this post was submitted on 17 Apr 2024
80 points (98.8% liked)

Technology

971 readers
30 users here now

A tech news sub for communists

founded 2 years ago
MODERATORS
 

Key points:

Russian-born IT entrepreneur Pavel Durov said that he was “pressured” by the FBI during his stays in America

The US government had wanted a backdoor to Telegram in order to potentially spy on its users, the social media platform’s founder Pavel Durov said in an interview with American journalist Tucker Carlson. The attention from the FBI was one of the reasons Durov dropped the idea of setting up the company in San Francisco, he said.

In an interview published on Wednesday, Durov said that he visited the US several times and even met with former Twitter CEO Jack Dorsey. He was under the watchful eye of the FBI, which made his stays in America uneasy, he said.

According to Durov, one of his top employees once told him that he had been approached by the US government. “There was a secret attempt to hire my engineer behind my back by cybersecurity officers,” the businessman said.

“They were trying to persuade him to use certain open-source tools that he would then integrate into Telegram’s code that, in my understanding, would serve as backdoors,” Durov said. He added that he believes the employee’s account. “There is no reason for my engineer to make up (such) stories.”

Extremely alarming that there is a claim here certain open-source tools act as back-doors for the western intelligence agencies but it makes perfect sense. Engineered bugs in upstream libraries and tools used by tons of commercial and open source software would always get you your best bang for the buck compromising lots of things. Unlike for example the recent xz debacle I expect these are likely much more well hidden and engineered to hide their nature as nothing but mistakes. There are multiple ways to accomplish this from having NSA/GCHQ employees working directly on these projects as core contributors to paying off or blackmailing core contributors.

I expect this particular revelation to likely be ignored by many of the usual privacy people and spaces just because Tucker Carlson (who has grown funnily more hated for interviewing Putin than anything else he's done among liberals) was the interviewer and of course because Durov is a Russian.

(Archive link)

top 22 comments
sorted by: hot top controversial new old
[–] cfgaussian@lemmygrad.ml 30 points 7 months ago (1 children)

This is an extremely serious issue and unfortunately not many people know about or understand it. Too many still believe that if something is open source then it can't have malicious code and backdoors in it, but unfortunately that's just not the case. We already knew that the mainstream platforms and western made hardware all have built in backdoors and co-operate with the intelligence agencies, but that this is now extending to the more fringe alternative platforms and OSS as well is very worrisome.

And there is nothing that guarantees that just because they managed to fend off one attempt at infiltration that no further attempts were already made and maybe even successful. I think that where this is all heading toward is that at some point people for who privacy and security against western governments is essential will have no choice but to use exclusively Russian and Chinese made products. Yes those will undoubtedly have backdoors for their respective states as well, but as long as they do not share their intelligence with the West i frankly couldn't care less if they know what i'm up to. The main government that you need to be worried about is always the one in your own country, doubly so if you live in the imperial core.

[–] gila@lemm.ee 18 points 7 months ago (1 children)

I don't think FOSS is being targeted in spite of being fringe, it's being targeted because it powers the internet. It isn't fringe at all in an enterprise server context, and I think it stands to reason that the gathered data from this kind of source would be significantly more valuable on average than that gathered from end-user desktops. But in turn, so long as there is a legal means for private companies to safeguard their privacy generally against any external actor, there is a significant vested interest in safeguarding FOSS against backdoors. Indeed the xz backdoor was disclosed by an employee of a company whose own enterprise server software product is proprietary.

[–] itsraining@lemmygrad.ml 3 points 7 months ago

Totally agree with that. Also good to note that in general it it easier to create a backdoor for FOSS because of the general code availability. For a proprietary product, you'd have to somehow gain access to the closed source, which is harder. Also, many FOSS projects have few maintainers doing a great amount of job for free, so with a bit of social engineering you can pressurise them into accepting code they don't entirely understand.

On the other hand, many FOSS projects have more than one maintainer, so more eyes watching the code. Also, you have to find a way to conceal the backdoor, so that it can't be easily identified.

All in all, open-source is certainly better, because you don't have to blindly trust some company, but there are many factors which come to play in both camps. Ultimately, trust is not the only thing that matters since even a trusted repository can be compromised/hacked. Then you can only rely on fast mitigation of consequences, that is hope that the compromised code hasn't been there for long.

[–] bunbun@lemmygrad.ml 13 points 7 months ago

PSA - remember to pin versions of the dependencies your software uses. Just recently there was a 0day vulnerability in libwebp with CVE severity score 10/10, and that library is extremely widely used.

[–] yogthos@lemmygrad.ml 13 points 7 months ago (1 children)
[–] orcrist@lemm.ee 7 points 7 months ago

Yeah you know it's really obvious, isn't it.

Sometimes people forget that the police and the spy agencies often don't want what's good for you. They want what's good for them. Stories like this are a nice reminder.

[–] boyi@lemmy.sdf.org 5 points 7 months ago

Extremely alarming that there is a claim here certain open-source tools act as back-doors for the western intelligence agencies but it makes perfect sense.

