>[Line] fixed it by adding a random number to the user's destination
This is a imperfect solution. There's two possibilities: the offset (aka "random number") is dynamic, or it's fixed. If it's the former all you have to do is sample enough times to get through the noise. If it's the latter, it's not vulnerable to the previous attack, but if you have a known point of reference (so you can deduce what the offset is), then you can still stalk them (forever?). IMO the only way to do is "properly" is to quantize people into map cells, like how apple does it with their coarse location feature[1].
[1] "Apple doesn't reduce the accuracy of location fixes by adding noise. Instead, they've carved up the world into regions, allowing approximate locations to preserve the user's current city when possible." https://radar.io/blog/understanding-approximate-location-in-...
Map cells are the best solution available for 90% of locations, but they don't help with the 10% that's close to map borders. If an user randomly jumps between two map cells you know they live at the boundary. Generally there is often noise in GPS signals so it's likely that person will jump around.
Furthermore, if a person uses multiple services, and each service has its own cell layout, you can check all services a user is member of and then find the intersection. Ideally services would standardize to one single cell layout. So Apple's idea of doing this cell partitioning at the OS level is really good.
I think the boundary concern can be resolved by some inertia system, so a person doesn't switch cells unless they are deeply enough in the new cell, at which point they won't switch back unless they have moved back deeply enough.
- smooth region borders (based on distance to one or multiple region centers with some the client being reluctant to report you in a new region until you are far enough from your current regions center point(s) to not "jump" back and force.)
- smoothing of reported regions on the client side (might incur some delay)
- user setting of region size (show that I'm in <large city> or show that I'm in <region of large city> or <small km² grid in region in large city>)
- white list which users can see the position (allow all, potential with 2 or 3 groups of precision).
I think by combining all of this a reasonable system can be created, but I would never go with a system which can report (explicit or implicit) the exact position (without a lot data and work) or which doesn't allow you to whitelist who can see you tbh.
Anyway this also means that the area would need to be calculated by the client (phone) and then send to the server which then might apply further smoothing/filtering based on the regions it's put in relation with.
Huh? Not the way I understood it. Inertia implies the world is divided into cells numbered 1 to N, and people don’t move from X to X + 1 unless they report, say 5, consecutive times from X + 1. Overlapping systems remap the cells 1,2,3 to 1; 2,3,4 to 2 and so on. So if someone oscillated between new no. 1 and new no. 2, you’d still have no of knowing whether they were in old style cells no 2 or 3.
Inertia could well be understood to mean what you described as "overlapping". That's how I understood their comment and it appears that's how they intended it. It makes sense given the literal meaning of interia, relating to resistence to physically move an object. I don't get why you think it necessarily implies the frequency thing.
> Not the way I understood it. Inertia implies the world is divided into cells numbered 1 to N, and people don’t move from X to X + 1 unless they report, say 5, consecutive times from X + 1. Overlapping systems remap the cells 1,2,3 to 1; 2,3,4 to 2 and so on. So if someone oscillated between new no. 1 and new no. 2, you’d still have no of knowing whether they were in old style cells no 2 or 3.
Hmm yeah I meant overlapping cells then, not inertia based ones.
Inertia would just reduce the frequency of the jumps, not eliminate them completely. E.g. if you randomly get the new cell 6 times in a row you'll still oscillate, just slower.
It should be hysteresis, to jump to another cell you have to be pass some threshold of distance from it's border.
This way if you live on the border you will just stick to some of cells.
Apple's solution to this seems pretty good, here's a snippet of the transcript from a WWDC 2020 talk:
> It might be tempting to think that reduced accuracy locations are simply your true location with some noise added in.
> But that is not the case. Simply adding some random noise on top of the user's true location is actually not that secure against someone who might wish to disambiguate the true location. Instead it's better to think of what happens under the hood as a quantization of sorts. Let me explain further.
> Let's look at an example area. Consider different users going on a drive in the vicinity of El Paso, Texas and Juarez, Mexico. Note that this is near an international boundary, with the US being in the northern half of the map, and Mexico being in the southern half, bordered by this pink line you see here. The true position of the user is represented by the cars while the reported position, that is to say what an app would see if it had reduced accuracy, will be shown by a circle. Again as I mentioned earlier in this presentation, these reported locations will contain the user's true location.
> As these users drive down Interstate 10 the location snaps to within different quantize regions of varying sizes. Both the red and yellow users are going to be quantized or "snapped" into the same regions as they drive along the road.
> But the amount of snapping will vary. In denser urban areas, this amount of quantization can be a couple of kilometers, but in less dense places like rural areas, it can be 10 kilometers or a bit more. A typical value for this quantization radius is around five kilometers. Note that despite the cars continuously driving along the road the region to which the true position quantities will not continuously update. This is because Reduced Accuracy locations are recomputed about 4 times per hour. So depending on exactly how fast these cars are moving there might be some lag between quantized snaps. The actual semantics of the quantization are intended to replicate what the user would expect to hear if they were to ask for an approximate answer to the question "Where am I"? We tried to ensure that the resultant reduced accuracy location is still going to be somewhere that the user actually expects to be. We use a location we have for you to place your approximate location on the appropriate side of the border here.
> Again though remember that the center point does not represent the location of the user. It only represents the center of a region where they approximately are. Approximate location snapping however might put you in a neighboring city especially if there are cities close together. To reiterate the bit about quantization around borders, let's see what happens to someone driving on the other side of the border in Juarez and what they might expect to see.
> Note that the blue car is quantized into regions whose centers are on the Mexican side of the border.
