[second_brekkie]

Source: I live in SK

For some context, you can't live in South Korea and not use Kakao, even your grandma has it.

So the fact that they have so many holes in their security is a cause for concern.

You grandma isn't going to know a fishy link when she sees one, especially with this exploit where domain looks legitimate.

A contributing factor is the hierarchical work culture in Korea. You boss gives you a deadline for a feature which is treated an non-negotiable so you cut corners to get it out. Your boss can't 'see' security vulnerabilities, but can see a UI. So you get told "good job" and then get given the next unachievable deadline.

This all amounts to an app full of security holes, and until Kakao stock drops because of it, they're not going to address it.

[lifthrasiir]

I actually don't use Kakaotalk (or LINE or Facebook, to be comprehensive) even though I'm a Korean. That does make me some kind of weirdo, but many enough services have an SMS fallback so I can live without it.

On the security side though: I don't think it is a work culture at the play because major IT companies in South Korea---often referred as to the initialism 네카라쿠배, for Naver, Kakao, LINE, Coupang and Baemin operated by Woowa Bros---are known for much better work culture and higher compensation than the nation average [1]. It is probably more like that these apps are domestic and hadn't been scrutinized enough compared to globally popular apps.

[1] But still lower than US or even some Korean startups in my experience.

[chabulhwi]

I'm also a Korean, and I've been getting on without KakaoTalk for two years. But I've never met any other Korean personally who doesn't use it.

[1oooqooq]

it was the same in other places. it's only a matter of time.

south America and most of Africa was taken over by metabook whatsapp. you can't even schedule government appointments without one (which then require a mobile phone number, which then require all the data each govt require for a mobile phone sim purchase)

Europe requires sms plus a apple/google validated app and stock phone. you can't access most eu or eu commission or local gov services without it.

but it all started with "it's fine, i still have X fall back working". but we only cry about china dystopian techno state...

[Angostura]

> Europe requires sms plus a apple/google validated app and stock phone.

Which European central government services require you to use an online service or app, with no voice, paper on in-person fallback. I can think of one in the UK - my council's resident's parking permit system

[1oooqooq]

uk is not even EU...

try the SSO solution for all things eu commission for starters

https://webgate.ec.europa.eu/cas/login

you have the option of two badly coded apps, which refuse to run on android without stock rom and google play services. it gatekeeps both internal services as well as access to public grant offers and financial help.

it used to accept sms, and it still show in some flows, but is forbidden on most common cases now.

[graemep]

> uk is not even EU...

The GP comment said "Europe" not the EU and the UK is in Europe so a valid counter example.

The main govt services I know of that require mobile apps are lcoal govt ones for parking. Everything else works in a web browser. As far as private sector services go I know of Virgin Money and supermarket loyalty cards.

[Angostura]

Thank you, yes I was aware that the UK wasn't in the EU. Looking at that page, I can see that you are also apparently able to log in with EiD, Google or Facebook.

[vladvasiliu]

> Europe requires sms plus a apple/google validated app and stock phone. you can't access most eu or eu commission or local gov services without it.

I haven't interacted with the EU sites other than just looking up random things (so no login required).

But French government services (both national and local) work perfectly on my Firefox/Linux PC without any kind of interaction with my phone. I've never actually tried this, but I don't see why they wouldn't work on any phone browser, stock or otherwise.

I haven't tried them all, obviously, but I'm thinking vehicle registration, voter registration and tax service (both personal and corporate).

They have an SSO scheme, France Connect, which is used for multiple services, so I expect that if it worked for the ones I've used, it'll work for the others, too.

The private sector can be more of a clow show, though, especially some banks.

[Ylpertnodi]

Eu citizen here: where in Europe are you talking about?

[rjzzleep]

Didn't Japan just buy(back) line and pledge better operational security a while back? Samsung is famous for frequently reinventing things on their own and leaving it full of security holes as a result. Somehow it's just part of the culture.

[lifthrasiir]

That description applies to many enough non-Korean companies as well. The nationwide culture can't be the whole reason.

[kijin]

You can find hierarchical work cultures with impossible deadlines all around the world, not just SK. The difference seems to be that the government sector and the chaebol take up such a huge share of the "IT" market in SK, that there really isn't much space left for startup culture to make a difference.

