Radsoft
 About | Buy | News | Products | Rants | Search | Security
Home » News

Telegram

Their sensitivities and standard cautions may not be the same as yours.


Get It

Try It

Telegram's all the rage right now. As it should be. Big Media, especially Big Social Media, has completely collapsed. Engineers are fleeing Facebook and other PFY Silicon Valley giants, and consumers are understandably fed up with the authoritarianism they've seen. But is Telegram the answer?

Telegram is a Russian startup. So far so good perhaps. But how does it work?

Most importantly, Telegram forces you to uniquely identify yourself. It's not like Jabber where you can use any identity you want, move from one Jabber server to another, and maintain almost complete protection save for 'man in the middle' attacks that comb your connection metadata instead.

But beyond that? Good question. Introducing Tracker.

Tracker



Utilities similar to Tracker are found on other platforms - Radsoft's E3 Security Kit works with a standalone tracker - but they're too rare. The blissful ignorance of even more sophisticated users is awful.

Tracker tracks what happens when you run an application. That's what we're going to do here, on Apple's OS X, but the results should be similar to what's found on other platforms. As for what happens on mobile platforms: heaven help you. For you'll have no chance to see anything. You'll be completely controlled.

All that's done is the Telegram application is launched and immediately exited. And then we take a peek at what happened.

But there's more to this exercise than just the possibility and magnitude of destruction. There's what's actually found in the ginormous remnants left behind. And again: nothing is actually done. Telegram is simply launched. Nothing else. Thus many questions have to be asked, and the Telegram people - wherever they are - have to answer them.

The FLCCC famously opened an account on Telegram, but they can't be expected to know the ins and outs of this area of expertise. Still and all, they should have been able to contact someone who did know.

Likewise, RT.com now openly pimp for use of Telegram, and, although they can oftentimes be trusted, this is perhaps an example of another type of recommendation on their part.

Telegram is a potential privacy threat.

The App-Zappers



'The utility that Apple forgot', began the tagline for AppZapper, the first of a number of flashy but functionally lacklustre applications that netted their vendors millions. And all they did was Kindergarten spelunking for associated files. They missed the true signs of damage. The below article shows just what deception was at work.

The OmniFocus Project
https://rixstep.com/4/2/20100529,00.shtml

A followup is here.

The OmniFocus Project Revisited
https://rixstep.com/2/20200106,00.shtml

No, true tracking demands one check timestamps for all possible files in all possible directories. FreeBSD Unix today admits of four timestamps: Accessed, Created, Changed, and Modified. The Created field on Apple's OS X is not secure. Only the stamps Accessed and Modified should be influenced by user land, and Changed (inode info updated) only indirectly. But Apple's FreeBSD does stop user land from mucking with Changed as of version 10.4 Tiger, and that's good enough.

And that's what we've done. A screenshot of the Tracker window can be seen above. Its results have been exported as UTF-8 data. Let's look a bit at it now.

Tracker Preamble

Here's the preamble which shows you what was happening.

 Start: Wed Oct  5 23:31:56 2021
  Stop: Wed Oct  5 23:32:41 2021
Target: /Volumes/Telegram/Telegram.app
 Scans: /Library
        /private
        ~
 Skips: /private/var/db/diagnostics
        /private/var/db/systemstats
        /private/var/db/uuidtext
        ~/Library/Developer

So the session lasted less than one minute. Telegram was run from its external mount. All files in the user home area were tracked, along with two public directories, and in those directories and even one location in the home area some portions were skipped. A total of 4,803 files were logged.

The log includes files that were either accessed, changed, or modified. We don't need to look at the accessed files for this exercise. There were no listings for changed files. The bulk is in the category 'Modified'. Let's look.

The following items stand out right away. This group of items was most likely made by the OS itself.

/private/var/folders/.../C/ru.keepcoder.Telegram
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/3902
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/3902/libraries.data
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/3902/libraries.maps
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/Intel Iris Graphics
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/Intel Iris Graphics/functions.data
/private/var/folders/.../C/ru.keepcoder.Telegram/com.apple.metal/Intel Iris Graphics/functions.maps

Here comes another clunk in the user 'application support' directory. These are created by the actual application.

