henfredemars@infosec.pub
on 03 Jul 2024 18:16
collapse
proprietary encryption algorithm
Oh God why would you do this.
mozz@mbin.grits.dev
on 03 Jul 2024 18:45
nextcollapse
The quote leaves out the best part.
people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother
knightly@pawb.social
on 03 Jul 2024 19:26
nextcollapse
So they can implement their own backdoor
catastrophicblues@lemmy.ca
on 03 Jul 2024 20:41
collapse
To be fair: someone somewhere has to make algorithms that we use. I honestly don’t know if Telegram’s encryption is strong or how strong based on their white paper, but I’m interested in an unbiased evaluation.
henfredemars@infosec.pub
on 04 Jul 2024 00:22
collapse
Developers should not design encryption algorithms. They should instead implement algorithms that were designed by a mathematician.
henfredemars@infosec.pub
on 04 Jul 2024 22:00
collapse
Interesting! Did not know that. It’s possible he may be qualified, so I’m still skeptical of closed crypto systems.
eager_eagle@lemmy.world
on 03 Jul 2024 17:44
nextcollapse
“Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)
good job Remi, that was the main concern lmao
MMNT@lemmy.world
on 03 Jul 2024 18:22
nextcollapse
Just use signal ffs.
eager_eagle@lemmy.world
on 03 Jul 2024 18:44
nextcollapse
don’t have to tell me that, I even donate to signal
Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.
Then there’s the seamless switching between devices…which it doesn’t do.
TheGrandNagus@lemmy.world
on 03 Jul 2024 19:21
nextcollapse
I’m a signal donor and while I disagree with your point regarding UI (have you used in the past couple of years? It’s went from feeling dated to feeling pretty modern), I agree with the rest.
Even worse, though, is that the EU offered them the opportunity to become relevant on a silver platter, by forcing WhatsApp to open up their app and be cross-platform with others who want to. Signal said no thanks.
I get it, WhatsApp stores metadata, and Signal doesn’t like that. But they were fine with (way way worse) SMS for a while? The day Signal chose that path was the day Signal willingly chose to be irrelevant for the vast vast vast majority of people.
I love this app but the way the project is managed baffles me sometimes.
pandapoo@sh.itjust.works
on 03 Jul 2024 20:46
collapse
… agreeing to be directly compatible with Whatsapp would mean they agree to surrender the privacy for every single instance of Signal-WhatsApp communication.
If the whole reason for your foundations existence is privacy, it seems that it would be an existential danger to create a partnership with the implicit understanding that it will destroy privacy.
TheGrandNagus@lemmy.world
on 03 Jul 2024 22:00
collapse
Some level of privacy, yes. Solely in WhatsApp-signal chats. And users can be notified of that, like they were with SMS.
But you know what the alternative is? Nobody using signal. And that’s objectively worse.
Cross-compatibility with WhatsApp would mean way more people on signal, and way more people willing to try, meaning more signal-signal chats. Meta would scrape metadata like when two accounts send messages and the like, but the contents of the chats would of course still be E2EE.
Signal-SMS is FAR less private, but they were fine with that for years, and people are still angry about it being removed.
Cross-compatibility removes the biggest hurdle for Signal - the chicken and egg problem of nobody using signal because they can’t talk to anyone. It would act as a Trojan horse for pushing signal-signal communication.
pandapoo@sh.itjust.works
on 03 Jul 2024 23:51
collapse
Those choices don’t occur in a vacuum.
What do you think happens to the nonprofit foundation built entirely around a fanatical devotion to privacy, if they partnered with Facebook. Not just partnered with, but in doing so, weakened the overall privacy of their platform.
Putting aside adoption rates, how does that impact their organizational sustainment and viability e.g. their ability to draw in donations, retain talent, or stay independent?
TheGrandNagus@lemmy.world
on 04 Jul 2024 04:38
collapse
That all gets better due to having far more users. You can’t just say “let’s ignore adoption rate” - that’s a pretty huge deal. It’s by far and away the main thing that holds them back.
