• dandi8@fedia.io · 192 upvotes · 6 months ago (edited)

    There are good reasons to dislike Telegram, but having “just” 30 engineers is not one of them. Software development is not a chair factory: more people do not equal more or better-quality work, any more than 9 women can give birth to a baby in a month.

    Edit:

    Galperin told TechCrunch. “‘Thirty engineers’ means that there is no one to fight legal requests, there is no infrastructure for dealing with abuse and content moderation issues.”

    I don’t think fighting legal requests and content moderation is an engineer’s job. However, the article can’t seem to get it straight whether it’s 30 engineers, or 30 staff overall. In the latter case, the context changes dramatically and I don’t have the knowledge to tell if 30 staff is enough to deal with legal issues. I would imagine that Telegram would need a small army of lawyers and content moderators for that. Again, not engineers, though.

    • Rinox@feddit.it · 10 upvotes · 6 months ago

      I can understand if someone like Google or Microsoft employs lawyers directly, as they have the resources and scale to do so. But someone like Telegram should really not do that. They should use an external legal office when needed. Even keep them on retainer, but definitely not open a legal office inside the company.

    • AwesomeLowlander@lemmy.dbzer0.com · 6 upvotes · 6 months ago

      30 engineers is startup-sized. 30 engineers to deal with the needs of a sensitive piece of software that is used by millions worldwide and is a huge target for cyberattacks? That’s way below the threshold needed.

      • dandi8@fedia.io · 3 upvotes · 6 months ago

        This sounds like the devs are personally, sword and shield in hand, defending the application from attacks, instead of just writing software which adheres to modern security practices, listening to the Security Officer and occasionally doing an audit.

        • AwesomeLowlander@lemmy.dbzer0.com · 3 upvotes · 6 months ago

          They’re not just writing the software, they’re responsible for the infrastructure it’s running on. And keeping that running and secure IS a full time job.

          Right now, you sound exactly like one of those C level execs who looks at IT and asks “We haven’t had an issue in years, what do we need to pay them for?”

          • dandi8@fedia.io · 2 upvotes · 6 months ago (edited)

            Even if you have a full-time role for continuously auditing the infrastructure (which I would say is the responsibility of either a security officer or a devops engineer), you still didn’t show how that needs a 15-person team, and an otherwise-untouched infrastructure should just keep on working (barring sabotage), unless someone really messed something up.

            If CI builds or deployments keep randomly failing at your place, that’s not an inescapable reality, that’s just a symptom of bad software development practices.

      • dandi8@fedia.io · 3 upvotes · 6 months ago

        Interesting! Out of curiosity, what is the source? Is there a breakdown per role?

  • Ghostalmedia@lemmy.world · 91 upvotes · 6 months ago

    To be fair, in a large company, there are usually only about 30 people who are actually good and know what is going on, and hundreds of others who are checking in trash.

    • flamingo_pinyata@sopuli.xyz · 48 upvotes · 6 months ago

      It’s not even about the quality of individual people. The organizational structure of large companies encourages pointless work.

      Internal mobility and cross department collaboration are frowned upon. So you get many people doing duplicate work, new ideas don’t propagate, and even if someone has an idea it’s quickly shut down.

      The only way to achieve anything substantial is to be both: 1. assertive and energetic, and 2. at the correct level of hierarchy. And make no mistake even if you pull a miracle there will be no reward. Maybe a 3% raise at the yearly review.

      Sorry for the rant, I currently work in a company like this.

      • Ghostalmedia@lemmy.world · 23 upvotes · 6 months ago (edited)

        Yeah. The most secure companies I’ve worked at actually only had a small group of very competent people, who were paid well, treated with respect, and not presented with a lot of organizational or infrastructural red tape.

        I’ve worked with teams of 10 that had shit locked down tight, and teams of hundreds who had software that was exploding and getting exploited left and right.

        If someone tells you more head count = security, I would not consider them an expert.

      • flames5123@lemmy.world · 3 upvotes · 6 months ago

        Maybe I’m just lucky in where I am in a FAANG company, because I’ve only been offered mobility in my job, even directly after a promotion! We encourage work across the organization, but we have like 500 devs in this org.

        • flamingo_pinyata@sopuli.xyz · 2 upvotes · 6 months ago

          That’s the correct way to do it.

          The wrong way to do it is: moving to another team requires you to go through the full hiring process. Any lateral movement, for example backend engineer -> frontend engineer, is treated as if you’re a junior starting a completely new career.

    • snooggums@midwest.social · 8 upvotes · 6 months ago

      Even if every employee was equally competent, decision making needs to be consolidated enough that it can be decisive and shared throughout large companies. Complex systems that need to change rapidly gain no benefit from having too many people wanting to make decisions, you only need most of them to be competent enough to complete the work based on the decisions of a small group or the work will end up getting too convoluted and unmaintainable.

      There really isn’t a benefit to have everyone understand all of the parts of a large and complex system, if they only have time to work on a portion or to facilitate decisions that take into account the knowledge of the people in the different parts.

    • maxinstuff@lemmy.world · 8 upvotes · 6 months ago

      There’s an aphorism, “give me 10 engineers and I’ll build it in a year, give me a hundred engineers and I can get that down to just five years.”

    • Magister@lemmy.world · 8 upvotes · 6 months ago

      30? Sometimes far fewer, 2 or 3. It’s incredible that some pieces of software used by millions/billions of people have been written and sometimes maintained by 2 or 3 guys.

    • Avid Amoeba@lemmy.ca · 8 upvotes · 6 months ago

      I see this parroted now and then. Often the people I’ve heard it from are the type of folks who would drastically underestimate the complexity and effort needed to make things. I’ve also seen and worked on codebases made by such folks and usually it ain’t pretty, or maintainable, or extensible, or secure, or [insert fav cut corners here].

  • frezik@midwest.social · 87 upvotes · 6 months ago

    Headline is terrible. The big red flags are that they don’t do end-to-end encryption by default, the servers are in Dubai, and they use a proprietary algorithm.

    Last part should be clarified further. They didn’t reinvent AES or anything. It’s more like a protocol that puts together existing algorithms. It means they can use transport layers without TLS or anything else that wraps your messages in crypto otherwise.

    https://core.telegram.org/mtproto

    I’d still say this is a red flag. How you wrap encryption around your messages has several pits you can fall into. It’s not as bad as reinventing AES, though.
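The "pits you can fall into" when composing existing primitives into your own message wrapper are easiest to see in code. The following is an added example, not code from this thread and not Telegram's MTProto: it uses Go's standard library with constructed, fixed key/IV/nonce values (an assumption made so the run is deterministic) to contrast AES-CBC with no authentication tag against AES-GCM. It demonstrates a generic composition mistake (encryption without integrity is malleable), not a claim about any particular protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed, fixed key/IV/nonce so the demo is deterministic (an assumption for this
// example; real code needs a fresh IV/nonce per message, which is not the point shown).
var (
	demoKey   = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoIV    = []byte("fixed-iv-16bytes") // CBC IV, travels in the clear
	demoNonce = []byte("012345678901")     // 12-byte GCM nonce, travels in the clear
	demoMsg   = []byte("transfer 100 EUR to bob")
)

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := len(b)
	if n == 0 || b[n-1] == 0 || int(b[n-1]) > n || !bytes.Equal(b[n-int(b[n-1]):], bytes.Repeat(b[n-1:], int(b[n-1]))) {
		return nil, errors.New("bad padding")
	}
	return b[:n-int(b[n-1])], nil
}

// The pit: AES-CBC with no authentication tag. Confidential, but every bit is malleable.
func encryptCBC(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func decryptCBC(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// DemoCBCMalleability: an attacker who cannot read the message still rewrites it.
// CBC decrypts P[0] = D(C[0]) XOR IV, so XOR-ing one byte of the public IV flips the
// same byte of the first plaintext block. Byte 9 of demoMsg is the '1' in "100".
func DemoCBCMalleability() (string, error) {
	ct, err := encryptCBC(demoKey, demoIV, demoMsg)
	if err != nil {
		return "", err
	}
	evilIV := append([]byte{}, demoIV...)
	evilIV[9] ^= '1' ^ '9' // no key involved
	pt, err := decryptCBC(demoKey, evilIV, ct)
	return string(pt), err // "transfer 900 EUR to bob", accepted without complaint
}

// The fix: an AEAD (AES-GCM here) binds a tag to the ciphertext. GCMExchange seals
// demoMsg, optionally applies the same one-byte flip (GCM is CTR underneath, so
// ciphertext byte 9 maps to plaintext byte 9), then opens it as the receiver would.
func GCMExchange(tamper bool) (string, error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ct := aead.Seal(nil, demoNonce, demoMsg, nil)
	if tamper {
		ct[9] ^= '1' ^ '9'
	}
	pt, err := aead.Open(nil, demoNonce, ct, nil)
	return string(pt), err // tampered: "" and "cipher: message authentication failed"
}

func main() {
	pt, err := DemoCBCMalleability()
	fmt.Printf("CBC, no MAC:   %q err=%v\n", pt, err)
	pt, err = GCMExchange(true)
	fmt.Printf("GCM, tampered: %q err=%v\n", pt, err)
}
```

The CBC path is the kind of wrapper that looks fine on paper: the key never leaks, yet a man-in-the-middle with no key turns 100 into 900 and the receiver accepts it. Adding a MAC is not optional, and the order in which the MAC and cipher are combined (and whether the MAC covers the IV and any headers) is exactly where hand-rolled protocol layers tend to go wrong; an off-the-shelf AEAD removes that decision.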

    • AwesomeLowlander@lemmy.dbzer0.com · 17 upvotes · 6 months ago

      Headline is terrible

      They do explain though that given how below average their headcount is, it means they’re likely understaffed, overworked, and have zero capacity to respond to intrusion attempts.

      • mostlikelyaperson@lemmy.world · 8 upvotes · 6 months ago

        They seem to have 0 clue what they are “explaining” though. I don’t know if those engineers are overworked or how (in)competent they are, I don’t even use telegram. But they apparently do have other non-engineering people on staff and content moderation and dealing with legal issues aren’t the job of an engineering team.

  • Eager Eagle@lemmy.world · 15 upvotes · 6 months ago

    “Without end-to-end encryption, huge numbers of vulnerable targets, and servers located in the UAE? Seems like that would be a security nightmare,” Matthew Green, a cryptography expert at Johns Hopkins University, told TechCrunch. (Telegram spokesperson Remi Vaughn disputed this, saying it has no data centers in the UAE.)

    good job Remi, that was the main concern lmao

      • BearOfaTime@lemm.ee · 16 upvotes · 6 months ago

        Signal sucks from a UI/UX standpoint, when they dropped SMS support I lost any ability to convince people to switch, and everyone who had already switched left.

        Then there’s the seamless switching between devices…which it doesn’t do.

        • Hellmo_luciferrari@lemm.ee · 10 upvotes · 6 months ago

          Using SMS through signal defeats the purpose of signal…

          The UI is fine, what more do you expect out of it? It has a list of chats, a menu button with menu options, like it’s a messaging app not a social media platform akin to discord or telegram.

  • Josie · 10 upvotes · 6 months ago

    telegram isn’t e2e encrypted by default?! that seems like the major concern here.

    i double checked the ui and i had to create a new secret chat to see any indicator of encryption presence or absence

    • accideath@lemmy.world · 3 upvotes · 6 months ago

      The regular chats are encrypted though, just with an (encrypted) server in the middle. Telegram also claims in their FAQ that no single person has the power to decrypt, and that the keys are stored such that no single government could force them to give up any data.

      How far that is true is a different question though.

    • cy_narrator@discuss.tchncs.de · 1 upvote · 6 months ago

      What if it’s not e2e encrypted if they don’t care? I know a bunch of chatrooms where you can watch recently released paid movies for free, and Telegram doesn’t care.

  • broken_chatbot@lemmy.world · 7 upvotes · 6 months ago

    After a long-running blogpost holywar between Telegram and Signal, I perceive these “security experts” as Signal/Telegram shills depending on their stance

    • ruse8145@lemmy.sdf.org · 1 upvote · 6 months ago

      There’s never ever ever been a question of which project is more secure, just whether moxie would be able to extract his head from his ass (he did🎆).

  • rob200@lemmy.cafe · 3 upvotes · 6 months ago

    There was a post about this on Lemmy a while ago. I’m not sure which specific community it was, I’m subscribed to a few tech-related ones, but it was at least a week or 2 or more ago about this same story.

    I do agree that there should be more workers than 30 on one of the most known encrypted messaging apps.