“Telegram is not a private messenger. There’s nothing private about it. It’s the opposite. It’s a cloud messenger where every message you’ve ever sent or received is in plain text in a database that Telegram the organization controls and has access to it”
“It’s like a Russian oligarch starting an unencrypted version of WhatsApp, a pixel for pixel clone of WhatsApp. That should be kind of a difficult brand to operate. Somehow, they’ve done a really amazing job of convincing the whole world that this is an encrypted messaging app and that the founder is some kind of Russian dissident, even though he goes there once a month, the whole team lives in Russia, and their families are there.”
" What happened in France is they just chose not to respond to the subpoena. So that’s in violation of the law. And, he gets arrested in France, right? And everyone’s like, oh, France. But I think the key point is they have the data, like they can respond to the subpoenas where as Signal, for instance, doesn’t have access to the data and couldn’t respond to that same request. To me it’s very obvious that Russia would’ve had a much less polite version of that conversation with Pavel Durov and the telegram team before this moment"
There’s a big difference between having confidence in open source code that has been audited by many people, and knowing for a fact that the service collects specific information. In the former case, you can never be absolutely sure that the code is not malicious so there is always a risk, but in the latter case you know for a fact that the service is collecting inappropriate information and you have to trust that people operating the service are not using it in adversarial ways. These two scenarios are in no way equivalent.
It’s a choice to trust the entire open source community around the project and all the security researchers who have been looking at the code.
Frankly, I have trouble believing that you don’t understand the difference here and are making your argument in good faith.
Let’s back up to what I replied to in the first place:
I even took the time to quote that, because it’s important.
Of course there are different levels of trust. But what you said is flatly wrong and misinformation, if you want to get technical about it. Arguing in bad faith? I beg your fucking pardon, friend.
Just becuase it’s less likely to find nefarious code in open source doesn’t mean it doesn’t exist. There ahve been multiple cases of it found in open source code. Blindly trusting something because it’s open source or you host it on your own server is a very very false sense of security, especially in the context of the larger discussion, which came about in regard to what information is exposed by certain messaging clients.
It’s also a matter of the importance of what you’re doing.
I wrote a little CRUD app a while back to track me giving my cat medication. I sanitized inputs, but I left it open without a login on my server, just an obscure URL that didn’t get published anywhere. All you could do was click a button to indicate the cat had been medicated, or another button to delete the latest entry. That was plenty of security for that. If I was writing a banking app, I’d use a bit more.
So yes, in the same way as that, hosting something you use to chat with friends about whatever is one thing; trying to communicate secretly from a country where your comms might lead to being put to death is quite another. And in the latter case, it’s important to know that no matter what you use, unless you wrote it or read all the source code, you are trusting others with your life. Perhaps you feel comfortable doing that, but you should be aware of it.
So no, this is not a discussion in bad faith at all, it is valuable on multiple levels.
What’s important is that you’re quoting me out of context, and that makes all the difference. The actual statement you’re replying to is:
The fact that you proceed to quote me out of context and then accuse me of being wrong shows that you lack even a modicum of intellectual integrity. Then you proceed to make a straw man arguing against something I never claimed.
So yes, this is very clearly a discussion in bad faith, where you’re arguing against a straw man while ignoring what I actually wrote. It’s especially incredible since I even followed up with a more detailed explanation which you just ignored:
Do better.