Did Telegram's Founder Lose a Million Dollar Bet Over a Prediction for Signal? (pcmag.com)
While he couldn't even ethically accept the million dollars, PC Magazine's senior security analyst Max Eddy writes that "how this happened in the first place is indicative of some of the information security industry's worst impulses. It doesn't have to be this way."
Back in 2017, Telegram founder Pavel Durov and I had a disagreement... Durov tweeted about how the Signal secure messaging app had received money from the U.S. government. This is true; Signal received funds from the Open Technology Fund (OTF) — a nonprofit that previously was part of the US-backed Radio Free Asia. According to the OTF's website, it gave nearly $3 million to Signal between 2013 and 2016. It's entirely legitimate to be suspicious of government funding (even if Tor, OpenVPN, and WireGuard also received OTF money), and even take a moral stand against recipients of money from governments you disagree with.
But Durov went far beyond that. He seemed to think this meant Signal was bought off by the feds and predicted that a backdoor would be found within five years.
That's quite an accusation to make, especially without real proof, and it made me mad. Not because people were mouthing off on Twitter — that seems to be that platform's primary function. It made me mad that companies ostensibly working to better people's lives by protecting their security and privacy were trying to drag each other down publicly. This is not new; the VPN industry is full of whisper campaigns and counter-accusations. I can't tell you how many conversations I've had with VPN vendors that start with "first off, everything you heard is a lie...." But generally the message from companies in this industry is one of cooperation and protecting everyone. It's a common theme to keynotes at the RSA Conference and Black Hat that the people who work in infosec have a higher calling to protect other people first and do business second.
And then this happened (on Twitter):
Max Eddy: It's one thing to point out funding and another to say that a "backdoor will be found within five years."
Pavel Durov: I am certain of what I'm saying and am willing to bet $1M (1:1) on it.
While Eddy didn't have a million dollars, "I knew there was no way I would lose. This would be the easiest million-dollar bet I ever make." I was confident Durov was wrong because Signal, like many companies, has made an effort toward transparency that I can have some confidence in. Signal has made its code available, has registered as a nonprofit, has a fairly comprehensive privacy policy, and has made abundantly clear that it has no information to provide in response to law enforcement requests. Signal's protocol is also used by competitors, such as WhatsApp and Facebook Messenger, which have surely done their homework when selecting a method for encrypting messages. Most recently, a document revealed that even the FBI has been frustrated in its attempts to get data from Signal (and Telegram, too).
It's been five years, and Eddy now writes that Signal "continues to be recommended by advocacy groups of all kinds as a safe and secure way to communicate..."
"Neither Durov nor Telegram responded to my attempts to contact them for this story."
I think he'll weasel out of paying the bet. (Score:2, Funny)
Yep (Score:1)
(nothing further, Your Honor)
no bodies business but theirs (Score:1)
Re: (Score:1)
It started on Shitter, ergo was public from the start. Why would people not feel like it's their business when it was announced with a bullhorn in.
Even Mango Mussolini was forced to unblock people as a first amendment violation [reuters.com], because it was ruled as being used as an official gov't communication platform.
telegram security (Score:3)
Re: (Score:3)
At least Telegram is an open platform though. Marlinspike does not allow other clients to connect to Signal's servers. Telegram does, which makes it possible to write your own client that uses your own encryption with their network providing the infrastructure.
The only really secure messaging app is Cwtch (https://cwtch.im/). It uses Tor. I guess if you don't trust Tor then it's not anonymous, but even then the end-to-end encryption is solid. You can run your own infrastructure, or use other people's anonym
Re: telegram security (Score:2)
Re: (Score:3)
Does anyone really use Telegram though?
Yes. Spammers and Scammers do not use a platform without users otherwise there would be no one to spam or scam. Telegram is hugely popular in many countries.
Telegram has always been proprietary so I've never seen anybody use it.
I've seen plenty including myself and the girlfriend. While Telegram may be proprietary it is very much so far quite interoperable. They don't charge for their bot APIs for one which means that specific groups like the die-hard Pokemon go fans make extensive use of it as it can allow them to setup bots in their group of friends to organise raids, messag
Re: (Score:2)
Die hard PGo fan here. I've used both TG and Discord for groups and found the bots are more mature on TG than Discord. The only thing Discord has over TG is different rooms in a server. Makes for better organization.
Re: (Score:3)
> Telegram does, which makes it possible to write your own client that uses your own encryption with their network providing the infrastructure.
And then all of your group chats are handed over to the Swiss police when they ask for them.
Telegram *is* the intelligence honeypot - that's why the guy was sowing distrust in Signal. Exactly Lenin's technique.
> The only really secure messaging app is Cwtch (https://cwtch.im/). It uses Tor.
So does Briar.
And Quiet.
And TorMessenger.
And several other ones run by
Re: (Score:2)
Telegram offers end-to-end encryption. They also claim that they store keys in different jurisdictions, but I'm sceptical that will actually help.
Telegram founder bet isn’t slam dunk yet (Score:2)
https://www.cnbc.com/2022/01/1... [cnbc.com]
The lede: Federal investigators say they used encrypted Signal messages to charge Oath Keepers leader
So headers are actionable?
Re:Telegram founder bet isn’t slam dunk yet (Score:5, Informative)
It's not clear how investigators gained access to the messages used in the arrest of the far-right group leader, Stewart Rhodes, and other defendants.
Seems pretty obvious they got somebody's phone. I've never used Signal, but unless it's wiping messages after they're received, presumably there is a conversation log on multiple phones and they only needed one that they could read.
Re: (Score:3)
I have been using Signal for years and one of the features of Signal that I love is that you can create a full backup of all of your conversations.
So, yes, if someone gave up access to their phone, all messages are sitting right there.
They also could have compelled someone to give up their encryption key(s) to their Signal backup(s).
Re: (Score:2)
"complelled"
Re: (Score:2)
You can do this w/ telegram also.
Re: (Score:2)
I've never used Signal, but unless it's wiping messages after they're received, presumably there is a conversation log on multiple phones
Signal does have a "disappearing messages" mode, where messages can be automatically deleted after a set time period. I assume this is a secure deletion and leaves no trivial recoverable trace of the messages.
Re: (Score:3)
> So headers are actionable?
It wasn't only headers, they had whole threads
There are many ways to get signal content, even outside the scope of cryptography:
* One traitor in the group simply shared all the communications
* They failed to exchange keys in person, got MITM'd by their phone company
* One person's phone had a backdoor app installed, or was remotely exploited, allowing someone to watch the screen remotely
* One person in the group failed to choose a good password (Signal doesn't require it) and th
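The second bullet above ("failed to exchange keys in person, got MITM'd") is the one that cryptography alone cannot fix: an unauthenticated key agreement succeeds for both endpoints even when an attacker on the path has substituted their own key, and only an out-of-band comparison of key fingerprints exposes it. The simulation below is an added example and not code from the original post or from Signal. The X25519 function is a straight transcription of the RFC 7748 Montgomery ladder using only the Python standard library; `fingerprint()` is a simplified stand-in for a Signal-style safety number (a hash over both parties' public keys) and is not Signal's actual derivation. All keys are generated at runtime, so there is no captured input.

```python
"""Unauthenticated Diffie-Hellman vs. an out-of-band fingerprint check.

Added illustration. X25519 follows RFC 7748 section 5; the fingerprint
format is a deliberately simplified stand-in, not Signal's safety-number
algorithm.
"""
import hashlib
import secrets

P25519 = 2**255 - 19
A24 = 121665                                   # (486662 - 2) / 4 for curve25519
BASEPOINT = (9).to_bytes(32, "little")         # u = 9, the standard generator


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Little-endian u-coordinate with the top bit masked off."""
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on curve25519 via the Montgomery ladder."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                # constant-time swap in real code
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P25519, (x2 - z2) % P25519
        aa, bb = a * a % P25519, b * b % P25519
        e = (aa - bb) % P25519
        c, d = (x3 + z3) % P25519, (x3 - z3) % P25519
        da, cb = d * a % P25519, c * b % P25519
        x3 = pow(da + cb, 2, P25519)
        z3 = x1 * pow(da - cb, 2, P25519) % P25519
        x2 = aa * bb % P25519
        z2 = e * (aa + A24 * e) % P25519
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P25519 - 2, P25519) % P25519).to_bytes(32, "little")


def keypair():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASEPOINT)


def fingerprint(pub_a: bytes, pub_b: bytes) -> str:
    """Simplified safety-number stand-in: hash both identity keys in canonical
    order so each side derives the same string if, and only if, both hold the
    same pair of keys. Not Signal's real format."""
    digest = hashlib.sha256(b"".join(sorted((pub_a, pub_b)))).hexdigest()
    return " ".join(digest[i:i + 5] for i in range(0, 30, 5))


def honest_exchange():
    """Direct exchange: shared secrets agree and so do the fingerprints."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_shared = x25519(a_priv, b_pub)            # Alice uses the key she received
    b_shared = x25519(b_priv, a_pub)            # Bob uses the key he received
    return a_shared == b_shared, fingerprint(a_pub, b_pub) == fingerprint(a_pub, b_pub)


def mitm_exchange():
    """Mallory swaps in her own key in both directions. Transport still 'works'
    because she can decrypt and re-encrypt, but the two displayed fingerprints
    differ, which an in-person or voice comparison would catch."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    a_sees, b_sees = m_pub, m_pub               # what each victim receives
    relay_ok = (x25519(a_priv, a_sees) == x25519(m_priv, a_pub)
                and x25519(b_priv, b_sees) == x25519(m_priv, b_pub))
    fingerprints_match = fingerprint(a_pub, a_sees) == fingerprint(b_sees, b_pub)
    return relay_ok, fingerprints_match


if __name__ == "__main__":
    print("honest: secrets agree, fingerprints agree ->", honest_exchange())
    print("MITM:   relay works,   fingerprints agree ->", mitm_exchange())
```

The point the code makes is that `mitm_exchange()` returns `(True, False)`: messages flow normally for both victims, so nothing in the protocol itself signals the attack, and the only indicator is the fingerprint mismatch that neither party will notice unless they actually compare it out of band. The `if swap` branch is not constant-time and is fine for a demonstration but not for production key agreement.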
Re: (Score:3)
an airgapped linux machine
An airgapped computer... for a... communications... network. Hmmm. I think I see a problem with your "basic 101" plan.
How to Train your Security Monkey (Score:3)
(Security Salescritter) "first off, everything you heard is a lie...."
(Potential Customer) "fantastic, thanks for confirming why I shouldn't stand in front of you and waste my time...."
Negative sales tactics is how we choose our leaders. Perhaps we learn something from that already.
There was never a bet (Score:5, Informative)
From the article: In fairness to Durov, he did not respond to my offer to set the terms for the bet in 2017.
Durov said he was willing to bet $1M (1:1) on it, but for a bet to happen, both parties need to confirm it. I might be willing to bet on a football match, but simply mentioning my will does not actually confirm my bet (or your implication in such bet). Nonstory; just a reporter seeking attention.
Re: (Score:2)
"No call bets"
Re: (Score:3)
I disagree this is a non-story. If someone is willing to publicly make strong claims backed by a similarly strong wager, but then fails to actually enter into the wager, that person is a braggart full of hot air, who cannot be trusted to put their money where their mouth is. In this case, the braggart is the founder of a company who is criticizing a competitor.
Can you guess what I think of executives who are also braggarts?
Betteridge's law of headlines (Score:4, Insightful)
The answer is no.
Re: (Score:2)
I was waiting for someone to post that in the story asking if social media was bad. Not a peep about it for some reason.
No! (Score:2)
Next question?