ru.keepcoder.Telegram
ru.keepcoder.Telegram/com.microsoft.appcenter
ru.keepcoder.Telegram/com.microsoft.appcenter/crashes
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/0.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/1.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/10.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/11.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/12.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/13.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/14.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/15.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/16.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/17.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/18.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/19.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/2.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/20.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/21.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/22.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/23.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/24.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/25.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/26.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/27.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/28.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/29.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/3.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/30.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/31.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/32.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/33.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/34.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/35.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/36.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/37.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/38.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/39.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/4.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/40.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/41.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/42.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/43.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/44.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/45.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/46.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/47.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/48.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/49.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/5.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/50.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/51.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/52.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/53.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/54.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/55.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/56.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/57.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/58.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/59.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/6.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/7.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/8.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/crasheslogbuffer/9.mscrasheslogbuffer
ru.keepcoder.Telegram/com.microsoft.appcenter/Logs.sqlite

65 items for things that haven't even been used. Note: there were no crashes. But the above files were created anyway - on application launch.

Now note the mention of Microsoft. com.microsoft.appcenter? What app centre? And what is Telegram doing with Microsoft technology? Shouldn't users know?

Here comes another clunk.

.../6N38VWS5BX.ru.keepcoder.Telegram
.../6N38VWS5BX.ru.keepcoder.Telegram/stable
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/.tempkeyEncrypted
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/network-stats
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/db
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/db/db_sqlite
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/db/db_sqlite-guard
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/db/db_sqlite-shm
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/db/db_sqlite-wal
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/media
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/media/cache
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/account-11992064173168606851/postbox/media/short-cache
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/atomic-state
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/db
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/db/db_sqlite
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/db/db_sqlite-guard
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/db/db_sqlite-shm
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/db/db_sqlite-wal
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/guard_db
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/guard_db/db_sqlite
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/guard_db/db_sqlite-guard
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/guard_db/db_sqlite-shm
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/guard_db/db_sqlite-wal
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/media
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/media/cache
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-metadata/media/short-cache
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/accounts-shared-data
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/logs
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/logs/critlog-2021-10-6_03-31-58.706.txt
.../6N38VWS5BX.ru.keepcoder.Telegram/stable/trlottie-animations

Another 33 items.

Finally we have the saved settings file ru.keepcoder.Telegram.plist.

These are the key entries. Take a look.

<key>MSAppCenter310AppCenterUserDefaultsMigratedKey</key>
<key>MSAppCenter310CrashesUserDefaultsMigratedKey</key>
<key>MSAppCenterInstallId</key>
<key>MSAppCenterPastDevices</key>
<key>MSAppCenterSessionIdHistory</key>
<key>MSAppCenterUserIdHistory</key>
<key>window_saver_TGUIKit.Window</key>

Sure looks like Microsoft technologies have a lot to do with Telegram.

Conclusions

Can one draw any conclusions from this data? We think we can. When we're dealing with unknowns, suspicion is paramount. It's only when we don't see anything suspicious that we can relax - for a little bit.

Telegram isn't peer-to-peer. (Neither is Signal which Snowden likes.) All your data goes through their servers.

Telegram's domain t.me can redirect to telegram.org. The Telegram messenger network is registered in Great Britain.

inetnum:        149.154.164.0 - 149.154.167.255
netname:        Telegram_Messenger_Network
country:        GB

The owner is registered in the BVI.

person:         Nikolai Durov
address:        P.O. Box 146, Road Town, Tortola, British Virgin Islands

The name 'Telegram Messenger Amsterdam Network' is registered with an AS.

descr:          Telegram Messenger Amsterdam Network
origin:         AS62041

Further info on AS62041 is found here.

https://ipinfo.io/AS62041

TELEGRAM.ORG, unbelievably enough, is registered with GoDaddy. And its name servers are run by - Google.

Domain Name: TELEGRAM.ORG
Registry Domain ID: D103450826-LROR
Creation Date: 2003-12-15T14:48:05Z
Registrar: GoDaddy.com, LLC

Name Server: NS-CLOUD-B1.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-B2.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-B3.GOOGLEDOMAINS.COM
Name Server: NS-CLOUD-B4.GOOGLEDOMAINS.COM

Pavel and Nikolai created VK, then went on to create Telegram. Millions upon millions use VK and Telegram, and they like them. Nothing here should be construed to imply that there's anything suspicious about the Durov brothers. On the contrary. But their sensitivities and standard cautions may not be the same as yours.

Pavel's wealth is mostly due to Telegram. He's listed by Forbes as one of the richest in the world.

https://www.forbes.com/profile/pavel-durov

Telegram gained 70 million users during the 4 October Facebook BGP outage. See here.

There's more on Pavel here at RT.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.