> > The actual semantics of the quantization are intended to replicate what the user would expect to hear if they were to ask for an approximate answer to the question "Where am I"?
I'm just spitballing here, but couldn't this be resolved by using coarse sampling and a moving average? As in infrequently sampling locations. I guess you could get fancier and adjust this with the speed at which the user is moving. I'd also imagine that just using low precision GPS would help add ambiguity so a person can't be exactly located. Of course, there's a relevant xkcd[0]. In the "neighborhood" seems like the most precision you'd want for something like this (of course you could expose this to the user), but I'm also not even interested in this feature so there's a bias.
To use the approximate location feature on iOS, you have to have Location Services on in the first place, which divulges your (precise) location to Apple (via the wifi-mac-address location lookups to augment GPS).
We're right back to the neofeudalist setup: Apple will protect your privacy from everyone except Apple (and the US military, to whom they are legally
obliged to provide the data without a warrant).
> If it's the latter, it's not vulnerable to the previous attack, but if you have a known point of reference (so you can deduce what the offset is)
It sounds like this approach could be prevented by having a random fixed offset for each user, so that you have no point of reference unless you already know where that specific user is. [Removed bit about regenerating this offset infrequently.]
EDIT: You could even do this in conjunction with the quantization mitigation, which sounds like it would shore up the slight weaknesses with that approach (where being on a quantization boundary makes it obvious where you are in that dimension) for the best of both worlds, as long as you're okay with further decreasing accuracy.
As a random secret in the reporting device. The secret can then be used with a cryptographic hash to produce a deterministic but unpredictable offset, based on the current location.
Hm that will essentially behave like random noise though, assuming that the position is sufficiently high resolution. So you'll need to round it in any case, and once you do that heavily enough, there is no need for this crypto magic.
If it's a fixed offset for a particular person, then isn't that just another variable in a simultaneous equation? You'd just need one more sample to solve for it.
With a fixed offset, a person who walks around outside and makes at least a few turns could easily have their fixed-offset location trace template-matched to OSM or other street data to determine the offset. (If you live in NYC it might take slightly longer.)
No, because your solution will be off by that offset. eg. if the offset is 1KM to the north, and you tried the method mentioned in the blog post then your final solution will also be 1KM to the north. You can still use the information for limited stalking purposes (eg. has the person moved or not), but it's not nearly as useful as knowing their exact location.
Do this a couple of times, plot the locations, and you'll see a subset of the town's map. You might be able to identify prominent shapes like interestingly shaped roads or bridges. Then drag the points layer so that the roads/bridges etc align.
If you can ever determine their exact location at any time that you have the data for, you can determine the offset and then determine their exact location at all other times you have data for.
Depending how it works, probably not. If it's just a rounded value computed from the distance, you'd just have to do a small amount more spoofed queries. Each one would give you a thin donut of possible locations instead of a circle, if that's easy to picture. So ~3 attempts would usually give you a quite small area, and then you could narrow it arbitrarily from there.
Isn't this the same thing? The problem I see in the telegram screenshot is it says the first user is 863 meters away. Even 10m is fairly revealing and if you're max range is 7mi, 1m is extremely precise. Though this seems like programmers using the maximum precision they have but not necessarily the maximum meaningful precision (an all too common event).
Personally my preferred approach would be to bucket users into names of countries and states and just publish that as a string. Less vulnerable to sampling, triangulation, and other attacks.
A user does not show up in “People nearby” unless they enable the function. Doing so triggers a warning from Telegram informing you your location is about to be published and it may lead to undesired attention so it really can’t happen by accident.
I’m also using the app on iOS, the operating system asks periodically if I want to continue sharing location in the background (in case I forget to turn it off) or I can just choose to enable it while using the app (which is what I usually do).
Yeah, it seems pretty explicit that you're making your location public when you press this button. I'd say the 'bug' is in people not realising that pushing their location to a 'show users near me' function inherently reveals their location to some degree of accuracy.
it's a privacy issue. Users who enable the feature don't understand that are basically publishing thier latitude longitude online. Which can be resolved into a home address.
Blanket stating that users don't understand is pretty dismissive and frankly quite patronising. I'm a big privacy advocate, so I don't personally like volunteering location info, but personally know lots of people who will happily do so for all sorts of reasons (e.g. seeing each other on snapchat maps), they understand what they're doing. Simple fact is, plenty of people just _don't care_ and that is their right to do so.
I think most people (including myself) may not have a good understanding what nefarious things this could be used for exactly. I don't have a stalker, and I don't think the risk of a targeted burglary is all that high in my case, what else could someone do with this to harm me?
The message posted upthread (https://i.imgur.com/PDnMmQV.png) definitely does not say it will publish your location/address. It says people will be able to view your "profile".
Does the message say “everyone in the world” or just “people nearby”? I think my parents would assume that “nearby” meant people physically in the vicinity!
Well, same pitfall: if someone is nearby is determined by the client and can be spoofed. Technically you could check a GeoIP database and also usecell phone + wifi information to make it harder. All of which can be chosen by the client (apart from the IP, but thats also not a big deterrent)
User explicitly shares location to all people nearby, discovers it is accessible to all people. Feature is disabled by default, and user must find this and enable it. They are not even prompted to enable it unless they seek it.
Most users will not conclude from "sharing how nearby" people are, that someone could pinpoint exactly where they live by triangulating.
Unless Telegram does some extra steps to prevent exact locations (see other threads here), they should name it "share my location" instead of "show nearby users".
People nearby.
Quickly add people nearby who are also viewing this section and discover local group chats.
Please allow on location access to enable this feature.
