Speaking of the actual story, how come they put all of this effort into unmasking this guy, discussing the consequences of his actions to the integrity of democracies... but then he says "I hack into Telegram accounts by using an SS7 vulnerability", and they just copy and paste that verbatim into the story, not even bothering to explain it in the slightest?
Obviously it's because they themselves don't know what it means, so it just gets filtered by their brain as nonsense tech words. But is it really that hard for them to reach out to a tech person and ask them "hey, what does it mean that they use an SS7 vulnerability to hack into Telegram accounts?", so that they can explain "Oh, that means they're impersonating your phone number, so that when Telegram sends you an SMS to verify that it's you, they receive that SMS on your behalf and can log in to your Telegram account"?
It baffles me, because it would take so little effort for them to provide this additional context into how the actual hacking is done, in a way that is understandable and interesting for the average non-tech person, and yet... they just don't bother to?
Somehow this seems to only be acceptable for tech stuff. If when they found out that this guy was involved in the Nigerian elections, the reporter shrugged and said "Huh, Nigeria. I wonder what a Nigeria is. Anyway, not worth Googling it or checking whether it has any relevance to the story whatsoever" then everyone would agree he's doing a disservice to the story and to the public. Yet somehow this is routinely done with technical terms, the public is worse off because basic things are hidden to them behind inscrutable acronyms by lazy reporters, and no one bats an eye.
I monitor Russian war channels and some people there insist on using Telegram only for Russian military people. If you use WhatsApp, Ukrainian officers will get all chats from NATO.
Telegram accounts of opposition were hacked by Belarus police as well. It's known and documented.
My takeaway is that for truly private chat one should write his own software using simple crypto without all those fancy clients. Ideally just use one time keys and xor everything. Can do it with pen and paper.
Signal might be safe, but I think it's a honeypot.
> Telegram accounts of opposition were hacked by Belarus police as well. It's known and documented.
No, not really _hacked_. You give your phone unlocked to the police, and they access your Telegram account. You can't refuse, and you probably can imagine why.
> My takeaway is that for truly private chat one should write his own software
That's the only way to make sure you're using software you trust, but rolling your own crypto implementations is often not so secure (because of the many pitfalls).
If you and your group chat friends can meet up in person once to input an agreed-upon ~1Gb one-time pad, then you can exchange uncrackable text messages for years on any insecure channel. I’ve long felt that this is the ideal solution for anything super super secret.
> Telegram accounts of opposition were hacked by Belarus police as well. It's known and documented.
These were cases when cops either were able to access the device, or were able to intercept SMS messages. Notice that that did not happen to those Belarus-related channels whose admins left the country. For example an ongoing issue [1][2] with one of the admins who left the country, but his identity was found out and now cops are using his brother, who was still in the country, as a lever to make him delete the channel.
They can't delete/hack your channel unless you let them.
Before doing anything related to security, you should always understand what your threat profile is. If you don't have a real probability that a state actor will go after you, most likely your threat model will include scams and criminals. And unless you're a wealthy individual, most of these scams will be automated, not hand-tailored.
So, the Twitter post alludes to SS7, but it is not clear how it is (ab)used to do the Telegram-related exploitation.
Presumably, SS7's design flaws are being used to intercept Telegram's registration verification messages, placing the resulting Telegram accounts under control of the bad actors while appearing to be real, independent users (and so aiding in establishing their credibility, which leads to other things), but that is a bit... handwave-y.
Telegram allows logins per SMS code (they will be rolling out changes in two days). So as long as you knew the number of your victim and have the ability to re-route SMS, you were able to login to other people’s accounts.
Of course this can be easily mitigated by setting a “cloud password”, but I guess most people don’t do that.
> If you can reroute SMS auth codes, it's game over.
Except it's absolutely trivial to do so, just bribe a low-ranking employee of the phone company, and it's done. This has been done thousands/millions of times, usually targeting Bitcoin holders. Just google "Simjacking"
I absolutely loathe when companies make me use SMS as 2FA. I flat out refuse to use the service if they force SMS for account recovery, because at that point you might as well just be sending plaintext passwords over the internet, because you clearly don't care about your customers' safety.
Oh, and the amount of hoops you have to jump through to make Gmail NOT use SMS for account recovery is insane.
From what I've heard from my Russian colleagues quite a lot of people have an alternative number they register Telegram with. The SIM card is never stored in the main phone. Also it was popular to buy a phone number in countries like Finland and keep it alive by making small payments. Obviously you never use this number directly in Russia. There was a method to read the SMS messages online.
The biggest risk of any encrypted chat is that the op-sec of the recipient isn't as good as yours. No matter what steps you take, you can't prevent the other person from being dumb.
"Here he is demoing access to the #Gmail of a purported key political insider in #Kenya just days before the election."
Odd choice of title when the subject of the thread is exposing compromise of elections using vulnerabilities not necessarily native to Gmail or Telegram.
For me personally, the main argument against Telegram is that its development and operations team is physically located in Russia. This means that they can very easily be bribed and/or intimidated into any type of collaboration with their state.
There's a broader question I've been raising for a number of years now, about how major online service providers address the brownshirt threat. I'd first raised that in 2016 on the now-defunct Google+, entirely coincidentally on the anniversary of Kristallnacht:
Telegram seems to either have turned or been compromised from the start. Given transitions closer to HN's home, Twitter's usurpation by an alt-right zottanaire would be another case in point. Ironically, Yonatan Zunger and Lea Kissner (to whom I'd addressed much of that post's message) were both at Twitter when Musk acquired it, though both have since left. (Zunger was G+'s chief architect, Kissner led a security team there.) For all its various faults, G+ had relatively little co-option by fascists, something I had an opportunity to assess during the site's shutdown, by way of the 8-million-odd Communities that existed, some with clearly white nationalist / antisemitic, or other bents, virtually all of which were inactive for years by the time I looked at them (late 2018 / early 2019), whilst at the same time legitimate use of terms such as "Aryan" in an Indian/Hindu context were generally active. Google+ managed to avoid the Scunthorpe Problem.
Mediated communications, particularly the electronic / digital / AI variants ... are seeming increasingly fraught. The Telegram story is a bump on that node.
Thought as I write this: Telegram's namesake, the original telegraph, was itself notably used to intercept and alter communications back in the day, notably news of the outcome at Waterloo and by agents of Standard Oil.
All fine and dandy but so far I have lost entire conversations on signal, whatsapp and matrix while this never happened to me on telegram, which is the number one thing that matters to me.
I'm in China, and I just see people learning about this the very hard way. There were many unusual unrests and crackdowns recently.
SMS is definitely a weak spot without a second thought. The state actor can easily analyse and reroute then pull off a massive list of names straight to gulag.
Ironic to see a thread on Twitter (of all platforms) complaining about "political activity happens on a handful of platforms [sic] makes the tooling for political manipulation really interoperable."
[+] [-] mellosouls|3 years ago|reply
https://www.theguardian.com/world/2023/feb/15/revealed-disin...
Covered already on HN:
https://news.ycombinator.com/item?id=34800157
https://news.ycombinator.com/item?id=34803779
Etc
[+] [-] sdiacom|3 years ago|reply
[+] [-] vbezhenar|3 years ago|reply
[+] [-] lxgr|3 years ago|reply
That's actually pretty secure in practice, because you won't be communicating with anybody.
> Ideally just use one time keys and xor everything.
How do you generate the keys? How do you share them? And you only care about encryption, authentication does not matter to you at all?
The chance of getting this right as an individual developer, especially given this level of understanding of cryptography, is next to zero.
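An added example, not part of the thread, illustrating the authentication question raised in the comment above: a bare XOR pad gives no integrity, and reusing a pad exposes the XOR of two plaintexts. The messages, helper names and the HMAC-based check are constructed for illustration and assume both sides share a separate MAC key.

```python
import hashlib
import hmac
import secrets

def xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad that must be at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))

def flip(ct: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """Malleability: C ^ known ^ wanted decrypts to `wanted`, no pad needed."""
    delta = xor(known, wanted)
    patch = xor(ct[offset:offset + len(delta)], delta)
    return ct[:offset] + patch + ct[offset + len(delta):]

def seal(msg: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 of the ciphertext."""
    ct = xor(msg, pad)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(blob: bytes, pad: bytes, mac_key: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return xor(ct, pad)

def demo():
    m1 = b"MEET AT 0900 GATE A"   # constructed sample messages
    m2 = b"MEET AT 2100 GATE B"
    pad = secrets.token_bytes(len(m1))
    c1 = xor(m1, pad)
    # 1. No integrity: a modified ciphertext still decrypts cleanly.
    tampered = xor(flip(c1, b"0900", b"2100", 8), pad)
    # 2. Pad reuse: c1 ^ c2 equals m1 ^ m2, the pad cancels out.
    reuse_leaks = xor(c1, xor(m2, pad)) == xor(m1, m2)
    # 3. With a MAC over the ciphertext the same change is rejected.
    mac_key = secrets.token_bytes(32)
    blob = seal(m1, pad, mac_key)
    forged = flip(blob[:-32], b"0900", b"2100", 8) + blob[-32:]
    try:
        open_sealed(forged, pad, mac_key)
        rejected = False
    except ValueError:
        rejected = True
    return tampered, reuse_leaks, rejected
```
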
[+] [-] benhurmarcel|3 years ago|reply
Telegram smells a lot more like a honeypot than Signal
[+] [-] orphea|3 years ago|reply
[+] [-] WolfeReader|3 years ago|reply
Based on what?
Signal documents its own encryption process, and you can check the app source code to verify it. https://signal.org/docs/specifications/doubleratchet/
Signal is the best choice I know of when I'm looking for the union of 1. True e2e encryption, and 2. Ease of use by non-technical people.
[+] [-] VincentEvans|3 years ago|reply
https://www.themoscowtimes.com/2022/12/23/critics-slam-16-ye...
[+] [-] xdennis|3 years ago|reply
[+] [-] acc_297|3 years ago|reply
[+] [-] proxysna|3 years ago|reply
[1] https://mediazona.by/article/2023/02/15/blackmail
[2] https://mediazona.by/news/2023/01/22/belzd
[+] [-] ShowalkKama|3 years ago|reply
[+] [-] golergka|3 years ago|reply
[+] [-] spapas82|3 years ago|reply
Non standard solutions are a recipe for disaster.
[+] [-] baynoob|3 years ago|reply
[+] [-] grumple|3 years ago|reply
[+] [-] anonym29|3 years ago|reply
[+] [-] YourDadVPN|3 years ago|reply
[+] [-] grapesurgeon|3 years ago|reply
[deleted]
[+] [-] T3OU-736|3 years ago|reply
[+] [-] super256|3 years ago|reply
[+] [-] baybal2|3 years ago|reply
[deleted]
[+] [-] throwaway13337|3 years ago|reply
If you can reroute SMS auth codes, it's game over.
It's too bad that most 2FA rely on this method (or use it as a fallback).
I don't see how it is directly related to telegram, though.
[+] [-] valdiorn|3 years ago|reply
[+] [-] notdang|3 years ago|reply
[+] [-] lxgr|3 years ago|reply
[+] [-] b4je7d7wb|3 years ago|reply
Do not let sms 2fa slide for anyone.
[+] [-] jedberg|3 years ago|reply
[+] [-] NayamAmarshe|3 years ago|reply
Maybe replace Telegram with SS7 and it would make more sense.
[+] [-] lxgr|3 years ago|reply
[+] [-] washadjeffmad|3 years ago|reply
[+] [-] kozak|3 years ago|reply
[+] [-] brink|3 years ago|reply
[+] [-] lallysingh|3 years ago|reply
[+] [-] dredmorbius|3 years ago|reply
<https://web.archive.org/web/20170604101018/https://plus.goog...>
[+] [-] jcelerier|3 years ago|reply
[+] [-] sangnoir|3 years ago|reply
[+] [-] celestialpeasan|3 years ago|reply
[+] [-] unyttigfjelltol|3 years ago|reply
[+] [-] wkat4242|3 years ago|reply
[+] [-] rejectfinite|3 years ago|reply
[+] [-] est|3 years ago|reply
[+] [-] stiltzkin|3 years ago|reply
[+] [-] thehonest|3 years ago|reply
[+] [-] prhrb|3 years ago|reply
[+] [-] skrowl|3 years ago|reply
[deleted]