And again, they were fine with SMS, which is far far worse.
Hellmo_Luciferrari@lemm.ee
on 03 Jul 2024 20:13
collapse
Using SMS through signal defeats the purpose of signal…
The UI is fine, what more do you expect out of it? It has a list of chats, a menu button with menu options, like it’s a messaging app not a social media platform akin to discord or telegram.
corsicanguppy@lemmy.ca
on 03 Jul 2024 21:59
collapse
The uae is a huge concern. Their terms demand they get to see your code. When the vPBX company I worked for tried to get into the uae, it was a 10mil boondoggle that ended up ruining them.
eager_eagle@lemmy.world
on 03 Jul 2024 22:04
collapse
so it’s a concern for the company, not the users, you’re saying?
Ghostalmedia@lemmy.world
on 03 Jul 2024 18:14
nextcollapse
To be fair, in a large company, there is usually only about 30 people who are actually good and know what is going on, and hundred of others who are checking in trash.
flamingo_pinyata@sopuli.xyz
on 03 Jul 2024 18:30
nextcollapse
It’s not even about the quality of individual people. The organizational structure of large companies encourages pointless work.
Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don’t propagate, and even if someone has an idea it’s quickly shut down.
The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.
Sorry for the rant, I currently work in a company like this.
Ghostalmedia@lemmy.world
on 03 Jul 2024 20:33
nextcollapse
Yeah. The most secure companies I’ve worked at actually only had a small group, of very competent people, who were paid well, treated with respect, and not presented with a lot of organizational or infrastructural red tape.
I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.
If someone tells you more head count = security, I would not consider them an expert.
flames5123@lemmy.world
on 05 Jul 2024 06:11
collapse
Maybe I’m just lucky in where I am in a FAANG company, because I’ve only been offered mobility in my job, even directly after a promotion! We encourage work across the organization, but we have like 500 devs in this org.
flamingo_pinyata@sopuli.xyz
on 05 Jul 2024 08:19
collapse
That’s the correct way to do it.
The wrong way to to do it is: moving to another team requires you to go through the full hiring process.
Any lateral movement, for example backend engineer -> fronted engineer is treated as if you’re a junior starting a completely new career.
snooggums@midwest.social
on 03 Jul 2024 18:56
nextcollapse
Even if every employee was equally competent, decision making needs to be consolidated enough that it can be decisive and shared throughout large companies. Complex systems that need to change rapidly gain no benefit from having too many people wanting to make decisions, you only need most of them to be competent enough to complete the work based on the decisions of a small group or the work will end up getting too convoluted and unmaintainable.
There really isn’t a benefit to have everyone understand all of the parts of a large and complex system, if they only have time to work on a portion or to facilitate decisions that take into account the knowledge of the people in the different parts.
Magister@lemmy.world
on 03 Jul 2024 19:17
nextcollapse
30? Sometimes very less, 2 or 3. It’s incredible that some piece of software used by milions/billions of people, have been written and sometimes maintained by 2 or 3 guys.
avidamoeba@lemmy.ca
on 03 Jul 2024 20:51
nextcollapse
I see this parroted now and then. Often the people I’ve heard it from are the type of folks who would drastically underestimate the complexity and effort needed to make things. I’ve also seen and worked on codebases made by such folks and usually it ain’t pretty, or maintainable, or extensible, or secure, or [insert fav cut corners here].
maxinstuff@lemmy.world
on 05 Jul 2024 03:07
collapse
There’s an aphorism, “give me 10 engineers and I’ll build it in a year, give me a hundred engineers and I can get that down to just five years.”
helenslunch@feddit.nl
on 03 Jul 2024 18:25
nextcollapse
Add it to the pile of reasons not to use Telegram.
knightly@pawb.social
on 03 Jul 2024 18:27
nextcollapse
I’m still waiting for the furries to switch to Matrix.
romp_2_door@lemmy.world
on 03 Jul 2024 18:44
nextcollapse
that wasn’t a very good movie, specially matrix 5
southsamurai@sh.itjust.works
on 04 Jul 2024 00:30
nextcollapse
Furries are the ones that have escaped the matrix via their fursona
There are good reasons to dislike Telegram, but having "just" 30 engineers is not one of them. Software development is not a chair factory, more people does not equal more or better quality work as much as 9 women won't give birth to a baby in a month.
