[tucson]

> They use the broken SHA1 hash function

They answer this point on the website: "Q: Why do you use SHA-1 in the place of a MAC? [...] since this means still requiring at least 2^128 operations (instead of 2^256 with, say, SHA-2) to even begin trying to break this scheme, the trade-off seems fair."

Why not break the crypto (and take the money) if it's so amateurish?

[testing12341234]

The easiest to understand response to this question that I've seen so far is from this comment [0]:

The contest limitations rule out most of the likely attack vectors for breaking the protocol in the real world. It's like saying "Our bank vans are 100% secure. Just try stealing money from them without puncturing our tires or bribing one of our employees."

[0] - https://news.ycombinator.com/item?id=6936949

[simias]

In particular none of the attacks described in TFA (Known Plaintext, Chosen Plaintext and Chosen Ciphertext) are possible within the frame of their contest (since Telegram controls all inputs).

Yesterday someone blogged an example of a completely broken cryptosystem that would still pass Telegram's challenge with the same limitations: http://www.thoughtcrime.org/blog/telegram-crypto-challenge/

[StavrosK]

That's Moxie Marlinspike, developer of TextSecure.

[Beltiras]

With a very valid challenge.

[raverbashing]

It may even be possible to factor the RSA Key

More to the point, KPA,CPA, etc are very important, and systems should be definitely tested against them, but in real attacks, they may not be available