https://www.schneier.com/crypto-gram-9812.html
$300,000 isn't a whole lot more than it would cost to get an entire novel cryptosystem for a complex application built out of idiosyncratic components assessed professionally. They should just retain Riscure or Rambus to do that for them instead of the PR stunt.
Previous thread about Telegram on HN, featuring Moxie Marlinspike:
–$300 000, and good publicity among security experts.
What's the mathematical expectation of "Let's start a contest with $300K for dealing with our crypto on our terms (assuming 5% of success)"?
–$15 000, and much larger PR effect. ($300K-resistant crypto, yay!)
Seems to be an easy choice, unfortunately.
> They should just retain Riscure or Rambus to do that for them instead of the PR stunt.
I'd love to go back through either of the previous threads and count to see how many people were saying "well, if no one can successfully win the challenge, they can use the money for a security audit!" like they are right now.
Telegram is pretty clearly a bad player that should be avoided.
https://konklone.com/post/why-google-is-hurrying-the-web-to-...
From the contest: "This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."
https://www.schneier.com/blog/archives/2012/10/when_will_we_... "2^11 * 2^8.4 = 2^19.4 ~ $700K by 2015"
The cost of brute forcing the answer is greater than the prize for the contest.
"This can happen if a security check is failed, or in the case that the first 128 bits of the SHA-1 of the newly created encryption key don't match on both parties' clients when this stage is completed (this corresponds to Paul and Nick comparing the key visualizations for the Secret Chat in their Telegram apps)."
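As an added illustration (not code from the thread or from Telegram), the following Python sketch models the check quoted above: Paul and Nick derive a key via Diffie-Hellman through a relay and then compare the first 128 bits of the SHA-1 of that key. The toy 127-bit group, the party names and the function names are assumptions made for the example; a dishonest relay (the "act as the Telegram server" scenario discussed later in the thread) is shown to produce mismatching fingerprints.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only: p = 2^127 - 1 (a Mersenne prime), g = 2.
# A real deployment uses a 2048-bit MODP group; this one just keeps the example short.
P = (1 << 127) - 1
G = 2
KEY_LEN = (P.bit_length() + 7) // 8   # fixed-width encoding of the shared secret


def fingerprint(shared_secret: int) -> bytes:
    """First 128 bits of SHA-1 over the fixed-width shared secret, as the contest text describes."""
    key_bytes = shared_secret.to_bytes(KEY_LEN, "big")
    return hashlib.sha1(key_bytes).digest()[:16]


def fingerprints_match(fp_a: bytes, fp_b: bytes) -> bool:
    """Constant-time comparison; a mismatch means the secret chat must be aborted."""
    return hmac.compare_digest(fp_a, fp_b)


def secret_chat_handshake(relay_is_honest: bool, a: int = 0, b: int = 0):
    """Run a Paul<->Nick DH exchange through a relay and return (paul_fp, nick_fp).

    With an honest relay both sides derive the same key. A dishonest relay
    substitutes its own public value g^m for both parties' values, so Paul
    computes (g^m)^a and Nick computes (g^m)^b: different keys, different
    fingerprints, and the visual comparison catches the substitution.
    """
    a = a or secrets.randbelow(P - 2) + 2          # Paul's private exponent
    b = b or secrets.randbelow(P - 2) + 2          # Nick's private exponent
    paul_pub, nick_pub = pow(G, a, P), pow(G, b, P)
    if relay_is_honest:
        to_nick, to_paul = paul_pub, nick_pub      # values forwarded unchanged
    else:
        m = secrets.randbelow(P - 2) + 2           # relay's own private exponent
        to_nick = to_paul = pow(G, m, P)           # both parties receive g^m instead
    paul_key = pow(to_paul, a, P)
    nick_key = pow(to_nick, b, P)
    return fingerprint(paul_key), fingerprint(nick_key)


if __name__ == "__main__":
    for honest in (True, False):
        fp_paul, fp_nick = secret_chat_handshake(honest)
        verdict = "match" if fingerprints_match(fp_paul, fp_nick) else "MISMATCH, abort"
        print(f"relay honest={honest}: {fp_paul.hex()} / {fp_nick.hex()} -> {verdict}")
```

Note that the fingerprint only detects the substitution if the two people actually compare it out of band; the relay cannot fake that comparison.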
No? Doesn't this fit the definition of a contest? http://en.wikipedia.org/wiki/Advanced_Encryption_Standard_pr...
Yes, the fairness of the contest plays an important part, and a fair contest where only the algorithm is analysed goes a long way.
"Just because no one wins a contest doesn't mean the target is secure...it just means that no one won."
Of course. But the fact that it passed review by experts means it is (probably) safe today (and, for all that is known, it might be trivially breakable "behind closed doors").
"Our Twofish cryptanalysis contest offers a $10K prize for the best negative comments on Twofish that aren't written by the authors. "
Ah ok, so contests suck, except for the ones we throw. Nice.
"There are no arbitrary definitions of what a winning analysis is." No? So what is "best negative comment"? It's still subjective. And the 2nd best gets nothing? Who determines that?
The Twofish bounty was a bounty that guaranteed payment to the best technical critique of a very specific, well-defined cryptographic primitive.
All you are getting is the over-the-wire exchanges which makes it kinda a joke.
The part that is actually vulnerable to attack is the way the client functions and handles keys.
MitMing after a key exchange isn't helpful since it's like getting the PGP text after it's encrypted. You have to brute force the keys at that point.
That's not too dissimilar to suggesting hiring an ISO-certified shop to redo your beautiful hand-optimized assembly code in an industry-standard Java. It's a simplification, but I'm pretty sure a large chunk of HN can relate to how much of a killjoy letting others do the interesting parts is.
In the end, all these not-so-subtle backstabs and innuendos that they are just a bunch of annoying f#cking amateurs are counter-productive. They won't be using SSL, and $300K is not enough to run their custom crypto through an audit that will be good for all the "experts". Besides, the main issue with Telegram is not their crypto, it's not the contests, it's the fact that they got off on the wrong foot with the public applied crypto community. In theory, they should be fixing that, but in reality they don't seem to give a flying f#ck about it, which to me actually looks more like a show of backbone rather than of ignorance.
Ultimately they want the same thing as this Moxie person. They want less surveillance. Now pray tell why they should have their head repeatedly dunked in a toilet bowl every time their project gets a mention?
Great! I like to scribble out sponge functions while eating lunch. I've made a few toy stream ciphers. Crypto is fun as all hell, and it's a great way to learn things!
But novelty isn't really a good thing when it comes to actually depending on crypto. You want something that's been well studied by lots of smart people. To paraphrase Schneier (I believe), anyone can design an encryption process that they can't break - the real challenge is keeping the people who are smarter than you from breaking it as well.
Novelty is an _extremely_ bad reason to design and deploy cryptography.
> They want less surveillance. Now pray tell why they should have their head repeatedly dunked in a toilet bowl every time their project gets a mention?
Because the applied crypto community points out issue after issue after issue with their product and is met with variations of "nuh uh, it's fine!"
Bad crypto is worse than no crypto because either way the NSA is watching you, but when you use no crypto you're at least forced to admit to yourself that your adversary has you in their crosshairs.
Not that it proves anything very much if it's not claimed.
If I find a few small flaws that are problematic, but not enough to claim the prize, I'll definitely keep them to myself until the contest ends. Instead of incentivizing people to share vulnerabilities with them, they incentivize hoarding bugs.
We know for a fact that most people aim for better known than just better.
Not so many news stories about simple OTR.
WhatsApp thrives because in many places, SMS costs are prohibitive (so TextSecure is not an option). In addition, it requires no registration and doesn't rely on external services (so ChatSecure is also out of the question).
It's just that I heard some concerns about the key exchange (that triple Diffie-Hellman exchange) not having a formal security proof, although I'm completely incompetent to evaluate whether those were valid concerns or just some chatter.
Or, what they do now: Get good PR and if someone manages to win the competition, it means they found flaws which the pros would, hopefully, also have found. If no one wins, they can then use the $300k to get pros on it. Win-win if you ask me.
For the company, maybe.
If you're a user of their half-baked crypto you're playing a high stakes game with a partner that isn't actually interested in keeping you safe.
"Your email must contain: . . - Your bank account details to receive the $300,000 prize."
> "But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK."
For big prize payout contests, I'd get a lot more serious if they provided proof that the funds were waiting in escrow until end-date/winner.
But I'm probably unnecessarily suspicious of the depth of a startup's pockets...
But as is shown by the fact that they are running this contest, plenty of people who are not here see the contest and believe it is an indication of the trust they should have in Telegram. Otherwise, they wouldn't have run another contest after the response on HN to the last one.
The contest is a bad idea because for the people who don't see our discussion here, they will be tempted to trust their sensitive data to Telegram. For lots of people around the world, that trust could put them at risk of serious harm.
> ...this time contestants can not only monitor traffic, but also act as the Telegram server and use active attacks
But contests like this are a bad idea for another reason: people will hoard bugs instead of disclosing them, sometimes for years. For example, the Pwn2Own contest boosted the discovery and disclosure of bugs in browsers for the first few years, but now companies have co-opted it into a marketing event. They sit on exploits in order to win two or three years from now.
I noticed a bug in one of the Telegram clients when the first contest was announced, but it wouldn't have qualified. Now the reward has tripled, and the scope expanded. As the user base grows, the reward will go up again (and again), and I'm sure no one will claim the bug since real experts have better things to do, so maybe it's smart to wait, maybe not...
Telegram, and other projects thinking of doing this: think small. In the lottery model, there is one big winner; you should prefer a model with many (smaller) winners. Pay for patches that improve the quality of the code base, fix compiler warnings, improve documentation, etc. Many grains of sand will sink a ship.
I like how Telegram is truly cross-platform, with the clients being open source and available on every platform. They usually look great and are simple to use, which is why Telegram is the only non-WhatsApp IM that more than 3 of my contacts use. It also works with multiple devices connected*, which is another pro against many other IMs.
What I dislike is that even though Telegram advertises their messages as "private" and "heavily encrypted" on their landing page, secure chats are NOT the default, do not work in group chats and do not work across multiple devices. I am aware that this requires encryption for every recipient, but that shouldn't be an issue. TextSecure actually came up with a great solution [1] for this. What I also do not understand is why they are rolling their own crypto. They say it's for speed and stability [2], but don't provide any facts or measurements. The fact that the server is closed source and the founders come from VK (a Russian Facebook alternative) doesn't make this any better.
All in all I consider Telegram a great alternative to WhatsApp, but I wouldn't rely on it for secure messaging.
1: https://whispersystems.org/blog/private-groups/
2: https://core.telegram.org/techfaq#q-why-are-you-not-using-x-...
So, using a bug-prone process (software development) we will alter the software after the fact to introduce a feature which, if it escapes the sandbox and gets into the wrong build, will potentially reveal the secret keys of all users.
Am I reading that right?
The rules seem much more liberal this time, to my uneducated eyes...
Even if it's still a contest in bad faith, why not break it and claim the money?
Uh, no.