Telegram registration

We used to think of Telegram as a reliable and secure transmission medium for messages of any sort. But under the hood, it has a rather common combination of asymmetric and symmetric encryption. Where's the fun in that? And anyway, why would anyone trust their messages to a third party? TL;DR: inventing a private covert channel out of users blocking each other.

Covert channels

There are many workarounds for transmitting data between two users while avoiding direct contact. You can use middlemen, crypto and steganography methods, broadcasting relay networks, and other extensions of existing protocols. But sometimes it's useful to be able to establish secure contact using only officially documented features. Or, as one might say, to set up a covert channel.

We can see an example of it in the Soviet spy movie "Seventeen Moments of Spring" (this one is, like, really good, try watching it). In it, a flower in the window of the safe house was used to signal whether the spy had failed his mission or not. The flower by itself does not mean anything: it can be there or not, such a symbiosis is a common thing and only tells us about the owner's love for flowers. Only a predetermined interpretation distinguishes the information received by a spy from that received by a random passerby.

In-Window Flower-based channels in Telegram

To organize your own covert channel on the same principle, you'll need only two things: a window and a flower. The window represents an object whose state you can change and others can see, and the flower represents the possible states and a way of changing them.

So what can Alice change in Telegram that Bob can see? Many things, actually: avatars, usernames, last visited time and more. But usually these things are visible to everyone at the same time, which limits the privacy of the dialog: anyone who knows the transition method can read everything Alice sends. Surprisingly, it is possible to get around this limitation without any kind of encryption involved.

I'm blocking you, haha

Every user has their own blacklist, and if the reader has ever been annoying enough, he should have noticed after being blocked that the 'last visited' status of his not-a-friend-anymore changed to 'last seen a long time ago'. The truth is, that user could have been online just a few seconds ago, or even be online right now, but the Telegram API will not send this information to your app anymore. That way, it protects the user's privacy from unwanted people. In exchange, those people can see whether they are blacklisted or not.

So what do seeing a flower and being blocked have in common? Both can be checked at a given moment, which lets you receive one bit of information depending on whether you are blocked or not. Another advantage is the fact that Telegram probably does not store logs of users blocking each other (at most for short periods, for journaling purposes).

Organizing bits

The possibility of sending and receiving bits is fun and all, but we still need to describe the mechanism for using it. Telegram refuses to notify you when you are blocked, so every 'receive bit' action should be initiated by the recipient (let's call him Bob) and not depend on the sender (and she will be Alice), i.e. be independent. It also follows that Alice and Bob should make their requests at the same frequency.

The bit exchange algorithm on every clock looks like this:

  • A checks the bit to send and, if it differs from the previous value, changes the state depending on the value:
    • A -> T: block B if the bit is 1;
    • A -> T: unblock B if the bit is 0.
  • B receives a bit:
    • B -> T: resolve A;
    • T -> B: the information about A that is available to B;
    • B: checks whether the received information has a status in it:
      • B: if it has -> he is not blocked and the bit is 0;
      • B: if it has not -> he is blocked and the bit is 1.

Most modern PCs have good frequency generators (a system clock, for example), so we can synchronize our clocks with them and not use the channel to transmit anything except the message bits. It is only worth noting that Telegram API requests, both (un)blocking and user status resolving, are network calls and tend not to be quick, especially if you are using proxies or a VPN. This produces a limitation: the clock length should be longer than the average response time (since we need to fit one into the other), and that's why our data transmission speed will be limited.

Encoding messages

Texts in natural languages have pretty high redundancy, and messages received with errors will still be mostly readable by a human. And since Telegram is a messenger (ignoring some crazy stuff), we can neglect error correction and limit the transmitted data to simple text messages.

Our channel has extremely low bandwidth, which is why we need to use the most efficient encoding available for the possible messages. Luckily for us, the name of the messenger is a reminder of the times when this problem was a common one.

That's why we, living in the 21st century, will encode our texts with one of the most efficient encodings available to telegraphers a hundred years ago: the Baudot code. More precisely, its final variation, ITA-2, created by Donald Murray to perform fewer API calls on the most frequent symbols of the language.

The only thing left for successfully transmitting a message is to find the boundaries of a transmission session, so that the recipient can find the sent message in the continuous bit stream. Before the transmission starts, Bob is either blocked or not, and his state is not going to change by itself anytime soon. That's why Alice can signal the start of a session by swapping it to the opposite for only one clock. At the successful end of the session, she will unblock him and leave in peace. He, on the other side, will continue to receive zero bits until he decides they are not a part of the message: the Baudot code has no 00000 symbol.

The drawbacks of the method are the practical impossibility of connecting to an ongoing transmission (you can, but it will likely require manual error correction due to the bit shift) and the need to separate null symbols received with errors from the ones that were sent. But these are all implementation problems.

High tech

After several hours spent trying to use an official library for the API, I got tired and wrote everything in Python using the more human-friendly Telethon library. It even has a synchronous-style API, which for some odd reason is rare today. I wrote the ITA-2 message encoding myself, since I found nothing useful on the Internet.

Clock synchronization is done with the system clock (and yes, it sleep()s in between!), since it is precise enough considering that every network API call takes more than a tenth of a second in most cases. The user can set the transmission speed as he wants, but I recommend following the 'no more than a request per second' rule if you don't want to both see errors on the other side and find yourself banned by a flood prevention system. Telegram turned out to be very picky about API usage, freezing my access for a day after even a few simple (successful!) authorization attempts in a row, and just randomly blocking me for flooding during the transmission for an unknown reason. You should always declare your API usage limits, guys.

If a user has decided to use such a weird channel to exchange messages, he should not care about graphical user interface features. And not all systems have one anyway, which is why I wrote my application as a terminal tool. It can both send and receive messages over the channel with the user whose id is given in the command-line arguments, but performs only one operation per launch. Of course, no one limits you to running only one copy of the program at once: to use multiple channels simultaneously in both directions, you just need to run several copies of the same script with different parameters.

Using the stuff

You can read more about using this thing as both a command-line utility and, through its API, a python3 library on GitHub (repository linked at the end). The only problem is acquiring your own API credentials (a simple manual is helpful enough), since Telegram does not allow me to disclose mine, and setting the corresponding values in your local copy of the script. Everything is passed through command-line arguments (except for the authorization part, which by default goes through stdio) and looks like this:

For Alice:                          |       For Bob:
Enter your phone number: XXX        |       Enter your phone number: XXX
Enter auth code: YYY                |       Enter auth code: YYY
Started message transmission...     |       Listening for the message...
---++ ('O', '9')                    |       ---++ ('O', '9')
--+-+ ('H', '#')                    |       --+-+ ('H', '#')
+++++ (1, 1)                        |       +++++ (1, 1)
--++- ('N', ',')                    |       --++- ('N', ',')
--+-- (' ', ' ')                    |       --+-- (' ', ' ')
++-++ (0, 0)                        |       ++-++ (0, 0)
--+-+ ('H', '#')                    |       --+-+ ('H', '#')
-++-- ('I', '8')                    |       -++-- ('I', '8')
--+-- (' ', ' ')                    |       --+-- (' ', ' ')
--+++ ('M', '.')                    |       --+++ ('M', '.')
++--- ('A', '-')                    |       ++--- ('A', '-')
-+-+- ('R', "'")                    |       -+-+- ('R', "'")
++++- ('K', '(')                    |       ++++- ('K', '(')
+++++ (1, 1)                        |       +++++ (1, 1)
+-++- ('F', '!')                    |       +-++- ('F', '!')
--+++ ('M', '.')                    |       --+++ ('M', '.')
--+++ ('M', '.')                    |       --+++ ('M', '.')
Done, exiting...                    |       ----- ('', '')
                                    |       ----- ('', '')
                                    |       Automatically decoded: OH, HI MARK!..

The received message is decoded automatically, but if you want to correct some errors manually or track the progress, you can do it by looking at the command-line output.
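
The framing rules from "Encoding messages" (one-clock start flip, 5-bit symbols, shift codes, 00000 as end marker), run offline on the Bob column of the transcript above. This is an added example, not the author's script: it makes no Telegram calls, the function names are hypothetical, and the code table holds only the symbols visible in the transcript rather than the full ITA-2 table.

```python
# Added illustration: offline simulation only, no Telegram API calls.
# TABLE holds only the symbols visible in the page's transcript
# ('+' = 1 = blocked, '-' = 0 = not blocked); it is not a full ITA-2 table.
TABLE = {
    "00011": ("O", "9"), "00101": ("H", "#"), "00110": ("N", ","),
    "00100": (" ", " "), "01100": ("I", "8"), "00111": ("M", "."),
    "11000": ("A", "-"), "01010": ("R", "'"), "11110": ("K", "("),
    "10110": ("F", "!"),
}
TO_FIGURES, TO_LETTERS, END = "11111", "11011", "00000"


def sender_actions(bits, blocked=False):
    """Alice's side: one entry per clock, None when the state already matches."""
    actions = []
    for bit in bits:
        want = bit == 1
        actions.append(None if want == blocked else ("block" if want else "unblock"))
        blocked = want
    return actions


def decode_stream(samples):
    """Bob's side: samples[i] is 1 if he saw himself blocked on clock i."""
    if not samples:
        return ""
    idle = samples[0]
    if 1 - idle not in samples:
        return ""                            # state never changed: no session
    start = samples.index(1 - idle)          # one-clock flip marks session start
    payload, text, column = samples[start + 1:], [], 0
    for i in range(0, len(payload) - 4, 5):
        code = "".join(map(str, payload[i:i + 5]))
        if code == END:                      # five zero bits: Alice has left
            break
        if code in (TO_FIGURES, TO_LETTERS):
            column = 1 if code == TO_FIGURES else 0
        else:                                # '?' marks a symbol hit by an error
            text.append(TABLE.get(code, ("?", "?"))[column])
    return "".join(text)


# Constructed sample: the Bob column of the transcript, '+'/'-' turned into bits.
TRANSCRIPT = ("---++ --+-+ +++++ --++- --+-- ++-++ --+-+ -++-- --+-- --+++ "
              "++--- -+-+- ++++- +++++ +-++- --+++ --+++ -----")
PAYLOAD = [int(c == "+") for c in TRANSCRIPT.replace(" ", "")]
IDLE_UNBLOCKED = [0, 0, 0, 1] + PAYLOAD      # idle 0, start bit 1
IDLE_BLOCKED = [1, 1, 0] + PAYLOAD           # idle 1, start bit 0
```

Both idle states decode to the same text because the receiver treats the first change from its idle observation as the start bit, whichever direction it goes.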

Outside of Telegram

It is worth noting that such a channel could be implemented over any messenger and/or social network in which one can detect whether one is blocked by other users. Similar interfaces can easily be swapped into the existing code, so if you want to do it, just use my groundwork. Python's low performance (compared to C/C++, the usual choice for such things) will not be a limiting factor, due to the low transmission speed and the API call response time.
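
Seen from the platform side, the channel is one account toggling its block on the same peer many times within seconds, which ordinary blocking does not do. An added example of that check, not from the original article: it assumes a hypothetical audit log of (timestamp, actor, target, action) events, and the sample events, account names and thresholds are constructed.

```python
from collections import defaultdict


def flag_toggling_pairs(events, window=60.0, min_toggles=8):
    """Return {(actor, target): most state changes seen in any `window` seconds}."""
    per_pair = defaultdict(list)
    for ts, actor, target, action in sorted(events):
        history = per_pair[(actor, target)]
        # Only real state changes count; repeated identical actions are ignored.
        if not history or history[-1][1] != action:
            history.append((ts, action))
    flagged = {}
    for pair, history in per_pair.items():
        times = [ts for ts, _ in history]
        best, lo = 0, 0
        for hi in range(len(times)):         # sliding window over sorted times
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_toggles:
            flagged[pair] = best
    return flagged


# Constructed bit stream: a start bit followed by five 5-bit symbols.
BITS = "1" + "00011" + "00101" + "11111" + "00110" + "00000"


def sample_events():
    """Constructed audit log: one clocked sender plus one ordinary block."""
    events, state = [], "0"
    for clock, bit in enumerate(BITS):       # one clock per second
        if bit != state:
            action = "block" if bit == "1" else "unblock"
            events.append((1000.0 + clock, "user_a", "user_b", action))
            state = bit
    events.append((500.0, "user_c", "user_d", "block"))
    events.append((86900.0, "user_c", "user_d", "unblock"))
    return events
```

A sender who slows the clock below the threshold stays under this check, so the window and toggle count have to be tuned against what normal block behaviour looks like on the platform.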

P.S. Special thanks to my passion's unusual love for blocking me

  • Russian version
  • Medium mirror
  • GitHub

Translated from: https://habr.com/en/post/452434/
