
rysiek
Instance: szmer.info
Joined: 4 years ago
Posts: 8
Comments: 53
Comments by rysiek
Hi, author here. First of all, in that piece I don't happen to recommend using any specific piece of software. I mention Signal and WhatsApp for comparison, as tools that are considered similar, and yet avoid making the same weird protocol choices.
Secondly, if you have any proof that any specific communication tool is used to "spy" on people, I am sure I am not the only person who would love to hear about it. That's the only way we can keep each other safe online. Surely you wouldn't be making unsubstantiated claims and just imply stuff like that without any proof, would you?
And finally, I've spent a good chunk of time and expertise on analyzing Telegram's protocol before I made my claims. I provided receipts. I provided code. I explained in detail my testing set-up. You can yourself go and verify my results.
Instead, you claim it's "propaganda", while mischaracterizing what I say in that post. Classy!
Thank you, that's really great to hear!
AMA is AMA
What have I done.
What led you to dive into examining Telegram?
I do information security work, and I used to work closely with investigative journalists hailing from Russia, Kazakhstan, Ukraine, and other places in that general area. Telegram is massively popular there. Because of this Telegram has been on my radar for a very long time as a serious security threat – not just because its protocol and management are suspect, there are plenty of other IMs like that, but also because of how many people I worked with had used it.
I've written about Telegram before, on a more general level (linked in the blog post), so when IStories reached out to me for comment on this it was a good inspiration to dive deeper.
How would you use it if abandoning it is not an option, safety-wise, on Android? Like, opening it in browser instead, killing app from the background, or using some app/tool? Not using it for anything sensitive is obvious.
I would not use it. I refuse to accept that abandoning it is not an option. There are plenty of options. It's always a decision one can make.
Please remember that even if hypothetically you could use it in a way that protects you from the spying – something I am very, very doubtful of! – the mere fact you are using it sucks other people into using it. You personally become one more reason for someone to start using or keep using Telegram. You personally become one more "user" of Telegram, justifying another media organization or NGO to set up or maintain a presence there – which in turn pulls in even more users into the dragnet.
In other words, your decision to use Telegram anyway, even though you know what the issues are, becomes one of the many things that make other people feel that "abandoning is not an option". I refuse to be a part of that. The only thing I can recommend is to stop using it.
What are other potential worms in there you may think of? Recently, Yandex and Meta analytics tools got caught in sending browsing data to phone’s localhost - where their locally installed apps caught it and sent back home. If the FSB connection is that deep, there is no end to what they’d want to mine from users.
I think this hits the nail on the head: If the FSB connection is that deep, there is no end to what they’d want to mine from users.
I don't want to speculate. The possibilities are vast. But I will say what I said in the blogpost: Telegram is indistinguishable from an FSB honeypot.
I don't trust Telegram the company, I don't trust Telegram the software, I don't trust MTProto. I certainly do not trust Pavel Durov. I don't think we need to speculate on what more could possibly be hiding there, what is already known about Telegram should really be enough to stop using it.
Heh, thanks. AMA I guess.
Best I can tell it originated from a satire website. It is still hilarious.
This is a memes community. Take anything and everything posted here with a grain of salt. Or glitter.

You do realize this was posted to a memes-focused community, right?

funny you should mention that...
https://arstechnica.com/health/2025/06/trumps-epa-to-reconsider-ban-on-cancer-causing-asbestos/
You must be super fun at parties!
Do consult your lawyer before throwing glitter bombs at masked, not uniformed kidnappers that might or might not be ICE agents.
Will you give a link to the article, or only to the image?
I'm not saying these provisions aren't shitty, because they totally are, but: how exactly are they supposed to support the "monopolization" of the fedi specifically?
It probably worked only in the context of the "binding arbitrage waiver". Overall it's pretty funny that Gargron's line is basically "well, we didn't read our own terms of service".
they already know which user is which IP from the servers they control
(...)
when they already control Telegram’s servers
Who is "they" here?
If you meant "the compromised provider" here, then no, we cannot assume they know which IP address is used by which user. Full disk encryption exists, you can rent a (physical, dedicated, as is the case here) server from a provider and set it up in such a way that you can be reasonably sure that the provider does not have access to the data on the server.
So in that case the provider would only see the traffic without the ability to connect easily IP addresses with actual devices or users. That is not enough to reliably track anyone long-term, as IP addresses change in ways that often make it difficult to figure out if some traffic comes from the same user/device or not – especially when you travel. But add an identifier visible directly on the wire, like the auth_key_id, and you can pretty easily say "yes, this new IP address is now used by the same device".
If you mean "Telegram", and assume Telegram cooperates fully with the FSB, to the point of providing unfettered access to data on Telegram's servers, then sure. But I cannot prove that, and neither could the IStories team. Can you? You can of course make any assumption you want to (and I am not saying your assumption here is necessarily wrong – only that I cannot prove it), but when I publish I can only work on things that I or somebody else can prove.
And in this story, I can prove that Telegram's protocol has a very weird, unexpected "feature" that combined with IP address allows anyone with sufficient access to track Telegram users. I can show that this feature is not necessary in such a protocol – other protocols used by other similar tools do not have that issue. And IStories team seem to be able to prove that all Telegram traffic flows through a single infrastructure provider that has ties to the Russian FSB.
That's all we got currently, but that's already plenty. Because both of these are decisions made by Telegram, and they strongly reinforce one another.
It just seems like an incompetent implementation.