That could explain how a backdoor almost get into the mainstream Linux distribution through xz Utils if not because of a bad actor sloppiness.

[–] Oneser@lemm.ee 2 points 7 months ago (1 children)

I think people will ignore this because it is on RT before even seeing that it involves Tucker Carlson.

I would be surprised if any country with a functioning spy agency doesn't try and put as many back doors into software as possible. Every single person on this planet should be pissed at the corruption of F/OSS and it's modules (if as widespread as suspected)... this is not an east vs west issue.

[–] darkcalling@lemmygrad.ml 17 points 7 months ago* (last edited 7 months ago) (2 children)

this is not an east vs west issue.

It really is though and I think it's a little naive to be saying that or buying the propaganda of the Eyes agreement nations frankly which of course has an inherent interest in portraying all its enemies as just as bad as it. Just as they did when they justified MKultra and every other heinous shitty thing they've done. Yet when the USSR archives opened after their fall we found out they weren't doing half of the things the CIA said they were and using to justify their own abhorrent behavior.

If it wasn't East vs West China wouldn't have gotten caught with their pants down with the USA mass mail intercepting Cisco devices and putting hardware implants into them. I think one of the reasons they even allowed Cisco to help China with the great firewall is because they knew they could use it to spy. Because they would have thought along similar lines and known to look harder.

Fact is America, NATO, Eyes agreements countries spy more, more pervasively, they violate norms, business agreements, etc.

I fully believe that the Chinese and Russians hack but I don't think they play dirty like the US does.

They don't have global intercept networks, they don't globally tap fiber lines, they don't implant malware in as many places as possible, they don't put backdoors in their hardware which could get caught and get them banned (notice how western accusations are never backed up with any kind of solid proof smoking gun stuff? Yet we have Snowden as proof of how far the US and its vassals go). They don't do this kind of mixing of trade and spying, hurting, using their industries and private companies as weapons. They see it as separate business which was historically how spying was seen.

And I further know this because we know from NSA whistleblowers that they had in the early 2000s a choice. Two paths advocated by alternative factions. One path was the one they took, spy on everyone, everywhere, all the time without exception, gather every ounce of data you can, invade everyone's private lives, spy on allies and enemies alike and then sift through the data after. The other which this whistleblower advocated was selective spying, getting warrants basically, getting mandates for spying for specific purposes. Targeted operations, targeted malware. So it's hardly hard to see the idea that these other countries might take another path, even if you think they're evil and worse than the US, you have to admit, pragmatically they have less resources, less ability to do these kinds of things even if they wanted to.

Fact is one of these two groups of nations is in a position to do all this stuff, is an empire, was the global hegemon after the fall of the USSR and decided to invade everyone's privacy in an attempt to maintain that power at all costs. And it isn't China or Russia. Equivocating here simply does not fit the facts of the global situation as we know them.

[–] tarbeez@lemmygrad.ml 8 points 7 months ago* (last edited 7 months ago) (1 children)

Eyes agreement nations frankly which of course has an inherent interest in portraying all its enemies as just as bad as it.

Fact is America, NATO, Eyes agreements countries spy more, more pervasively, they violate norms, business agreements, etc.

I think this is on point. It (Western imperialism) projects the truth of what it really is on others, and pretends to fight it.

Yet we have Snowden as proof of how far the US and its vassals go

Possibly limited hangout?

[–] darkcalling@lemmygrad.ml 5 points 7 months ago (1 children)

I've seen this called a limited hang-out but I really don't see the point of it.

Unless the US has somehow developed some super secret beyond next generation sci-fi level hacking capabilities that no one else could possibly see coming and is trying to distract with these old school methods to redirect I just don't see the point of doing this and alarming everyone, putting them on guard and creating pushes at the national level in key enemies like Russia and China to try and protect themselves with domestic production and at the level of the EU to attempt to see American tech as threatening.

I think the safer explanation is the US is somewhat sloppy, their capitalist nature led them to outsource some of this stuff and eventually someone like Snowden who had these beliefs came into contact with it after not being screened well enough or developing them and did what he did. It's like saying the scientists who leaked atomic secrets to the Soviets were acting at US government behest as a limited-hang-out.

I just don't see the point as I don't think there was any vast exposure of this kind of thing coming from meaningful quarters. Like if the Chinese had come out with a big explosive accusation, even with evidence it would have been ignored by the western media, brushed off as propaganda and an intelligence ploy and I'm not aware of any thing in the works that would have been a bigger and more explosive exposure.

What would be the point? More things are encrypted, more private companies and individuals take pains to use encryption less likely to be backdoored. What to push people onto Signal which is backdoored or something? When before this most people would have just used unencrypted messengers that could be subpoenaed in open court without the issues of parallel construction?

I don't really buy it and I haven't seen a good argument for it.

