I found a 1-click exploit in South Korea's biggest mobile chat app (stulle123.github.io)
353 points by stulle123 9 months ago | 265 comments



Source: I live in SK

For some context, you can't live in South Korea and not use Kakao, even your grandma has it.

So the fact that they have so many holes in their security is a cause for concern.

Your grandma isn't going to know a fishy link when she sees one, especially with this exploit where the domain looks legitimate.

A contributing factor is the hierarchical work culture in Korea. Your boss gives you a deadline for a feature which is treated as non-negotiable, so you cut corners to get it out. Your boss can't 'see' security vulnerabilities, but can see a UI. So you get told "good job" and then get given the next unachievable deadline.

This all amounts to an app full of security holes, and until Kakao stock drops because of it, they're not going to address it.


I actually don't use KakaoTalk (or LINE or Facebook, to be comprehensive) even though I'm Korean. That does make me some kind of weirdo, but enough services have an SMS fallback that I can live without it.

On the security side though: I don't think it is work culture at play, because major IT companies in South Korea---often referred to by the initialism 네카라쿠배, for Naver, Kakao, LINE, Coupang and Baemin operated by Woowa Bros---are known for much better work culture and higher compensation than the national average [1]. It is probably more that these apps are domestic and hadn't been scrutinized enough compared to globally popular apps.

[1] But still lower than US or even some Korean startups in my experience.


I'm also a Korean, and I've been getting on without KakaoTalk for two years. But I've never met any other Korean personally who doesn't use it.


It was the same in other places. It's only a matter of time.

South America and most of Africa were taken over by Metabook WhatsApp. You can't even schedule government appointments without one (which then requires a mobile phone number, which then requires all the data each government requires for a mobile phone SIM purchase).

Europe requires SMS plus an Apple/Google validated app and a stock phone. You can't access most EU or EU Commission or local government services without it.

But it all started with "it's fine, I still have X fallback working". But we only cry about China's dystopian techno state...


> Europe requires sms plus a apple/google validated app and stock phone.

Which European central government services require you to use an online service or app, with no voice, paper or in-person fallback? I can think of one in the UK - my council's resident's parking permit system.


The UK is not even in the EU...

Try the SSO solution for all things EU Commission for starters:

https://webgate.ec.europa.eu/cas/login

You have the option of two badly coded apps, which refuse to run on Android without a stock ROM and Google Play Services. It gatekeeps both internal services as well as access to public grant offers and financial help.

It used to accept SMS, and it still shows in some flows, but is forbidden in most common cases now.


> The UK is not even in the EU...

The GP comment said "Europe" not the EU, and the UK is in Europe, so it's a valid counterexample.

The main government services I know of that require mobile apps are local government ones for parking. Everything else works in a web browser. As far as private sector services go, I know of Virgin Money and supermarket loyalty cards.


Thank you, yes, I was aware that the UK wasn't in the EU. Looking at that page, I can see that you are also apparently able to log in with eID, Google or Facebook.


> Europe requires SMS plus an Apple/Google validated app and a stock phone. You can't access most EU or EU Commission or local government services without it.

I haven't interacted with the EU sites other than just looking up random things (so no login required).

But French government services (both national and local) work perfectly on my Firefox/Linux PC without any kind of interaction with my phone. I've never actually tried this, but I don't see why they wouldn't work on any phone browser, stock or otherwise.

I haven't tried them all, obviously, but I'm thinking vehicle registration, voter registration and tax service (both personal and corporate).

They have an SSO scheme, France Connect, which is used for multiple services, so I expect that if it worked for the ones I've used, it'll work for the others, too.

The private sector can be more of a clown show, though, especially some banks.


EU citizen here: where in Europe are you talking about?


Didn't Japan just buy (back) LINE and pledge better operational security a while back? Samsung is famous for frequently reinventing things on their own and leaving them full of security holes as a result. Somehow it's just part of the culture.


That description applies to plenty of non-Korean companies as well. The nationwide culture can't be the whole reason.


You can find hierarchical work cultures with impossible deadlines all around the world, not just SK. The difference seems to be that the government sector and the chaebol take up such a huge share of the "IT" market in SK, that there really isn't much space left for startup culture to make a difference.

Kakao used to be a cool startup, but they've been trying hard to emulate the chaebol once they became successful.


> there really isn't much space left for startup culture to make a difference.

This is very much not the case - Startups are quite big in SK because the government gives them lots of funding.

Source: I worked at a South Korean startup. Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.


> Startups are quite big in SK because the government gives them lots of funding.

Exactly. All that funding and the associated paperwork, not to mention the adverse incentives it brings to the table, help to turn the Korean startup ecosystem into yet another old-fashioned, government-controlled economic sector.

We all call each other the same honorifics, make our offices cute and comfy, and try not to have a visible hierarchy. But at the end of the day, it's the government that tells you which projects will be funded and when you should submit screenshots of the deliverables. Angels? Yeah, they exist, but where do you think half of their money comes from?

Source: also a South Korean startup.


The government gives out a lot of grants to startups, but largely in the range of $10k-$100k USD. Beyond that, there aren't many angels, and VC is dominated by highly conservative corporates. It's an incredibly tough fundraising environment.


Yup. I wouldn't consider SK a startup hub in the remotest. Like you said, the VC landscape perfectly reflects it.


> Startups are quite big in SK because the government gives them lots of funding.

They need funding mainly because otherwise the government sector and chaebol would outlive them. It greatly depends on the exact circumstances though. (Source: I've been in several startups with varying degrees of funding.)

> Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.

Mainly because most if not all people in Korean startups are necessarily Koreans. The same thing happens whenever many members share the same background, not just the nationality.


> Source: I worked at a South Korean startup. Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.

As a foreigner living in Seoul, working for US startups, and eyeing creating a US-styled startup in Seoul in the future, what are the sacrifices you have in mind?


Do you know of anyone who has created a US style startup in Seoul? Only two people I can think of are Matthew Shampine and Jason Boutte. Jason Boutte is literally the only foreigner I know who pulled it off, I've lived in Seoul doing startup stuff for 5 years till recently.


Nope, I didn't search either. I just want to do it. (Hi John)


Ha, I figured it was you. Hi Antoine! Feel free to look up Jason and tell him John sent you if you want, he's a cool dude and I'm sure responsive.


> Your boss gives you a deadline for a feature which is treated as non-negotiable, so you cut corners to get it out. Your boss can't 'see' security vulnerabilities, but can see a UI. So you get told "good job" and then get given the next unachievable deadline.

If only that happened only in SK.

It definitely happens in the West too. Maybe it's worse in SK because of the culture, but it's definitely not unique. The problem of the boss or the customer seeing the UI but not security issues is universal.


Is this something that would be picked up by the news in SK or a regulator? Potential ways to hold them accountable besides share price?


"Hierarchical work culture" is like the go-to blanket excuse to explain anything in East Asia that Americans don't like or think is bad.

If you've ever spent a few years at any decent-sized white collar company in the US (tech, finance, consulting) you know it's the same in the west. Especially FAANGs. All these mid-level engineers are just yes-men trying to suck up to their VPs to get in the next promo cycle. The western companies just have better marketing about "flat hierarchies" but it's all PR talk and lip service. Some PM or SVP drops some mandate and no one ever has the balls to question it, they just grumble and do it.

The saddest part is that these tech bros actually believe the marketing they are fed about their company cultures, and it breeds this shallow superiority complex and so whenever something negative about Asian companies comes up, you get comments like this citing this 'go-to' rationale about hierarchy.

It's actually kind of sad these guys don't have the self-awareness to critically examine what they are told vs. what reality is.


I've spent many years at large companies including FAANGs. I've had no problems or issues pushing back on unreasonable deadlines or being the bearer of bad news about vulns, bugs, or systemic flaws. I've also seen plenty of engineers do the same.


Is there an easy way for a non-SK (and non Korean speaking) to use it?


You can simply download KakaoTalk from the App Store, right?


Fun fact: western ride sharing apps don't work in South Korea, and this company also makes the leading rideshare app in the country.

I was forced to make an account on the mobile chat app in order to log into their rideshare app, on a recent trip to Seoul. The UX was not great... not to mention that it was mostly in Korean. I had a lot of trouble. They didn't strike me as the most professional operation.


I lived in South Korea some years ago, and it was interesting how they had a separate ecosystem of apps and services. “KakaoTalk” and “Naver” had approximately the roles that WhatsApp/Meta and Google have in the West.

I think it's great how these managed to thrive, despite increased competition from multinational companies. In many other countries, local tech companies seem to have become nearly irrelevant over the past decade, which is sad to see.


It's the result of protectionist government policy. The policies are protectionist not just against foreign entry but also against entry of new products into the market. The government picks technology winners. Unsurprisingly, the government doesn't do a great job of this. Infamously it mandated usage of ActiveX and Internet Explorer for banking long after ActiveX had its time in the sun (the government made this the mandate in 1996 and didn't reform it until 2021!)


In case of Kakao Taxi vs Uber, it was Uber's unwillingness to work with existing taxi operators that killed any chance Uber had in the Korean market. Kakao (at least until they became dominant) acted more like an agent that sends additional customers to existing independent taxi drivers while Uber kept trying to find legal loopholes to bypass the taxi licensing system. S Korea is a civil law country, and its courts have no patience for actors whose entire legal strategy is to subvert the intent of the laws, and that was the end for Uber there.


To be accurate, Uber didn't abide by laws in most countries it went up against. It was a little slimy, but also the taxi systems of most places were very entrenched. I remember never enjoying riding taxis in San Francisco for years: the cars were gross and the drivers were grumpy and generally shady about having their "credit card readers being broken" so they didn't have to pay the fees. Uber and a bunch of companies did an end run around those very politically entrenched systems, and I certainly am happy to have clean, friendly, safe, modern rides with good tech where reviews keep things in line, payment is easy, I can share my location easily, and I know I'm going to end up at the right place way better.


Yup. I dislike Uber for the way they treat their drivers but I dislike the old taxis even more for the way they treat me.


Exactly. Uber was shady, but that kind of shadiness and willingness to ignore laws is necessary to bring positive change in a highly corrupt society. It's a lot like Batman: when the police are completely ineffectual or corrupt and working for organized crime, you need a vigilante who ignores the laws that just protect the criminals.

However, in better-run and not-so-corrupt societies like Korea, it's not necessary and probably downright harmful.


> However, in better-run and not-so-corrupt societies like Korea, it's not necessary and probably downright harmful.

South Korea was under varying levels of dictatorship from the Korean War until the Sixth Republic in 1987. Roh Tae-woo, the first president after authoritarian rule, was imprisoned for corruption. Roh Moo-hyun, the President from 2003-2008 was investigated for corruption and died by suicide rather than face charges. Lee Myung-bak, his successor, was imprisoned for corruption. Park Geun-hye, his successor, was imprisoned for corruption.

I don't know that South Korea is the poster child for a "better-run and not-so-corrupt" society.


>I don't know that South Korea is the poster child for a "better-run and not-so-corrupt" society.

It's not a poster child, but the US sets such a low bar that SK looks great by comparison.

Note also that the US isn't so visibly corrupt at the federal level; it's at the local levels where it's really no better than the typical poster children for corrupt countries. Taxis are a completely local (municipal) issue.


Credit where credit is due: Sounds like no-one really gets away with corruption in Korea. The same can’t be said for more corrupt places.


Yeah, I wouldn't go quite that far. Here's Samsung's heir, convicted in court of bribery, getting a special presidential pardon because, and I quote, he's "needed back at the helm to spearhead economic recovery post-pandemic".

https://www.bbc.com/news/world-us-canada-62501514


Not sure I'd call Korea and its countless cases of political corruption with Chaebol more and more appearing to be basically running the show "not-so-corrupt".


Compared to the US, with countless cases of political corruption with Boeing and Microsoft basically running the show, I would.


I genuinely don't understand why the concept of the two countries' politics being corrupted is such a wild idea.


Credit card fees are insignificant compared to the fact that cash payment allows the driver to evade taxes more easily.


When you mention it, as a Linux user at the time I struggled a lot with the ActiveX thing… Eventually I think I gave up. I had no idea that stuff was government-mandated.


It was government mandated but it was an attempt by their government to strengthen security at the time when they couldn't import stronger crypto. Then it became established and hard to remove.

>Due to restrictions on the export of cryptography from the United States, standard 128-bit SSL encryption was unavailable in Korea. Web browsers were only available to Koreans with weakened 40-bit encryption. In the late 1990s, the Korea Internet & Security Agency developed its own 128-bit symmetric block cipher named SEED and used ActiveX to mount it in web browsers. This soon became a domestic standard, and the country's Financial Supervisory Service used the technology as a security screening standard. ActiveX spread rapidly in Korea. In 2000, export restrictions were lifted, allowing the use of full-strength SSL anywhere in the world. Most web browsers and national e-commerce systems adopted this technology, while Korea continued to use SEED and ActiveX.

https://en.wikipedia.org/wiki/Web_compatibility_issues_in_So...


That makes a lot more sense. Thanks for sharing this bit of historical insight.


It didn't work on Wine?


I heard Korea had a problematic mandatory Internet login wall specifically built for IE with ActiveX on XP, and that that made use of Linux and/or Firefox complicated.

Funnily, it led to the creation of a PC F2P gaming culture too, for some reason.


Running IE in wine wasn't always the easiest thing in the world, and when you were specifically running it to try and use weird integrations even less so.


This is a very good point. I didn't think about two things: (1) Internet Explorer, and (2) custom DLL with ActiveX integration.


While you're right, in the specific case of navigation apps (Google Maps) or apps that need navigation data (Uber), it's typically because of the Geospatial Information Management Act. High-quality mapping data isn't allowed to leave the physical borders of Korea, so most foreign companies just stop trying. Nowadays it's just protectionism, but the original justification was to make it harder for North Korea to aim artillery.


They don't have international competition.

The Korean government explicitly chooses companies for these things. And those companies, Chaebols like Samsung, choose the laws.

If these Korean apps were so good, you would expect them to penetrate foreign markets. But they don't.

https://www.techdirt.com/2023/12/06/dumb-telecom-industry-ba...

Just like how British car companies collapsed when foreign competition entered the market on equal footing, these companies will disintegrate if forced to compete.

https://www.latimes.com/world/la-xpm-2010-dec-01-la-fg-south...


>If these Korean apps were so good, you would expect them to penetrate foreign markets. But they don't.

Dumb reasoning. Their apps are targeted at Korean life on purpose. Their app being good or bad is irrelevant.

The reason American apps penetrate the world usually is because America is a superpower that has almost colonised the web.


> The reason American apps penetrate the world usually is because America is a superpower that has almost colonised the web.

I live in the USA and EU, and the reason that I prefer a Samsung display in almost all cases is because it is the best product. Korea has not colonized us, but the product is often superior, so that is why I buy it.

Why is it that Korean software cannot do the same? I find it very interesting, and I mean to ask this in a very neutral/curious way.


Now that you bring it up, I can't recall ever (knowingly) using a piece of Korean software that wasn't a game or baked into a phone's firmware. Does seem kind of odd considering how much Korean hardware there is in my life.


Naver Mail is good. KakaoTalk too.


TVs for most of their existence were simple devices, with mostly a few different consumer relevant parameters, which were mostly objective.

Apps on the other hand strongly reflect the philosophy of usage, control, privacy etc, and the design aesthetic of their creators. Different countries/cultures have radically different philosophies, and old countries have aesthetics that go back thousands of years. Using apps from the creators of a different culture almost certainly causes significant friction with your own culture's philosophy and aesthetics.

To give a related example: I don't know Korea, but many in the English-speaking world are marginally aware of Japanese TV shows - you know, with the crazy antics. Imagine that you were forced to consume only that form of TV, and how jarring that would be compared to your own philosophical and aesthetic inclinations. The same with apps.


>I live in the USA and EU, and the reason that I prefer a Samsung display in almost all cases is because it is the best product.

No way, LG displays are better.

(In case it's not obvious, there's a joke here.)


Yes. Samsung created the best product for all eyes.

That's not the same for most internet apps.

They can do the same, they don't want to nor need to.


> The reason American apps penetrate the world usually is because America is a superpower that has almost colonised the web.

Love how the word "colonise" is thrown out without any thought.

Please tell us one example where America enacted a hostile takeover of a Korean site, and extracted its resources solely for the benefit of American interests.


I thought about it, then I used it. It pretty much stands (not literally of course).

>Please tell us one example where America enacted a hostile takeover of a Korean site

I don't think you understand what the word colonise means nor what my comment means...


Agreed, I was wrong.


Nothing prevented Switzerland from colonizing the web first. If Europe was a VC friendly environment it would be ahead in everything.


This doesn't really fit with the way the US government ensured dominance of its tech sector globally in the 80s, 90s, and even early 2000s. It was not a fair competition by any stretch of the imagination and involved a lot of strong-arming by the US government abusing its leverage.


Maybe somebody else should have invented the transistor, integrated circuit, and internet first. They didn't.


As if those were sufficient or necessary. Even a passing familiarity with the history of computing would show that these had little effect. A deep understanding would reveal what actually did.


Right. Instead the US colonised the internet. What's your point?


*created

The internet wasn't some terra nullius that America took over.


You can create something and have it be colonised too.


If you created it, then you're not colonizing it in any meaningful sense of the word (you are using the word to invoke implications of historical atrocities, etc.)


You can't create all of it, that's the point. But you can create it, and colonise everything else that others create.

>(you are using the word to invoke implications of historical atrocities, etc.)

No, I'm using it to invoke its actual definition and the meaning it holds. Not everyone is an American political weirdo.


LINE did.


Line failed in the Korean market, and only penetrated Japan if I remember correctly.

And it is also partially owned by Softbank.


SoftBank took a stake in Line way after Line became established


I did not know that.

Would that indicate that Korean software companies are only able to penetrate one economy at a time?

That would be a very weird, but interesting thing to investigate.


Each language group across the globe has its own dominant and different messaging app. The US has Messenger, Korea has KakaoTalk, Japan took LINE, China built WeChat, Russia picked Telegram, and so on. The Meta Facebook/Messenger/Instagram triad isn't the global default of social apps the way it might look to people from the US.

And I don't think it takes conspiracy theories to explain it; maybe users don't like platforms that aren't dominated by similar users of their primary language, or maybe there is something else that prevents app experiences optimized for two distinct cultures at the same time.


This isn't really true. WhatsApp was used pre-acquisition and continues to be dominant throughout LATAM, Africa, and Europe in addition to US/NA. Only in the APJC region and Russia do we see significant divergence in messaging apps.

Having traveled extensively in these places, I always theorized it was due to UX behavior aligning well with the local languages. While the countries WhatsApp dominates speak different languages, they all use the Latin alphabet. In Russia and APJC there are many non-Latin alphabets used and those languages may also use different directions for writing/reading than Romance and Germanic languages.


India loves WhatsApp. I'd like to know what the distribution of Latin vs other characters used is, as I've seen plenty of Indian languages romanized.


One advantage of Telegram over WhatsApp is that you don't have to display your phone number to your contacts and random people in group chats and blogs.


> Russia picked Telegram

With some amusing exceptions: doctors are exclusively on WhatsApp; older (60+) people are often only on WhatsApp (and pre-Microsoft Skype before that).


Not sure what you are getting at, but Line is deeply penetrated into South East Asia as well


Last I checked, 90% of Line users were in Japan, and Facebook messenger was most popular in SEA.

So I am simply surprised. My knowledge must be incredibly out of date.


LINE is very popular in Thailand for unclear reasons, I've heard the theory that their cute sticker packs set them apart in the early days. In the rest of SEA Whatsapp is the most popular.


Taiwan too.


When I went ~5 years ago, I was completely unable to use the taxi apps due to lack of a Korean bank account. This led to being unable to even hail a cab at times - they mostly seemed to pick up fares from the apps. At one point I managed to get one driver's attention - and was told that he wouldn't drive me because I was an "outsider". Not sure if he was actually xenophobic, didn't want to deal with a cash fare, didn't want to deal with my lack of Korean, or just had a misunderstanding. A later "successful" cab ride put me going halfway across the city through the mountain. I had to call a date I'd had and get her to explain to the driver that we were going the wrong way. The perils of going to a new country underprepared, I suppose.


It’s not because of xenophobia, overseas Koreans without a Korean bank account have also faced this before.


One thing that surprised me about SK is that they have so many local alternatives for tech products that I thought were global. And the global/US version has almost no market penetration. An example of this was Google, at least when I visited in early 2015.


It's great that American software monopolies do not have access to Korean data and that Korean companies can create jobs hiring Koreans and add to the GDP. ALL sovereign countries should practice sovereign software and safeguard PII of its citizens

It's rather inconvenient for non-Koreans, but you were never the intended audience, nor is there much care for foreigners these days; there is growing hostility towards foreign tourists who have flocked to Japan and Korea in recent years.


> ALL sovereign countries should practice sovereign software and safeguard PII of its citizens

Most countries are incapable of this and when they do try they do a worse job.

My government has a website that allows you to fetch a person’s voting centre by knowing their ID number. Our ID numbers are sequential. Therefore you can use that website to get approximate location for literally everyone.

My government also has a website to request passports online. I was playing with it and it turns out they have an open GraphQL endpoint that lets me query billing transactions for _everyone_.

But sure the software was made in my country.


> Therefore you can use that website to get approximate location for literally everyone.

In America, before the Internet took off, every year everyone would get a book called the "white pages" that had the name, address, and phone number, of everyone who lived in their city.

The American view of privacy is that "openness makes for a civil society".

Although one can argue that hasn't been working out well for us lately...

Likewise, marriages are publicly recorded and accessible online, as are all property purchases, births, deaths, and even property tax payments.

Though for some reason we consider income taxes to be super secret. Everything else is public, but not those! (How much cash someone put down to buy a house? Public. How much money that person makes? Not public. How much money everyone donates to politicians? Public.)


> Therefore you can use that website to get approximate location for literally everyone.

Approximate address, surely. Addresses are ... usually not very secret in the first place, though? It'd be absolutely fascinating if your government not only tracked everyone's location but assigned their voting center by current location, but, well,


I guess you misunderstood the word “location”.

The voting centre is typically the closest public school to where you live.

So when I say location here I mean the neighborhood where you live.

Also the main concern isn’t the government. They clearly already have the data and will always have that data. They also have the actual address of people.

The main concern is literally anyone can access the data and this thread is about countries protecting PII lol.


In some Western countries voters' lists with names and addresses are publicly accessible, if I understand correctly. It helps to make sure the government doesn't add dead souls to vote for them.


> It'd be absolutely fascinating if your government not only tracked everyone's location but assigned their voting center by current location, but, well,

That's exactly what happens in Turkiye. I assume GP is there.


IMHO, that's where the software model could change if more countries gave a serious shake at managing national services.

As you point out it's hard and few can do it, so getting more common open source platforms would be a natural evolution. Then relying on global providers that act as a service developer instead of a service owner would still be a huge difference.


That sounds great. I imagine it would turn out the same way using local transit has. Some are awesome, like the Netherlands, and some are so hostile towards users that you can't even properly use it if you arrive too late at night because no one is available, like France.

Everyone in this thread seems to think government is able to get things done. That is not what my last 40 years of life has shown me.


Most countries ARE capable of that. Or rather, most people of a country don't like platforms not dominated by their own primary language, and this is passively achieved by that tendency.

Lots of Russian stuff on the Internet comes through Telegram, meanwhile China has Weibo and TikTok, Korea does its thing in KakaoTalk and Facebook/Insta, Japan uses LINE alongside Twitter/Insta instead, and so on and so forth. Everyone could be on Facebook, but that isn't what is going on.

The Interweb isn't so global, and English isn't the lingua franca of all communications. It's just the perception one experiences through an American door, though the Web does tend to be more developed in en-US.


Why would we think that every country blocking out foreign companies would result in better software being written for consumers in that country?

I think some tiny amount of protectionism can be necessary to get a domestic industry started, when it is important for reasons beyond giving access to the best products like national security. Especially in edge cases like competing with foreign companies with the backing of their state government or an international market that has degenerated to a monopoly. But ultimately free trade makes better products and international consumers richer and is the desired end goal, not every nation rewriting the same tech stack and providing local flavors of software solving similar problems.


> not every nation rewriting the same tech stack and providing local flavors of software solving similar problems.

Why not? Isn't Diversity good? Wouldn't it be nice to have multiple colors, implementations of things rather than the monopolistic (and probably American) beige?


Diversity comes from (fair) competition. Why would I not make American monopoly beige if it works for America locally? But if the foreign company is already that color I have to differentiate somehow. I have to compete on whatever I know about the domestic market, and force the foreign companies to learn and adapt to reach parity with me.

That whole process works in reverse too, where I have to reach parity with the large multinational company on all the features the domestic audience cares about. That last step is usually the first one to be missed when a government hands a monopoly on a tech vertical to a local company with protectionist policies. (And often they don’t just do it to insulate them from foreign competition, they will end up insulating them from domestic too as an artifact of the way these relationships reinforce themselves)

So, the state should intervene to help level the playing field to reach fair competition. In practice though it rarely stops there and instead works to insulate the domestic company from any competition. Which results in inferior products.

It is not diversity to have many people reinventing and maintaining essentially the same wheel. Exceptionally, this is necessary for national security purposes, but in the common case this is actually a poor deal for local consumers who prop up a worse product.


This is rich, coming from someone in a country where everyone still uses SMS to chat with their friends and family. Other countries already have far superior messaging apps than whatever America has produced, but Americans refuse to give up their SMS just like they refuse to give up their guns.


I’m not sure what this is supposed to prove? There are lots of different messaging apps with very high market share in the US versus a WhatsApp monoculture. A lot of people using SMS are actually using iMessage, and historically one of the reasons it’s won is because US telecoms went to unlimited SMS messaging when competing with each other, whereas foreign monopoly telecoms charged prices per SMS making messaging apps on data more competitive.

iMessage is a better experience and also degrades gracefully to SMS for people who aren't on the platform, unlike almost all other messaging apps where I have to make sure they have the app installed.

Facebook messenger has like 50% market penetration with its own suite of features. Snapchat is next and offers a very different user experience.

Apps without compelling reasons to exist like Google allo lose.


Europeans use Mark Zuckerberg's app and feel superior for it. They can keep it.


You would be doing the opposite of that. Creating 100 monopolies.


Better a hundred of them than only one or two.


It doesn't matter how many there are if only one is available in your region.


At least a local monopoly answers to local pressure. Good luck getting a global one to do so.


> Why would we think that every country blocking out foreign companies would result in better software being written for consumers in that country?

Why do you think foreign companies are automatically better? Is American software written by non-Americans automatically best? I find this to be incredibly arrogant.


They didn't say that.


Sovereign software would break the open Internet as it exists today. A lot more work needs to be done on open protocols before interoperation would work nearly as well as the products we have today.

Not to mention the colossal waste of effort in engineering hours, the disparity in quality between rich and poor countries, etc.

Reuse is good. I would rather see open data and open protocols too, but look at Cambridge Analytica, a scandal that was a direct consequence of giving people control over their data!


I don't know about SK's privacy laws, but wouldn't a country's government have more power to tap into the data of local companies?


Right, which is exactly why it's dangerous to allow foreign (that is, US) companies to control your citizens' data, particularly if that data is not safeguarded against those foreign governments (e.g. due to "national security" laws).


yes, and they also have the power to tell multinationals where they are allowed, geographically, to store the locals' data.

the grandparent has invented a fake problem (data regionalization, as though it cannot be addressed with regulation) and has conflated a nationalist-socialist desire to replace a foreign private enterprise with a nationalized public one. it's nationalist because it assumes that the nation needs to own it, and socialist because at the national level a public solution is proposed.

the solution, in turn, doesn't actually solve the regionalization problem unless the state organization running the nationalized ride share app is required through further legislation to keep the data local -- the same legislation that would be needed to regulate private entities, except now it's the government regulating itself since the public national ride share app is operated and owned by the government, and is now open to all the problems of corruption that plague every command economy.

But by all means, be more like North Korea, South Korea. Just nationalize everything. You don't want American influence. Those American monopolies and American dollars have really made you worse off in the last seventy years. /s


I have a problem with your comment. It's extremely condescending and emotionally charged.

Data sovereignty/regionalization is not a fake problem. Many governments around the world are trying to keep foreign companies from accessing their citizens data.

A sovereign country wanting to create its industry by keeping foreign companies out isn't communism. Much of the West does this already and uses regulation/fines/antitrust lawsuits to keep 'em down.


Amusingly, U.S. Congress has been making a ruckus about this so-called “fake problem” lately (and I can’t fault them) even though TikTok already stores American data in Oracle Cloud on American soil.


Ha, imagine the Korean economy if the US and EU did the same with respect to Korean tech companies


There isn't any large software company from Korea that is setting up shop in US/EU

Most of it is hardware, and yes, the US has slapped tariffs on Korean EVs to boost its own.

Koreans prefer Naver over Google because its interface offers a lot more than Google. It's more of a portal site with social verification.


As an American in the software industry, I whole-heartedly agree.


> It's great that American software monopolies [...] and that Korean companies can create jobs hiring Koreans and add to the GDP.

Largely agree with this, but this

> do not have access to Korean data

> safeguard PII of its citizens

Is incredibly ironic on a post "I found a 1-click exploit in South Korea's biggest mobile chat app". Zerodium pays $1 million for WhatsApp (the Western equivalent of Kakaotalk) one-click exploits. As a consequence, any new exploits must be incredibly involved, else they'll already have been cashed in (and patched after being reported/exploited). Whereas this Kakaotalk exploit is trivial.

Americans share their PII with the FAANGs, us in Korea share it with the entire world because, as this article shows, security is absolutely atrocious.


That's because the Korean and Japanese internets are far older than most of America's giants. They also were made for locals.


> That's because the Korean and Japanese internets are far older than most of America's giants. They also were made for locals.

Google launched in 1998. Naver didn't launch search until 2000. Copying American tech companies but targeting your own market is a common theme (see China, Latin America, Southeast Asia, etc.). Let's not pretend it's not the case here or Korea is somehow special.


If you want to think that then that's fine by me. Would be interesting to see the usage of Naver in 2001 versus Google in 2001 in terms of percentage of local population. (even if Google had 3 years head start)

Yahoo was before Google and Japan has been on Yahoo forever. Yahoo is American but they engorged on it in Japan.

Google is just a copy of a copy.

Koreans and Japanese were definitely ahead of the West in both phone and internet uptake.


> The UX was not great... not to mention that it was mostly in Korean. I had a lot of trouble. They didn't strike me as the most professional operation..

What does the seemingly very common-sense fact that a South Korean app was "mostly"(?) in Korean have to do with the UX or with it not being "professional"?

What language were you expecting the South Korean app to be in, French?


Surely there's no obligation to internationalize your app, but taxis are commonly used by tourists so you'd imagine it would be a good business decision.


What percentage of online taxi rides are booked by tourists? I would guess less than 1%. "[I]t would be a good business decision": I disagree.


Well maybe more people would book taxi rides if they added translation..


multi language support is pretty standard in many popular apps. it’s not even that hard.

Imagine supporting the most common language in the world. CRAZY right?

https://developer.apple.com/documentation/xcode/supporting-m...


Surely not the most popular language among tourists in South Korea, who would be mostly from Japan, China, etc.


that’s a fair point. in that case, why not support chinese, japanese, etc?

my point is it seems like good business sense. strange they haven’t done this.


The subway station notification is spoken in Korean and English.


The common language most often used when people from Japan, China, or South Korea visit each other’s countries is English. All three groups of people are more likely to know English than either of the other two languages. The same can be said for the remaining group that doesn’t include people from those three countries.


The majority of tourists to Korea do not speak English. You're really thinking from an American bias there.


> Imagine supporting the 2nd most popular language in the world. CRAZY right?

Why are you fixating on supporting the 2nd most popular language, shouldn't it support the 1st most popular language first? Or why not jump straight to the 3rd?


i meant most common, was an error on my part.

also, if you add internationalization support for 1 language in your app, it’s trivial (these days) to add other languages. My point is they should just add support for other languages, like chinese, japanese, english, etc.

More users = more money?


just so you know, KakaoTalk does exist in multiple languages. feels like this whole thread is based on a false assumption

>Kakaotalk is in English, French, German, Indonesian, Italian, Japanese, Korean, Portuguese, Russian, Simplified Chinese, Spanish, Thai, Traditional Chinese, Turkish, Vietnamese (https://apps.apple.com/us/app/kakaotalk/id362057947)


Have you actually used it?

I used it earlier this year in Korea, although it did have a hard to get to setting to change your language, many many things were still in Korean.

It is very difficult to navigate, but I asked for help and a native was able to figure it out.

Still more usable than Google Maps though, which will only give you a not so good train schedule. No walking directions at all.


I've seen tons of American made apps from large companies that show bits of English here and there when switched to another language.

Localization is hard, even for companies that spend a lot of time and effort on it.

It isn't just string replacements!


  (X)  Positional *tracking* is brittle, equal battalions in range XNUMX it expenditure a time effort per batch on item. 
       Object is incorrectly threaded return request is here.

   [FINE] [Returns] [Add...]


>Still more usable than Google Maps though, which will only give you a not so good train schedule. No walking directions at all.

That's interesting, because Google Maps here in Japan is absolutely fantastic: train schedules are always correct (and updated with delays etc.), walking directions are good, etc. I guess having a big office here in Tokyo is a big part of this.


I think you're talking about a different app, KakaoMap, which you're right isn't totally localised. KakaoTalk is though.


happy to be proven wrong! Cheers


> multi language support ... it’s not even that hard.

Can you elaborate on how easy it is, please? Say for a web application or a native Linux application?


The translating part is by far the hardest. But there are services to organize crowd-sourced translations of your app / service.

Both Android and iOS app building frameworks will try to force you into using variables for every rendered string (allowing you to change them easily and in one place, e.g. based on user / device settings).


Uber, an American rideshare company, supports a large number of languages including Korean.


Because Uber operates in many countries.


They don't operate in Korea but they do provide Korean translations which seems to suggest they consider inbound tourists as a target market. It is quite telling the Korean apps do not.


Unless it's changed very recently, Uber still operates in Korea, but only for foreigners.


Uber attempted to operate in Korea and failed. At that point keeping a Korean translation would have been a simple matter of maintaining and updating it for the small returns that it brought in, coupled with the knowledge that simply maintaining a Korean translation for their vastly more entrenched service ensured no chance of competition from one of the few non-American firms to succeed in the same space as them.


An app in French would be easy to comprehend for an English speaker.

To wit: une appli en Français serait facile à comprendre pour un anglophone.


As others already mentioned, Uber does work in South Korea (or at least Seoul), although it's not really an Uber; afaik it's just a proxy for KakaoTaxi while using Uber's interface


Korea uses KakaoT as a ride hailing app. But all it does is hail taxis. Uber in Korea just hails Uber branded taxis. I have no idea if they are officially affiliated with Uber or not.


Uber operates through a local JV with Tmap called UT. Taxi drivers typically sign up for both Kakao T and UT, except when exclusively branded. (Kakao T and Uber both operate branded taxis.)


It’s an everything app suite with single sign-on:

KakaoTalk, KakaoTaxi, KakaoBank even (bank obvs not for foreigners without local ID numbers).

The Kakao Metro map app is the best of its class too.


When did Kakao Bank start offering accounts to foreigners with ARCs? Last I checked it did not.


Some foreigners claim they have KakaoBank accounts, but they may be confusing them with KakaoPay accounts, or maybe the account is in their spouse’s name or whatever.

Suffice it to say: for foreigners without a Korean ID number it’s a definite no and with a Korean ID it’s a likely no.

And good news: they’re not called “ARCs” anymore. No more “Alien Registration Card” extraterrestrial stigma. Now it’s just the regular stigma.


This is correct. I live in South Korea and I’ve never heard of any foreigners with kakao bank accounts. That was never offered as far as I know.


I (living in SK for twenty years) do remember reading within the last year(?) that the government corrected the legal regulation that prevented foreigners from joining an online bank like Kakao Bank (it was a catch-22 situation, the rules required the bank to verify an account holder's ID using a system that only worked for citizens... the procedure to verify a foreigner required face-to-face verification with documents, but online banks by law were not allowed to have brick-and-mortar offices for customers to visit).

However, I have yet to read that any of the online banks have changed their procedure to take advantage of these changed regulations.


I totally don't understand the comments under this comment or this comment; apart from about 8 months when Uber was being sold to SK, Uber has worked just fine daily for the past 5+ years for me. Even during the "government crackdown" phase, X stopped working, but although the press said Uber shut down, Uber worked just fine, only X shut down.

I hear this comment time and time and time again and I wonder where it comes from. I'm happy to show literally years and years of Uber receipts from South Korea.


Kakaotalk is in English, French, German, Indonesian, Italian, Japanese, Korean, Portuguese, Russian, Simplified Chinese, Spanish, Thai, Traditional Chinese, Turkish, Vietnamese (https://apps.apple.com/us/app/kakaotalk/id362057947)


Uber works in S Korea now.

It also accepts non-Korean credit cards, while most online apps in South Korea do not.


Uber has operated in Korea for the past couple years through a local JV with Tmap called UT. It's the next most popular taxi hailing service after Kakao T.


Uber works in Seoul


They are professional. They just don't have to care about foreigners.


> The UX was not great...

UX patterns are different in Asia by the way.

Also, the majority of tourists to Korea do not speak English, so it's a little weird you think English should be prioritized over other Asian languages


> UX patterns are different in Asia by the way.

I would be interested in elaboration on this.

> so it’s a little weird you think [thing they definitely did not say they think]

Uh huh.


I've used Uber in Seoul many times


A small correction: KakaoTalk is not an "all in one" app like WeChat. The main chat app does contain ancillary features such as gifting that enabled this exploit, but you can't call a taxi on KakaoTalk; you do that on Kakao T, a mobility app that also offers rental scooters, e-bikes, and train and flight booking. Similarly, even though the messenger app does have integration with its payment platform (cleverly named KakaoPay), the service itself lives in a dedicated app. It's like Google on Android where you can access a bunch of services with one central ID, which I presume is why their apps have so many access points: they need it for themselves.


This isn't accurate.

> Similarly, even though the messenger app does have integration with its payment platform (cleverly named KakaoPay), the service itself lives in a dedicated app.

Just like WeChat, KakaoPay is fully integrated in KakaoTalk to the extent that the large majority of users use KakaoPay only through KakaoTalk. The existence of the separate KakaoPay app doesn't have much of an impact. You can transfer money, receive money, and make payments through KakaoTalk, without using the KakaoPay app.


LOL Only Koreans are eligible for reward. They deserve to be destroyed by hackers at this point.


And even for Koreans the maximum payout is about 7000 USD which seems absurdly low for an app that seems to be riddled with various security issues.


Encourages selling the bugs


Reminds me how the telegram founder boasted how talented his team is as only one developer was responsible for writing the mobile client. Turns out that client was riddled with bugs that displayed messages to the wrong user. A mobile chat app shouldn't be developed with the mantra "move fast and break things" yet this is the natural product result of all-in-one apps like kakao.


Do you mean something like the mobile app had multiple user accounts added to it, and it displayed messages for one account in the other account? Otherwise it seems more like a server bug than a client bug?


Chat apps are hard, this doesn't strike me as a proof of bad quality as many competitors had such bugs.

And Telegram has been so far the most reliable, feature-full and easy to use chat app I have had to use.


Which other chat app has displayed messages to the wrong users? That seems like one of the worst things a chat app could possibly ever do.



Wow, I'm truly baffled! Is this a rite of passage for instant messenger developers!?


Or OS developers. Video codec developers. Network stack developers. Driver developers. Web browser developers. Web service developers. Office suite developers.

And if you are a developer and your software is used in any decent scale, you are unlikely to be the exception.



Wow, touche

And in an Apples-to-Apples comparison, WhatsApp fared far worse than Telegram on privacy, and not to mention its parent company.

The only benefit I can think of WhatsApp has is claiming to be encrypted by default. So I don't need to press an extra button. I just have to take their word for it.


> And in an Apples-to-Apples comparison, WhatsApp fared far worse than Telegram on privacy, and not to mention its parent company.

I'd like to see that comparison. Considering that WhatsApp is end-to-end encrypted, and Telegram persistently stores almost all of their users' messages on their backend in a way that lets them read them, I find that very hard to believe.

> So I dont need to press an extra button.

Nobody presses an extra button, especially not one that opts you out of multi-device support.


Whatsapp is not open source and facebook was part of the PRISM program.

I don't think it's reasonable to expect them to actually be e2e encrypted.

Especially since Zuckerberg has many years of poor track record for privacy, and made the famous quote "they trust me, the dumb fucks"


So we have one app that claims to be end-to-end encrypted and is under intense scrutiny of security researchers across the world, and another one that's provably not encrypted and stores everything server side. Which one should I use?


I don't care that the Russians spy on my messages, I care that my gov does.

Russians can't affect my life as much as my gov.


Exactly! Good points. Facebook's been caught spying on you with audio, video, contacts, cameras, you name it. What makes the true believers so sure their WhatsApp chats are really E2E encrypted and FB can't decrypt them and isn't scanning at the edge? LMAO


> Facebook’s been caught spying on you with audio, video, contacts, cameras you name it.

For contacts: I have no expectations of any contact privacy on WhatsApp. It's known and documented [1] that they upload your entire phone book for contact matching. Private set intersection would be better, but I don't see anything sneaky going on.

Audio, video, cameras: What are you referring to?

> What makes the true believers so sure their WhatsApp chats are really E2E encrypted and FB cant decrypt them and isnt scanning at the edge?

The amount of scrutiny they're under from security researchers worldwide, and the fact that many governments are currently throwing a fit about not being able to gain access to the data either.

[1] https://faq.whatsapp.com/1191526044909364
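The comment above contrasts "upload the whole phone book" with private set intersection. The following is an added example, not WhatsApp's or any vendor's code, showing both halves: why a hashed phone number is no better than a plaintext one (the server can simply enumerate the number space and invert the hash), and a minimal Diffie-Hellman PSI in which the server only ever sees blinded values. The group is a toy 256-bit safe prime generated at import time (a real deployment would use a standard 2048-bit-plus group or an elliptic-curve group), the phone numbers are constructed sample data, and the basic DH-PSI shown here is only secure against a semi-honest server; it also reveals each side's set size to the other.

```python
import hashlib
import secrets
from typing import Iterable, List, Optional, Set, Tuple

# --- Part 1: "just hash the phone numbers" is not privacy ------------------

def hash_number(e164: str) -> str:
    """SHA-256 of a phone number, the kind of 'pseudonymised' upload a
    server might request instead of raw numbers."""
    return hashlib.sha256(e164.encode()).hexdigest()


def brute_force_hashed_number(digest: str, prefix: str, digits: int) -> Optional[str]:
    """Invert a hashed phone number by enumerating prefix + `digits` digits.
    The whole E.164 space is only ~10^11 values, so whoever holds the
    upload can invert every hash; the range is shrunk here to keep the
    demo fast."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hash_number(candidate) == digest:
            return candidate
    return None

# --- Part 2: Diffie-Hellman private set intersection -----------------------

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int) -> int:
    """p = 2q + 1 with q prime: the quadratic residues mod p then form a
    subgroup of prime order q, so hashed items leak no subgroup structure."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q, rounds=4):
            continue
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            return p


GROUP_BITS = 256            # toy size (assumption); use >=2048-bit or an EC group for real
P = gen_safe_prime(GROUP_BITS)
Q = (P - 1) // 2            # order of the quadratic-residue subgroup


def hash_to_group(item: str) -> int:
    """Map an identifier into the order-Q subgroup (squaring lands in the QRs)."""
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big") % P
    return pow(h, 2, P)


def client_blind(contacts: List[str], a: int) -> List[int]:
    """Client round 1: send H(c)^a. Without `a` the server cannot invert
    this the way it can invert a bare hash."""
    return [pow(hash_to_group(c), a, P) for c in contacts]


def server_respond(blinded: List[int], registered: List[str], b: int) -> Tuple[List[int], List[int]]:
    """Server: raise the client's values to b (order kept so the client can map
    them back) and send its own users as H(u)^b, shuffled."""
    double_blinded = [pow(x, b, P) for x in blinded]
    own = [pow(hash_to_group(u), b, P) for u in registered]
    secrets.SystemRandom().shuffle(own)
    return double_blinded, own


def client_unblind(contacts: List[str], a: int, double_blinded: List[int], server_blinded: List[int]) -> Set[str]:
    """Client round 2: raise the server's values to a and match. Relies on
    (H^a)^b == (H^b)^a; the client learns only which contacts matched."""
    server_side = {pow(y, a, P) for y in server_blinded}
    return {c for c, z in zip(contacts, double_blinded) if z in server_side}


def psi_contact_discovery(contacts: Iterable[str], registered: Iterable[str]) -> Set[str]:
    """Run both parties in one process and return the contacts that are registered."""
    contacts = list(contacts)
    a = secrets.randbelow(Q - 1) + 1            # client secret
    b = secrets.randbelow(Q - 1) + 1            # server secret
    blinded = client_blind(contacts, a)
    double_blinded, server_blinded = server_respond(blinded, list(registered), b)
    return client_unblind(contacts, a, double_blinded, server_blinded)
```

The contrast to notice is what the server holds afterwards: in the hashed-upload scheme it holds digests it can invert offline at leisure, in the PSI scheme it holds H(c)^a for an `a` it never learns, so it cannot test a guessed number against the upload at all. Real deployments additionally need the server's response size to be bounded (it cannot send every user's blinded value to every client), which is where the bucketing and oblivious-lookup tricks in production PSI schemes come in.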


See, FB gets away with it because everyone mostly forgets.

2016 Audio: they listened to what you did through your microphone until they got caught

https://www.nbc4i.com/news/spying-secrets-is-facebook-eavesd...

2019: Facebook caught activating camera without permission, to spy on you

https://www.pcmag.com/news/facebook-app-caught-activating-ph...

2020: Facebook a year later still secretly using your camera to spy on you, this time through Instagram

https://news.ycombinator.com/item?id=24514433

This is the company you are now trusting with the mere claim that WhatsApp is end-to-end secured.

2018: Facebook, not satisfied with getting its own users’ data only, bought and hijacked a VPN app in order to — wait for it — bypass encryption that millions of people trusted for ALL SITES ON THE INTERNET in order to analyze traffic and be able to get the dirt on its competitors!

https://arstechnica.com/tech-policy/2018/08/facebook-violate...

Now about WhatsApp…

Oh yeah… it’s already sending a lot of telemetry to Facebook:

https://www.wired.com/story/whatsapp-instagram-facebook-data...

And has been since 2016:

https://www.wired.com/story/whatsapp-facebook-data-share-not...

Oh, but at least the content of your messages is not analyzed by FB? Well, as far as we know that might be true, but if the other user flags your convo, it is in fact sent to Facebook:

https://www.propublica.org/article/how-facebook-undermines-p...

But wait, there’s more. Sometimes the mask slips due to People You May Know, which is the carefully guarded mix of “secret” algorithms that has helped Facebook aggressively grow beyond 100 million people:

https://medium.com/hackernoon/facebook-is-reading-my-encrypt...

https://gizmodo.com/people-you-may-know-a-controversial-face...

Mark Z knows what’s up:

https://www.theguardian.com/technology/2016/jun/22/mark-zuck...

https://amp.theguardian.com/technology/2018/apr/17/facebook-...

Telegram has NEVER tried to do any of these types of things.

So, given a choice, would I trust Zuck and co, or a guy who literally had to flee Russia because at great personal cost he had refused to disclose the identities of the Maidan protestors, losing his company to their Mail.ru conglomerate?

https://www.forbes.com/profile/pavel-durov/

https://www.quora.com/Why-was-Pavel-Durov-so-careless-in-his...

https://www.cnn.com/2016/02/23/europe/pavel-durov-telegram-e...

The answer is: neither (although Pavel Durov is like 1000x more trustworthy in my opinion).

https://itc.ua/en/news/durov-boasts-that-telegram-employs-ab...

I prefer open source software

https://community.intercoin.app/t/web3-moxie-signal-telegram...

And here’s why:

https://community.qbix.com/t/the-global-war-on-end-to-end-en...


There should be a site to remember all those:

- list the problems

- link to sources

- back up the source the instant they happen

We forget too easily, and PR works wonders. I used to have such a list for Microsoft, but:

- I have to pull it out every time we talk about the new MS, because people think they are good guys now. They already forgot.

- People don't think it could have been that bad.

- I have to rewrite the list, I can't link to it. Or expand it. And I have to justify its existence and credibility because MS PR is so strong now.

- The links are disappearing from the web, so my previous proofs are fading away, slowly being replaced by references everywhere singing MS praises and stating how a saint Gates is.

The powerful are rewriting history, literally.

karmicarchive.com is available, just saying.



That's a single point of anecdata from Reddit, as far as I can tell at least for the WhatsApp one.

The Signal one somebody has posted in the adjacent thread was definitely real and horrible though: https://news.ycombinator.com/item?id=27950763

The fact that at least two heavily-used messengers got one of the most essential things in instant messaging wrong is nightmare fuel I didn't need to have in my life :(


We just had the xz crisis and that surprises you?

IT is just a series of security breaches.


Don't shift goal posts, please. A supply chain attack and a service sending private messages to the wrong recipient are very different issues.


I'm not shifting goal posts, I'm answering:

> is nightmare fuel I didn't need to have in my life :(

It's a weird reaction. All software has always been like that as far as I remember.


These two things are as different as you can get in terms of software bugs.

xz: A sophisticated supply chain attack. These are known, scary, and we don't have great ways to prevent them yet.

Apparently half of all popular instant messengers at some point making the same kind of trivial but catastrophic off-by-one error: Not rocket science to prevent. I was hoping at least high-stakes apps would have better QA.



Funny enough, I experienced this in Android in the 2010s. Several times I would text one of my buddies using vulgar language and the texts would go to random people. My grandparents, my pastor, etc. It was horrible. lol


Delivering messages to the intended recipients (and no one else) is the single fundamental purpose of chat. If many chat apps have failed at this, then many chat apps have sucked.


Yes, but in that case, no single chat app ever conceived matches your criteria. They all had some kind of similar major bug at some point. Even the big names.


To be fair to telegram; similar things happened to many big names: facebook, google, apple etc


Delivering messages to the wrong recipient!? Examples, please!



How could the client deliver messages to the wrong recipient? Why would the client have messages for a user other than the one logged in anyway?


Seems like a rather easy thing to go wrong in the client, no?

User sends message via client. Client fumbles the recipient id. Message ends up at the wrong recipient.

Examples: incorrect recipient ID attached to a contact in the list where the user selects the recipient. Buggy selection of multiple targets in the selection UI due to incorrect touch event handling. Incorrect deletion of a previously selected and then deselected recipient from the recipient array of a multi-target message. Or, if working low level, even a good old off-by-one error and reading out-of-bounds data for the recipient list (though that one hopefully should trigger a faulty send request due to other stuff no longer matching). There are endless examples.

The server can't really safeguard against the client providing a legitimate send request even though the user intended to send it to another recipient.


https://news.ycombinator.com/item?id=27950763

Yeah, I don't know how they manage to get bugs like that, but it's happened


Curious to know more. Will search but if anyone finds anything


There are many examples, I posted one to the parent. Usually it affects some small percentage of users. But the size of the team or company doesn't directly solve the problem.


"Designed by committee" software can have terrible bugs too.


Kakao definitely does not move fast...


Was this a decade ago? I've been following Telegram development for over five years and never heard of this


Telegram user since 2014 and never heard of it. This definitely never happened.


> We reported this vulnerability in December 2023 via Kakao’s Bug Bounty Program. However, we didn’t receive any reward as only Koreans are eligible to receive a bounty

Holy crap !


Well at least it’s disclosed on their bug bounty site:

> You must be a Korean living at home and abroad

https://bugbounty.kakao.com/home

Would have been worse if author submitted this expecting to get paid. But found out it’s limited to SK citizens.

Side note: the payouts are extremely low:

> … minimum of 50,000 won (~35 USD) to a maximum of 10 million won (~7.1K USD)


This is very normal for Korea. As a foreigner who has spent the last 9 years building a startup in Seoul, this has been my experience many times


We should step back and re-think the approach we have in software engineering nowadays...

Is it a long-term game or a short-term gain for a small group of people?


I wonder how many U.S. service persons stationed in South Korea could have been affected by this? Do we know if it was exploited in the wild?


They STILL don't have a web version after more than a decade of service but I guess that is a good thing in light of this news


I wish they did just because I can’t get the kakao app to work consistently on my Linux machine via wine.


> However, we didn’t receive any reward as only Koreans are eligible to receive a bounty

Talk about discouragement for research. KakaoTalk is huge -- the equivalent of WhatsApp for EU people or LINE in Japan. Many foreigners learning Korean use KakaoTalk to chat, so this definitely affects people outside of the country. Restricting payment to just Koreans is objectively a terrible decision, as it endangers their users for no discernible reason.


KakaoTalk is huge in the sense that it's almost impossible to find any Korean person, teenager or adult, who doesn't use it daily.

It'd be like finding a person who doesn't use electricity.


> KakaoTalk is huge -- the equivalent of WhatsApp for EU people or LINE in Japan

I feel that doesn't really describe it well; one should look into the respective product listings for these companies to get a proper idea of the scope of potential damages that could occur.

https://www.kakaocorp.com/page/service/service

https://line.me/en/#allProduct

WhatsApp is only just getting into the complete ecosystem side of things with Meta Pay. Google as a company is probably more representative of the scale.

https://about.google/products/#all-products


That kind of stuff is what Musk chases with X, by the way. It's his once-in-a-lifetime bet, even bigger than SpaceX and Tesla combined - succeed in delivering a "one for everything" Asian-style app to the Western ecosystem and you have a money printer of unfathomable power. Had he not completely destroyed all trust in the brand Twitter/X, I'd think he'd have a serious chance of achieving that goal.

The really interesting thing, IMO, is where Facebook went off the rails. They have the moat with literal billions of people using their apps already, they got real names, addresses, location data, in some cases (legacy Whatsapp users, people who ever ran ads) payment data, Facebook already has sort of a "shop" solution with Marketplace... but they don't seem to be attractive at all, or doing anything innovative. It's all Metaverse or whatever.


It's not just Facebook that "failed" to build the so-called superapps; none of the Western private chat app companies have done it, let alone social media, or any app from anyone with strong C-class leadership and lean bureaucracy for that matter.

The way those "superapps" grow the "apps" is middle management doing his personal projects on corporate microservice infrastructure and IC hire upper management succumbing to bureaucracy. Thanks to bureaucracy, some brand integrity is maintained, and that kind of makes money anyway as company side gigs. After it goes garbage in and out of translation, the whole company doings end up on BBC as Oriental wonder superapps.

A SoftBank subsidiary owns LINE. So does Masayoshi Son even know how many individual sub-apps there are or who's under whom running what? I highly doubt it. And I also highly doubt a control freak like Musk can even bear that kind of situation; he personally dragged a server rack out of an NTT datacenter without going through rituals and ceremonies, which made a web article by itself. None of the superapp operators seem to have that kind of boss.


The fact of the matter is that there are massive differences in consumer opinion. Western markets prefer specialist companies that do one thing really well, whereas in East Asia people often prefer trusted conglomerates.

As a general example, department stores are much healthier in Japan and Korea, whereas in the US they were hollowed out by specialty clothing retailers, specialty makeup retailers, etc. and then finally kicked over by online shopping.


>As a general example, department stores are much healthier in Japan and Korea,

Not only that, here in Japan some of the biggest department stores also operate their own train lines, and own all the real estate around the stations. It's an extremely different way of running a business than in the US.


And none of it has a strong visionary figure leading the way. It's all committees and pork barreling. THAT churns out an ever-growing list of features.


> None of superapp operators seem to have that kind of boss.

But they also don't have the shareholder/activist investor pressure that Western companies face.

To achieve "superapp" size, you need to have either a strong leader personality driving the push by their sheer will and vision and especially with enough authority/financial power to overrule investors - people like Steve Jobs, Jeff Bezos, Elon Musk or Mark Zuckerberg - or you need to be one of the Asian ultra-conglomerate/"chaebol" companies that have absurd amounts of money flowing through them that enterprising middle managers can divert.

Unfortunately, with the exception of the visionaries I mentioned, corporate America and Europe just don't have many company founders with both clear visions and a backbone, and there's (partially "thanks" to the de-conglomerisation trends of the 90s and later, like with German giant Siemens) nothing at all left that comes even close to the diversification of revenue that Samsung has.


Meta was probably against pushing super hard to avoid the kind of situation that X is now in.


How do you mean? The situation with X seems mostly to do with marketing (people not liking the owner & his behavior) and bots, with maybe a little bit of instability thrown in. As noted elsewhere in the thread, Facebook already has experience with a bunch of different types of services -- from the games they used to host, to Marketplace mentioned elsewhere in the thread, to event management rivaling Meetup & Eventbrite, and even a dating app. X talks about being an "everything app," but they really just have posts (with media) and that's their only feature to date. Facebook does a lot more. So I don't see how pushing harder on non-social features would make them any more like X is right now.


X's public perception is centered around Musk, easily enough.

Meta's public perception was semi-centered around Zuck, not nearly to the same degree, but I can easily imagine that if they didn't pull back a bit, they would have had a hard time continuing forward with that prior image.

Not saying they can't go forwards now, just that they are being careful, to try and make a more solid, longer lasting brand. As opposed to the burn-everything approach of X.

They have the time to spend: X isn't going to ever trend upwards in public perception, Google is already there in every aspect, so the only option is to play catch-up to Google and not worry about anything else.


For a decade now I've been completely stumped just why Meta (and before they were sold, WhatsApp) hasn't tried this. Why is only Musk trying this? It's the incredibly obvious thing to do.

Does Zuck find the idea boring? Is that why he'd rather do something flashy like "Metaverse"? It's the obvious model to go for, and East Asia already made that clear a decade ago.

Even bloody MSN Messenger 15 years ago was more of a super app than WhatsApp.

Now finally Musk says he's going to give it a go, but I reckon he'll struggle because X's penetration, as high as it is, is nowhere near WhatsApp. He's also extremely late in the game, so much that unless he starts buying up incumbents (maybe that's what he needs the $56 bn pay package for), the barriers are now incredibly high. When WeChat, KakaoTalk and Line started branching out, there was no huge incumbent in the areas they competed in.


I can see some executive being sneaky and saving 0.0001% of all their expenses.


Crazy that only Koreans are eligible for bounty rewards. Someone is going to put their morals aside in the future and their customers are going to be the victims. Also I’m pretty sure a large part of government officials in Korea use KakaoTalk?

But hey at least they actually took action…


It is rather strange, isn't it? After all, it seems like the author of the article isn't Korean; it would benefit KakaoTalk to just pay a bounty to him.

KakaoTalk is huge. Can't do anything in Korea without it.


I think this news will trigger a change.


Taxes?


Non-Koreans who live and work in South Korea pay South Korean taxes.


Don't think most digital nomads in South Korea pay any South Korean taxes.


There are many non-Korean non-digital-nomads living and working in South Korea who do pay taxes. Millions, actually. South Korea has a very large international residency.


"We also release our tooling so that fellow security researchers can dig into KakaoTalk’s broad attack surface to find more bugs." I think this would be illegal in Germany.


Why? How is that relevant? Isn't it well established that open source security research is the number one way to have a secure app/ecosystem? Why should tooling be kept secret when another team can potentially find more exploits using these/similar techniques?


> The sole possession of hardware, software or other tools that can be used to commit cybercrime can constitute a criminal offence according to Sec. 202c of the German Criminal Code.

https://iclg.com/practice-areas/cybersecurity-laws-and-regul...


We'd all be arrested in Germany then as we all have computers with compilers installed on them.


Well that is kinda the point of these vague laws. Just like they eventually nailed Al Capone with taxes in the US - if you can't hit someone directly, you can hit them with the "three felonies a day".

I'm German... our politicians, at least most of them, are a bunch of pathologically technologically incompetent buffoons. A lot of that was masked during the Merkel era because she herself was a literal nuclear physics doctorate, but now that she's gone, it's painfully obvious what's going on.


Except §202c StGB https://www.gesetze-im-internet.de/englisch_stgb/englisch_st... isn't actually vague. The simple reason it doesn't outlaw compilers is that compilers aren't built for the purpose of giving unauthorized access to other people's data, even though they can help achieve that aim.

It's similar to how weapons designed to be used against people are regulated differently from tools that merely happen to be usable as weapons.

In the concrete case of sharing tools to explore the attack surface of KakaoTalk, this is not a crime under §202c StGB as long as you do not intend them to be used to hack accounts you do not own.


Good luck proving to a judge that you have an exploit on your machine but _do not intend_ to use it to hack accounts.


The burden of proof is supposed to be the other way around, as presumption of innocence is a thing in Germany (Unschuldsvermutung).

Good luck to the prosecution trying to prove that you did intend to hack other people's accounts when you can point to this blog post where the author demonstrates hacking their own account and reports the vulnerability to get it fixed.

I think people who get convicted of one of the "preparation to commit a crime" crimes mostly:

1. fail to come up with any alternative explanation for their behavior

2. put their plans in writing or tell someone about their intentions


> The burden of proof is supposed to be the other way around, as presumption of innocence is a thing in Germany (Unschuldsvermutung).

Theoretically.

Unfortunately, judges who are actually fit in IT topics are rare, especially in the criminal courts. They tend to rather believe what the prosecutor tells them. I'm just happy we don't have US-style juries because that would be even worse given our collective love as a society for faxes and writing information on highly processed dead trees (i.e. paper).


That is not in fact well-established at all, though as someone who came up through vuln research I expect we have similar takes on the public policy of vuln and exploit disclosure.


Good. Since KakaoTalk refuses to issue bug bounties to non-Koreans, hopefully they'll change their mind when a bunch of hackers destroy their infrastructure.


[flagged]


They're always permitted to ask, but there's nothing they can do to stop you.

Maybe it's a bit rude, but their choice not to reward foreigners under their bug bounty is also kind of rude. Neither party has much of a high ground, in my opinion.

The blog post was published half a year after KakaoTalk said they fixed the problem, that's twice as long as most people would give them.


"If you decide to write a blog post about this, we would appreciate it if you could consider masking any information that might reveal our company's identity, as a favor to us."

This seems at odds with not paying a bounty.


Considering stuff like Kakao overworking contractors to the point of miscarriage, and then continuing to demand even more work on top of that https://www.reddit.com/r/manhwa/comments/x1e99y/controversy_...

Who cares what they ask for.

https://www.cbr.com/korea-occupational-agency-report-tragic-... combined with the fact that (as far as I know) the vast majority of the industry is owned by Kakao, it is just abysmal.


So what? The vulnerability was patched. I assume hiding the details only helps the company save face.

In my last job we literally had "classes" teaching us how to deal with Asian colleagues (specifically in China, but SK has the same culture) who would try to hide things and save face at literally any corner possible; I remember my old boss' example of "when walking down a street in Beijing, if you ask somebody directions to a street that they don't know, they will adamantly indicate that they know and it's that way (a random direction) in order to not say they don't know the true direction." I didn't personally buy the classes and saw it as a generalization and racist (unsurprising, given the manager leading this class was born and bred in Poland; not exactly known for its diversity or.. external knowledge of the world or Asia; also the majority of the team had never left the country before so had no other viewpoint or angle to base these classes on), but it just confirmed my "trust but verify" approach to things.

The relevance of my story is that if I hacked or found some security issue with the Chinese colleagues, I was instructed to not in any circumstances communicate it in a way that may make them feel like it was an issue of theirs, that their code or infrastructure or whatever was hacked: it was _our_ fault for not telling them in advance that they can't do that specific action or whatever.


> I didn't personally buy the classes and saw it as a generalization and racist (unsurprising, given the manager leading this class is born and bred in Poland; not exactly known for its diversity or.. external knowledge of the world or Asia

Did you call out a generalisation/racism only to then go on to make a generalist/racist remark about people from Poland?


"People from country X do not generally have knowledge of continent Y because nationally they take an insular approach" is not racism, it's an identification of a root-cause which for anybody that lives in Poland, is quite well known.


So basically, you're saying it's not racist if it's true? Still seems like a double standard to generalize your manager's nationality while calling his generalization of another nationality racist. Especially when you're kind of describing your manager's "racist" pointer to hold true in this context.


> So basically, you're saying it's not racist if it's true?

In a context like this, talking about cultural generalities, that seems valid.

> Still seems like a double standard to generalize your manager's nationality while calling his generalization of another nationality racist.

Not really. The problem isn't making a claim, it's about how believable and how extreme the claim is.

That description of saving face is a lot wilder than saying some people are insular enough to be prone to misperception of other cultures.


> The relevance of my story is that if I hacked or found some security issue with the Chinese colleagues, I was instructed to not in any circumstances communicate it in a way that may make them feel like it was an issue of theirs, that their code or infrastructure or whatever was hacked.

Non-ironically, how are people even able to collaborate with the Chinese?


It's more of a communication and cultural style than an actual rejection of responsibility.


> I remember my old boss' example of "when walking down a street in Beijing, if you ask somebody directions to a street that they don't know, they will adamantly indicate that they know and it's that way (a random direction) in order to not say they don't know the true direction.

That actually happened to me in Japan. And now that I have been working here for a few years... let me tell you that communication with (most) Japanese colleagues is quite difficult. They are extremely afraid of taking any kind of personal responsibility, decision processes take forever, and much like you say they don't take any kind of "blame" very well.


> Beijing, if you ask somebody directions to a street that they don't know, they will adamantly indicate that they know and it's that way (a random direction) in order to not say they don't know the true direction

I didn't find this statement to be true at all. Chinese people will just say they don't know and move on.

I think your professor led you guys on with blatant orientalism. Sad that money was exchanged to hear his opinions.


It was a workplace, not school. My manager, not professor. They even paid me to be there :)


I don't know about the rest, but have you ever been to Beijing? That wasn't my experience at all.


I feel I would have been purged as a child. I was almost pathologically unable to bullshit or lie, although it's become easier in my later years.


Yolo Disclosure