Kakao used to be a cool startup, but they've been trying hard to emulate the chaebol once they became successful.

[OsrsNeedsf2P]

> there really isn't much space left for startup culture to make a difference.

This is very much not the case - Startups are quite big in SK because the government gives them lots of funding.

Source: I worked at a South Korean startup. Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.

[kijin]

> Startups are quite big in SK because the government gives them lots of funding.

Exactly. All that funding and the associated paperwork, not to mention the adverse incentives it brings to the table, help to turn the Korean startup ecosystem into yet another old-fashioned, government-controlled economic sector.

We all call each other the same honorifics, make our offices cute and comfy, and try not to have a visible hierarchy. But at the end of the day, it's the government that tells you which projects will be funded and when you should submit screenshots of the deliverables. Angels? Yeah, they exist, but where do you think half of their money comes from?

Source: also a South Korean startup.

[tkazec]

The government gives out a lot of grants to startups, but largely in the range of $10k-$100k USD. Beyond that, there aren't many angels, and VC is dominated by highly conservative corporates. It's an incredibly tough fundraising environment.

[laborcontract]

yup. i wouldn’t consider sk a startup hub in the remotest. like you said, the vc landscape perfectly reflects it.

[lifthrasiir]

> Startups are quite big in SK because the government gives them lots of funding.

They need funding mainly because otherwise the govt sector and chaebol would outlive them. It greatly depends on the exact circumstances though. (Source: Had been in several startups with varying degrees of funding.)

> Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.

Mainly because most if all people in Korean startups are necessarily Koreans. The same thing happens whenever many members share the same background, not just the nationality.

[AYBABTME]

> Source: I worked at a South Korean startup. Fair warning to other foreigners, you will have to make _a lot_ of sacrifices.

As a foreigner living in Seoul, working for US startups, and eyeing creating a US-styled startup in Seoul in the future, what are the sacrifices you have in mind?

[neom]

Do you know of anyone who has created a US style startup in Seoul? Only two people I can think of are Matthew Shampine and Jason Boutte. Jason Boutte is literally the only foreigner I know who pulled it off, I've lived in Seoul doing startup stuff for 5 years till recently.

[AYBABTME]

Nope, I didn't search either. I just want to do it. (Hi John)

[neom]

Ha, I figured it was you. Hi Antoine! Feel free to look up Jason and tell him John sent you if you want, he's a cool dude and I'm sure responsive.

[graemep]

> You boss gives you a deadline for a feature which is treated an non-negotiable so you cut corners to get it out. Your boss can't 'see' security vulnerabilities, but can see a UI. So you get told "good job" and then get given the next unachievable deadline.

If only that happened only in SK.

It definitely happens in the west too. Maybe its worse in SK because of the culture, but its definitely not unique. The problem of the boss or the customer seeing the UI but not security issues is universal.

[Rastonbury]

Is this something that would be picked up by the news in SK or a regulator? Potential ways to get the accountable besides share price

[intoamplitudes]

"Hierarchical work culture" is like the go-to blanket excuse to explain anything in East Asia that Americans don't like or think is bad.

If you've ever spent a few years at any decent-sized white collar company in the US (tech, finance, consulting) you know it's the same in the west. Especially FAANGs. All these mid-level engineers are just yes-men trying to suck up to their VPs to get in the next promo cycle. The western companies just have better marketing about "flat hierarchies" but it's all PR talk and lip service. Some PM or SVP drops some mandate and no one ever has the balls to question it, they just grumble and do it.

The saddest part is that these tech bros actually believe the marketing they are fed about their company cultures, and it breeds this shallow superiority complex and so whenever something negative about Asian companies comes up, you get comments like this citing this 'go-to' rationale about hierarchy.

It's actually kind of sad these guys don't have the self-awareness to critically examine what they are told vs. what reality is.

[awithrow]

I've spent many years at large companies including FAANGs. I've had no problems or issues pushing back on unreasonable deadlines or being the bearer of bad news about vulns, bugs, or systemic flaws. I've also seen plenty of engineers do the same.

[simonebrunozzi]

Is there an easy way for a non-SK (and non Korean speaking) to use it?

[verteu]

You can simply download KakaoTalk from the App Store, right?