Categories
Software & Internet

The Problem With Trends

I was fortunate to be born in the era of the internet. I grew up hearing all the tales of Facebook, Google, Apple, and their founders… and of course, Tencent, Baidu, and Alibaba. As a child, adults often asked what I wanted to be in the future. I could not give an exact answer. So they told me, “Why don’t you become an entrepreneur, like Jack Ma?” I thought it was a really good idea. But it wasn’t just me; almost every teenager had the same thought. Then at some point, everyone built their internet startup company, a lot of which got backed by VCs. Experienced as well as inexperienced VCs put their money into good as well as shitty products. The outcome dovetailed with a simple principle in the market economy: The shitty ones were worth nothing so they died, and the good ones survived. “That was a bubble,” people began to whine in cyberspace, blaming “internet entrepreneurship.”

The Chinese government launched a campaign to promote mass entrepreneurship and innovation. A few of my friends bought the idea, so they started their own businesses on the internet right after graduation, and most of them did not work out well. The problem is, many of them wouldn’t even be able to get a decent job in the career market. When others with better educational backgrounds, more extensive experience, and more professional expertise were struggling with their startups, my friends did not even get a chance to join the game after working for years. However, some companies did thrive while Chinese VCs were wasting their money on overvalued products: local ride-hailing app Didi Chuxing beat its US competitor Uber, and food delivery service Eleme became a billion-dollar unicorn. The Chinese startup environment has been getting healthier since then, as both VCs and entrepreneurs began to understand what makes a valuable product.

Overvalued products are definitely bubbles, but without the trend of entrepreneurship, it would be impossible for investors and entrepreneurs to distinguish the good ones (probably < 1%) from all the others that are shitty.

Today, blockchain projects are facing an analogous problem. Kodak’s stock price skyrocketed when it decided to make its own blockchain product, although nobody knew exactly what the project was. Many people have realized the great momentum of blockchain, yet the vast majority of people do not understand how it works, and only very few people can see what some of the possibilities are. As a result of this mindset, investors began to speculate and put large amounts of money into overvalued crappy projects (professionally known as “shitcoins”). So that being said, we are going to invest >99% in overvalued shitcoins, and <1% in good blockchain projects, and we are going to lose money. But the idea isn’t wrong, it’s just that it takes time for us to tell the good and the bad apart. During another “trend” that took place around 1849 — the Gold Rush — people came to the Sacramento Valley in search of gold, but many people returned home with nothing and only a few people actually became wealthy.

As entrepreneurs, it is also important to realize that strong trends are signals of change. Labeling yourself as a blockchain company will not prevent you from being knocked out, but ignoring emerging technologies is definitely not a smart approach. If Sears had looked into e-commerce in 1993, it would probably look different today, rather than being close to shutting down almost all of its stores throughout the USA.

Edited 1/11/18: An earlier version of this post described Kodak’s blockchain project as a cryptocurrency. Thanks to Gee Law for pointing this out.


SMS Verification Is Making Telegram Insecure

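This article has been translated into Chinese: “Telegram’s SMS Verification Makes Your Private Chats Insecure” (Telegram 的短信验证让你的隐私聊天变得不安全)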

The world sucks the second you come to the realization that governments, online advertising companies, your credit card company, and your ISP are all extremely eager to know what you (and millions and billions of other Internet users) do online. And almost everybody feels that way, even Mark Zuckerberg.

Image from 9to5Mac

Pavel Durov, the founder of VK, too, thought it was a horrible idea, and obviously wanted to help Mark out. He and a few friends made Telegram, an encrypted messaging service, and everybody liked it, even ISIS.

Screenshot of Telegram.org

I have been a Telegram user since 2015, and it’s still one of the primary messaging tools that I rely on on a daily basis. But this recently caught my attention:

  • China wants to regulate cryptocurrencies.
  • China wants group chat administrators on the Internet to be legally responsible for speech made by group members.

As a result, China-based crypto investors decided to delete their group chats on WeChat and opt for the foreign encrypted chat service, Telegram.

But hang on for a second! Using Telegram to avoid Big Brother does not seem to be a perfect idea — and here’s where the problem is.

With a 5-digit SMS auth code, anyone can log into your Telegram account

All you need to log into a Telegram account is

  1. The phone number associated with that account,
  2. An SMS verification code sent to that number.

In other words, as long as someone has access to your SMS history, your Telegram account can easily be hacked.

Who??

Telegram Web login page
  • SMS communications may be secure, but since the encryption isn’t end-to-end, your security completely depends on how your cell phone carrier encrypts them. If the carrier decides to read your text messages, it is certainly able to do so.
  • The carrier is able to read your private messages and disclose them to the government or private entities.
  • Even if your SMS is completely secure in transit, malware or backdoors on your phone may hand your auth code, aka the key to your private data, to hackers.

The reason I mentioned the Chinese bitcoiners is that China ironically seems to be the perfect country for your Telegram account to be hacked. This is because:

  1. The Chinese regulator “scans” text messages from local carriers. There are precedents of Chinese authorities censoring/filtering SMS messages, with Chinese mobile network operators assisting them.
  2. Chinese smartphone manufacturers were reported to send user data to China through a pre-installed application.

China might not be (and most likely isn’t) the only country where these happen. If any of these takes place, hackers will be able to log into your Telegram account and see what is on there.

What should I do? Should I stop using Telegram?

There are a few things you can do to protect your privacy:

  • Enable cloud password. In Settings -> Privacy and Security, turn on two-step verification. When 2FA is turned on, Telegram will ask for your password along with the SMS verification code for new login attempts. (@telegram replied to my complaint tweet.)

  • Use secret chats. Secret chat uses end-to-end encryption, chat history does not remain on the server, and messages are destroyed instantly. Even if someone hacks into your account, none of your chatlogs will be available to them.

I took a photo of my phone because the interface cannot be screenshotted.

  • Although we technically shouldn’t trust anyone, use a phone number from a country and a network carrier that you trust. Many countries require cell phone users to register with a real name, and/or submit a passport/ID copy.
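The login flow described above, modelled as an added example: this is not Telegram's code or protocol, and `LoginService`, the phone numbers and the password are made up for illustration. It shows that the SMS code acts as a bearer credential for whoever can read it, and that a cloud password, which never travels over SMS, closes that path.

```python
import hashlib, hmac, os, secrets

class LoginService:
    """Simplified model of the login flow; NOT Telegram's real protocol."""

    def __init__(self):
        self.accounts = {}  # phone -> None (SMS only) or (salt, password hash)
        self.pending = {}   # phone -> outstanding one-time SMS code

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, phone, cloud_password=None):
        record = None
        if cloud_password is not None:
            salt = os.urandom(16)
            record = (salt, self._kdf(cloud_password, salt))
        self.accounts[phone] = record

    def send_code(self, phone):
        if phone not in self.accounts:
            raise KeyError(phone)
        # 5-digit code as in the post. The return value stands in for the SMS:
        # the carrier and any software that can read SMS on the handset see it.
        code = f"{secrets.randbelow(100_000):05d}"
        self.pending[phone] = code
        return code

    def login(self, phone, code, password=None):
        expected = self.pending.pop(phone, None)  # a code is valid only once
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        record = self.accounts[phone]
        if record is None:
            return True   # SMS-only account: the code alone grants access
        if password is None:
            return False  # cloud password set: the code is not enough
        salt, stored = record
        return hmac.compare_digest(stored, self._kdf(password, salt))

def interception_outcomes():
    """Outcome for an observer who reads the SMS but lacks the cloud password."""
    svc = LoginService()
    svc.register("+10000000001")                            # constructed numbers
    svc.register("+10000000002", cloud_password="correct horse")
    results = {}
    for phone in ("+10000000001", "+10000000002"):
        seen = svc.send_code(phone)            # what the SMS observer reads
        results[phone] = svc.login(phone, seen)
    return results
```

`interception_outcomes()` reports a successful login for the SMS-only account and a failed one for the account with a cloud password.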

SMS is extremely vulnerable

That might be obvious to many of us, but using SMS for two-factor authentication (2FA) is fairly common, although extremely insecure. Sadly, companies like Twitter, Google, Amazon, and Dropbox are still employing SMS 2FA. I am using a physical authenticator key that costs less than 20 dollars from Amazon, and it’s very convenient although many major services haven’t supported it yet.

Telegram is still an awesome tool

I like Telegram. It’s geek-friendly and allows a lot of customizations if you are a developer. However, if you’re concerned about these insecure factors here, I hope the measures above could help. Besides, encrypting your own messages with PGP seems to be a good way to protect your privacy, too.

Questions, concerns, or suggestions? Feel free to reach me on Telegram, or send me PGP-encrypted emails (public key: 8967BA14).

A discussion about this article can be found on /r/telegram.