Is Telegram's crypto broken?

I'm not a big fan of Telegram. Nor am I a crypto-expert. Yet, I feel compelled to write this, provoked by tirades on the internet, even from people who I otherwise respect for their expertise. There have been many tirades.  The latest one, for me, started with this @kennwhite's tweet where he says "this thread" is "spot on" (which to me, appears to be an endorsement of @bascule's argument; I could be wrong).
https://twitter.com/kennwhite/status/759360544260300805

That conversation had plenty of pronouncements of absolute certainty. So I followed the breadcrumbs (some of which I quote here), and read the papers that Tony (@bascule) quoted.  Like so:

1. "Telegram is *still* using known-to-be-broken crypto..."
   (My take: no, you probably mean "assumed to be breakable")
   https://twitter.com/bascule/status/759090321804230657
   
2. "Telegram is broken..." 
   (My take: No, definitely not based on these papers you quote)
   https://twitter.com/bascule/status/759195089264443392


3. "Here is what duckduckgo ...:
   (My take: WTF? A search engine screenshot!)https://twitter.com/bascule/status/759507261056135168

      
I'll just stop here. I think it shows adequately that @bascule may have been ranting or even deliberately trolling @durov, though many in his timeline were taking it seriously. I can't. Not any more.

Before I get too far off, let me link to the papers.
-  https://eprint.iacr.org/2015/1177.pdf 
-  https://cs.au.dk/~jakjak/master-thesis.pdf

I encourage interested readers to go read them. Pay attention to the attack results - what exactly did the attacks achieve and how they matter. It seems to me that the conclusions imply more damage than the available proof.

In my summary below, for brevity, I'm skipping quoting IND-CCA, INT-CTXT etc., hopefully without altering the essence.

1. Padding Length Extension - summary: Not the message itself, but the padding can be increased by an MITM. Telegram still delivers the message intact.
   Neither confidentiality nor integrity have been violated.
2. Padding Plaintext Collision / Last-Block Substitution - summary: It takes roughly 24 days to alter the last block undetected by Telegram.
   This implies violation of message integrity - except, it doesn't. For it to remain undetected, the message bytes in the last block must remain the same.
3. Replay / Mirroring Attacks - summary: Old versions of Telegram are vulnerable, not the new.
   Thank you for saving us some time.
4. Timing Attacks - summary: If the attacker has another app installed on the client device, (s)he can know whether or not a message decryption succeeded.
   Sounds like a big deal, except - an attacker with such an app on your device could do things that can make you cringe. Someone discovering whether Telegram messages have failed decryption and using that info to painstakingly reconstruct keys (yes, chosen plaintext + padding oracle attacks) is probably the least of their worries.

No Kenn, I'm afraid it's NOT spot on. Not by a mile. It is one thing to impugn motives and imply collusion (as in the case of accusations of Telegram's collusion with Iranian Govt). It is another thing altogether to say crypto is broken based on the above. I must respectfully reject any claim of insecurity -exclusively- on the basis of theoretical arugments.

So let me conclude this part with that venerable InfoSec chant: POC || GTFO

No, I'm not done. Just a few last bits remain.

• Trust is a key component of security. Do I trust Telegram or even Signal for that matter. No. I don't have sufficient basis. When I use them, I use them grudgingly, figuratively looking over my shoulder.
• Even if Telegram's server-side source code were open-sourced (last time I checked, it wasn't), it still wouldn't mean that the specific code running on the servers all the time conforms to what was published. Pretty much like a good percentage of Tor nodes, if you know what I mean. The non-permanent session keys or at a minimum, _all_ the parameters used to generate them, must pass through the servers, however briefly. Even with Signal and WhatsApp. Make of it, what you will. 
• Alt implementations are possible, but they fail usability standards pretty badly. 
• Finally, even if the audited version of Telegram / Signal / <your-fav-app here> were secure, compromise is only one app-update away. Please feel free to trust your vendor not to do it.

So the next time someone tells me Signal is theoretically more secure, I will respectfully nod. I do agree.

If they say that Signal is great and Telegram is broken, I must assume they've been trolled by someone they trust; or, they're trolling me.

However, I will continue to keep an open mind to being wrong in this; and not make absolute statements based on muddled logic.

Intellectual Weak Sauce

Not infrequently, we run into arguments that can be stretched to a point where persistence / loudness decides the winner, not the rationale.

