Just yesterday I was trying to get a bot working on the TextSecure platform. A vastly disappointing experience: almost not existing libraries, sparse and incomplete documentation, unstable protocol breaking without any kind of notice (<a href="https://github.com/JavaJens/TextSecure/issues/6" rel="nofollow">https://github.com/JavaJens/TextSecure/issues/6</a>, for example). And still no way to register without a phone, which would be amazing for this kind of project: <a href="https://github.com/WhisperSystems/TextSecure/issues/1085" rel="nofollow">https://github.com/WhisperSystems/TextSecure/issues/1085</a><p>I think Telegram is succeeding in what TextSecure is failing: attracting a widespread community of developers. This is only a confirmation, in my opinion.<p>EDIT: and, by the way, while Telegram security is no good, I wonder why we cannot have both (security & developer-friendliness)
I briefly looked at Telegram's crypto code a couple months ago. Here's a few funny things I spotted:<p>Telegram's message format uses ambiguous padding, so they have to try all padding lengths when validating a message:
<a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L346" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a><p>That loop leaks timing information, as does the "Utilities.arraysEquals" method it uses. I'm not sure if it opens up a timing attack, but it's suspect:
<a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/Utilities.java#L283" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a><p>There is another spot where they pad with zero bytes without any authentication. This may leave room to mess with the protocol:
<a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L261" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a><p>There are also some weird things throughout the code, like using SecureRandom.nextDouble() all over:
<a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/android/SecretChatHelper.java#L1531" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a>
<a href="https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/src/main/java/org/telegram/messenger/HandshakeAction.java#L164" rel="nofollow">https://github.com/DrKLO/Telegram/blob/master/TMessagesProj/...</a>
I've beeing developing this <a href="https://github.com/yagop/telegram-bot" rel="nofollow">https://github.com/yagop/telegram-bot</a> for a year. Currently most Telegram Bots uses my proyect for building bots.<p>Now it's deprecated and I'm really sad about that.
OT:<p>Awesome, great, APIs are good.<p>Know what's better? Open specifications and federated services. It's called XMPP and if it's not enough, then something better should be developed.<p>Is this the replacement of SMS? Not sure what people would have thought at the time if they could not send SMS to other mobile carriers. It saddens me even more to see public institutions moving their SMS infrastructure to the new 'carriers'.<p>Protocols are not a new thing. Let's not go back to the time were computers could not talk to each other.
This is nice, but I really wonder why they don't focus on more important things. For example this issue I opened over a year ago, asking them to use end-to-end encryption by default and for group chats: <a href="https://github.com/DrKLO/Telegram/issues/156" rel="nofollow">https://github.com/DrKLO/Telegram/issues/156</a><p>Probably because features are more important than security, sigh.
> Telegram is about freedom and openness – our code is open for everyone, <i>as is our API</i>.<p>Open <i>for usage</i> I guess. It's a pity that the API (and server) source is still closed. The Bot Platform is a cool initiative anyways, so good luck!
Telegram is not truly open source. They utilize a pre-compiled library for the actual messaging code, as seen here:<p><a href="https://github.com/DrKLO/Telegram/tree/master/TMessagesProj/libs" rel="nofollow">https://github.com/DrKLO/Telegram/tree/master/TMessagesProj/...</a><p>They would like to have you believe otherwise through their PR efforts, but I wouldn't trust them simply on the fact that they claim they are open source when they are not, and it's not clear what's going on in that binary lib. If they never claimed to be open source in the first place, it would be a different story.
I believe this an amazing move by Telegram. I firmly believe that open platforms tend to win in the long run.<p>Whatsapp should take the hint and open up their platform for developers... Curiously I was thinking about building bot-based services on their platform (largest user base in my country), but basically gave up after seing how closed they are to any initiative like this. Felt even worse after reading things like this: <a href="https://twitter.com/gcmartinelli/status/605776036358291456" rel="nofollow">https://twitter.com/gcmartinelli/status/605776036358291456</a>
Telegram is really cool. I have long thought about what additions and modifications I could make to my mobile texting program. Now I have to convince all my friends to move from Whatsapp.
Great news ! Check out Github bot for sure people . I am already in love ! This feature is making me remember my own simple telegram bot that helped me to convey 1000 Happy birthdays to my friend in 15 mins. <a href="https://gist.github.com/scriptnull/7877b404f33de2b7445a" rel="nofollow">https://gist.github.com/scriptnull/7877b404f33de2b7445a</a>
I woke up one night with the idea that if WhatsApp allowed API integration, it would so awesome : you could message DHL or UPS with your waybill tracking number, and they could push updates to you.<p>More interestingly, the WhatsApp text box then effectively becomes a REPL shell to a remote API : you could ask for stopping updates, updates only once a day, etc; If the remote server implements a DSL, you could do a LOT.<p>The possibilities were endless and exciting.<p>But I have a feeling WhatsApp / their new owner are going to just let the opportunity pass by. If anyone at FB is reading this : guys, Business integration with WhatsApp is where the next $250 billion is. That's how FB will get a permanent, maybe even irreversible, grip on mobile. Imagine every service business providing updates via WhatsApp by integrating with their backend.
All the comments on this news item made me really want to try this out and see how it works.<p>I downloaded and installed the desktop version. Created an account with my phone number (okay: if I ever lose my phone, I'll permanently lose access to my account!).<p>I see how to add contacts. I need their phone number. I don't know my friend's numbers. We use facebook, xmpp, email, lots of shit, but nobody still relies on SMS nowadays, and my phonebook is literally under 10 entries long (and I'm sure mum and dad won't be using Telegram).<p>This reliance on old networks really kills it for me. IMHO, linking an account to a device that <i>can</i> get stolen or lost is also something I'll never really understand.
Telegram is the company that ignores proven crypto standards, rolls their own crypto without any verification or audit, then offers a $200k bounty to "break" their crypto by requiring developers to work with an arm tied behind their back by reducing the types of attacks that could be made in the real world.<p>Seems MTProto is the same as its always been<p><a href="https://news.ycombinator.com/item?id=6931457" rel="nofollow">https://news.ycombinator.com/item?id=6931457</a><p><a href="http://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest" rel="nofollow">http://www.cryptofails.com/post/70546720222/telegrams-crypta...</a>
I really like that they embrace HATEOAS, e.g., "what can this bot do?", even though the API might not be strictly RESTful (they call it an "HTTP-based interface").
Can telegram be considered safe? I looked at eff's guide to secure chat earlier today and was quite confused that it seeming,y scores full marks and not-full marks.<p><a href="https://www.eff.org/secure-messaging-scorecard" rel="nofollow">https://www.eff.org/secure-messaging-scorecard</a>
I've always been surprised something like this never really got going. I think the issue here is that it needs to be on message platforms that people actually use (iMessage, WhatsApp, Gchat, etc). Is it really not possible to hook in to those platforms?
Create you own bot with Node.js!
<a href="https://github.com/orzFly/node-telegram-bot" rel="nofollow">https://github.com/orzFly/node-telegram-bot</a>
I made a simple bot plugins based in Node.js.
<a href="https://github.com/dlion/smagenBot" rel="nofollow">https://github.com/dlion/smagenBot</a>