Telegram is giving away FREE Premium subscriptions! All they need from you is to use your cell phone as a relay to text out their OTP codes! And the recipient of the OTP sees your phone number! What could POSSIBLY go wrong with this deal?

PLEASE don’t use Telegram! I personally recommend Matrix as it’s totally FOSS, you can self host, there are tons of front end clients to choose from. Or even use Signal. I have my own issues with Signal, the fact they don’t allow third party clients, you can’t self-host, they have a proprietary shim in their stack that only they know what it does, they were pushing crypto, etc, but at least Signal is better than this garbage.

  • headroom@lemmy.ml · 62 up, 3 down · 8 months ago

    People in the privacy community need to get over the unrealistic dream that regular people will adopt Matrix when we can’t even get them to use Signal. The only way Matrix will have mass adoption is through getting a lot of corporate clients. Then the workers might choose to use it personally too after being familiar with it.

    • Blaze@discuss.tchncs.de · 24 up · 8 months ago

      Matrix still doesn’t have a multi account client with threads.

      I don’t mind Matrix, but every time I bring this up to a hard core Matrix defender to how the clients are lacking, they don’t have much to counter.

      • AMDIsOurLord@lemmy.ml · 11 up · 8 months ago

        I’m writing a new Matrix client that’s focused specifically on being a Discord-like dead simple experience for professional people – it’s under GPLv3 and written in pure Dart

        Probably will have the first actual release in one to two months – please tell me what you would like in terms of features so I can shove it into my already massive backlog

        • bay400@thelemmy.club · 5 up · 8 months ago

          A client that is basically a ripoff of Telegram would be ideal for me, for what it’s worth

          Main features I like are replies, reactions to messages (also double tap to react with a default emoji), and that view where you can open a chain of replies like it’s its own conversation (I’m assuming this is what is meant by “threading”/“threads”)

          Lastly, maybe the uncompressed and compressed photo/video options if that’s not already a thing

          If it had the above I would probably like Discord style too

          • AMDIsOurLord@lemmy.ml · 3 up · 8 months ago

            Most of that is already covered by an existing Matrix client called FluffyChat too, if you want something right now

            And sure, I mean I never saw any usage in threading but I guess some people really do be liking their threads

      • toastal@lemmy.ml · 1 up · 8 months ago

        Gajim, Dino, Conversations support multi-account clients. Threading doesn’t tend to work the same way tho.

  • elgordino@fedia.io · 52 up, 1 down · 8 months ago

    I imagine SMS authorisation texts are Telegram's biggest single expense, they are for Signal: https://signal.org/blog/signal-is-expensive/

    Telcos know that authentication is about the only remaining use case for SMS and are not going to turn down the revenue stream.

    That said this idea from Telegram sounds absurd. Not least I expect most contracts prevent reselling free SMS’s like this. The security implications have got to be significant too.

    • suppenloeffel@feddit.de · 25 up, 1 down · 8 months ago

      > Telcos know that authentication is about the only remaining use case for SMS and are not going to turn down the revenue stream.

      And it can’t die fast enough, as it’s essentially the same as broadcasting your sensitive information over unencrypted radio.

      Apart from security, phone number based user identification is such a half-assed approach and I still don’t get why Signal wants to die on that hill. It’s inconvenient, yet trivial, for anyone to register a second, third or tenth phone number. With a bit more knowledge and inconvenience, even anonymously. It adds so little.

      • Vash63@lemmy.world · 6 up · 8 months ago

        It’s pretty drastically harder to register 100 phone numbers, especially in your target region, than 100 email addresses. Major spammers and such work with automation across many accounts, this isn’t designed around someone with 10 accounts.

  • sugar_in_your_tea@sh.itjust.works · 35 up, 2 down · 8 months ago

    Wow, that’s super sketchy.

    I’m trying to get my wife to use something decent, and I think Signal is the way to go. It’s focused on P2P communication so it’s a better replacement for SMS and whatnot, but it also has groups so it can also replace MMS. She likes Discord, but I don’t think she’ll be as keen to try out Matrix since she’ll just wonder why I don’t just use Discord.

    • keyez@lemmy.world · 1 up · 8 months ago

      My wife and a few family members use Telegram; it's perfectly fine for using as just a regular chat app. You can join spam or sketchy groups, but if you don't join premium or enable contact access, and are generally smart about using it, etc., you will be fine.

          • sugar_in_your_tea@sh.itjust.works · 1 up · 8 months ago

            Yeah, it looks like a centralized service that behaves like a distributed one. I may even (re)learn Haskell to properly understand it.

            It also looks like it’s intended to be used for applications, so that’s pretty cool too.

    • youmaynotknow@lemmy.ml · 2 up, 7 down · 8 months ago

      My wife knows that if she doesn’t use Session, she needs to call me and hope I pick up. Granted, she only uses it with me, but that’s already a win in my book.

      • sugar_in_your_tea@sh.itjust.works · 6 up · 8 months ago

        IDK, forcing someone to use a certain app to contact you seems a bit extreme, and something that could cause conflict in a relationship. But that’s just me, I obviously don’t know your situation.

        • youmaynotknow@lemmy.ml · 1 up, 1 down · 8 months ago

          Could be the case. But we agree that she doesn’t have to use it if she doesn’t want to, and I don’t have to use any of the mainstream stuff if I don’t want to. We trust each other to no end, to the point that our biometrics are in each other’s devices, and we leave them lying around regularly. I can see how that could be a sure way to bring issues into a relationship, but thank God, that’s not our case. As for other people, I couldn’t care less. My kids have no access to devices yet (except their Linux PCs built by themselves), so all is great in my life.

          • toastal@lemmy.ml · 6 up · 8 months ago

            My girlfriend said she prefers it knowing I couldn’t get other girls to talk with me over XMPP 😂

          • sugar_in_your_tea@sh.itjust.works · 2 up · 8 months ago

            Cool. I mostly wanted to warn others in case they tried to do this without the proper consent.

            My kids also only use Linux PCs (mine, they’ll likely get their own when they get older), have no personal devices, etc, though we’re getting close to the point where they’ll want them. I also refuse to use any of the mainstream stuff, and I try to persuade my wife to use it too.

            • youmaynotknow@lemmy.ml · 1 up · 8 months ago

              I appreciate the thought. Each of us should do what we can while making sure it’s not detrimental to our lives in any way, shape or form. We’ve been married almost 14 years now, and I’ve been asked by some guys sometimes if she was my girlfriend by the way my wife and I treat each other. This comes from being fully open with each other, and both of us willing to go over every disagreement with research and evidence only. This has led to her moving her password manager to my self-hosted Vaultwarden, her getting Yubikeys and me having Signal on my phone’s secondary profile to send/receive messages and info to/from her side of the family. You have the right idea, probably more spot on than my ideas, for sure. From what you say, I think you’ve struck a better balance than I have.

              As for my kids (10 and 8 years old right now), my boy wanted a PC when he was 5 nearing his 6th birthday (2 years ago), he told me that he wanted his gift to be a PC. So we went out over the course of 2 months or so to buy each of the parts. The day before his BD, which was a Saturday, he had to put it all together (under my supervision and directions, of course). It took him 12 hours 😁. He chose ZorinOS (against my better judgment) as his OS, and I walked him through the whole process of installing, from downloading the ISO to final first boot (that was on his birthday, almost 4 more hours 🤣). Totally worth it.

              My daughter was 7 going on 8, and when she saw that she asked me for the same for her BD. Same process, only with her it took just short of 10 hours for the whole thing, and she chose PopOS. But in my boy’s defense, at those ages boys do tend to be lazier than girls, and take more breaks, plus he was 2 years younger. My mother-in-law wanted to murder me, saying it was abusive. But my kids now know the basics of building a PC. The gift is not the computer, but the knowledge. I think every nerd with children should do the same (keep the geek going for generations, lol).

  • Detective'@slrpnk.net · 18 up · 8 months ago

    Man this is so scuffed! Offering free subscriptions in exchange for using your personal phone as a relay for OTP codes is a recipe for disaster.

    • Possibly linux@lemmy.zip · 4 up, 9 down · 8 months ago

      XMPP doesn’t support modern features and the protocol is older than some of the people here

      • wildbus8979@sh.itjust.works · 7 up · 8 months ago

        Define “modern features”?

        HTTP is old too, what’s your point? It gets constant updates via XEPs, and currently runs: WhatsApp, Messenger, Zoom, iMessage, and more. It’s perfectly capable. And offers federation out of the box.

        The single reason XMPP died off in the tech crowd is that Signal killed it.

        • d2k1@feddit.de · 2 up · 8 months ago

          I was wondering about that the other day. Why did Jabber/xmpp not evolve further into the mainstream? For a while there were multiple good-enough clients and running ejabberd was not very difficult. I thought it would become ubiquitous (and in a way it has, just not interoperable), and the clients would evolve to become great. Instead it feels like the whole ecosystem kinda just faded away.

          I remember why we switched away from Jabber (running ejabberd) in our company: the biggest issue was no server-side history, so using multiple clients on multiple devices was basically impossible, just like MUCs without history to browse and search were useless for our use cases. Has that gotten better over the last 10 years?

          We switched to self-hosted Rocketchat, which sucks in many, many ways but feature-wise it offers everything we were missing from xmpp.

          • wildbus8979@sh.itjust.works · 1 up · 8 months ago

            Prosody is also a great server with a ton of functionality.

            For the tech crowd I think Signal was just very enticing as it was easy to convert non techies with smart phones. That’s the discovery argument, but I find that point moot since a properly configured setup should allow one to use the same address as one’s email address for XMPP (much like gtalk). Now Signal claimed to have social graph anonymity, but for the longest time that was not true at all for a state sponsored adversary (it has technically improved but I’m not 100% sure that is true in practice).

            There is a XEP for server side history, it’s been around since 2012: https://xmpp.org/extensions/xep-0313.html

  • rdri@lemmy.world · 15 up, 2 down · 8 months ago

    > What could POSSIBLY go wrong with this deal?

    No jokes, I’d like to know. How is it different from sending sms to random numbers?

      • rdri@lemmy.world · 6 up, 1 down · 8 months ago

        No but what exactly stops anyone from doing that? A privacy consideration? I’d think it’s just a waste of time at best.

    • Mubelotix@jlai.lu · 2 up · 8 months ago

      The issue here is that you could potentially read the content of a 2FA SMS that wasn’t intended for you. It makes it easy to break 2FA if you have many devices

      • rdri@lemmy.world · 3 up, 1 down · 8 months ago

        Logic suggests OTPs are locked to login sessions of corresponding users and also expire. Besides, Telegram would be able to tell if OTPs meant to be sent through you tend to not reach the recipients.

        • Mubelotix@jlai.lu · 1 up · 8 months ago

          Yes but you can login on an account and hope you will be the one selected to send the code

          • rdri@lemmy.world · 1 up, 1 down · 8 months ago

            You mean you can try to guess someone’s number before they get an OTP through you in order to be the first to log into their account?

            Well then you’re also going to need their cloud password in order to find anything worth your effort.

            But anyway this is an improbable scenario, considering how vast the user base is, and if we assume Telegram implemented some precautions.

            Malicious service providers and cloned sim cards pose a much more serious risk if you ask me.
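
Added example, not part of the thread and not Telegram's code: a minimal server-side sketch of the point made in this sub-thread that OTPs are tied to the login session that requested them and also expire. The class and method names, the 120-second lifetime and the three-attempt cap are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed lifetime; the thread gives no figure
MAX_ATTEMPTS = 3        # assumed cap on wrong guesses per challenge


class OtpService:
    """Issues login codes that are only valid in the session that requested them."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # server-side secret for code digests
        self._pending = {}                    # session_id -> challenge record

    def _digest(self, session_id, phone, code):
        # Only a keyed digest of (session, phone, code) is stored, never the code.
        msg = f"{session_id}|{phone}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_login(self, phone):
        """Return (session_id, code). The code goes out by SMS; the session id
        stays with the client that asked to log in."""
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {
            "phone": phone,
            "digest": self._digest(session_id, phone, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return session_id, code

    def verify(self, session_id, phone, code):
        rec = self._pending.get(session_id)
        if rec is None or rec["phone"] != phone:
            return False                      # unknown session or wrong number
        if self._clock() >= rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[session_id]     # expired or locked out
            return False
        rec["attempts"] += 1
        expected = self._digest(session_id, phone, code)
        if not hmac.compare_digest(rec["digest"], expected):
            return False
        del self._pending[session_id]         # single use
        return True
```

Session binding covers a relay that only sees the code in transit; it does not cover the case raised in the replies above, where the relay's owner is also the one who started the login.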

  • SteveCC@lemmy.world · 12 up · 8 months ago

    Reading the discussion here. I’d never heard of xmpp. Probably just never registered as a messaging alternative. Just checked out https://xmpp.org/. Wow! Tons of apps. Even some android apps on fdroid. Guess I’ve got some exploring to do.

  • SteveCC@lemmy.world · 11 up · 8 months ago

    I’d be interested to hear people’s thoughts about Signal and DeltaChat for messaging

    • suppenloeffel@feddit.de · 6 up · 8 months ago

      Signal and DeltaChat, as well as Simplex and some other e2e communication solutions, are adequate from a technical point of view.

      The main issue is always adoption. You can have the most convenient way to safely communicate with people, it’ll be useless if nobody you’re talking to wants to use it.

      So, since Signal is very easy to set up and use as well as the most adopted, it’s currently the best pick for regular conversations.

    • communism@lemmy.ml · 5 up · 8 months ago

      Signal is fine for a drop-in WhatsApp replacement. I use it for chatting to my friends casually. For something you need more security for you could do encrypted emails as that doesn’t require exchanging phone numbers, or ideally just arrange to meet up in-person and discuss things so you don’t leave any kind of digital or paper trail.

        • communism@lemmy.ml · 1 up · 8 months ago

          Obviously you don’t have your phones on you. Otherwise what’s the point of meeting up in person.

            • communism@lemmy.ml · 1 up · 8 months ago

              Not if I don’t need to, like if I need to have a conversation with someone that doesn’t need to be overheard. In any case turning your phone off and putting it in a faraday bag then putting it somewhere relatively noiseproof should be more than enough if you need to bring your phone with you.

    • gaael@lemmy.world · 4 up · 8 months ago

      Been using Deltachat for about a year, so far so good. I dunno how secure it really is (never took the time to check) but it’s been reliable. Multi-device was kinda quirky at first but has gotten better.

    • toastal@lemmy.ml · 4 up · 8 months ago

      Signal is pretty broken. A chat app shouldn’t require a SIM card & an iOS/Android device just to create & maintain an account (too bad Linux or KaiOS users or folks that otherwise don’t want a smart phone). Multi-device setups seem to have issues. The desktop app being Electron is a waste of resources. They still don’t want to support UnifiedPush while highly encouraging you download the app from the Google Play Store & send notification data thru Google-controlled FSM. There’s also the missing history of the server code which probably has something to do with US intelligence injecting code.

      Is it better than a lot of things, sure, but it shouldn’t be put on a pedestal nor seen as exemplary for private chat in UI or philosophy.

  • progettarsi@feddit.it · 13 up, 3 down · 8 months ago

    ok but, why don’t use telegram for this? scammers are everywhere but how is this telegram’s fault

  • Dark ArcA · 13 up, 4 down · 8 months ago

    I think this is a bit panicky… am I going to use it? Nah.

    But also, my phone number has been leaked by plenty of entities… some random person getting a text from it wouldn’t even be that weird considering SMS spoofing. Someone could be using my number for a nasty spam attack right now and I wouldn’t know.