And E2EE is only available on phones, circa a couple of years ago anyways

Telegram’s servers are located in US, Singapore, Netherlands (and maybe some other countries) from what I’ve gathered. And all chats that are not E2EE’ed are stored there, encrypted at rest at best with keys in the same database, or somewhere else that can still be accessed in automated way. Maybe it is not even encrypted at rest.

The point is, all those countries are either in 5 eyes or have information sharing agreements with 5 eyes countries. So as far as I’m concerned, TLAs can still have their fingers in those pies, in addition to Telegram’s overall shadiness and Russian ties. So maybe you get KGB strongman keeping a watch over your chats too.

This is not something I’d have much confidence in to be honest.

Switch to Telegram

You know it’s not even E2EE by default, and when it is it uses a homegrown algo that is not exactly well spoken of? (at least V1)

It is reasonable yet subpar under a threat model where you do not trust any single provider, which is a model I find appropriate most of the time.

You should not assume your password manager is unhackable.

That’s my main point. Perfect is an enemy of good indeed, but I feel that doing things properly the first time is a good idea in general, especially when it as easy as using a different app for your TOTP tokens. It’s a low hanging fruit really.

Please don’t use your password manager for TOTP tokens. It is called two factor authentication for a reason.

Until next time they try to push through something similarly stupid. Now it’s EU’s turn to make their mind too.

As a rule of thumb, do not put all your eggs into one basket. No software is infallible and vulnerabilities can be uncovered and exploited in both open and closed sourced applications.

That’s being said, as long as you don’t store all information necessary for a successful login in your password manager, you should be fine.

So storing credentials for your bank account is fine, as long as it is also protected by MFA and you do not use the same password manager for handling that.

You can store PIN codes from your debit cards in the password manager as long as you do not store card number / expiration / CVV2 there too.

Personally, I keep passwords in a password manager, MFA tokens in a separate authenticator, MFA recovery codes go to FIPS 140-2 certified encrypted USB sticks (3 separate copies). I do store debit card PIN codes in my password manager, but only alongside the last 4 digits of the card number.

Type hints are cool. Runtime enforced type hints are cooler.

https://github.com/beartype/beartype

I’ve never heard of that project, looks pretty cool! To be clear, I do not say that “one guy” cannot possibly make great software. Passion projects are a thing. What differentiates them from the Abode situation, in my opinion, is that passion projects rarely have strict deadlines and paying backers who expect software that is Adobe-level in terms of quality and polish in a roughly 1 year.

I’m highly sceptical of this shipping in a state that can compete with Adobe at the end of it all. The branding itself is asking for trouble, which is just plain stupid if you are serious about long-term and sustainable development of the whole suite, and 180k is not enough to even put together a competent alternative to Illustrator, not to mention Photoshop and InDesign.

And before people start claiming that you can fund this by outsourcing to Eastern Europe / India etc, please bear in mind that you usually get what you pay for. A competent developer with enough experience to actually make this happen won’t come cheap, and opportunistic juniors with big ambitions won’t deliver.

I wish this project all the luck it can get, but I’m personally banking on Graphite and Inkscape from the FOSS world and Affinity suite from (as of yet) less corpo commercial offerings.

Done

The last paragraph doesn’t have to be a problem though

It is not yet, but the trajectory implies it may become a problem down the road. We’re, sadly, living this decade, where you can no longer ignore where a certain service is heading and how it monetises itself.

Mandatory “don’t put Signal and Telegram in the same sentence” notice. Not to be a snob, but Telegram is not “secure and private”, all chats are not end-to-end encrypted by default, everything is stored on Telegram’s servers with “forever-ever” retention. The end-to-end encryption is opt in, uses a dodgy encryption algorithm and has some limitations in terms of who you can contact and from what device etc.

Telegram is owned by Pavel Durov who also created the largest Russian social media platform VK, which later was overtaken by Russian state as a tool for crowd control and propaganda. Even if we assume that Pavel no longer has any ties with Russia and its “government”, his biography should still raise at least some questions around whether one should trust Telegram.

And finally, Telegram seems to be going the “everything app” route lately, which makes it a one stop shop of personal communication, public channels, news, bots, stories etc. (you name it). While it is not a bad thing in objective terms, these features are not built with privacy in mind, as that would pose quite a technical challenge. This means that Telegram’s privacy and security will only be sacrificed more and more to get more of the social features out of the door.

/rant over/

The enshittification of the internet shall continue.

We will fight and we will lose, as depressing as it sounds. The vast majority of people just don’t and won’t care.