"Allow in settings" (a button)
Then you see a system location access dialog. iOS allows to choose between (always, when in use, nope) and optionally to turn off "high precision" setting (not sure how much, but it covers entire city when off).
Then you may tap another button named "Make myself visible". I didn't, but a list of nearby users/groups was populated regardless.
They also say you need root to software spoof your location, but I thought you could do this without root using Mock Locations in developer options. I'm not sure if that's just an oversight, but it makes me think they aren't exactly familiar with Android as a whole.
If you just want to spoof location, you only need to use the setting in developer options, but this is detectable by apps. For example, Ingress or Pokemon GO will refuse to work when it is enabled, so to actually spoof location on some apps, root is needed.
The ability to find user locations via triangulation is overlooked in a lot of products - it's easy to not think twice when showing a user the distance between themselves and someone else.
In my own products I fix this by aggressively rounding/adding noise before the distance calculation is performed, and then rounding again afterwards, or quantizing into ranges (e.g. '0-10 miles'). Other solutions can be storing locations imprecisely to begin with, using pre-defined geobuckets, and so on, although remember that randomness by itself can be bypassed with enough queries since it will average out. It's rare that you need to know exactly how far away someone is from you rather than a rough approximation. Telegram is definitely not the only product with this issue, but hopefully they fix it even so.
Quantizing is much safer. Adding random noise is useless because one can just average multiple samples.
If you want to be extra safe, quantize the user's lat/lon before computing the distance, and then quantize the distance again.
(Quantizing only the distance can theoretically allow an attacker to travel in one direction until they see the transition from one bucket to the other which would tell them exactly when they are precisely 10 miles from the target.)
Yeah, it's important to put a lot of thought into it if users can query often like this. Removing more information generally won't hurt most use cases a ton, so it's better to err on the side of caution with good quantization as you note suggest here.
It does, but you can keep trying until you get an accurate location. In the simplest version you can just watch the distance and play warmer/colder until you physically track them down.
Triangulation is often used incorrectly instead of trilateration as in this article. Since the author is dealing with distances and not angles it’s trilateration.
On the "People Nearby" page in the Telegram app it specifically says
Quickly add people nearby who are also viewing this section ...
If a user is not specifically on that page, they are not listed in the section. The user most likely wants the world (or strangers) to know his position.
This case shows precise localization can be a double-edge sword. But instead of fuzzing the returned location, we should educate the people on privacy implications of showing their position to the public.
It's a shame that every time that Telegram is mentioned, Signal advocates feels the need to let everybody else know how superior Signal is supposed to be compared to everything else.
I don't have anything against Signal itself, but this aggressiveness and arrogance is really putting me off.
Has this became some kind of religion? Do you people realize that you are not the exclusive bearer of Truth, and that maybe, just maybe people that use Telegram chose to do so for a reason and are not poor clueless persons that need to be indoctrinated?
To be extra clear, my complaint is about whoever insists on spreading the falsehood that Signal is objectively better than anything else [and maybe also adds a bit of compassion on top ("it's a shame") for the rest of us unenlightened].
I would have no problem, and would actually be more inclined to switch to Signal, if you tried something a bit more modest and honest. Dunno, for example something along the lines of "If you would like an alternative to Telegram that has E2E enabled by default and on all chats, you could maybe be interested in Signal!".
But what kind of discussion can we have if the argument is always "Signal is so much better, it's a shame that you people don't realize it" ?
How was my statement arrogance? Stating a fact isn't arrogance, no matter what people say. It's a fact. Saying "it's a shame that people litter when trashcans are available" shouldn't merit a response of "I really hate how these anti-littering people say it's a shame that people litter. I would rather they appeal to my sense of equanimity." Give me a break, please.
Telegram has been implicated in a number of privacy scandals, and then their responses critique the authors of the indictment rather than actually criticizing the arguments themselves. Signal, even up to the recent critiques by Cellebrite, immediately responds and them discusses the merits of the claim.
Signal is terrible. I use the app still, but it’s horribly buggy. The disappearing messages, a hallmark feature, is fundamentally broken in some way that I can’t fully comprehend. Totally unreliable.
Telegram is better in every way... except security.
I'm curious as toileting what you see as "horribly buggy" and what brokenness you see in disappearing messages?
I use Signal on iOS, and it's pretty much flawless. Extremely rare for me to even hear friends (many of which I communicate with using Signal) talking about problems, I vaguely recall having something go wrong a long time back, but can't even recall what it was now, only that it went away and started working properly fairly quickly/easily.
(I disagree with Moxie's choice to use real phone numbers as an underlying hard requirements, and also with the choice to notify people when other people from their contact lists start using Signal - but I understand why he made those choices (to piggyback pre existing social graphs) and respect how he implanted it without needing to grab my contact list and have it vulnerable on their servers...)
I use signal on Android and an iPad. On the iPad, sharing photos etc to signal doesn't work, it looks like the touch input coordinates get translated incorrectly with the input location of the send button being somewhere off the screen.
The expiring messages fail in hilarious ways, all the time. Things like a few random messages from a prior day that are funny out of context all by themselves.
If I open signal on my laptop sometimes it does this ridiculous “time lapse” where it strolls through messages one at a time.
Sometimes all the messages just randomly wiggle on my screen. No idea why.
I get that security verification thing all the time. All the time.
Got a new phone late last year and it wouldn’t sync.
Sticker packs will rearrange themselves at random.
I keep hearing people day that Signal is horribly buggy, but I've never even experienced one bug in the (Android) app. I've used it moderately for 3-4 years now.
(I haven't used the disappearing messages feature, though, so I can't speak to any possible bugs there.)
