Sure, fuck WhatsApp, but Telegram isn’t even end-to-end encrypted most of the time. Their group chats never are, and their “secret chat” encryption for non-group chats must be explicitly enabled and hardly ever is because it disables some features. And when it is encrypted, it’s with some dubious nonstandard cryptography.
It’s also pseudo open source; they do publish source code once in a while but it never corresponds to the binaries that nearly everyone actually uses.
And the audacity to talk about metadata when Telegram accounts still require a phone number today (as they did five years ago when this post was written) is just… 🤯
State-sponsored exploits against WhatsApp might be more common than against Telegram, or at least we hear about them more, but it’s not because the app is more vulnerable: it’s because governments don’t need to compromise the endpoint to read your Telegram messages: they can just add a new device to your account with an SMS and see everything.
(╯° °)╯︵ ┻━┻
Anything claiming to prioritize privacy yet asking for your phone number (Telegram, WhatsApp, Signal, …) is a farce.
i am against paying for DRM streaming services, and i boycott apple products, but i must say this is an impressive hacking effort and a well-executed meme about it. 🥂
I was pretty sure Q-Zar continued to exist well after 1997, so I checked, and yeah, there continued to be Q-Zar locations after the 97 bankruptcy of one of the companies involved.
Since he doesn’t mention it in his ‘fantastic’ reporting, OpenSSH 9.6 was released Monday that will patch this attack.
I am tempted to delete this post just for the article’s stupid clickbait headline, but it still will probably cause some people to go update their OpenSSH installs, so… meh.
Anyone who actually wants to know details of the vulnerability should read the website about it which is obviously much better than this article.
Also, since he doesn’t mention it, if on the Internet, the MITM would have to be installed at both end points (client side and server side) to be effective without the patch.
Huh? No. The attacker doesn’t need to be in two places or even near either end per se, they could be located at any fully on-path position between the client and server.