Edit:
Galperin told TechCrunch. “‘Thirty engineers’ means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues.”
I don't think fighting legal requests and content moderation is an engineer's job. However, the article can't seem to get it straight whether it's 30 engineers, or 30 staff overall. In the latter case, the context changes dramatically and I don't have the knowledge to tell if 30 staff is enough to deal with legal issues. I would imagine that Telegram would need a small army of lawyers and content moderators for that. Again, not engineers, though.
pooberbee@lemmy.ml
on 03 Jul 2024 23:28
nextcollapse
I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.
Badeendje@lemmy.world
on 04 Jul 2024 11:07
nextcollapse
30 engineers. You lose half that to people managing the infrastructure alone. That leaves 15 code monkeys. Of 2 are dedicated to deployment and 3 to setting up unit tests (that’s not many btw) you are left with 10 people. If say for a global platform that’s not many at all.
ilega_dh@feddit.nl
on 04 Jul 2024 16:20
nextcollapse
15 engineers for managing infrastructure?? Are they setting up servers by hand?
Badeendje@lemmy.world
on 04 Jul 2024 16:49
collapse
I would not want you as my boss, that’s for sure.
Try covering a 24/7 global service window. I’d think this is on the low end.
And you als need full infra stack knowledge: Server, database, Network, connectivity.
And probably some of these schmucks will get stuck managing the corporate environment too.
If you have separate developers for writing unit tests, and not every developer writing them as they code, something is already very wrong in your project.
Deployment and infra should also mostly be setup and forget, by which I mean general devops, like setting up CI and infrastructure-as-code. Using modern practices, which lean towards continuous deployment, releasing a feature should just be a matter of toggling a feature flag. Any dev can do this.
Finally, if your developers are 'code monkeys', you're not ready for a project of this scale.
Badeendje@lemmy.world
on 04 Jul 2024 21:11
collapse
Infra setup and forget… this is a large system with plenty of stuff that cyclicly needs to be deployed updated and such. Even with automation the sheer volume and tech in use requires bredth of knowledge. Sure you could do it with less I guess. But with changes on supplier side etc it’s still much work.
And for tests, sure you do it as you go along, but usually it helps to have people going over this and making sure it all stays functional, meets standards and fix things.
I have never, in my decade as a software dev, seen a role dedicated to "making sure unit tests stay functional, meet standards and fixing them". That is the developer's job, and the job of the code review.
The tests must be up to standards and functional before the functionality they're testing gets merged into main. Otherwise, yes, you may actually need hundreds of engineers just to keep your application somewhat functional.
Finally, 30 engineers can be a vast breadth of knowledge.
Badeendje@lemmy.world
on 05 Jul 2024 07:00
collapse
So cool that you got to work with teams of devs that where able to do that. Was it for software used in a OT environment? Cause stuff like telegram seems a lot more like that imho.
And the bredth… 30 people can cover it all, yes. Doing that in a 24/7 global environment means 3 of several competences, in shifts, covering timezones. It’s not as if you can just click out at 5 and come back tomorrow.
I have no idea why you're even bringing up OT. We're not talking about PLCs or scientific equipment here, we're talking about glorified web apps.
Web apps that need to be secure and highly available, for sure, but web apps all the same. It's mainly just a messenger app, after all.
So cool that you got to work with teams of devs that where able to do that.
Just because, as I assume from this quote, you weren't able to work with teams like that, does not mean that there are no teams like that, or that Telegram doesn't operate that way. Following modern practices, complex projects can be successfully done by relatively small teams. Yes, a lot of projects are not run that way, but that just means that it's all the more a valid point of pride for Telegram.
Badeendje@lemmy.world
on 05 Jul 2024 09:22
collapse
A point of pride sure, also a risk. Responding to incidents requires coverage. And the OT comparison was just more on the uptime requirements and redundancies than anything else.