If that was the only weird technological decision by Telegram with strong consequences for privacy of its users, I could agree.
But as I discuss at length in that blogpost, Telegram has a long, long history of such "incompetence"; they also tend to react badly to anyone pointing this kind of thing out. The auth_key_id issue has been pointed out years ago and not only is it not fixed, there is no indication that Telegram even considers fixing it.
Can you imagine the veritable shitstorm if Signal pulled something like that?
As I wrote in my blogpost, in the end it does not matter if this is incompetence or malice – the end result is exactly the same.
And of course not a word about the fact that:
1. Israel is the only country in the region that possesses nuclear weapons.
2. Once the war ends and Netanyahu stops being prime minister, he may well go to prison.
So, you drop into a thread about a pretty technically involved analysis of one protocol (MTProto), and in response to a post linking to another pretty technically involved analysis of another protocol (Matrix/Olm) all you have to offer is "that softheaded blog"?
I mean I would expect some finesse with the insults. I understand that diving into the technical nitty-gritty might not be your thing, and that's totally fine, but at the very least don't deny us the entertainment factor of a well-rounded invective!
I can only hope neoliberalism dies as soon as possible, it brought us to this sorry moment in time.
So what’s your explanation if Russia follows through on this messenger development?
That would be a first for Russia to actually follow through on and complete anything of consequence, really. Would love to see it.
I don't "dislike this point", I have exactly zero emotions about it. I said it "might" be a red herring. It might not. I don't have a formed opinion on it as I simply don't know much about it. It might also be a reaction to Durov now cooperating also with "Western" law enforcement, for example. Who knows.
It does not change anything in the story.
Is the scandal just that it isn’t exclusive to the USA?
You seem to be under the impression that anyone who has a problem with the Russian authoritarianism and imperialism must necessarily be a supporter of USA's authoritarianism and imperialism. I can assure you a lot of people in the world are able to walk and chew gum. And that imperialism's reach is not measured solely in imperial units.
Signal would be a good replacement for private messages and groups. I'm in groups of hundreds of people there, I'm sure larger groups exist.
As to channels… seriously just set up a simple website with an RSS feed? That's the simplest. A lot of providers have free DDoS protection now as well. If you're worried about privacy and whatnot, choose a provider like 1984.is or FlokiNET.
The broader point is: we really need to get people out of centralized platforms and onto less gate-kept spaces. Because with centralized platforms it is always possible they enshittify or turn out to be bad in some important way, and when that happens, the network effects hold us and our audience ransom. Moving back to web is one way of doing that. Joining the Fediverse (hullo!) is another.
And yes, I am waiting for truly decentralized end-to-end encrypted internet messaging tools to become usable enough to replace Signal eventually. One thing I am looking at – and again, it is not ready yet! – is Cwtch. Another thing I am really hopeful for is the Veilid protocol. But these are still ways off from being ready for prime time and widespread non-techie use. One day though!
Do you think that Telegram can continue to be used for this purpose while taking additional security precautions?
No. Their very existence on Telegram is drawing more people to Telegram, and helping keep on Telegram people who might already be thinking of leaving it. Publishing on Telegram helps the FSB spy on more people. In this case, people who are anti-Putin.
In other words, by continuing to use Telegram and thus by drawing more people onto that platform and keeping them there through network effects these organizations are drawing people opposed to Putin's regime directly into FSB's dragnet.
I cannot see this as anything but massively irresponsible.
Or do you think the risk is too great, and no amount of precautions can justify using the service?
In my opinion the only somewhat justifiable way to use their Telegram presence today would be to try and get people who are on Telegram out of Telegram. But that's a very tall order, and would have to be done thoughtfully, carefully, and with a plan.
As long as they’re not using Russian-purchased sims to manage and post to the channels, how does this change their security model going forward?
If IStories' reporting on GNM's connection to FSB and GNM's access to Telegram's traffic is correct – and I have no reason to believe otherwise, this has gone through two rounds of fact-checking and these are people who had been sued for "defamation" in the most journalist-hostile, oligarch-friendly jurisdiction in the world (UK) and have repeatedly won – then this means the threat model now includes the FSB potentially being able to:
- figure out where a user is in the world just by observing their Telegram network traffic, live or close to live;
- with some additional analysis, based on timing and packet sizes correlation, probably figure out who that user is communicating with via Telegram.
Both of these globally, regardless of what SIM card was used to register any of the accounts involved, and without having to ask Telegram for any data.
I don't know if FSB is actually using this capability, and to what extent, and against whom. But based on IStories' reporting and on my own packet captures analysis it is entirely possible for them to do so if they choose to.
I guess the xAI thing might just be a money grab for Telegram and Durov.
The Russian MPs thing might be a red herring, there's been plenty of stuff recently aimed at distracting from this Telegram story – including a brand new interview by Tucker Carlson with Durov.
Telegram and Durov knew for weeks this is coming, as the investigative journalists had to reach out for comment. So they had time to prepare their little games.
Glitterati strike again!
Text: ICE agents are complaining that every time they go out wearing masks in unmasked cars with no uniforms or identification, protesters keep dumping pounds of glitter on them so that everyone can tell they're ICE for days afterwards.
Will you give a link to the article, or only to the image?
Edit: I've got it now: https://scribe.rip/@hrnews1/blackrock-is-suing-unitedhealth-for-giving-too-much-care-to-patients-after-the-ceo-was-murdered-4af185038a62