Telegram is a business. Ads are coming this year. Signal is basically a non profit (so far).
Thats all I need to know to make a choice given the track record of the robotic buffoon class that believe everything that momentarily scales up needs to be monetized asap to shit out one mindless billionaire here and there.
Ads are only coming to public channels were channel owners already publish ad messages. Signal is located in USA, so it's quite easy for NSA et al to pressure Signal to implement backdoors.
This comment is downvoted but as a person in the EU I can wholly agree with it. It's not that I never use american made/hosted products but it is definitely a consideration when making a choice. It's not that I don't like Americans, but your government and government agencies have verifiably proven that they don't care about the things I care about.
I mean haven't we learned time after time, leak after leak the EU countries just shove data on their own citizens over to the USA? I feel like you comment is ignoring decades of history.
Telegram is not a business in a sense that it didn’t have any intelligible business model prior to this ads thing (which is not even live yet and this HN thread is the first time I heard about it).
For more than 7 years since its launch, the slick app, servers that instantly synchronize non-secret chats, and basically unlimited file storage were provided for free to use. Really free, no ads, no paid services. If you think about the amount of money that it all cost, it’s _insane_. So it begs the question: are Telegram’s founders really that kind of people willing to donate hundreds of millions for people’s messaging privacy with an additional option of maybe returning some of these money 7 years later with ads, or Telegram is just an elaborate FSB honeypot?
I guess we’ll never know for sure, but I’m more cautious about services that offer too much for free, not too little.
> Telegram is better in every way... except security.
Which is why anyone bothers with these type apps in the first place, I'd like to say I'm dissapointed with the sentiment towards Signal, especially given how many here work in tech and understand how leaky these apps are designed to be and how hard development can be with a bare bones team (I experienced this first hand), but it never fails to bank on the notion that convenience will always win against security. regardless of expectation(s).
Shrug... I like Signal more: and I think Telegram has many useless features that are not of any interest to me and only create needless bloat at the expense of security/privacy which is untenable, so while I hope some bugs get sorted in Signal as I run both I know why I side with Signal.
I also understand that Signal runs on a thin donation based hacker budget and Moxie Marlinspike's podcast on Joe Rogan is a really cool watch that made it clear to me it's just a hacker project that scaled really well and is in need of funding and staff. I think Joe revealed himself to be a part of the money-centric Corpo class to Moxie's dismay when he refused to have that rock, paper, scissor match and you could see the disappointment in his eyes when Joe reacted almost offended at the idea that Moxie had anything worth his stake and could so quickly ascribe a dollar value to it.
It reminded me that it's okay to care about the messenger (guest) that his podcast attracts rather than Joe or the brand he's created around himself, even though I agree with may of his points I struggle to think its nothing more than hook or gimmick most times. I don't really enjoy any of his standup and find a lot of his quips to be childish and immature reactions to what seem like feckless attention grabbing that can derail a guest's conversation or train of thought, much like uninvited fart jokes would amongst otherwise fascinating discussion and in depth arguments: then again he is a comedian first and foremost.
With all that said, donate to help get those fixes on Signal sorted here [0]!
The problem is, even if I can be OK with bugs and problems with Signal UI, I cannot make my friends (or my 80-year-old Mom) be OK too. I personally know literally nobody who uses Signal (and a number of my friends are geeks:-)). Network effect, you know... :-(
Moved my grandma and some family over to it. Zero complaints after ~2 years of using it, and that's the best part about it. You don't need to be a "geek" to use it. Knowing everyone's data (at least in transit) is secure is pretty great.
I'm curious what bugs you've experienced? The only ones I've seen are on my friends' phones and they are because those phones have extremely aggressive battery optimizations that essentially block Signal from running in the background. Once it is turned off then things work smoothly. I imagine this is a network effect related issue and that apps like WhatsApp are getting special presets because their popularity.
> he refused to have that rock, paper, scissor match
What I thought was the funniest part (strangest) is that Moxie walked back to "I'll give you a suggestion of people and you don't even have to have any of them on" and Joe still treated it like Moxie could dictate who was going to be on the podcast. But what's the difference between that and any other guest being like "hey, you should check out ________!" which happens all the time. It was literally a nothing bet. I do think Moxie forcing the week's lineup is a bit much. A single person? Not that bad, but I could see it being used against Joe (though unlikely). But "hey you should check these people out" is nothing. Guests suggest guests all the time and so does his fanbase.
As far as Signal goes, they've almost completed every major feature I've wanted. Usernames look like they're rolling out in a few months or less and group calling works (just needs to scale). Only issues I have are that sometimes there's some latency (this seems to be more related to 1. specific peoples' phones' battery optimization settings and 2. when there are large upticks in user enrollment. So neither of these are that big of an issue for me) and I can't use markdown (essentially a non-issue). Only things I want are fairly fluffy and features I would use fairly irregularly anyways. I don't understand the distaste of UI and it hasn't been properly explained to me yet. UI looks almost identical to WhatsApp except WA is far more busy in the background (which I actually dislike) ¯\_(ツ)_/¯
> I do think Moxie forcing the week's lineup is a bit much.
Maybe, but I saw it more as a way to try to have a little fun in what had been a stalled conversation due to Joe's lack of understanding on why cryptology has become vital and the implications of its need in modern Society.