It's no more a risk than throwing more developers at it when they're not needed.
“Too many devs“ can, and often is, a significant bottleneck in and of itself. The codebase may simply not be big enough to fit more.
Besides, I still don't see what all those additional engineers would actually be doing. "Responding to incidents" presupposes a large number of incidents. In other words, the assumption is that the application will be buggy, or insecure enough, that 30 engineers will not be enough to apply the duct tape. I stand by the claim that an application adhering to modern standards and practices will not have as many bugs or security breaches, and therefore 30 engineers sounds like a completely reasonable amount.
Badeendje@lemmy.world
on 05 Jul 2024 11:49
collapse
Fair enough, we can disagree there. It’s impressive telegram pulls it off. I’d be worried for burning out people and losing them to that. And there is a lot between working flawless and buggy mess. Fixing issues in the operational system usually takes time.
Maintenance vs new functionality. Infra vs application. A lot to spread out across.
awesome_lowlander@lemmy.dbzer0.com
on 04 Jul 2024 11:23
nextcollapse
30 engineers is startup-sized. 30 engineers to deal with the needs of a sensitive software being used by millions worldwide, and is a huge target for cyberattacks? That’s way below the threshold needed.
This sounds like the devs are personally, sword and shield in hand, defending the application from attacks, instead of just writing software which adheres to modern security practices, listening to the Security Officer and occasionally doing an audit.
awesome_lowlander@lemmy.dbzer0.com
on 04 Jul 2024 23:48
collapse
They’re not just writing the software, they’re responsible for the infrastructure it’s running on. And keeping that running and secure IS a full time job.
Right now, you sound exactly like one of those C level execs who looks at IT and asks “We haven’t had an issue in years, what do we need to pay them for?”
Even if you have a full-time role for continuously auditing the infrastructure (which I would say is the responsibility of either a security officer or a devops engineer), you still didn't show how that needs a 15-person team, and an otherwise-untouched infrastructure should just keep on working (barring sabotage), unless someone really messed something up.
If CI builds or deployments keep randomly failing at your place, that's not an inescapable reality, that's just a symptom of bad software development practices.
Interesting! Out of curiosity, what is the source? Is there a breakdown per role?
Imgonnatrythis@sh.itjust.works
on 03 Jul 2024 19:55
nextcollapse
Engineer to lawyer ratio is the best indicator of how worried to be. What’s the demoninator for telegram?
rob200@lemmy.cafe
on 03 Jul 2024 20:58
nextcollapse
There was a post about this on lemmy awhile ago, I’m not sure which specific community it was i’m subscribed to a few tech related ones, but it was atleast a week or 2 or more ago about this same story.
I do agree that there should be more workers than 30 on one of the most known encrypted messaging apps.
corsicanguppy@lemmy.ca
on 03 Jul 2024 21:15
nextcollapse
The security software I maintained had one engineer.
Your move, sec nerds.
RagingRobot@lemmy.world
on 04 Jul 2024 03:39
collapse
That’s a red flag!
Scolding7300@lemmy.world
on 04 Jul 2024 06:48
collapse
sit_up_straight@lemmy.blahaj.zone
on 03 Jul 2024 22:45
nextcollapse
telegram isn’t e2e encrypted by default?! that seems like the major concern here.
i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence
XioR112@lemmy.ml
on 03 Jul 2024 22:53
nextcollapse
Yes, e2e encryption in Telegram only works in secret chats.
EngineerGaming@feddit.nl
on 04 Jul 2024 07:33
collapse
And only on mobile.
cy_narrator@discuss.tchncs.de
on 04 Jul 2024 03:41
nextcollapse
What if its not e2e encrypted if they dont care. I know a bunch of chatrooms where you can watch paid movies that was released recently for free and Telegram dont care
Telegram is basically creating its own “internet”, albeit much less secure and private, but it’s undoubtedly is really useful for finding dev communities (OSS), support, especially for gray areas like library gensis, z-book, a bit like what aaron shwarz envisioned, the only issue is tying everything to your trust in its leadership not to misuss data, which is kinda laughable
accideath@lemmy.world
on 04 Jul 2024 04:57
collapse
The regular chats are encrypted though, just with an (encrypted) server in the middle. Telegram also claims in their FAQ, that no one singular person has the power to decrypt and the keys are stored such that no singular government could force them to give up any data.
