your priorities differ from other commenters' doesn't make the criticisms "mindless hate" (and, again, it's not directed at individuals, just that we think the product and service is garbage from a security perspective. Don't conflate the creation with the creators).