As a country with both claims as well as aspirations of greatness, it is important for us to be able to spot weak logic and overcome it to focus on results. Here is how I spot them.

• Recommendations of inaction or delay. e.g., 
• "let's wait for some more time, I'm sure X is doing something about it", 
• "this is not the solution, let's find an alternative", 
• "we need all the facts, let's get them first", etc.

The dead giveaway here is that a timeline or specific replacement action is missing. Often, the action is also someone else's responsibility (who is not present there) or better still, a collective responsibility!

• Role-playing someone else (esp., the judiciary or police)
• "we need proof.. where is the proof?"

• Shifting the responsibility
• "Let someone take the lead, I'll support",
• "It's not our job, let's mind our business", etc.

• And finally, the cost of action / benefit of action pseudo arguments
• "We can't change everybody" (huge effort / impossible),
• "This whole system is corrupt, there is no use of even trying", etc.

These actually sound reasonable since they are valid in certain other circumstances. They assuage any guilt feelings and avoid immediate unpleasantness. This is why they're so difficult to spot as well as overcome.

This is a follow up on what I wrote a few days ago - on the wrong kind of tolerance.

The post evoked a lot of strong responses. Mostly along the above lines.

The wrong kind of tolerance

This is about the recent violence we've witnessed in the context of the Jat Reservation Agitation in Haryana. Clearly a lot of the vandalism, looting, arson and raping was done by people and for reasons that have nothing to do with Reservation for Jats.

Who are these perpetrators?

Are they not someone's sons, brothers, fathers, husbands and neighbors? If they are, then how are they able to get away with such behavior? When they return to their homes and villages, doesn't anyone know or censure what they did?

That brings me to the topic of silence. Of tolerance of the wrong kind. 

For far too long, we've tolerated and rationalized bad behaviors from people too close to us. It's only youthful energy. How could we complain about our neighbors or their sons when the rest of their family are close friends? What if they come and attack our own family? We should mind our own business!

The reasons are many. As we shake (or nod) our heads indulgently, these perpetrators grew up among us, continued in their evil ways and have now come to shape the brand of Haryana.

This is a deep-rooted malaise.

It cannot be rooted out by mere police action, even though such action is required as a corrective measure. If we are to prevent recurrence at some time, we need to re-examine our values and systems that have shaped the lives of the perpetrators as well as entire societies that have allowed them to go this far. We need to make fundamental adjustments in aspects of our social fabric. We need to learn to consciously and actively discourage anti-social behaviors.

Meanwhile, there is a price to pay. Everybody pays it, not just the perpetrators. This is the price of the wrong kind of tolerance/indulgence. The price of being silent - either out of fear or indulgence.

Some people will move out. Some will remember their scars for life and let those scars influence their decisions. There is a "Global Investor's Summit - for Haryana" being planned in a few weeks. How many investors will reconsider their plans for Haryana?

Haryana will pay for what its sons did. 

It is unfortunate that ordinary Haryanvis should pay, but it is the only long-term sustainable way to mobilize the society to apply long-term corrections.

Haryana has been close to my heart for many reasons. Yet, today I have decided to withdraw from all things Haryana. It is likely to hurt me more than Haryana - at least in the short term. But I'm not going to stand by and watch silently. I'm not going to rationalize away the sufferings of the victims - they're not my relatives or friends; but they're fellow human beings. I'm not an activist, but I'm not going to let that stop me from expressing my distress in a material way.

Will you join me? Will you express your intolerance of this in a material way (not mere words)?

How many more shops should be looted and burned before you will be moved to act? How many more daughters and sisters should be raped before your heart will move sufficiently for you to express more than mere moral support?

IoT meets Advertising meets OTT

It is the year 2016. Yes, it is near future.

Your toilet seat is a thing on the Internet!

It comes with "enhanced visual discovery of new products". That's right. It inserts ads on to your phone as you're reading, well... in the morning.

Twitter introduces an enhanced advertising version of tweet tags that won't cut into your 140 chars of awesomeness. Your toilet seat uses this to now intercept your tweets with strategically placed "tweeted from the awesome ItsaThing toilet seat" tag. At first you try to opt-out, but the advertising lobby is clever. You give up.

After a few friends' toilet seats auto-retweet, you begin to like it too.

You make new friends through retweeted conversations from the toilet seat.

