Keep Pavel Durov LOCKED UP


Pavel was not arrested because he criticised Macron. He was arrested because he (allegedly) facilitates a wide range of crimes, including drug trafficking and ransomware groups.

He should have also been arrested for LYING to the community and for his connection to the Kremlin.

Anyone who is wilfully and knowingly LYING to the citizens about security should be locked up. #NoSnakeOil

  1. Telegram is NOT encrypted. All your chat history is stored on TG's servers. IN CLEAR. FOREVER (see below).

  2. Telegram is a shady company (see below).

  3. My gut says Telegram is an FSB operation.

I don't trust Telegram. Let's talk about my feelings:

In 2022, we took a look at Telegram's API. There is an undocumented API that allows an attacker (or the FSB) to DOWNLOAD any GROUP CHAT (where a bot is present). The attacker (or FSB) does not need to be in the group chat and does not need to own the BOT. More so, the API smells like "lawful interception" all over the place.

  1. This is possible even if the BOT is configured to have "NO access to messages".

  2. Telegram's Disappearing Messages / Auto-Delete is a marketing farce. We exfiltrated ALL messages. Years and years of messages.

  3. All usernames, meta-data, media, voice recordings, join-messages...it's all there and nicely curated as HTML.

Example:

TG developed a fancy-looking data exfiltration API? With all the bells and whistles? Nicely curated output - and then doesn't document it? FOR WHOM? Smells fishy to me.

NOTE: The attacker does not need to OWN the BOT. The attacker does not need to be inside the group chat either. The EXFILTRATION is possible unknowingly to the BOT's owner.

(Above example: THC did not own the BOT. THC was not in the group chat either. THC is not affiliated to the group. Yet, THC exfiltrated the entire chat history, using a series of undocumented API requests and cURL. The concern here is that such an exfil-API exists. Not how we exploited it. The image above is just from an innocent group chat of some random people....)

What else smells fishy

  1. Russia banned Signal and designated WhatsApp (Meta) as "extremist organisation". Russians flock to Telegram instead - a NON-encrypted messaging App that has a government-style undocumented Data Exfiltration API. Go figure.

  2. There was a "fake news" that TG got banned in Russia. That's not true. Instead, third parties were "temporarily" banned for using TG's API. All users (in Russia) were using TG just fine. No ban. No restrictions.

  3. Pavel claims he left Russia because of his conflict with the Russian State. I think, in time, we will learn that Pavel left Russia so that he is in a better negotiation position with the FSB (He is harder to control while living abroad and less likely to commit "window suicides").

  4. OSINT of Aeroflot shows that Pavel traveled to Russia 50 times between 2015 and 2021 (no leaks available after 2021). That's almost ONCE EVERY MONTH. Why does he claim he 'lives in exile'?

  5. Where are the white-papers of their engineers? Why don't we see them more often in the public? Like we see Moxie Marlinspike, Meredith Whittaker, Phil Zimmermann, ....

  6. Why are TG's engineers missing at every IETF meeting where strong encryption and privacy is shaped?

  7. Why is TG not open about their encryption? Why don't they allow peer-review? Or at least partly open it for public scrutiny?

  8. Pavel applauded a smear campaign targeting SIGNAL - claiming that Signal is 'in bed with the government'. Bullshit. We have known the people who work at Signal since we were kids. They have earned our trust - they have fought relentlessly to make encryption available to the masses - and fought relentlessly in many other arenas to help people escape authoritarian reach. (Russia bans Signal because it can not be intercepted🖕🖕🖕. TG gets promoted instead. Go figure.)

  9. WhatsApp reported 1.5 MILLION cases to the NCMEC (Centre for Missing and Exploited Children). TG reported...a staggering...0 (ZERO) cases. It refused to join ANY international or non-gov organisation or charity to stop the exploitation and abuse of children. NOT ONE.

  10. In June 2020, Putin praised TG as an example of "constructive cooperation". Meanwhile, Russian anti-war bloggers on Telegram are disappearing like flies.

  11. On 20th of August 2024, Pavel traveled to Azerbaijan to meet Putin. Go figure.


Telegram wants to be a "Secure Messaging App" and "fight repressive governments"? Here are my tips:

  1. Implement p2p encryption by default.

  2. Open your source. Stop hiding your encryption. It's not secure unless it's peer-reviewed. What do you have to hide?

  3. Your Data-Exfiltration API smells SORM/FSB compliant. DISABLE IT.

  4. TG is the C2 of choice for (mostly) Russian ransomware groups. Be better at moderating it.

  5. Be truthful that you store all messages, regardless of "auto delete"-settings forever on your servers. STOP LYING TO THE USER.

  6. Make it obvious to non-tech users that TG is NOT secure. Not secure by default. That you keep and record every message ever sent - even if deleted by the user.

  7. Stop this shady hiding. Be in the open. Show us who you are. Meet us at conferences. Come to the IETF. Show us what you got. Your skill-set beyond data-mining, data-retention and data-exfiltration.

  8. Disclose where your money comes from. Be open about your business plan. Show your accounts, beneficiaries, corporate structure and let's shine a light into every director's past.

  9. Be more like SIGNAL or the EFF.


Other:

  1. Who is funding Telegram?

  2. The Kremlin has entered Telegram

  3. Telegram and the criminal connection

  4. BBC: Telegram is a dark web

Note: Is it a bit harsh that we think Pavel should be locked up? Yes. Thanks for not just reading the headline. TG needs to fix their approach to Security, Privacy and Freedom. Imagine a car manufacturer saying "That airbag works" when it ain't. When it never worked as promised. Get our drift here? TG is not secure. TG logs every message you send - forever, regardless of whether you delete the message or not. TG has some work to do.

Note: THC has a public channel on Telegram. Yes. We don't seek privacy for our public channel. You (or your favourite government) can shine a light up our arses and see that we ain't criminals. It is a PUBLIC channel.

❤️ For all else, find us on SIGNAL ❤️


Addendum

  1. IMHO, the French reasons for the arrest are (all?) bogus (for now). It feels like they arrested him for nonsense so that they can 'talk' and hope to find out more about the (alleged) Pavel/Kremlin link or whether Pavel benefits from the ransomware groups/Cartels either directly (TG's premium feature) or indirectly via bribes and benefits-in-kind (?). This does not set a good precedent.

  2. I will release the API calls within 4-6 weeks (PM me if I forget). Let's give the TG users some time to disable their bots. Meanwhile, one researcher has contacted me privately, saying that he found the same API and used it to exfil TG data in the past. I'm not sure who was first or that it matters.

  3. The attacker needs to know the BOT-Token (but does not need to be the owner of the BOT and does not need to have had any interaction with the BOT). We wanted to show that TG stores all messages in clear. TG of course has all BOT Tokens (and they don't need to use the TOKEN to access all messages in clear). We demonstrated that this is not just messages to and from the BOT but all messages of any group chat the BOT is in, even if the BOT is configured with "has_access_to_messages: false". We needed the BOT token to demonstrate this. TG does not need the BOT Token to access all messages in clear.

  4. We contacted TG. Maybe they allow us to be part of the solution.