To be fair, in a large company, there are usually only about 30 people who are actually good and know what is going on, and hundreds of others who are checking in trash.
Telegram says it has 'about 30 engineers'; security experts say that's a red flag
Submitted 4 months ago by ForgottenFlux@lemmy.world to technology@lemmy.world
https://techcrunch.com/2024/06/24/experts-say-telegrams-30-engineers-team-is-a-security-red-flag/
Comments
Ghostalmedia@lemmy.world 4 months ago
flamingo_pinyata@sopuli.xyz 4 months ago
It’s not even about the quality of individual people. The organizational structure of large companies encourages pointless work.
Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don’t propagate, and even if someone has an idea it’s quickly shut down.
The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.
Sorry for the rant, I currently work in a company like this.
Ghostalmedia@lemmy.world 4 months ago
Yeah. The most secure companies I’ve worked at actually only had a small group of very competent people, who were paid well, treated with respect, and not presented with a lot of organizational or infrastructural red tape.
I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.
If someone tells you more head count = security, I would not consider them an expert.
flames5123@lemmy.world 4 months ago
Maybe I’m just lucky in where I am in a FAANG company, because I’ve only been offered mobility in my job, even directly after a promotion! We encourage work across the organization, but we have like 500 devs in this org.
avidamoeba@lemmy.ca 4 months ago
I see this parroted now and then. Often the people I’ve heard it from are the type of folks who would drastically underestimate the complexity and effort needed to make things. I’ve also seen and worked on codebases made by such folks and usually it ain’t pretty, or maintainable, or extensible, or secure, or [insert fav cut corners here].
snooggums@midwest.social 4 months ago
Even if every employee was equally competent, decision making needs to be consolidated enough that it can be decisive and shared throughout large companies. Complex systems that need to change rapidly gain no benefit from having too many people wanting to make decisions, you only need most of them to be competent enough to complete the work based on the decisions of a small group or the work will end up getting too convoluted and unmaintainable.
There really isn’t a benefit to have everyone understand all of the parts of a large and complex system, if they only have time to work on a portion or to facilitate decisions that take into account the knowledge of the people in the different parts.
maxinstuff@lemmy.world 4 months ago
There’s an aphorism, “give me 10 engineers and I’ll build it in a year, give me a hundred engineers and I can get that down to just five years.”
Magister@lemmy.world 4 months ago
30? Sometimes far fewer, 2 or 3. It’s incredible that some pieces of software used by millions/billions of people have been written and sometimes maintained by 2 or 3 guys.
prex@aussie.zone 4 months ago
frezik@midwest.social 4 months ago
Headline is terrible. The big red flags are that they don’t do end-to-end encryption by default, the servers are in Dubai, and use a proprietary algorithm.
Last part should be clarified further. They didn’t reinvent AES or anything. It’s more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.
I’d still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It’s not as bad as reinventing AES, though.
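Added example, not code from the thread, from Telegram or from any real protocol: a toy illustration of two of the pits frezik alludes to when you compose existing primitives into your own message-wrapping protocol. The encryption step is a counter-mode keystream built from HMAC-SHA256 used as a PRF (a stand-in for a real stream cipher so the example needs only the standard library); keys, nonce and messages are constructed. The first pit is malleability: an unauthenticated ciphertext can be bit-flipped by someone who never sees the key, and the receiver decrypts the altered message without noticing. Encrypt-then-MAC over nonce plus ciphertext, verified with a constant-time comparison, closes that. The second pit is nonce reuse: two messages under the same key and nonce leak the XOR of their plaintexts.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.
    Toy stand-in for a stream cipher; not a recommendation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """nonce || plaintext XOR keystream. Confidential, but malleable."""
    return nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def encrypt_etm(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers the nonce and the ciphertext."""
    body = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt_etm(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time compare: a naive == leaks tag bytes through timing.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return decrypt_unauthenticated(enc_key, body)


def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker who knows plaintext bytes `old` sit at `offset` rewrites them
    to `new` by XORing the difference into the ciphertext. No key needed."""
    i = NONCE_LEN + offset
    patched = xor(blob[i:i + len(old)], xor(old, new))
    return blob[:i] + patched + blob[i + len(old):]


# Constructed keys and nonce for the demos below.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = b"\x00" * NONCE_LEN
MESSAGE = b"transfer 100 EUR to alice"


def demo_malleability() -> bytes:
    """Unauthenticated: the altered amount decrypts cleanly."""
    blob = encrypt_unauthenticated(ENC_KEY, NONCE, MESSAGE)
    forged = tamper(blob, MESSAGE.index(b"100"), b"100", b"999")
    return decrypt_unauthenticated(ENC_KEY, forged)


def demo_etm_detects_tampering() -> bool:
    """Encrypt-then-MAC: the same edit is rejected before decryption."""
    blob = encrypt_etm(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    forged = tamper(blob, MESSAGE.index(b"100"), b"100", b"999")
    try:
        decrypt_etm(ENC_KEY, MAC_KEY, forged)
        return False
    except ValueError:
        return True


def demo_nonce_reuse() -> bool:
    """Same key + same nonce: XOR of ciphertexts equals XOR of plaintexts."""
    m1 = b"attack at dawn!!"
    m2 = b"retreat at dusk!"
    c1 = encrypt_unauthenticated(ENC_KEY, NONCE, m1)[NONCE_LEN:]
    c2 = encrypt_unauthenticated(ENC_KEY, NONCE, m2)[NONCE_LEN:]
    return xor(c1, c2) == xor(m1, m2)


if __name__ == "__main__":
    print(demo_malleability())
    print(demo_etm_detects_tampering())
    print(demo_nonce_reuse())
```

The point is not the toy cipher but the composition: which bytes the tag covers, that the tag is checked before anything is decrypted, that the comparison is constant-time, and that nonces are never repeated under a key. Each of those is a separate decision a home-grown wrapper has to get right, which is why a custom protocol is a red flag even when every primitive inside it is standard.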
awesome_lowlander@lemmy.dbzer0.com 4 months ago
Headline is terrible
They do explain though that given how below average their headcount is, it means they’re likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.
mostlikelyaperson@lemmy.world 4 months ago
They seem to have 0 clue what they are “explaining” though. I don’t know if those engineers are overworked or how (in)competent they are, I don’t even use Telegram. But they apparently do have other non-engineering people on staff, and content moderation and dealing with legal issues aren’t the job of an engineering team.
Manmoth@lemmy.ml 4 months ago
Someone needs to make a browser extension that hides any article with “experts say” in the title
remotelove@lemmy.ca 4 months ago
Experts say that is not possible.
stoy@lemmy.zip 4 months ago
Experts say that hurt their feelings
darklamer@lemmy.dbzer0.com 4 months ago
Someone
We have now selected you to be that person.
arvere@lemmy.world 4 months ago
you can make a custom filter with ublock. I’m not seeing anything with the words trump, biden, us, texas, etc, including us politics related acronyms I have no idea about and that kept popping up 😅
corsicanguppy@lemmy.ca 4 months ago
The security software I maintained had one engineer.
Your move, sec nerds.
maxinstuff@lemmy.world 4 months ago
The count of engineers means absolutely nothing.
Honytawk@lemmy.zip 4 months ago
It does for a bridge, but not for software.
ruse8145@lemmy.sdf.org 4 months ago
No
nao@sh.itjust.works 4 months ago
talking to carlson is a red flag
ForgottenFlux@lemmy.world 4 months ago
[deleted]
henfredemars@infosec.pub 4 months ago
proprietary encryption algorithm
Oh God why would you do this.
mozz@mbin.grits.dev 4 months ago
The quote leaves out the best part.
people have cast doubt over the quality of Telegram’s encryption, given that the company uses its own proprietary encryption algorithm, created by Durov’s brother
knightly@pawb.social 4 months ago
So they can implement their own backdoor
catastrophicblues@lemmy.ca 4 months ago
To be fair: someone somewhere has to make algorithms that we use. I honestly don’t know if Telegram’s encryption is strong or how strong based on their white paper, but I’m interested in an unbiased evaluation.
eager_eagle@lemmy.world 4 months ago
“Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)
good job Remi, that was the main concern lmao
MMNT@lemmy.world 4 months ago
Just use signal ffs.
BearOfaTime@lemm.ee 4 months ago
Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.
Then there’s the seamless switching between devices…which it doesn’t do.
eager_eagle@lemmy.world 4 months ago
don’t have to tell me that, I even donate to signal
corsicanguppy@lemmy.ca 4 months ago
The UAE is a huge concern. Their terms demand they get to see your code. When the vPBX company I worked for tried to get into the UAE, it was a 10mil boondoggle that ended up ruining them.
eager_eagle@lemmy.world 4 months ago
so it’s a concern for the company, not the users, you’re saying?
fmstrat@lemmy.nowsci.com 4 months ago
This journalist writes with the same amount of confidence as ChatGPT.
Imgonnatrythis@sh.itjust.works 4 months ago
Engineer to lawyer ratio is the best indicator of how worried to be. What’s the denominator for Telegram?
sit_up_straight@lemmy.blahaj.zone 4 months ago
telegram isn’t e2e encrypted by default?! that seems like the major concern here.
i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence
XioR112@lemmy.ml 4 months ago
Yes, e2e encryption in Telegram only works in secret chats.
EngineerGaming@feddit.nl 4 months ago
And only on mobile.
accideath@lemmy.world 4 months ago
The regular chats are encrypted though, just with an (encrypted) server in the middle. Telegram also claims in their FAQ that no single person has the power to decrypt, and the keys are stored such that no single government could force them to give up any data.
How far that is true is a different question though.
cy_narrator@discuss.tchncs.de 4 months ago
What if it’s not e2e encrypted because they don’t care? I know a bunch of chatrooms where you can watch recently released paid movies for free, and Telegram doesn’t care.
mal3oon@lemmy.world 4 months ago
Telegram is basically creating its own “internet”, albeit much less secure and private, but it’s undoubtedly really useful for finding dev communities (OSS), support, especially for gray areas like Library Genesis, z-book, a bit like what Aaron Swartz envisioned. The only issue is tying everything to your trust in its leadership not to misuse data, which is kinda laughable.
knightly@pawb.social 4 months ago
I’m still waiting for the furries to switch to Matrix.
Fitik@fedia.io 4 months ago
As a furry, real
southsamurai@sh.itjust.works 4 months ago
Furries are the ones that have escaped the matrix via their fursona
romp_2_door@lemmy.world 4 months ago
that wasn’t a very good movie, especially matrix 5
helenslunch@feddit.nl 4 months ago
Add it to the pile of reasons not to use Telegram.
broken_chatbot@lemmy.world 4 months ago
After a long-running blogpost holywar between Telegram and Signal, I perceive these “security experts” as Signal/Telegram shills depending on their stance
ruse8145@lemmy.sdf.org 4 months ago
There’s never ever ever been a question of which project is more secure, just whether moxie would be able to extract his head from his ass (he did🎆).
dandi8@fedia.io 4 months ago
There are good reasons to dislike Telegram, but having "just" 30 engineers is not one of them. Software development is not a chair factory, more people does not equal more or better quality work as much as 9 women won't give birth to a baby in a month.
pooberbee@lemmy.ml 4 months ago
And lawyers are pretty likely not staff at all.
Rinox@feddit.it 4 months ago
I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.
Badeendje@lemmy.world 4 months ago
30 engineers. You lose half that to people managing the infrastructure alone. That leaves 15 code monkeys. If 2 are dedicated to deployment and 3 to setting up unit tests (that’s not many btw) you are left with 10 people. For a global platform, that’s not many at all.
dandi8@fedia.io 4 months ago
If you have separate developers for writing unit tests, and not every developer writing them as they code, something is already very wrong in your project.
Deployment and infra should also mostly be setup and forget, by which I mean general devops, like setting up CI and infrastructure-as-code. Using modern practices, which lean towards continuous deployment, releasing a feature should just be a matter of toggling a feature flag. Any dev can do this.
Finally, if your developers are 'code monkeys', you're not ready for a project of this scale.
ilega_dh@feddit.nl 4 months ago
15 engineers for managing infrastructure?? Are they setting up servers by hand?
awesome_lowlander@lemmy.dbzer0.com 4 months ago
30 engineers is startup-sized. 30 engineers to deal with the needs of a sensitive software being used by millions worldwide, and is a huge target for cyberattacks? That’s way below the threshold needed.
dandi8@fedia.io 4 months ago
This sounds like the devs are personally, sword and shield in hand, defending the application from attacks, instead of just writing software which adheres to modern security practices, listening to the Security Officer and occasionally doing an audit.
vxx@lemmy.world 4 months ago
I checked, Telegram has 1342 employees.
dandi8@fedia.io 4 months ago
Interesting! Out of curiosity, what is the source? Is there a breakdown per role?