I wish Joe had done some basic research and mentioned the first crypto wars himself and the fallout with Zimmerman had with PGP and Moxie would have probably opened more about how that pertains to erosion of privacy and security on the internet and the implications of the Surveillance Economy that has grown like a deadly tumor on Society since the Patriot Act and why Signal was created in the first place. He's had Snowden, Glenn Greenwald and Andreas Antonopolous on several times now, there is no excuse for not being some what informed given his general curiosity on the topic by now and making the most of those podcasts and having Moxie speak on such a large platform.
Honestly, I wish he had let him request Laura Poitras to come on as she can bring the topic to the massess in a relatable manner better than anyone I've seen so far--hell I remember first seeing CCC and Defcon videos being totally overwhelmed by the speakers so much I couldn't follow any of it. This may be because she comes from a non-technical background as a film maker that has been around Cypherpunks for decades now but has also been at the center of so much of the polemics (Assange, Snowden, Wikileaks, Intercept etc...) of it all and likely saw how valuable it is in life and death situations very quickly.
My issue is with the dropped calls and poor call quality, but given how few people use the voice based calls they because Signal knows how vital to optimize for low bandwidth things like messages given its prime demographic in places with real reasons to use this app for its intended purpose. Again, totally understandable to me and something that they will eventually get to.
My only problem with signal is they way it announces when a contact gets it. It should be opt in. Many people might not want every contact they've put into their phone over the last decade to know that they got or have signal. It's a nice idea to think that everyone has only contacts they would want to share signal with bit that's not the reality on the ground.
Aside from that, it's really gotten pretty good. I've been running it since the red phone days or what ever that app was called before signal.
That was an awkward moment, and Joe’s reply sounded bad, but what he meant was that he wouldn’t give up creative control of his show for anything. Spotify reportedly just paid him $100M, and one of his conditions for that deal was that they get no say whatsoever, and he said he wouldn’t agree to any deal where he has to answer to someone else. So when he said that Moxie had nothing to offer, it was intended to mean that there is nothing that anyone could offer (which he has emphasized before), not so much that Moxie personally had nothing of value.
Signal has a terrible terrible ux - most people don’t care as much as the HN-er when it comes to security - they want a chat app that just works and is feature rich
I really don't get what people mean when they say this. To me, Signal is pretty indistinguishable from WhatsApp, FB Messenger, even the default SMS app. What about the UX specifically bothers you?
> Signal is pretty indistinguishable from WhatsApp, FB Messenger, even the default SMS app. What about the UX specifically bothers you?
That's part of the problem, all those you listed have poor to terrible UX and are just not great chat clients, Telegram is just better - in terms of speed ( compared to FB Messenger), features such as location sharing("where are you?", "Next to Restaurant XX " or "On the corner of A and B street" sucks, you can just share precise location via Telegram - a friend even sent me the location of a beautiful lake while on vacation because i was going in the area soon after), polls ( great for groups), message editing, search, stickers, gif integration, bots. I've used FB Messenger and Whatsapp extensively and Telegram is absolutely much better than both of them.
What features are Signal missing? I think there's this weird dichotomy where people are complaining about a terrible UX and others not understanding what the issues are (me for one). Only features I've wanted have rolled out in the last few months or are about to roll out (>5 group calling and usernames).
Missing features:
- your friends doesn't use it
- there is no public channels you like
- there is no bots you use every day
- your code have no integration with messenger API
I definitely agree with this. Getting people to use Telegram instead of SMS or other random chat apps can be difficult but getting them to switch to Signal is basically a "not going to happen" until Signal ups their usability. Even people I've gotten to try out Signal all abandoned it. At least with Telegram, they stuck with it and still use it to this day. It'd honestly probably be easier to get Telegram to adopt Signal's protocol than it would be to get users to adopt [current] Signal.
Telegram's protocol itself isn't necessarily a weakness - recently, a paper was published claiming to have proved the MTProto 2.0 protocol correct. Perhaps because of how recent this was, it doesn't seem to have garnered any discussion or review anywhere.
My above post was more of a complaint of the Signal UX rather than a critique of either protocol but thanks for the link! I would be interested to hear whether people still perceive MTProto to have weakness... but that likely won't change with how much people seem to complain about it, seemingly without much/any rationale. Either way I'll probably still be using Telegram since that's where the users are :)
Signal has better encryption; I would not trust anything really confidential to Telegram. but Telegram has a vastly superior user interface and experience. It's one of the few pieces of software I can unreservedly say I love using.
Telegram has way better: UI, search, bots, and all kinds of other juicy quality of life stuff that Signal doesn’t have. It all comes down to what you are using it for though, there’s a sliding scale that goes from the least secure app to “don’t use computers for this at all”, just like with medication, it’s all about juggling symptoms and risk.
Well, I tried to set it up ob my parents iPad and it demanded that they also own a smartphone with the same phonenumber.
They owned feature phones so they've been blocked. Telegram paired just fine and works on any number of devices without linking them together and worrying about connectivity/battery for the main device.
Yes. It uses the phone number as the user identifier, and the non-phone versions assume that you have a phone that you're using as the primary device, and any other devices are secondary. The primary device is mostly because tablets and desktops don't have a phone number to use as an identifier. The battery/connectivity status of that device doesn't matter a whit after the secondary devices are setup.
There is person who put their 5c about Signal in every post about Telegram. Signal have terrible UI. And doesn't provide any additional value since your friends doesn't use it.
You can hide your phone numbers from other Telegram users and still chat with them (this is the default). On Signal, anyone you chat with will have your phone number.
Now that I think of it, my comment was unnecessary.
> your number is only visible to people who you've added to your address book as contacts
Means they already have my number.
There is still a tiny difference. I can pick a username and chat with people who have my phone number (without them knowing it is me). It's a very small difference.
