rysiek

Soatak

Soatok. At least get the name right.

The simplest thing for [Soatok] to have done would be to ignore the message

Which also happens to be the simplest thing you could have done, even simpler as none of the toots you quote were addressed to you. Instead, you are dragging this one random exchange into this thread about something else entirely.

There were reports (claims I suppose) that the fsb were using telegram to organise the stochastic gig job sabotage across Europe

No no, reports: https://www.msn.com/en-in/news/world/russia-uses-telegram-to-recruit-spies-and-saboteurs-in-europe/ar-AA1xshqO

Does what has been found here shed any more light on that?

Not really/not directly, I would say. What you are describing is FSB using Telegram for recruitment. That does not require network-level observability and surveillance. That's a different "feature", so to speak.

I hate it when I don’t know an acronym, but this one is particularly hurtful to my brain since everyone is saying “yeah, that link to the FSB was obvious glad someone demonstrated it.” So… I will just assume FSB=KGB and be done.

Russian FSB is the successor of the Soviet KGB, so yeah, that works.

Take for example Tor network (high number of exit nodes are controlled)

I substantiated my claims about Telegram by a pretty deep technical analysis. Mind at least providing a link for your pretty strong claim about Tor?

Except those apps or protocols that are truly decentralized (e.g. OMEMO in XMPP), these are good.

Nope. Decentralization is important from power dynamics standpoint, but can actually be detrimental to information security due to (among others) metadata and complexity.

(I defend infrastructure and perform hacks against cryptograph & protocols for a living)

If you need to say it…

Regarding Soatok, I am prone to completely ignore impolite individuals.

Please feel free to ignore me as well then, because saying that technical analysis by an expert can be outright ignored just because the expert happened to be impolite that one time might make me become somewhat impolite.

Imagine getting dozens of randos in your replies asking about dozens of random chat apps. At some point I am pretty sure you'd also reach a breaking point. Some would call that kind of behaviour a bit impolite, I'd wager.

After reading the article, my understanding is that what was sent in “private chat” was in fact encrypted (for the most part) and can be considered secured (to the degree - something is off and, maybe we didn’t find out yet, how the encryption is compromised).

"Secret Chats", but otherwise spot-on, yes.

I am making a point of clarifying here because Telegram thrives on ambiguity. "Private chat" might mean anything in that system. "Secret Chat" is a specific feature that almost nobody uses but gives Telegram cover to claim they do end-to-end encryption.

But it would wise to treat all other conversations as something that is compromised. Is this a fair summary?

Yes, that's what I would say.

Telegram has access to everything that is not a "Secret Chat". They are responding to data requests. It's unclear what they include in these responses. They are also linked to FSB, through the same Vedeneev guy that owned GNM (the infrastructure provider).

Thank you, that means a lot. For people working in information security it really feels sometimes that a). a lot of stuff is obvious, b). people just don't listen and don't care.

Your comment shows how incorrect this is. That really helps keep motivated.

I would most definitely not recommend Matrix for private or sensitive communication, no.

https://soatok.blog/2024/07/31/what-does-it-mean-to-be-a-signal-competitor/
https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/

Matrix is fine as IRC replacement, it might also be a decent replacement for Telegram's channels thingy, sure. But I would not trust my family photos to it. Much less anything actually important.

For the internet messenger functionality that would be Signal.

For other things (channels, mostly), anything that does not pretend to be end-to-end encrypted when it is not. A website with an RSS feed would be one trivial choice for channels that are open to anyone. Public communication like that has no business going through "platforms".

Thank you!

Also, AMA I guess.

I know, right? That's why investigative journalism is such a thankless, frustrating job. You need to prove beyond any doubt things that are often pretty obviously true.

Roman Anin and the rest of the IStories team did an absolutely amazing job. Found court documents going years back. Dug up signed statements and contracts. They did something nobody in the infosec community seemed to have done: actually looked at the IP addresses used by Telegram and followed that lead to its logical conclusion. And then published all of the receipts!

And still people will say this is "unsubstantiated" or find other ways to wave this off.

And yet this does move the needle. There is now proof of things we kinda sorta knew was probably true for years. It doesn't sound like much perhaps, but it's really important.