How far that is true is a different question though.
Manmoth@lemmy.ml
on 04 Jul 2024 03:28
nextcollapse
Someone needs to make a browser extension that hides any article with “experts say” in the title
remotelove@lemmy.ca
on 04 Jul 2024 05:09
nextcollapse
arvere@lemmy.world
on 04 Jul 2024 08:11
nextcollapse
you can make a custom filter with ublock. I’m not seeing anything with the words trump, biden, us, texas, etc, including us politics related acronyms I have no idea about and that kept popping up 😅
darklamer@lemmy.dbzer0.com
on 05 Jul 2024 01:25
collapse
Someone
We have now selected you to be that person.
broken_chatbot@lemmy.world
on 04 Jul 2024 09:11
nextcollapse
After a long-running blogpost holywar between Telegram and Signal, I perceive these “security experts” as Signal/Telegram shills depending on their stance
ruse8145@lemmy.sdf.org
on 05 Jul 2024 20:50
collapse
There’s never ever ever been a question of which project is more secure, just whether moxie would be able to extract his head from his ass (he did🎆).
frezik@midwest.social
on 04 Jul 2024 09:53
nextcollapse
Headline is terrible. The big red flags are that they don’t do end-to-end encryption by default, the servers are in Dubai, and use a proprietary algorithm.
Last part should be clarified further. They didn’t reinvent AES or anything. It’s more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.
I’d still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It’s not as bad as reinventing AES, though.
awesome_lowlander@lemmy.dbzer0.com
on 04 Jul 2024 11:20
collapse
Headline is terrible
They do explain though that given how below average their headcount is, it means they’re likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.
mostlikelyaperson@lemmy.world
on 05 Jul 2024 09:05
collapse
They seem to have 0 clue what they are “explaining “ though. I don’t know if those engineers are overworked or how (in)competent they are, I don’t even use telegram. But they apparently do have other non-engineering people on staff and content moderation and dealing with legal issues aren’t the job of an engineering team.
maxinstuff@lemmy.world
on 05 Jul 2024 03:01
nextcollapse
threaded - newest
.
Oh God why would you do this.
The quote leaves out the best part.
Durov’s brother = FSB?
So they can implement their own backdoor
To be fair: someone somewhere has to make algorithms that we use. I honestly don’t know if Telegram’s encryption is strong or how strong based on their white paper, but I’m interested in an unbiased evaluation.
Developers should not design encryption algorithms. They should instead implement algorithms that were designed by a mathematician.
agree with the notion that any homebrew business is questionable but he is a mathematician
en.wikipedia.org/wiki/Nikolai_Durov
Interesting! Did not know that. It’s possible he may be qualified, so I’m still skeptical of closed crypto systems.
good job Remi, that was the main concern lmao
Just use signal ffs.
don’t have to tell me that, I even donate to signal
Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.
Then there’s the seamless switching between devices…which it doesn’t do.
I’m a signal donor and while I disagree with your point regarding UI (have you used in the past couple of years? It’s went from feeling dated to feeling pretty modern), I agree with the rest.
Even worse, though, is that the EU offered them the opportunity to become relevant on a silver platter, by forcing WhatsApp to open up their app and be cross-platform with others who want to. Signal said no thanks.
I get it, WhatsApp stores metadata, and Signal doesn’t like that. But they were fine with (way way worse) SMS for a while? The day Signal chose that path was the day Signal willingly chose to be irrelevant for the vast vast vast majority of people.
I love this app but the way the project is managed baffles me sometimes.
… agreeing to be directly compatible with Whatsapp would mean they agree to surrender the privacy for every single instance of Signal-WhatsApp communication.
