Not sure hiring a US security firm is a safer approach than crowdsourcing using the power of the global community.
After all, Matasano's tptacek obviously did spend some of his time inspecting and criticizing Telegram this week. However, he overlooked the 100K vulnerability that was later discovered by a Russian guy who considers himself a newbie in cryptography.
The other reason that makes me somewhat reluctant to spend money on hiring Matasano is the recent RSA-gate (and the strange role of tptacek in it).
I understand that you care about Telegram and want to defend it when it is attacked, but comments like this are inappropriate and will damage Telegram's reputation.
It is unfair to imply incompetence on tptacek's part given only that he spent some finite amount of time looking at your protocol and did not find the nonce vulnerability. It is also unfair to say that he didn't find any vulnerabilities despite the potential for a 100k reward as the potential for such a reward (outside of your specific contest) had not been stated clearly.
If you do in fact have evidence that tptacek was involved in RSA's deal with the NSA, you should state your accusations explicitly and provide that evidence. If you do not, I think the accusation is inappropriate and certainly counterproductive.
That said, I very much appreciate the resources you are donating to open source crypto software. It is undeniable that the potential for a 100k reward will send a lot of eyes to your source code. I would encourage you to also consider hiring a security firm (US based or otherwise) and to consider how your comments will affect public perception of Telegram.
Wow, you really are as arrogant as you seemed. I'm sorry, I'm normally not rude, but attacking tptacek like that? That's just pathetic mate.
Oh, and the vuln was outside your contest. You gave him 100k, instead of the 200k because of that. No one knew that you'd pay out if they found something outside your competition. So saying that people here looked at it but missed that vuln because they didn't claim the reward is disingenuous -- it was outside the contest.
So, to make it clear, do you imply that "professionals" are just bragging that they know what's better, but they're not much when it comes to the real deal?
Matasano is a known crypto company, why would they voluntarily spend their working time fixing Telegram for you? Hire them for a few days to see them in action.