this post was submitted on 03 Jul 2024
229 points (87.1% liked)

[–] maxinstuff@lemmy.world 42 points 2 days ago (2 children)

The count of engineers means absolutely nothing.

[–] fmstrat@lemmy.nowsci.com 12 points 2 days ago* (last edited 2 days ago)

This journalist writes with the same amount of confidence as ChatGPT.

[–] frezik@midwest.social 85 points 3 days ago (1 children)

Headline is terrible. The big red flags are that they don't do end-to-end encryption by default, the servers are in Dubai, and use a proprietary algorithm.

Last part should be clarified further. They didn't reinvent AES or anything. It's more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.

https://core.telegram.org/mtproto

I'd still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It's not as bad as reinventing AES, though.

[–] awesome_lowlander@lemmy.dbzer0.com 15 points 3 days ago (1 children)

> Headline is terrible

They do explain though that given how below average their headcount is, it means they're likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.

[–] mostlikelyaperson@lemmy.world 8 points 2 days ago

They seem to have 0 clue what they are “explaining” though. I don’t know if those engineers are overworked or how (in)competent they are, I don’t even use Telegram. But they apparently do have other non-engineering people on staff and content moderation and dealing with legal issues aren’t the job of an engineering team.

[–] dandi8@fedia.io 195 points 4 days ago* (last edited 4 days ago) (20 children)

There are good reasons to dislike Telegram, but having "just" 30 engineers is not one of them. Software development is not a chair factory, more people does not equal more or better quality work as much as 9 women won't give birth to a baby in a month.

Edit:

> Galperin told TechCrunch. “‘Thirty engineers’ means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues.”

I don't think fighting legal requests and content moderation is an engineer's job. However, the article can't seem to get it straight whether it's 30 engineers, or 30 staff overall. In the latter case, the context changes dramatically and I don't have the knowledge to tell if 30 staff is enough to deal with legal issues. I would imagine that Telegram would need a small army of lawyers and content moderators for that. Again, not engineers, though.

[–] pooberbee@lemmy.ml 34 points 3 days ago

And lawyers are pretty likely not staff at all.

[–] vxx@lemmy.world 2 points 2 days ago (1 children)

I checked, Telegram has 1342 employees.

[–] dandi8@fedia.io 2 points 2 days ago

Interesting! Out of curiosity, what is the source? Is there a breakdown per role?

[–] Rinox@feddit.it 10 points 3 days ago

I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.

[–] Manmoth@lemmy.ml 57 points 3 days ago (3 children)

Someone needs to make a browser extension that hides any article with "experts say" in the title

[–] remotelove@lemmy.ca 53 points 3 days ago (1 children)

Experts say that is not possible.

[–] stoy@lemmy.zip 8 points 3 days ago

Experts say that hurt their feelings

[–] darklamer@lemmy.dbzer0.com 10 points 2 days ago

> Someone

We have now selected you to be that person.

[–] Ghostalmedia@lemmy.world 87 points 4 days ago (6 children)

To be fair, in a large company, there are usually only about 30 people who are actually good and know what is going on, and hundreds of others who are checking in trash.

[–] maxinstuff@lemmy.world 8 points 2 days ago

There’s an aphorism, “give me 10 engineers and I’ll build it in a year, give me a hundred engineers and I can get that down to just five years.”

[–] flamingo_pinyata@sopuli.xyz 50 points 4 days ago (2 children)

It's not even about the quality of individual people. The organizational structure of large companies encourages pointless work.

Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don't propagate, and even if someone has an idea it's quickly shut down.

The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.

Sorry for the rant, I currently work in a company like this.

[–] flames5123@lemmy.world 3 points 2 days ago (1 children)

Maybe I’m just lucky in where I am in a FAANG company, because I’ve only been offered mobility in my job, even directly after a promotion! We encourage work across the organization, but we have like 500 devs in this org.

[–] flamingo_pinyata@sopuli.xyz 2 points 2 days ago

That's the correct way to do it.

The wrong way to do it is: moving to another team requires you to go through the full hiring process. Any lateral movement, for example backend engineer -> frontend engineer is treated as if you're a junior starting a completely new career.

[–] Ghostalmedia@lemmy.world 24 points 3 days ago* (last edited 3 days ago)

Yeah. The most secure companies I’ve worked at actually only had a small group, of very competent people, who were paid well, treated with respect, and not presented with a lot of organizational or infrastructural red tape.

I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.

If someone tells you more head count = security, I would not consider them an expert.

[–] corsicanguppy@lemmy.ca 56 points 3 days ago (1 children)

The security software I maintained had one engineer.

Your move, sec nerds.

[–] RagingRobot@lemmy.world 23 points 3 days ago (1 children)
[–] Scolding7300@lemmy.world 12 points 3 days ago (1 children)
[–] vxx@lemmy.world 2 points 2 days ago

Sorry, our expert died in a car crash.

[–] nao@sh.itjust.works 16 points 4 days ago

talking to carlson is a red flag

[–] Imgonnatrythis@sh.itjust.works 13 points 4 days ago

Engineer to lawyer ratio is the best indicator of how worried to be. What's the denominator for Telegram?

[–] ForgottenFlux@lemmy.world 15 points 4 days ago (1 children)

Summary:

  • Telegram founder Pavel Durov claimed in an interview that the company only employs "about 30 engineers."
  • Security experts say this is a major red flag for Telegram's cybersecurity, as it suggests the company lacks the resources to effectively secure its platform and fight off hackers.
  • Telegram's chats are not end-to-end encrypted by default, unlike more secure messaging apps like Signal or WhatsApp. Users have to manually enable the "Secret Chat" feature to get end-to-end encryption.
  • Telegram also uses its own proprietary encryption algorithm, which has raised concerns about its security.
  • As a social media platform with nearly 1 billion users, Telegram is an attractive target for both criminal and government hackers, but it seems to have very limited staff dedicated to cybersecurity.
  • Security experts have long warned that Telegram should not be considered a truly secure messaging app, and Durov's recent statement may indicate that the situation is worse than previously thought.
[–] henfredemars@infosec.pub 31 points 4 days ago (6 children)

> proprietary encryption algorithm

Oh God why would you do this.

[–] mozz@mbin.grits.dev 27 points 4 days ago (1 children)

The quote leaves out the best part.

> people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother

[–] eager_eagle@lemmy.world 13 points 4 days ago (3 children)

> “Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)

good job Remi, that was the main concern lmao

[–] MMNT@lemmy.world 12 points 4 days ago (2 children)
[–] BearOfaTime@lemm.ee 12 points 4 days ago (6 children)

Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.

Then there's the seamless switching between devices...which it doesn't do.

[–] sit_up_straight@lemmy.blahaj.zone 9 points 3 days ago (4 children)

telegram isn't e2e encrypted by default?! that seems like the major concern here.

i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence

[–] XioR112@lemmy.ml 19 points 3 days ago (1 children)

Yes, e2e encryption in Telegram only works in secret chats.

[–] EngineerGaming@feddit.nl 5 points 3 days ago

And only on mobile.