If the whole reason for your foundations existence is privacy, it seems that it would be an existential danger to create a partnership with the implicit understanding that it will destroy privacy.
Some level of privacy, yes. Solely in WhatsApp-signal chats. And users can be notified of that, like they were with SMS.
But you know what the alternative is? Nobody using signal. And that’s objectively worse.
Cross-compatibility with WhatsApp would mean way more people on signal, and way more people willing to try, meaning more signal-signal chats. Meta would scrape metadata like when two accounts send messages and the like, but the contents of the chats would of course still be E2EE.
Signal-SMS is FAR less private, but they were fine with that for years, and people are still angry about it being removed.
Cross-compatibility removes the biggest hurdle for Signal - the chicken and egg problem of nobody using signal because they can’t talk to anyone. It would act as a Trojan horse for pushing signal-signal communication.
Those choices don’t occur in a vacuum.
What do you think happens to the nonprofit foundation built entirely around a fanatical devotion to privacy, if they partnered with Facebook. Not just partnered with, but in doing so, weakened the overall privacy of their platform.
Putting aside adoption rates, how does that impact their organizational sustainment and viability e.g. their ability to draw in donations, retain talent, or stay independent?
That all gets better due to having far more users. You can’t just say “let’s ignore adoption rate” - that’s a pretty huge deal. It’s by far and away the main thing that holds them back.
And again, they were fine with SMS, which is far far worse.
Using SMS through signal defeats the purpose of signal…
The UI is fine, what more do you expect out of it? It has a list of chats, a menu button with menu options, like it’s a messaging app not a social media platform akin to discord or telegram.
The uae is a huge concern. Their terms demand they get to see your code. When the vPBX company I worked for tried to get into the uae, it was a 10mil boondoggle that ended up ruining them.
so it’s a concern for the company, not the users, you’re saying?
To be fair, in a large company, there is usually only about 30 people who are actually good and know what is going on, and hundred of others who are checking in trash.
It’s not even about the quality of individual people. The organizational structure of large companies encourages pointless work.
Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don’t propagate, and even if someone has an idea it’s quickly shut down.
The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.
Sorry for the rant, I currently work in a company like this.
Yeah. The most secure companies I’ve worked at actually only had a small group, of very competent people, who were paid well, treated with respect, and not presented with a lot of organizational or infrastructural red tape.
I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.
If someone tells you more head count = security, I would not consider them an expert.
Maybe I’m just lucky in where I am in a FAANG company, because I’ve only been offered mobility in my job, even directly after a promotion! We encourage work across the organization, but we have like 500 devs in this org.
That’s the correct way to do it.
The wrong way to to do it is: moving to another team requires you to go through the full hiring process. Any lateral movement, for example backend engineer -> fronted engineer is treated as if you’re a junior starting a completely new career.
Even if every employee was equally competent, decision making needs to be consolidated enough that it can be decisive and shared throughout large companies. Complex systems that need to change rapidly gain no benefit from having too many people wanting to make decisions, you only need most of them to be competent enough to complete the work based on the decisions of a small group or the work will end up getting too convoluted and unmaintainable.
There really isn’t a benefit to have everyone understand all of the parts of a large and complex system, if they only have time to work on a portion or to facilitate decisions that take into account the knowledge of the people in the different parts.
30? Sometimes very less, 2 or 3. It’s incredible that some piece of software used by milions/billions of people, have been written and sometimes maintained by 2 or 3 guys.
xkcd.com/2347/
I see this parroted now and then. Often the people I’ve heard it from are the type of folks who would drastically underestimate the complexity and effort needed to make things. I’ve also seen and worked on codebases made by such folks and usually it ain’t pretty, or maintainable, or extensible, or secure, or [insert fav cut corners here].
There’s an aphorism, “give me 10 engineers and I’ll build it in a year, give me a hundred engineers and I can get that down to just five years.”
Add it to the pile of reasons not to use Telegram.