[–] tarbeez@lemmygrad.ml 2 points 7 months ago* (last edited 7 months ago) (1 children)

I think this is sound reasoning and mostly I tend to agree. At the same time, there is this strange inverted sense of sincerity or honesty about Western Imperialism, where it seems to need to make real its caricatures of the "Enemy" in order to substantiate its worldview and justify its actions. This often makes it hard for me to know what the play (or even the Game) is. The US Empire wants world hegemony, sure, but it also can't get too far ahead while keeping the "Enemy" image realistic. It is worth considering how much of this plays out consciously, and to which extent, and in which (controlling or not) elements of society.

Maybe "limited hangout" is the wrong term and overly implies direct strategic action, but there is this need, for the system to work, for things to be in constant conflict, this "Enemy" following you beat for beat, always threatening to surpass you.

In some way, alarming everyone to the realities of mass wholesale spying, when combined with the ability to gaslight, deflect, distort, and invert and invent blame, ends up legitimizing it as a form of necessary or reasonable action. Again, not necessarily a classical "limited hangout" but it has similar normalizing effects.

An interesting thing about Snowden is that he seems to be or have been a pretty run of the mill "US master of the world" type moron, scared of the latest muslim/chinese/russian ideological threat, willing to do anything to stop this (to his mind) legitimate threat, and then had his wordlview challenged by seeing how seeing how the sausage is made. I think he still believes in that greatness and superiority, just doesn't think it's enacted correctly. The base is still rotten.

Some peripheral arguments I've seen made wrt limited hangout are along the lines of:

  • The encrypted services people flock to (like Tor and Signal) are developed by US int and may be backdoored

  • Migration to these services are signs of critical thinking/politicial dissidents/criminal activity, and makes it easy to filter and target those elements of society, even if all you get from those services is metadata (contact webs/networks, times, etc)

  • Having people go to these platforms and use encrypted software gives a sense of false security as the communications data is still being sent through controlled/owned/surveilled entitities, continues to create value for the Empire (data collection and just regular business), and stops true political action -- controlled op basically

  • The encrypted services allows CIA etc to operate covertly more easily, same with crypto to finance operations etc

Things of this nature. It gets a bit inviolved and conspiratorial, but worth considering, if not necessarily as actual strategically implement action, but in the sense that the society shaping effects are still there, and we are clearly far away from freely associating, speaking candidly, organizing politically etc.

Even if directly fighting surveillance through using encrypted, decentralized platforms and so on (all of which I support), is positive change, it still has the potential to neutralize and redirect potential political action due to a sense of achievement and intellectual satiafaction when it can be argued that the fact that a tiny fraction of a percentage of peoplr bother with it just underscores the futility of it.

[–] darkcalling@lemmygrad.ml 1 points 7 months ago

Too many if's to my mind for my thinking personally. They can't control everything. If I was a ghoul and was presented with this speculative limited hang-out plan I'd immediately object that they can't assure that some other country or genuine privacy actors wouldn't develop and deploy some run-away popular app or platform that's not backdoored and cause headaches.

As to false sense of security, hardly needed. Look how many people think discord is private and secure and use it to openly do crime, to openly do other ridiculous stuff and get caught with their pants down despite discord never making any claims anywhere that it was e2e. Lots of criminals still don't use these services, it's hardly pushed them onto them entirely. After that encrochat affair that turned out to be a police op many of them are very suspicious of these things as well.

If anything I think doing this would flood their fish in a barrel strategy with unwanted fish. Before this came out who used strong encryption privacy services? Pedophiles, terrorists, some small amount of political dissidents, criminals, a handful of extreme privacy practitioners and info-sec experts and followers. Who uses these services now? The above plus little Johnny who heard something about spying and is afraid of someone telling his mom he's looking at pictures of naked women online. The above plus some corpo guy doing minor uninteresting white collar crime who thinks the extra precautions are worth it. And on and on. In other words I think if the goal was a watering hole attack type thing to get interesting types all they've done is pollute it with more noise.

I just don't see them going out of their way to sabotage the police in the way they have because even if all the major privacy services are backdoored or ops, the police still can't get them with warrants whereas before they could. Before the police could get certain zucker-book chat data, not so much anymore now that they turned on chat encryption for some of their services. The only way I could see this making sense is if they want to use it as a part of a push to regulate and outlaw encryption entirely, to push up criminal use of these services even incidentally and get a push to bring them all under control but that's also an if and as we see as of yet 10 years later that hasn't materialized.

The chilling effects argument is the only other one besides the encryption accelerationist one I think that has real merit, if they thought silencing and intimidating the populace was important given rising tensions I wouldn't be shocked. Though the problem I have with that is why expose everything? Why expose the hardware implants via mail intercept in Cisco devices shipped to China when blowing that has nothing to do with letting Americans know of US metadata collection programs like Prism which are spying on them? That's blowing a major foreign intelligence op and not just that making it so other countries you could have spied on won't trust to buy these things from you given your past behavior constraining your future actions as well.

[–] Aria@lemmygrad.ml 2 points 7 months ago

Really wish they would've named all the compromised libraries.