Well not quite, since you might have had their number but they not yours. But if you just talk to someone on Telegram, they are not automatically added to your address book, and thus can't see it by default (as I understand it)
a sim card or a reliable dedicated voip number cost money and leak your identity. it is just a bit harder to trace (one more step involved).
what telegram could do to allow private use and still avoid spam would be selling phone-less accounts for crypto.
And maybe mark these anonymous accounts for other users to make them suspicious of potential scammers.
I use it all the time. I don't do group chats much, but I use it for 1-on-1 communication. It's so much better in my opinion because 1) it satisfies my needs and 2) I trust the provider, based on the reputation that has been developed around Moxie Marlinspike and the fact that all facets of Signal are open source. Telegram is not. Furthermore, Telegram tried to pull a quick 1 billion quasi-raise with their TON bs platform, which was a joke from the very beginning. Seriously, pull up the initial whitepaper for that platform system - total cash grab.
So yeah, @arthurcolle has used Signal, and likes it.
I use Signal for 1:1 messaging and some small groups, but Telegram is much better for large groups and communities. Admin tools, UX, performance, and discoverability are all far better on Telegram. I'm quite happy to use different tools for different purposes, and I'm glad they both exist.
It's crazy to me how few people remember that, prior to its launch, Telegram was endlessly hyping up how it would be the most secure protocol ever, while trash-talking competitors and explicitly refusing to have their hand-rolled crypto examined by security professions... and then it was broken within days of launch by an admitted amateur [0]. I don't understand why this didn't immediately tank their credibility, but here we are.
Please change title so that it reflects that shared location is only for those who explicitly enabled feature to do so and not implicitly that all users location is shared.
"Telegram publishes users' locations online only for those who explicitly enabled feature to do so and not implicitly that all users location is shared" is a bit long for a title.
While you're right, the title is accurate although it comes with bunch of caveats of course, some of them outlined in the article. That's why we read the full article instead of just titles. More caveats are that they are using a smartphone, has GPS location on, are using Telegram, have allowed the app to access the location and finally shared their location in Telegram.
Hmm...So I have Telegram installed via F-Droid (so presumably without Google Play Services). I do NOT have the "People Nearby" feature. I am curious if that means my location is not published?
I can't find the feature at the described location either, but apparently if you go to contacts there is a "find people nearby" button. If I click it it asks me to share the location, which I have disabled. So I guess I'm safe?
It usually takes some time for Telegram to be published on F-Droid, so the newest version on F-Droid is 7.2.1 while the newest one on Android is 7.3.1. It might contain such a menu on the newer version like in that screenshot. Or the button only appears at that place if you have enabled location sharing.
Same, I don't see this feature either on iOS Telegram app.
Edit: I turned enabled location sharing under iOS settings for Telegram app and "Find People Nearby" is now showing as the first list item under the Contacts tab.
It took me a while to find it on iOS, it’s under the contacts tab called “find people near by”. It doesn’t seem to work without location enabled so hopefully that would keep you safe.
To be fair, it doesn't ask for permissions until you click on it, and (on iOS at least) the permission isn't automatically granted. This all looks above board IMHO
People do that so they do not have to type by hand all their friends using the app. Granted, most people probably don’t have a lot of friends using Telegram... but that’s not what Telegram is hoping.
I wouldn't call it helplessly outdated, at most it's a version behind. But there's a number of reasons for this. For starters Telegram themselves lag behind in releasing the source code for the app[1]. Then the volunteers who make the FOSS version[2] have to update their fork and make sure it works. Then finally it's submitted to F-Droid, where it's compiled by their build servers (of which the build process occasionally breaks and needs to be fixed).
I think the assurances that this offers (entirely FOSS, reproducible builds, better privacy and security[3]) outweighs being sometimes days or weeks behind the releases they upload to the Google Play Store.
More systems need to truncate location data. It is relatively "easy" to solve this particular issue by just not returning highly specific data. Instead of saying "896m", return "<1km" or "1km-3km" etc. Can you still abuse the data to some extent? Yes in theory, but it's significantly harder and takes a lot more work to get anything reasonable.
You can also truncate the data you have on users. 2 digits of Decimal_degrees precision is +/- 1KM. If you're doing an Uber-like service, knowing where a user is down to a few feet makes a different (which side of the street). But if you're just concerned with "Hey people nearby you are using this app too" (which is all too common).. Do you really need to know/save/keep where a user is beyond 1 sq km? No, you don't.
Yes, Apple has a coarse data that does something like this, but take it that one step farther. Don't need the info? Don't collect it (your app doesn't need to send it) and don't store it.
Yes, you just have to spoof locations near the boundaries of the quanta. If they are less than 1km then test locations until they are in the 1km-3km group but you will know they are actually 1km away. Repeat between 3 and a dozen times at different angles and you can still determine a location.
Now that my phone supports it, I just installed Wire. I wish their desktop version had more options regarding appearance, for one. Honestly, it would not take much to implement giving us, users the choice to change a couple of things.
I hate it how I cannot make the left bar less wide, for example, and there are a couple of more complains, all of which have been reported a long time ago. They are easy to add/fix!
I also wish the desktop version supported sending audio messages just like the Android version does, similarly to WhatsApp. No need for these fancy audio filters, just let me record and send an audio message from the desktop version!
so i know some people around me who are using telegram and very likely most of them did not change anything about their privacy settings as usual. However, i do not see any of them in the list and it even shows me users some 10km away. When viewing this list on the top it has a button to make yourself visible so i assume if you don't do it voluntarily its not broadcasted at all which appears to be a non issue then, like he was already told.
