
'Hush,' anonymous messaging app from developers in Myanmar - ngamau
http://www.globalpost.com/article/6529176/2015/04/26/myanmars-new-anonymous-messaging-app-kind-revolutionary
======
zmanian
It would be awesome to see more technical discussion of the anonymity
mechanism.

How do you ensure that users' accounts are not linked to Personally Identifying
Information?

We've seen that when folks implement weak anonymity technologies, disaster
quickly ensues.

~~~
swanhtet1992
Hi, great point. Currently, users have to use their phone numbers to login.
However, the user's phone number is encrypted in the db.

To ensure that everyone's comfortable with it, we're adding a new feature
which doesn't require the user to login.

~~~
tyho
This worries me. What exactly do you mean by encrypted in the DB?

If you actually mean hashed using a one-way function, it would be very easy to
hash every possible phone number (there are not that many) to build a lookup
table to deanonymise your users instantly. Even if you individually salt each
hash it would not take very long at all to find the phone number for each
entry.

If you do mean encrypted, then authorities could compel you to turn over the
database and the key.

Why do you need to store the phone number in any way at all?
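
The hashing point in the comment above, as an added example that is not part of the original comment or of Hush's code: a per-record salted SHA-256 of a phone number is recovered by walking the number space, and a rate estimate shows how long a 10-digit space lasts. The prefix, the 5-digit toy range, the sample record and the hash rates are constructed assumptions.

```python
import hashlib
import os
from typing import Optional

# Constructed toy number space: a fixed prefix plus 5 free digits
# (100,000 candidates) so the demo finishes quickly. Real numbering plans
# are larger but still tiny by hashing standards.
PREFIX = "+00555"   # placeholder prefix, not a real numbering plan
DIGITS = 5


def salted_hash(phone: str, salt: bytes) -> str:
    """Store-side transform: per-record salt plus one fast hash."""
    return hashlib.sha256(salt + phone.encode()).hexdigest()


def recover(stored_hash: str, salt: bytes) -> Optional[str]:
    """Whoever holds the DB row (hash + salt) can walk the number space.

    The salt defeats a shared lookup table, but it is stored next to the
    hash, so each row still costs at most 10**DIGITS hash operations.
    """
    for n in range(10 ** DIGITS):
        candidate = f"{PREFIX}{n:0{DIGITS}d}"
        if salted_hash(candidate, salt) == stored_hash:
            return candidate
    return None


def seconds_to_exhaust(digits: int, hashes_per_second: float) -> float:
    """Worst-case time to try every number with `digits` free digits."""
    return 10 ** digits / hashes_per_second


if __name__ == "__main__":
    salt = os.urandom(16)
    row = salted_hash(f"{PREFIX}04217", salt)   # constructed sample record
    print("recovered from hash + salt:", recover(row, salt))
    # Assumed rates for illustration: 1e6 H/s and 1e9 H/s.
    for rate in (1e6, 1e9):
        print(f"10 free digits at {rate:.0e} H/s: "
              f"{seconds_to_exhaust(10, rate):,.0f} s per record")
```

The design consequence is the one the comment ends on: the only phone number that cannot be recovered from the database is one that was never stored.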

~~~
derpleplex
Perfect security does not currently exist. A trusted source must store the
information somewhere, to authorize and validate users without spreading that
information elsewhere.

You can't get around this problem unless you invent magic psychic computers.
What is the point in finding every possible flaw with security here? There is
a gradient of complexity, the time it takes to break these things. Currently,
everything that exists is susceptible to being broken, misused, or modified.

If you assume that your attackers know everything, and have the ability to
immediately find and apply that knowledge, then yes, it can seem scary. But I
tend to think that the more capacity a person has to do, it's really just a
bigger intellectual burden.

~~~
mc808
So it sounds like messages are associated with accounts, and accounts are
linked to phone numbers, and those phone numbers are easily recoverable from a
centralized database. If that's accurate then it's not simply imperfect
anonymity. It's not even pseudo-anonymous. It's about as _not-anonymous_ as it
gets, which is fine for a casual messaging/chat app where no anonymity is
expected. But users should not be misled into thinking it's safe to use it for
anything they wouldn't say to a government official's face.

~~~
derpleplex
You are right, I was reacting to a pattern of argument, which is not the point
that I should have been focused on. That creates more noise over more
important issues.

------
rdl
This is amazing (that someone is doing this). If there's anything the global
tech community can do to help this team, I suspect it would be freely
available -- anything to make Myanmar people better able to communicate safely
is a huge win.

------
ape4
I got autostart video and audio ads that you can't pause :( And they repeat.

~~~
yemyat91
Hey, I think you downloaded the wrong app. The article somehow is linked to a
wrong website. Our website is [http://letshush.com](http://letshush.com)

~~~
ape4
It was on the globalpost.com site - ie the article.

------
UserRights
How can the source be checked if it is really anon?

------
johnbenwoo
For those intrigued by the state of tech in Myanmar, there was a very
interesting a16z podcast about it -
[http://a16z.com/2014/12/09/a16z-podcast-technology-and-the-o...](http://a16z.com/2014/12/09/a16z-podcast-technology-and-the-opening-of-myanmar/).

------
dheera
Great idea, but I don't get why they are _based_ in Myanmar. This is almost
asking for trouble from authorities. For something whose direct purpose and
sales pitch is to do something that an authoritarian government is against, I
would have based the entire company outside the country.

~~~
knd775
Exactly what I was wondering. What is registering the company in Singapore
going to do when the police/military/whoever come to your door?

~~~
swanhtet1992
Our country is somehow moving to a little good side, we don't really have to
worry about the govt (at least for now 😁).

~~~
notahacker
Do you think most of your users are outside Burma? Your website seems to be
advertising the app in English and Chinese but not Burmese?

~~~
swanhtet1992
Which site are you referring to? If it is www.letshush.com, it is in English
and Burmese.

~~~
notahacker
The article links to a Facebook page for imhush.com which also appears to be a
social network.

Looks like it could be their mistake, unless you are also launching a
different app with public identities.

------
higherpurpose
So is this like some sort of Secretly and Tinder mix?

So then it's not anonymous, only pseudonymous.

~~~
drdaeman
IIRC, those are "partially weakly anonymous". There are no pseudonyms in
Secretly for the "main" posts - they are anonymous, even though the anonymity
isn't even remotely strong. Machine-generated pseudonyms (identicons) are used
only for discussion comments there -- don't know about Hush, though.

Either way, there's nothing revolutionary about this sort of app, but
marketing statements. Anonymous BBSes have been there for decades, and this app has
exactly the same concept except for being a mobile app instead of a website or
desktop one. The only relatively novel part here is location-awareness.

------
aw3c2
Please update the title to "This new messaging app from developers in Myanmar
is kind of revolutionary", the submitted site uses that now. The original was
very misleading.

~~~
ngamau
You can update a title? I didn't realize that was possible.

~~~
aw3c2
Sorry, I forgot "dear mods" :)