A Telco launches a ZeroTariff plan for a competing ItsaDifferentThing toilet seat - and starts silently blocking all other seats. You choose to buy those ItsaDifferentThing toilet seats. Out of your own free will, of course.

Welcome to 2016.

Freedom, Independence, Education and Literacy

In a free world, we are all free to be just the kind of idiots (I mean "perfect people", of course) we like to be.

Not your definition of perfection or hers. To each of us, just our individual, personal and intensely "right" perspective of perfection. I mean we each are free to be the perfect idiots of our choice. Free to even scorn the other perfect-but-different idiots.

Provided, we are independent enough to be really free.

As in, for example, my NGO (no, I don't really have an NGO) needs funds from this particular source, but "hey, we haven't sold our souls, you know... we are being pragmatic, looking at the larger picture, being apolitical, neutral.. " and so forth.

Now that (if) we are independent, what could we do with our freedom?

I know! We could eat up as much as we can at the buffet table, and for good measure throw away the rest (tragedy of the commons). But hey, we are free, right?

However, if we were educated (not to be confused with being literate), we would have a bit of enlightened self-interest. Not just self-interest, but enlightened (worth the emphasis) self-interest.

On that happy note, I propose that we rename all our "Education Departments" as "Literacy Departments".

I mean, who are we fooling? Though I know a few enlightened people trying to guide syllabi towards education, we are indeed chasing metrics and reaping the... benefits. The metrics are biased towards literacy. Period.

Pitfalls in chasing success

We've all read about "sustainable growth". Many Management Pundits have warned us (yes, on HBR too) quite often that chasing quarterly results exclusively could lead to unpleasant things.

Chasing a metric is quite tempting. Choosing a metric to chase is far more difficult. Often, we choose and chase only those metrics that are easy to measure / understand.

This afflicts nearly everyone. Project Managers, Consultants, Sales Persons, CEOs, Governments, Non-Profits, ... the list goes on.

How many new customers? How many sales dollars?

How many Conference Speaker assignments? How many followers?

How many members? What funds collected so far?

The problem is that they actually look like the right metrics to chase. May be they are, for some.

It might be worthwhile to step back and ask: "What exactly are we trying to achieve?" and resist answering in the same terms as the metrics above. Validate that answer. Then chase that vision or goal... not the metrics.

Let the metrics be an indicator of how you are progressing towards the goal. Not become the goal by themselves.

I should perhaps give some examples. But I wonder whether "being clear" is what I want to do. Perhaps I should just let you find your path.

Innovation is dangerous

Yes, innovation is sexy, but only after it succeeds and gains some popularity.

Until then it is not just hard, it can be downright dangerous to your morale.

It is easy to mistake innovation to be merely coming up with a new idea, new design or a new way of doing something. Yes it is the starting point, but for it to succeed, the idea/design should be implemented and shown to be delivering the promised results. Often, it is a proposition fraught with unforeseen complexities and stiff resistance that tests your mettle.

Surely there are design and implementation complexities to be overcome. The bigger the problem you are trying to solve, the longer it takes (usually) and the harder you've to work.

Then there are the status-quo-ists and doubting thomases aplenty. They question your ability to deliver and the veracity of the idea. Why not simply let things be? Where is the need to change? How do we know that the result will be better?  If all else fails they can always fall back on this popular argument (familiar to UID proponents & opponents as well):

"Has any one else in the world done it before? If it were such a good idea, obviously someone else would've done it. It wasn't. Ergo, it is a bad idea!"

The situation is indeed loaded in favour of the critics. Predictions of doom and gloom are often self-fulfilling. They demotivate the innovators, erect barriers through misguided followers and in general make the innovators' life tougher than it already is. Either the innovators give up; or redirect energy from solving problems to countering the critics. Either way the critics win often enough - for the environment to foster more critics than innovators.

Tough as it is, when you do reach the goal, the rewards are most satisfying. This applies to entrepreneurship too. The similarities are many, though the two are not entirely the same.

The question for the innovators therefore is:

Do you have sufficient self-belief, resolve and inner-strength to persist against all odds and reach the exalted state of success and sexiness?

Then there is a challenge for all us:

How can we turn the environment around, build a culture that forgives failures and encourages the innovators and positivists during their work -- not just after?

No doubt, there is a need for checks and balances. Just that it is far too skewed against our good at this time. It is time we restored a semblance of balance in favour of progress.