Yeah its very much opt in so Im not sure what the real issue is apart from being somewhat granular. How granular telegram makes it is the question. From the article the way they asked didn't sound like it was "do you live at 123 something st" but instead are you by, which even if you were a few blocks off someone might say yes.
For all we know Telegram is doing some rounding. Gonna need to test some more to see I guess.
If they don't want to fix this issue (maybe they find it's advantageous to let benign users find each other precisely), some kind of warning when you opt-in like "Warning: By enabling this setting, anyone around the world may be able to determine your location, such as your home address, even if they live in a different region or country." would be nice.
Not sure of the best way to word it, but making it clear that someone in a different continent may be able to see your location and address would at least make the full implications clear. Most users probably assume the risk is limited to people in their city (or a smaller area within it) seeing their location, and also may not necessarily be thinking about the address disclosure (even if that's arguably already obvious to some).
Gay Dating Apps Promise Privacy, But Leak Your Exact Location
Researchers in Kyoto demonstrate for WIRED how they can precisely track the locations of people using Grindr, Hornet, and Jack'd despite features meant to hide them.
- Of course this shouldn't be possible, what is up with Telegram? At last make publishing your precise location optional (within that feature) with a good warning!
This is less of an issue in highly dense urban areas, such as typical east-asian metropolises. If you live in a building with 2000 other people, it becomes less concerning.
It seems like it would be rather easy to create an automated tool for triangulating users locations; by spoofing the GPS location of ones phone say 33 times, it should be very easy to triangulate every single person in the 'nearby' section.
So in the article, the author was able to find the x- and y- coordinates of the other user. What if the target user lives in a high rise building, is there any technique you can get the height of the said user? Makes me wonder how the law enforcement is able to tri-angulate the suspect's exact location.
My somewhat educated guess would be that, firstly, cell tower triangulation includes altitude by necessity of measuring directly the reach of electromagnetic waves, whereas Telegram advertises the subset of users' GPS data that they choose to advertise, which is likely just lat-long. Secondly, law enforcement also likely has the cooperation of the administration of said high-rise building.
You can certainly triangulate in three dimensions, IF the distance displayed is the 3-dimensional distance rather than just the distance between two lat/long locations. You just need to sample an additional point that's not collinear with the first two.
Maybe this would be a little to confusing for users, but perhaps apps that have an option to publish your location should have an option to automatically disable location publishing when you are near home, or even better when you are near any location on a user-specified list of locations.
Signal puts your safety first because of the organization behind it.
Telegram will continue to expose its most sensitive users over novel features while they try to capitalize on use of the Signal protocol. The profit motivation predicted this.
Telegram uses the Signal protocol? How do you propose Telegram give their users the ability to expose their location to other people without exposing their location to them?
How do you propose that users trust in their secure messaging app, when safety is the priority? Nothing stops you from putting your location into Telegram to send it. The issue is code that does it for you.
The code is not an issue. Users shouldn't trust that their messaging app does not share their location when they ordered their messaging app to share their location, that makes no sense.
That completely misses the point that there are users for whom location sharing is a strict no-go. Having the feature exist to pose a risk of accidental enabling or default enabling could result in death.
That is not a reason to cripple the default client. Fortunately, unlike Signal and WhatsApp Telegram is not a walled garden and you can use a different client.
There is no problem with location sharing being enabled by default because location sharing is not enabled by default.
Signal is not a garden at all. It is a secure communication app that doesn't risk failing its primary mission by accident or accidental misuse. It's not trying to be a social network.
Please explain what's the relevant difference between a social network and a communications app in this context. I'm not going to argue about the exact definition of walled garden, I think my point was clear.
Yes, this failure mode is not literally impossible. It also isn't literally impossible that Signal accidentally logs all communications to a central server. And as I said: If you want or need to be that careful, just use a different client.
I've asked family to switch to Telegram because I didn't want Facebook to read my data. What shall I do then? Revert to WhatsApp, which I still have for those who can't be bothered by choosing a different tool?
I used the "people nearby" feature once, and I kept getting random messages from random people 2 months later. I could not figure out how the hell to turn it off.
Telegram has so many anti features and dark patterns that I really wish it was less popular. I honestly use WhatsApp over Telegram because at least I know WhatsApp is insecure while people sometimes act like Telegram is a secure platform.
I didn’t know that the described functionality even exists, and it is off on my phone. TG is one of the apps that implements 0 dark patterns, imo.
By comparison, whatsapp regularily tries to cloud-ize me by making a backup and re-enter my personal data. I just tap “never”, “done” once a month, but it is annoying af when it happens at the incoming call. It also forced users to enter a status (but there was a bug that allowed to enter empty one). And if you have a sim-less device, it is such pita to install it there. No updates will be available, ofc.
The rich irony here is that Telegram, in fact, way less secure than WhatsApp, yet, it's users (wrongly) perceive it to be magically more secure.
The reason why WhatsApp is more secure is simple: it uses e2ee for all chats, and consequently has issues with multudevice usage and chats syncing, while Telegram just stores all chats in its servers, sans so-called "Secure chats". (I'm yet to see one person who is using them to contact me)
I believe why Telegram is considered more secure is the source code for it's clients are open source. Which means it's possible to ascertain what the app is and isn't sending. You're not able to confidently verify that WhatsApp isn't doing more that it claims including verifying it's E2EE implementation.
Not really. It's just marketing push that 'Telegram is the most secure messenger' that somehow does the job, and the unwitting public is happy to accept it as a fact.
As of source code... do you really need a source code if you can login with just your username/password and instantly see all your chats? For anyone who has some remote understanding of the matter it clearly tells that chat history is stored on servers without meaningful encryption and that server owner can access all chat history at will.
