Key points:
Russian-born IT entrepreneur Pavel Durov said that he was “pressured” by the FBI during his stays in America
The US government had wanted a backdoor to Telegram in order to potentially spy on its users, the social media platform’s founder Pavel Durov said in an interview with American journalist Tucker Carlson. The attention from the FBI was one of the reasons Durov dropped the idea of setting up the company in San Francisco, he said.
In an interview published on Wednesday, Durov said that he visited the US several times and even met with former Twitter CEO Jack Dorsey. He was under the watchful eye of the FBI, which made his stays in America uneasy, he said.
According to Durov, one of his top employees once told him that he had been approached by the US government. “There was a secret attempt to hire my engineer behind my back by cybersecurity officers,” the businessman said.
“They were trying to persuade him to use certain open-source tools that he would then integrate into Telegram’s code that, in my understanding, would serve as backdoors,” Durov said. He added that he believes the employee’s account. “There is no reason for my engineer to make up (such) stories.”
Extremely alarming that there is a claim here certain open-source tools act as back-doors for the western intelligence agencies but it makes perfect sense. Engineered bugs in upstream libraries and tools used by tons of commercial and open source software would always get you your best bang for the buck compromising lots of things. Unlike for example the recent xz debacle I expect these are likely much more well hidden and engineered to hide their nature as nothing but mistakes. There are multiple ways to accomplish this from having NSA/GCHQ employees working directly on these projects as core contributors to paying off or blackmailing core contributors.
I expect this particular revelation to likely be ignored by many of the usual privacy people and spaces just because Tucker Carlson (who has grown funnily more hated for interviewing Putin than anything else he’s done among liberals) was the interviewer and of course because Durov is a Russian.
This is an extremely serious issue and unfortunately not many people know about or understand it. Too many still believe that if something is open source then it can’t have malicious code and backdoors in it, but unfortunately that’s just not the case. We already knew that the mainstream platforms and western made hardware all have built in backdoors and co-operate with the intelligence agencies, but that this is now extending to the more fringe alternative platforms and OSS as well is very worrisome.
And there is nothing that guarantees that just because they managed to fend off one attempt at infiltration that no further attempts were already made and maybe even successful. I think that where this is all heading toward is that at some point people for who privacy and security against western governments is essential will have no choice but to use exclusively Russian and Chinese made products. Yes those will undoubtedly have backdoors for their respective states as well, but as long as they do not share their intelligence with the West i frankly couldn’t care less if they know what i’m up to. The main government that you need to be worried about is always the one in your own country, doubly so if you live in the imperial core.
I don’t think FOSS is being targeted in spite of being fringe, it’s being targeted because it powers the internet. It isn’t fringe at all in an enterprise server context, and I think it stands to reason that the gathered data from this kind of source would be significantly more valuable on average than that gathered from end-user desktops. But in turn, so long as there is a legal means for private companies to safeguard their privacy generally against any external actor, there is a significant vested interest in safeguarding FOSS against backdoors. Indeed the xz backdoor was disclosed by an employee of a company whose own enterprise server software product is proprietary.
Totally agree with that. Also good to note that in general it it easier to create a backdoor for FOSS because of the general code availability. For a proprietary product, you’d have to somehow gain access to the closed source, which is harder. Also, many FOSS projects have few maintainers doing a great amount of job for free, so with a bit of social engineering you can pressurise them into accepting code they don’t entirely understand.
On the other hand, many FOSS projects have more than one maintainer, so more eyes watching the code. Also, you have to find a way to conceal the backdoor, so that it can’t be easily identified.
All in all, open-source is certainly better, because you don’t have to blindly trust some company, but there are many factors which come to play in both camps. Ultimately, trust is not the only thing that matters since even a trusted repository can be compromised/hacked. Then you can only rely on fast mitigation of consequences, that is hope that the compromised code hasn’t been there for long.