I’m still waiting for the furries to switch to Matrix.
that wasn’t a very good movie, specially matrix 5
Furries are the ones that have escaped the matrix via their fursona
As a furry, real
talking to carlson is a red flag
There are good reasons to dislike Telegram, but having "just" 30 engineers is not one of them. Software development is not a chair factory, more people does not equal more or better quality work as much as 9 women won't give birth to a baby in a month.
Edit:
I don't think fighting legal requests and content moderation is an engineer's job. However, the article can't seem to get it straight whether it's 30 engineers, or 30 staff overall. In the latter case, the context changes dramatically and I don't have the knowledge to tell if 30 staff is enough to deal with legal issues. I would imagine that Telegram would need a small army of lawyers and content moderators for that. Again, not engineers, though.
And lawyers are pretty likely not staff at all.
I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.
30 engineers. You lose half that to people managing the infrastructure alone. That leaves 15 code monkeys. Of 2 are dedicated to deployment and 3 to setting up unit tests (that’s not many btw) you are left with 10 people. If say for a global platform that’s not many at all.
15 engineers for managing infrastructure?? Are they setting up servers by hand?
I would not want you as my boss, that’s for sure.
Try covering a 24/7 global service window. I’d think this is on the low end.
And you als need full infra stack knowledge: Server, database, Network, connectivity.
And probably some of these schmucks will get stuck managing the corporate environment too.
This comment smells of outdated software development practices.
If you have separate developers for writing unit tests, and not every developer writing them as they code, something is already very wrong in your project.
Deployment and infra should also mostly be setup and forget, by which I mean general devops, like setting up CI and infrastructure-as-code. Using modern practices, which lean towards continuous deployment, releasing a feature should just be a matter of toggling a feature flag. Any dev can do this.
Finally, if your developers are 'code monkeys', you're not ready for a project of this scale.
Infra setup and forget… this is a large system with plenty of stuff that cyclicly needs to be deployed updated and such. Even with automation the sheer volume and tech in use requires bredth of knowledge. Sure you could do it with less I guess. But with changes on supplier side etc it’s still much work.
And for tests, sure you do it as you go along, but usually it helps to have people going over this and making sure it all stays functional, meets standards and fix things.
I have never, in my decade as a software dev, seen a role dedicated to "making sure unit tests stay functional, meet standards and fixing them". That is the developer's job, and the job of the code review.
The tests must be up to standards and functional before the functionality they're testing gets merged into main. Otherwise, yes, you may actually need hundreds of engineers just to keep your application somewhat functional.
Finally, 30 engineers can be a vast breadth of knowledge.
So cool that you got to work with teams of devs that where able to do that. Was it for software used in a OT environment? Cause stuff like telegram seems a lot more like that imho.
And the bredth… 30 people can cover it all, yes. Doing that in a 24/7 global environment means 3 of several competences, in shifts, covering timezones. It’s not as if you can just click out at 5 and come back tomorrow.
I have no idea why you're even bringing up OT. We're not talking about PLCs or scientific equipment here, we're talking about glorified web apps.
Web apps that need to be secure and highly available, for sure, but web apps all the same. It's mainly just a messenger app, after all.
Just because, as I assume from this quote, you weren't able to work with teams like that, does not mean that there are no teams like that, or that Telegram doesn't operate that way. Following modern practices, complex projects can be successfully done by relatively small teams. Yes, a lot of projects are not run that way, but that just means that it's all the more a valid point of pride for Telegram.
A point of pride sure, also a risk. Responding to incidents requires coverage. And the OT comparison was just more on the uptime requirements and redundancies than anything else.
It's no more a risk than throwing more developers at it when they're not needed.
“Too many devs“ can, and often is, a significant bottleneck in and of itself. The codebase may simply not be big enough to fit more.
Besides, I still don't see what all those additional engineers would actually be doing. "Responding to incidents" presupposes a large number of incidents. In other words, the assumption is that the application will be buggy, or insecure enough, that 30 engineers will not be enough to apply the duct tape. I stand by the claim that an application adhering to modern standards and practices will not have as many bugs or security breaches, and therefore 30 engineers sounds like a completely reasonable amount.