My entire company and tg-part of a friend circle uses them when needed. E.g. to discuss issues that contain private/financial details or something personal that is undesirable to leak to "third parties who ruin parties". Otoh, I wouldn't mind if my mile-long chat with IT buddy went entirely public, because we mostly discuss Web-tech, BTC and other sick jokes there.
Personally I'd never bother to start a secret chat with a person that I don't trust enough anyway. Neither do I trust an e2e messenger that my country didn't even bother to "pucker" legally.
>users (wrongly) perceive it to be magically more secure
This is claimed often, but I'm yet to see these users. Do they really believe that, is it just tg opponent's agenda that became popular, or both?
> This is claimed often, but I'm yet to see these users
I often see these users. Most tend to just blindly trust a vendor. Also, I recall a talk at a Secure Messaging Summit 2020 given by Nikolas Unger [1], where he referred to a study about this (mis)perception.
WhatsApp lets you upload your chat history to either icloud or google's cloud offerings. Those backups are accessible to Apple/Google. Many people have enabled it, so if you are in any decently sized group chat you can basically assume it's available to Apple/Google, the people who hack them, and whomever they have data sharing contracts with.
Personally I use Telegram because they don't mind non-official clients like the FOSS builds. Whatsapp on the other hand is known to ban non-official clients. API access isn't available either unless you are a big corporate user, at which point you need a facebook ads account and cooperate with some API reseller... no joke lol.
Like... Facebook can read all your messages? The encryption only protects you from entities that are not Facebook. With that out of the door, it's not really worth it to even consider other angles of attack, since you now depend on the goodwill of a billion dollar company whose sole purpose and reason for existence is to extract and monetize your data. WhatsApp is a nice chat tool, but it's nothing you should ever use for secure communication. Sending a letter via mail is more safe.
that's incorrect. WhatsApp is end to end encrypted using the signal technology as confirmed by moxie.
are you suggesting Facebook tricked the signal team into believing that WhatsApp is using end to end encryption when it isn't?
a source: https://signal.org/blog/there-is-no-whatsapp-backdoor/
Honest question, then: outside of things like ethical concerns about supporting Facebook, and some missing features like enabling a passphrase to open the app, why should anyone use Signal over WhatsApp? Given that WhatsApp has a better UI/UX and that the people you want to talk to are much more likely to have it, and it supports some things that Signal is known for like disappearing messages (though limited to 7 day expiry).
I love Signal and all the work Moxie and his team have put into it and the protocol, so this isn't a diss to them, but just wondering what the disadvantages would be for someone just looking for an E2EE communication app.
One difference I suppose would be that Facebook would have all the message metadata; just not the contents.
If they can, then either Facebook boldly lied about implementing end-to-end encryption[0], or found significant attack against the Signal protocol, which is considered quite safe.
They do have access to the metadata, i.e. whom you messaged and when.
Whatsapp still does E2E encryption. (Same as Signal) Facebook can't read your messages. (There's still the scenario of you getting a special version of the app with that functionality disabled of course) You can also enable notification for changed signatures, which I do see changing as people replace their phones.
Hmm, that's pretty interesting. Especially since even Matrix public channels (not sure if only by default or required but it seems like all public groups are plain text) are unencrypted.
I would really prefer any location sharing feature to be something that ran on top of the communication platform rather than be a feature baked into the app. Create a generic information syncing mechanism for groups and let clients build features like location sharing on top of that. Location sharing seems so niche that bundling it into the client encourages poor opsec/privacy behavior.
As I have heard, Telegram is unencrypted by default. Both WhatsApp and Telegram are poor at making this 100% clear 100% of the time despite privacy being a major purpose of the apps. I'll admit I really haven't used telegram much but WhatsApp encourages backing up chats to cloud storage. WhatsApp also only provides a single alert that a contact's security code has changed. It also doesn't encourage verifying the security code on the initial contact. i.e if someone out of the blue contacts you on WhatsApp the only security is the phone number.
It’s a good first step but not enough. I was scammed a while back on Telegram and wish I had been able to also see the persons real identity to recover my money. Location is not enough to go on.
Perhaps TG should publish an API to allow people to see any users government ID if they are scammed.
This is like choosing to deal with cash and then complaining that you can't do a chargeback.
You didn't learn your lesson. The lesson wasn't that Telegram should require a government ID (then nobody would use it much less the scammer who scammed you). The lesson was that you need to consider the impact of being scammed when you're open to using a channel with no recourse.
Yeah. Where I live people are already getting picked up for being in a WhatsApp group, for sharing something on WhatsApp or even being a WhatsApp group admin. Do you know how they are caught? Their phone number is kyc compliant so its a cake walk.
While I use telegram, I use it to only communicate essential stuff with family. Same for signal and other stuff.
Matrix is interesting as it does not require a phone number...
To think a government ID card would be needed to talk to family....shudders
This is a imperfect solution. There's two possibilities: the offset (aka "random number") is dynamic, or it's fixed. If it's the former all you have to do is sample enough times to get through the noise. If it's the latter, it's not vulnerable to the previous attack, but if you have a known point of reference (so you can deduce what the offset is), then you can still stalk them (forever?). IMO the only way to do is "properly" is to quantize people into map cells, like how apple does it with their coarse location feature[1].
[1] "Apple doesn't reduce the accuracy of location fixes by adding noise. Instead, they've carved up the world into regions, allowing approximate locations to preserve the user's current city when possible." https://radar.io/blog/understanding-approximate-location-in-...