Fair enough, we can disagree there. It’s impressive telegram pulls it off. I’d be worried for burning out people and losing them to that. And there is a lot between working flawless and buggy mess. Fixing issues in the operational system usually takes time.
Maintenance vs new functionality. Infra vs application. A lot to spread out across.
30 engineers is startup-sized. 30 engineers to deal with the needs of a sensitive software being used by millions worldwide, and is a huge target for cyberattacks? That’s way below the threshold needed.
This sounds like the devs are personally, sword and shield in hand, defending the application from attacks, instead of just writing software which adheres to modern security practices, listening to the Security Officer and occasionally doing an audit.
They’re not just writing the software, they’re responsible for the infrastructure it’s running on. And keeping that running and secure IS a full time job.
Right now, you sound exactly like one of those C level execs who looks at IT and asks “We haven’t had an issue in years, what do we need to pay them for?”
Even if you have a full-time role for continuously auditing the infrastructure (which I would say is the responsibility of either a security officer or a devops engineer), you still didn't show how that needs a 15-person team, and an otherwise-untouched infrastructure should just keep on working (barring sabotage), unless someone really messed something up.
If CI builds or deployments keep randomly failing at your place, that's not an inescapable reality, that's just a symptom of bad software development practices.
.
I checked, Telegram has 1342 employees.
Interesting! Out of curiosity, what is the source? Is there a breakdown per role?
Engineer to lawyer ratio is the best indicator of how worried to be. What’s the demoninator for telegram?
There was a post about this on lemmy awhile ago, I’m not sure which specific community it was i’m subscribed to a few tech related ones, but it was atleast a week or 2 or more ago about this same story.
I do agree that there should be more workers than 30 on one of the most known encrypted messaging apps.
The security software I maintained had one engineer.
Your move, sec nerds.
That’s a red flag!
Are you an expert tho
Sorry, our expert died in a car crash.
telegram isn’t e2e encrypted by default?! that seems like the major concern here.
i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence
Yes, e2e encryption in Telegram only works in secret chats.
And only on mobile.
What if its not e2e encrypted if they dont care. I know a bunch of chatrooms where you can watch paid movies that was released recently for free and Telegram dont care
Telegram is basically creating its own “internet”, albeit much less secure and private, but it’s undoubtedly is really useful for finding dev communities (OSS), support, especially for gray areas like library gensis, z-book, a bit like what aaron shwarz envisioned, the only issue is tying everything to your trust in its leadership not to misuss data, which is kinda laughable
The regular chats are encrypted though, just with an (encrypted) server in the middle. Telegram also claims in their FAQ, that no one singular person has the power to decrypt and the keys are stored such that no singular government could force them to give up any data.
How far that is true is a different question though.
Someone needs to make a browser extension that hides any article with “experts say” in the title
Experts say that is not possible.
Experts say that hurt their feelings
you can make a custom filter with ublock. I’m not seeing anything with the words trump, biden, us, texas, etc, including us politics related acronyms I have no idea about and that kept popping up 😅
We have now selected you to be that person.
After a long-running blogpost holywar between Telegram and Signal, I perceive these “security experts” as Signal/Telegram shills depending on their stance
There’s never ever ever been a question of which project is more secure, just whether moxie would be able to extract his head from his ass (he did🎆).
Headline is terrible. The big red flags are that they don’t do end-to-end encryption by default, the servers are in Dubai, and use a proprietary algorithm.
Last part should be clarified further. They didn’t reinvent AES or anything. It’s more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.
core.telegram.org/mtproto
I’d still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It’s not as bad as reinventing AES, though.
They do explain though that given how below average their headcount is, it means they’re likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.
They seem to have 0 clue what they are “explaining “ though. I don’t know if those engineers are overworked or how (in)competent they are, I don’t even use telegram. But they apparently do have other non-engineering people on staff and content moderation and dealing with legal issues aren’t the job of an engineering team.
The count of engineers means absolutely nothing.
It does for a bridge, but not for software.
No
This journalist writes with the same amount of confidence as ChatGPT.