[HN Gopher] Lithuania says throw away Chinese phones due to cens...
___________________________________________________________________
Lithuania says throw away Chinese phones due to censorship concerns
Author : ChemSpider
Score : 468 points
Date : 2021-09-22 14:28 UTC (8 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| gowld wrote:
| Please don't submit tweets that are just links to news articles.
|
| Here's the official report:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| mzs wrote:
| Thanks, there was also this discussion earlier this morning
| which linked there as well:
|
| https://news.ycombinator.com/item?id=28613703
| ChemSpider wrote:
| Thanks. I used the tweet due to the paywall of the Reuters
| article. But this original source is of course much better.
| jaywalk wrote:
| Why is this linked to some random tweet that adds absolutely
| nothing instead of the article the tweet links to?
| https://www.reuters.com/business/media-telecom/lithuania-say...
| ChemSpider wrote:
| I used the tweet due to the paywall of the Reuters article.
|
| Another user below found the best link, the true original
| source:
|
| Here's the official report:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| (link updated)
| stevehawk wrote:
| that link 404'd for me
|
| this should work (note: direct link to pdf)
|
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-
| analysi...
| [deleted]
| [deleted]
| throwaway4good wrote:
| We really should be discussing this pdf rather than some
| tweet.
| jaywalk wrote:
| Since when has Reuters employed a paywall? I know they had
| planned on implementing one earlier this year, but that was
| indefinitely postponed.
| ChemSpider wrote:
| Ah, it says "Register for Free". So not really a paywall,
| my mistake.
| nottorp wrote:
| You pay with your personal data :)
| aasasd wrote:
| Well, I for one can't read the article other than in the
| private mode, because the site says it's time to register.
| belter wrote:
| From the shared PDF page 23...
|
| "It has been established that during the initialisation of the
| system applications factory-installed on a Xiaomi Mi 10T device,
| these applications contact a server in Singapore at the address
| globalapi.ad.xiaomi.com (IP address 47.241.69.153) and download
| the JSON file MiAdBlacklistConfig, and save this file in the
| metadata catalogues of the applications. A list of applications
| for which the MiAdBlacklistConfig file was found in metadata
| catalogues is presented in Table 13."
|
| ... "Once the applications have downloaded the file, the download
| date is recorded in order to facilitate periodically updating the
| list. The scheme for downloading the MiAdBlacklistConfig file is
| shown in Figure 11."
|
| "This file contains a list composed of the titles, names and
| other information of various religious and political groups and
| social movements (at the time of the analysis, the
| MiAdBlacklistConfig file contained 449 elements). A fragment of
| the MiAdBlacklistConfig file is shown in Table 14."
|
| Extract from table 14....
|
| ===================================================
|
| No.: Original - Approximate translation
|
| 1 "Zong Jiao Qian Xin Zhe Zhen Xian ", "Front of religious
| believers",
|
| ...
|
| 22 "Xi Cang Zi You ", "Free Tibet",
|
| ...
|
| 60 "Meng Gu Du Li ", "Independence of Mongolia",
|
| 61 "89Min Yun ", "89 Democracy Movement",
|
| 62 "Ji Du Ling En Bu Dao Tuan ", "Christian charismatic mission",
| ...
|
| 145 "Yi Si Lan Lian Meng ", "Islamic League",
|
| ...
|
| 201 "Min Yun ", "Democratic Movement",
|
| 202 "Fu Nu Wei Yuan Hui ", "Women's Committee",
|
| 203 "Yi Si Lan Ma Ge Li Bu Ji Di Zu Zhi ", "Al-Qaida in the
| Islamic Maghreb",
|
| 204 "Ren Min Bao ", "People's daily newspaper",
|
| 205 "Ba Le Si Tan Jie Fang Zu Zhi ", "The Organisation for the
| Liberation of Palestine",
|
| =======================================================
| trasz wrote:
| So, what are the other entries, and why were they redacted out?
| belter wrote:
| PDF is here:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-
| analysi...
|
| ...do you want me to post 449 items? :-)
| throwaway4good wrote:
| The PDF only has the selected entries. Does anyone have
| the contents or actual URL of the full file?
| pphysch wrote:
| This is pretty clearly a low-effort filter for _advertisements_
| deemed political.
|
| > 204 "Ren Min Bao ", "People's daily newspaper"
|
| People's Daily is an official Communist Party newspaper... Why
| on earth would they blocklist that if this is a politically-
| motivated censorship program (as the paper/many here are
| implying)?
| thaumasiotes wrote:
| It's a bad translation. "People's daily newspaper" should
| translate Ren Min Ri Bao (the newspaper you mention); Ren
| Min Bao contains no "daily" element.
| AnotherGoodName wrote:
| Renminbao [Ren Min Bao ] is an independent Chinese online
| news website that criticizes the Chinese regime.
|
| First result, funnily enough via a site that tracks phrases
| censored in China.
|
| https://china-chats.net/keywords/1705
| throwaway4good wrote:
| Is it me or is this an extremely clumsy way of doing
| censorship?
|
| Why not do this at the network or server-side level? Why not use
| some kind of hash (à la Apple's proposed child pornography
| hunter)?
|
| In this design, everyone would have to have this plain text
| configuration file ... also other brands (Oppo, Huawei etc.)
| would have to have it. What if it needs an update? Suppose the
| Hui Muslims start causing trouble ... Or if people start
| using slang or deliberate misspelling ...
| ignoramous wrote:
| I guess it comes down to, _why bother when the simplest
| solution works_?
|
| Make no mistake: As and when they get caught out doing such
| things, the sophistication of their implementation is bound
| to increase, in response to it. Money is no object for state-
| actors and mega-corps.
| PeterisP wrote:
| This has some smell of a compliance issue. I.e. the company
| gets ordered to block stuff; the order states "this shall
| be blocked" and provides a list, and then the company does
| the simplest/cheapest way to comply which is literally
| checking for whatever was required by the order.
| rsj_hn wrote:
| It may not be a state actor. I am the last person to defend
| the CCP, but as the Chinese phones are made by companies
| that have lots of reason to fear the government, this may
| be proactive censorship added by the vendor to avoid
| getting in trouble, and it might even have been
| accidentally left in foreign models. We don't know the full
| story yet.
| munk-a wrote:
| I think the distinction between being compelled by the
| sword and compelled by fear of the sword is pretty
| meaningless here. Unless these companies are
| independently deciding to push this out due to some
| internal zealous managers that reject the general CCP
| platform I think it's pretty safe to lay the blame at the
| feet of the party.
|
| There's also all sorts of pretty reasonable whataboutism
| to be thrown about here but it's wrong either way.
| GauntletWizard wrote:
| There's really no difference between the state providing
| a blacklist, and the state inspiring enough terror that
| blacklists are compiled. Actually, there is - the latter
| is far scarier.
| neartheplain wrote:
| Similar lists existed within Google for their ("on hold" last I
| heard) project Dragonfly [0]. I saw a bunch of banned terms
| like these in the Dragonfly repo before they hid it from
| regular employees. It was a very long list. On it were also the
| names of specific activists and human rights lawyers, including
| some who'd been disappeared [1] or forcibly confined to mental
| institutions [2].
|
| My impression is that Sundar was all-in on Dragonfly, and he
| only rolled it back because of tremendous external and internal
| pressure. As that pressure abates over time, expect Dragonfly
| to return. Word of warning for those who trust Google as a
| defender of digital privacy and human rights.
|
| [0] https://en.wikipedia.org/wiki/Dragonfly_(search_engine)
|
| [1] https://www.theguardian.com/world/2016/dec/06/un-human-
| right...
|
| [2] https://finance.yahoo.com/news/chinas-ink-girl-defaced-
| xi-09...
| nytgop77 wrote:
| Worth noting that the blacklist filtering decompiled code looks this
| way (just one line; to show the naming):
|
| if (iNativeAd.getAdTitle() != null &&
| m12161a(iNativeAd.getAdTitle(), str)
|
| If the naming is to be believed, it is filtering advertisements.
| throwaway4good wrote:
| That would be my interpretation as well - these non-mangled
| names, I guess, come from an API.
| [deleted]
| zibzab wrote:
| I would love to see a similar analysis for Nokia phones (before
| they moved development from China to EU).
| EMM_386 wrote:
| I just helped someone remove the built-in Chinese malware from a
| US Government provided phone.
|
| It's insane.
|
| https://blog.malwarebytes.com/android/2020/07/we-found-yet-a...
| [deleted]
| reginold wrote:
| Wow thanks for all that you do and blogging about this.
|
| HN discussion here:
| https://news.ycombinator.com/item?id=28499918
| titzer wrote:
| This is what kinda terrifies me about today's digital
| landscape. Now it's so cheap to hide surveillance capabilities
| (spyware, hidden microphones or cameras) that bad actors can
| just embed surveillance into _every_ cheap device, hoping just
| by sheer numbers to get one into a sensitive area (e.g.
| Pentagon, Langley), and then remotely activate surveillance.
| With the computational capabilities of today's data centers,
| they don't even have to be all that selective anymore. They
| could just be monitoring everyone, at some granularity, dumping
| logs into a massive database with just enough metadata to make
| it searchable/queryable.
|
| It's downright dystopian.
| EMM_386 wrote:
| > It's downright dystopian.
|
| It sure is. No stopping it now though.
|
| I'm old enough to remember being able to go to someone's
| place and expect privacy. These days literally anything can
| have an HD cam.
|
| Not great for paranoia but what can you do?
|
| > They could just be monitoring everyone,
|
| They are. Snowden already proved this, and we apparently got
| into that particular situation to keep pace with China.
|
| Not my job.
| reginold wrote:
| You are more powerful than you may realize. Work on
| supporting open source hardware and software options.
|
| 1. If you are a developer, consider buying a Pinephone [1]
| and contributing to the codebase.
|
| 2. If not a developer, you can submit bug reports and test
| fixes. Same for Purism Librem phone as well [2].
|
| 3. If you are neither, or have no time to spare but do have
| money, you can always purchase one for kicks or donate to
| open source like Ubuntu.
|
| 4. Finally if you have no time or money, simply upvoting
| privacy related threads on HN and talking with your friends
| about it helps too.
|
| [1] https://pine64.com/product/pinephone-beta-edition-with-
| conve...
|
| [2] https://puri.sm/products/librem-5/
|
| edit: added numbering
| abakker wrote:
| I hate to say this, but OSS anarchism is not going to
| work. Most people cannot really work or live with those
| devices.
|
| This is a problem that needs to be solved with
| legislation, lobbying, superPACs, and candidates who are
| not ethically flexible.
|
| The solution to bad government is not "no government" and
| the solution to bad company behavior is better rules.
| tombert wrote:
| I don't disagree at all with what you're saying, but
| shouldn't we still do what little we can? Even if it's
| incremental, doesn't it at least send a tiny signal to
| manufacturers and companies and government if they see an
| increase in the demand of open hardware and open-source
| software?
|
| The end solution will definitely require something more
| systemic, no question, but I don't think that should
| stop the common person from doing what they can.
|
| I bought an iPhone less than a year ago (to use up a
| discount code before I left Apple), but a part of me
| already regrets not biting the bullet and purchasing
| something open, like a PinePhone.
| systemvoltage wrote:
| This is the correct answer. Legislation and outright bans
| of products that require any sort of internet connection
| to work.
|
| Furthermore, legislation that explicitly prevents
| gathering of any data, user account or coercion to use
| the product in any way without explicit consent of the
| user.
|
| OSS is not going to cut the mustard.
| titzer wrote:
| We need both. First, Stallman was right. We simply cannot
| trust the magic incantations (code) of closed-source
| software and hardware to respect laws, in spirit or in
| letter. We must be able to audit all devices at every
| level. Second, the EFF is right, too. They fight at the
| legislative level. But they are fighting a defensive
| game. Consumers need to go on the offensive and lobby for
| legislatures to pass a digital Bill of Rights.
| reginold wrote:
| Open to other ways of taking action. What are you doing
| to support the solutions you describe?
| ignoramous wrote:
| > _I hate to say this, but OSS anarchism is not going to
| work. Most people cannot really work or live with those
| devices._
|
| Baby steps. Such changes start small.
|
| > _This is a problem that needs to be solved with
| legislation, lobbying, superPACs, and candidates who are
| not ethically flexible._
|
| Yes, but regulations do also ring in different challenges
| and over the long-term, the status-quo ends up being
| enshrined in them, thwarting the otherwise thriving
| diversity of the ecosystem. Though, it is inevitable
| Internet / Web gets regulated ala Finance /
| Telecommunications industries.
| bobthechef wrote:
| Certainly, legislation would be enormously helpful, but
| legislation isn't incantation. Economic factors are real.
|
| Western countries _need_ to rebuild their domestic
| manufacturing bases. There is no other way to guarantee
| that production will respect ethical norms and no other
| way to realistically punish violations. Legislation must
| incrementally direct industry back to the West and
| provide conditions under which it can flourish. This is
| easier said than done which is why any temptation to
| outsource ought to be VERY carefully considered because
| once you outsource industry, not only do you destroy the
| industrial base and mutually beneficial complex
| relationships, but you also starve domestic expertise and
| competence and the culture of that industry. Industry is
| a culture and culture is only transmitted when it is
| living, when there is a society of people who communicate
| and share and contribute and make use of it. If you ship
| textile manufacturing abroad, your domestic textile
| culture atrophies and withers. I think people
| underestimate this. It's not just a matter of willing
| something. You don't just say "well, all we need to do is
| build a factory for making X". Yeah? Who knows how to
| build that factory and to make X, and make it well so
| that it is competitive? Not you. Western cultures have
| forgotten how to make certain things. It's like trying to
| go into the pyramid building business by just wanting to
| do it or by looking over some old papyrus. Yeah, sure,
| you have to start somewhere, and do start, but don't
| expect it to be easy.
|
| Decentralizing production is also better for security by
| removing unnecessary dependence. You want production to
| be distributed. You do not want one guy to make all of X.
|
| And placing your bets on Chinese reform or political
| pressure on China to "be nice" is so ludicrous that I
| won't waste my proverbial breath. I will only say that
| the vast imperial ambitions of China are not only
| obvious, but that the elites of our own countries have
| taken a liking to their methods. The recent self-hatred
| of Westerners creates a vacuum, and Chinese ideas seem
| poised to fill it.
| vbezhenar wrote:
| A technically capable person can easily protect himself.
| It's not that hard. At least from ordinary threats. Use a
| dedicated firewall device, use software firewalls,
| periodically check out running services.
|
| The issue is with the rest, 99.9% of people, who will share
| whatever you say, because their phone happened to be
| nearby, and you can't really do anything about it.
| vorpalhex wrote:
| I'm, like many people here, the IT support for my extended
| family.
|
| I generally do my best to not only steer them away from
| invasive devices but also explain why.
|
| Unfortunately this is more and more turning into a
| situation where I have hardware sent to me, reflashed with
| a known good rom and then mailed back out.
| systemvoltage wrote:
| It's underrated, but DJI drones sold by the millions are a great
| way to spy on what could not be gathered through satellite
| imagery. If not now then during wartime, the CCP has a million
| remote cameras in the form of DJI drones and can turn them on in a
| snap. It would require a nationwide firewall to stop. Of
| course, DJI drones require the DJI flight app to even take off.
|
| Why the US government isn't putting together legislation for this
| sort of thing is beyond me.
| x86_64Ubuntu wrote:
| In your scenario, is China leveraging its own DJI drones?
| Or DJI drones already owned by hobbyists?
| systemvoltage wrote:
| Taking over drones owned by hobbyists.
|
| There seems to be an onslaught of positive DJI YouTube
| videos about how creating a user account is great and
| easy. Including fake comments praising DJI. Just search
| on YT DJI Mavic Pro setup.
|
| All this is too suspicious for me. I returned the drone
| for obvious reasons but millions of people are already
| buying into the ecosystem.
| EMM_386 wrote:
| > All this is too suspicious for me. I returned the drone
| for obvious reasons but millions of people are already
| buying into the ecosystem.
|
| We're way past the point of no return with all of this.
|
| At some point you just have to accept the new normal.
| Some of this should be handled by national security teams
| but I am unsure where we stand (US).
|
| I'm surprised Lithuania of all places takes a firm stand
| on Chinese phones, meanwhile the US seems to be spinning
| its wheels. I am not sure what is going on behind closed
| doors.
| systemvoltage wrote:
| I'm not sure if I agree with the defeatist attitude. I'd do
| whatever I can. But, I do agree that this needs to be
| taken care of at the legislation / national security
| level and citizens shouldn't have to.
| selimthegrim wrote:
| Lithuania let Taiwan call its interests section an
| embassy or something and China is pissed so they were
| probably expecting blowback
| umvi wrote:
| Is that even enough though? Couldn't china put in shadow
| processors or other hardware-level surveillance similar to
| Intel's management engine? And it would be extremely difficult
| to detect, let alone disable or mitigate.
| Aerroon wrote:
| > _Couldn't China put in shadow processors or other
| hardware-level surveillance similar to Intel's management
| engine?_
|
| Do we know for certain that IME is not already doing this
| kind of spying though?
| fnord77 wrote:
| if one company is doing it, they're all doing it.
|
| From the snowden leaks we know the NSA puts their own firmware
| into enterprise hardware.
|
| One should assume that they're in American consumer hardware
| firmware as well
| marderfarker2 wrote:
| I know right? This post and the report it links reeks of
| political motive.
| dvh wrote:
| "Free Tibet", "Long live Taiwan independence" or "democracy
| movement". Sent from my Xiaomi, let's see if it works.
|
| Anyway, I always thought if I have to use American phone
| backdoored by FBI or Chinese phone backdoored by China, I choose
| Chinese because they really cannot arrest me, unlike FBI.
| lazide wrote:
| Well, if you have anything on your Chinese phone (assuming it
| did leak/backdoor back to China) that could get you arrested
| by the FBI - then whoever in China who had that ability to use
| it could then blackmail you with threats of arrest by the FBI
| if they told them, and you'd be in even worse shape right?
|
| Especially since then they'd probably have you do things that
| would result in even more jail time if caught than the original
| thing. And since your data is transiting international borders
| all the time, it would make a nice juicy target for the NSA as
| well!
| [deleted]
| mda wrote:
| backdoored by FBI : Which phone is that?
| [deleted]
| 908B64B197 wrote:
| Interestingly, people were trying to flee Lithuania for
| the US when the USSR was still around, and not the other way
| around.
|
| I wonder if they might be skeptical of another communist regime
| starting to interfere with the country. Worked so well the last
| time...
| axiosgunnar wrote:
| ?
|
| Lithuania has been capitalist for 20+ years and quality of
| life has increased by a lot ever since.
|
| the three Baltic states are frontrunners in gov
| digitalization, for example
| dzhiurgis wrote:
| Lithuania's gov digitalisation is a bit of a farce. To use
| it you need to log in via your bank or a couple of other
| supremely inconvenient forms of homegrown federated login
| systems, none of which offer simple U2F. Then you get a
| form that 99% of the time doesn't work on mobile. When you do
| fill it in, an actual government clerk picks it up, reviews it and 4
| weeks later you get a response: "you need to come to the
| office to verify your identity".
|
| Contrast it with NZ - I had to send my documents via post.
| In 6 years I NEVER had to visit ANY government agency
| but I did receive visas and passports, just simply by post
| (if you have a local driver's licence you do get to use local
| online services, which is a stupid barrier to begin with,
| but whatever).
| 908B64B197 wrote:
| > Lithuania has been capitalist for 20+ years and quality
| of life has increased by a lot ever since.
|
| That's what I said. Lithuania had it bad under communism
| (USSR). Maybe they are simply not interested in having
| another communist regime (the CCP) meddle in its internal
| affairs.
| peoplefromibiza wrote:
| In hindsight we know that the Red Scare was as bad as the thing
| they were fighting against
|
| _As the Cold War intensified, the frenzy over the perceived
| threat posed by Communists in the U.S. became known as the
| Red Scare. The United States government responded by creating
| the House Un-American Activities Committee (HUAC), which was
| charged with identifying Communist threats to the United
| States. HUAC often pressured witnesses to surrender names and
| other information that could lead to the apprehension of
| Communists and Communist sympathizers. Committee members
| branded witnesses as "red" if they refused to comply or
| hesitated in answering committee questions._
|
| with the only exception that Americans could not flee from
| persecutions.
| bassman9000 wrote:
| What can you send from your phone that will get you arrested by
| the FBI, vs what can get you arrested by Chinese forces? Is
| this a valid comparison?
| dvh wrote:
| Nice try!
| bassman9000 wrote:
| You could always link some news article on the FBI abuses.
|
| But you also have a gmail address, so I don't understand
| the reaction.
| adolph wrote:
| Having a gmail address is important to not stick out.
|
| https://www.itstactical.com/intellicom/mindset/gray-man-
| stra...
| bassman9000 wrote:
| If you don't use it for anything interesting, you're
| sticking out even more. A void can be as revealing.
|
| If you're using it for something interesting, well,
| you're not sticking out in the "not having gmail" camp,
| but what's the point.
| hughrr wrote:
| ECHELON!
|
| More seriously no platform is trustworthy unless it's
| airgapped these days.
| bassman9000 wrote:
| Still not addressing the critique. We banalize
| authoritarianism by putting things at the same level, when
| they should not be.
| reginold wrote:
| The scan is not for English words. Extract from table 14....
|
| ===================================================
|
| No.: Original - Approximate translation
|
| 1 "Zong Jiao Qian Xin Zhe Zhen Xian ", "Front of religious believers",
| ...
| 22 "Xi Cang Zi You ", "Free Tibet",
| ...
| 60 "Meng Gu Du Li ", "Independence of Mongolia",
| 61 "89Min Yun ", "89 Democracy Movement",
| 62 "Ji Du Ling En Bu Dao Tuan ", "Christian charismatic mission",
| ...
| 145 "Yi Si Lan Lian Meng ", "Islamic League",
| ...
| 201 "Min Yun ", "Democratic Movement",
| 202 "Fu Nu Wei Yuan Hui ", "Women's Committee",
| 203 "Yi Si Lan Ma Ge Li Bu Ji Di Zu Zhi ", "Al-Qaida in the Islamic Maghreb",
| 204 "Ren Min Bao ", "People's daily newspaper",
| 205 "Ba Le Si Tan Jie Fang Zu Zhi ", "The Organisation for the Liberation of Palestine",
|
| ===================================================
| felipelemos wrote:
| Sent from my Xiaomi device:
|
| No.: Original - Approximate translation
|
| 1 "Zong Jiao Qian Xin Zhe Zhen Xian ", "Front of religious believers",
| ...
| 22 "Xi Cang Zi You ", "Free Tibet",
| ...
| 60 "Meng Gu Du Li ", "Independence of Mongolia",
| 61 "89Min Yun ", "89 Democracy Movement",
| 62 "Ji Du Ling En Bu Dao Tuan ", "Christian charismatic mission",
| ...
| 145 "Yi Si Lan Lian Meng ", "Islamic League",
| ...
| 201 "Min Yun ", "Democratic Movement",
| 202 "Fu Nu Wei Yuan Hui ", "Women's Committee",
| 203 "Yi Si Lan Ma Ge Li Bu Ji Di Zu Zhi ", "Al-Qaida in the Islamic Maghreb",
| 204 "Ren Min Bao ", "People's daily newspaper",
| 205 "Ba Le Si Tan Jie Fang Zu Zhi ", "The Organisation for the Liberation of Palestine",
|
| Let's see
| brendoelfrendo wrote:
| Are you in mainland China? Because the article clearly
| states that this functionality is disabled in phones
| manufactured for export to the West.
|
| Edit to add: page 24 of the linked PDF, for reference.
| everdrive wrote:
| Except your phone is not backdoored by the FBI.
| deadalus wrote:
| It is backdoored by : Pegasus, NSA, CIA, 14 Eyes
| icedistilled wrote:
| There is a difference between having the potential of
| access versus actually having software installed that scans
| keywords to phone home about.
|
| Wasn't everyone just outraged about Apple's CSAM because it
| could have the potential for intel agencies, like China's,
| to abuse it by claiming political photos were CSAM?
| labster wrote:
| Five Eyes Burgers & Spies
| selimthegrim wrote:
| So that's why they're "going out of business"
| sorenjan wrote:
| Free Tibet. I just typed that on my Xiaomi with stock MIUI, using
| Google Gboard.
| reginold wrote:
| According to the 32 page research report the phrase is "Xi Cang
| Zi You ", and also that blocking is disabled outside regions of
| interest. So it's likely you won't see anything happen, but
| worth a try!
| wavefunction wrote:
| I don't think there were allegations that you couldn't type
| Free Tibet?
| avodonosov wrote:
| What exactly are the allegations then?
|
| "have a built-in ability to detect and censor terms such as
| 'Free Tibet'"
|
| Censor by preventing one posting the phrase? Removing the
| phrase from web pages?
|
| What are the steps to reproduce?
| tyingq wrote:
| The allegation is that the censorship code is there. It's
| disabled on phones in western markets, but can be enabled
| remotely by the manufacturer.
| oblak wrote:
| So, it's better than US-made spyware which cannot be
| removed from "our" PC CPUs? The best we can do is "disable"
| these features in the BIOS/UEFI and sleep well, even
| though nothing's really stopped.
|
| Sorry for the whataboutism but I am lot less concerned
| about Chinese spyware because I know for a fact that my
| government serves the EU and the US.
|
| All this anti China propaganda is really tiresome. China
| this, China that. Someone seems really scared. Fuck this
| someone
| trasz wrote:
| As you can see, one gets downvoted quickly when pointing
| out double standards, or posting anything else that could
| interfere with anti-Chinese propaganda efforts.
| tyingq wrote:
| The reply was to my fairly "just the facts" statement,
| where I didn't characterize what was happening, just
| explained it.
| severino wrote:
| > It's disabled on phones in western markets, but can be
| enabled remotely by the manufacturer
|
| Well, I think everything can be enabled remotely by your
| manufacturer, no matter which... it is what we call
| "software upgrades".
|
| But for me, a Westerner, it's actually good to have a phone
| controlled by the Chinese. I would be concerned if it
| were controlled by my government, though.
| onepointsixC wrote:
| It's also in Chinese, so if it is activated typing it in
| English doesn't do anything. But that's not to say that
| it can't also be updated to other languages.
| reginold wrote:
| It's all covered in the 32 page research report:
|
| Xiaomi system applications (Security, MiBrowser, Cleaner,
| MIUI Package Installer and Themes) have been found to
| regularly download the manufacturer's updated configuration
| file MiAdBlacklistConfig from a server located in
| Singapore. This file contains a list composed of the
| titles, names and other information of various religious
| and political groups and social movements (at the time the
| analysis was performed, 449 records were identified in the
| MiAdBlacklistConfig file). Analysis of the Xiaomi
| application code showed that the applications have
| implemented software classes for filtering the target
| multimedia displayed on the device according to the
| downloaded MiAdBlacklistConfig list. This allows a Xiaomi
| device to perform an analysis of the target multimedia
| content entering a phone: to search for keywords based on
| the MiAdBlacklist list received from the server. When it is
| determined that such content contains keywords from the
| list, the device blocks this content. It is thought that
| this functionality can pose potential threats to the free
| availability of information.
|
| PDF here:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-
| analysi...
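The download-and-filter scheme the report describes (the passage quoted just above, the Table 14 extract quoted earlier in the thread, and the decompiled getAdTitle() check another commenter posted) can be modelled end to end. The following is an added example written for this page; it is not Xiaomi's code and not taken from the report. The JSON layout (a top-level "blacklist" array of strings), the one-week refresh interval and the case-insensitive substring match are assumptions, since the page shows neither the file's structure nor the body of m12161a. The entries are the pinyin renderings shown in the thread's extract rather than the original-script names the real file carries, and the sample ads are constructed.

```python
"""Model of the MiAdBlacklistConfig scheme described in the NCSC report.

Added example for this thread, not Xiaomi's code. Assumptions are marked.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed stand-in for the downloaded JSON. The real file's layout is not
# shown on this page; a top-level "blacklist" array of strings is an assumption.
# Entries are the pinyin renderings from the thread's extract of Table 14; the
# real file carries the original-script names.
SAMPLE_CONFIG_JSON = json.dumps({
    "blacklist": ["Xi Cang Zi You", "89Min Yun", "Min Yun", "Ren Min Bao"],
})

# The report only says the list is refreshed "periodically"; one week is assumed.
REFRESH_INTERVAL = timedelta(days=7)


@dataclass
class AdBlacklist:
    keywords: list[str]
    downloaded_on: date   # report: download date is recorded to drive refreshes
    enabled: bool         # report: blocking is disabled outside regions of interest

    @classmethod
    def from_json(cls, raw: str, downloaded_on: str, enabled: bool) -> AdBlacklist:
        """Parse the config (downloaded_on as an ISO date), keeping only
        non-empty string entries so a malformed file cannot crash the filter."""
        data = json.loads(raw)
        entries = data.get("blacklist", []) if isinstance(data, dict) else []
        keywords = [e.strip() for e in entries if isinstance(e, str) and e.strip()]
        return cls(keywords=keywords,
                   downloaded_on=date.fromisoformat(downloaded_on),
                   enabled=enabled)

    def needs_refresh(self, today: str) -> bool:
        """True once the recorded download date is at least one interval old."""
        return date.fromisoformat(today) - self.downloaded_on >= REFRESH_INTERVAL

    def matching_keyword(self, title: str | None) -> str | None:
        """Return the first list entry contained in the title, or None.

        Mirrors the decompiled `getAdTitle() != null && m12161a(title, str)`
        check; m12161a's body is not on the page, so a case-insensitive
        substring test is assumed.
        """
        if title is None:
            return None
        folded = title.casefold()
        for keyword in self.keywords:
            if keyword.casefold() in folded:
                return keyword
        return None

    def should_block(self, title: str | None) -> bool:
        return self.enabled and self.matching_keyword(title) is not None


def filter_ads(blacklist: AdBlacklist, ads: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split ads into (shown, blocked) using each ad's "title" field."""
    shown: list[dict] = []
    blocked: list[dict] = []
    for ad in ads:
        (blocked if blacklist.should_block(ad.get("title")) else shown).append(ad)
    return shown, blocked


if __name__ == "__main__":
    bl = AdBlacklist.from_json(SAMPLE_CONFIG_JSON, "2021-08-01", enabled=True)
    sample_ads = [  # constructed
        {"id": 1, "title": "Free Tibet"},
        {"id": 2, "title": "Xi Cang Zi You rally tonight"},
        {"id": 3, "title": "Ren Min Ri Bao subscription"},
        {"id": 4, "title": None},
    ]
    shown, blocked = filter_ads(bl, sample_ads)
    print("shown:", [a["id"] for a in shown], "blocked:", [a["id"] for a in blocked])
    print("refresh due on 2021-08-23:", bl.needs_refresh("2021-08-23"))
```

Two things the model makes concrete for the "I typed Free Tibet on my Xiaomi" tests in this thread: an English title never matches the (pinyin, here) entries, and with `enabled=False`, which the report says is the state outside the regions of interest, nothing is blocked whatever the title contains. It also shows the translation point raised above: under substring matching, "Ren Min Bao" does not match "Ren Min Ri Bao".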
| avodonosov wrote:
| Right
| reginold wrote:
| I don't understand what you're saying or intending with
| your comments. There are 32 pages in the report. I'm
| curious about steps to replicate as well, generally for
| stuff like this.
| avodonosov wrote:
| I mean the piece quoted above is the correct original
| source. I wanted to post exactly this snippet myself.
|
| From that a possible test case can be to open this HN
| thread in MiBrowser and see the webpage blocked due to
| the "free Tibet" phrases posted here (assuming
| MiAdBlacklistConfig includes English versions).
|
| If anyone has a Xiaomi phone and is willing to accept the
| MiBrowser terms of use, please try.
| reginold wrote:
| Right. MiAdBlackListConfig does not include English
| versions, according to the 32 page research article.
| Therefore "Free Tibet" is not relevant.
|
| A user here testing this is irrelevant. If someone wants
| to verify, figure out where we can get the codebase and
| search these strings ourselves.
| avodonosov wrote:
| Chinese versions are posted already too, so this thread
| can be used for testing now.
| hef19898 wrote:
| Unless you are based in China, a Chinese national, a known
| dissident or a journalist it doesn't really matter, does it?
| Also, how do you know what Xiaomi did after you typed it?
|
| EDIT: As I really phrased it badly, I mean it doesn't prove
| anything if none of the above mentioned groups does it. It
| absolutely matters that Xiaomi is censoring and monitoring
| stuff based on keywords. I oppose that even more than I oppose
| Apple monitoring child pornography. Simply because Xiaomi is
| already doing the monitoring for a non-democratic repressive
| government.
| fartcannon wrote:
| Those first two categories make up 1 in 5 people on earth.
| You don't care what happens to 20% of the human race?
| reginold wrote:
| Are you saying you don't care what happens to journalists
| around the world? Seems like a recipe for disaster.
| hef19898 wrote:
| No, quite the opposite actually. Just that it doesn't mean
| anything if a random Xiaomi user in Europe can type words
| Xiaomi is monitoring. Since that user most likely isn't the
| reason why Xiaomi is doing that kind of stuff.
| reginold wrote:
| Oh I get what you mean, my bad. You're saying the above
| poster "typing in Free Tibet and nothing bad happened"
| doesn't prove anything. Yep, agreed.
| hef19898 wrote:
| Exactly that, I could have phrased it better I think.
| reginold wrote:
| Yes, rather than "it doesn't matter", something like
| "typing in a phrase yourself isn't relevant as this
| feature is likely disabled for you".
|
| Believe that's why you're being downvoted. The way HN
| moves comments around also so yours was not right next to
| the comment you replied to, which didn't help.
| hef19898 wrote:
| Reading my comment again, I do see the problem... On the
| positive side, it teaches clear, concise writing. Even in
| quick, short comments. Or thinking, as far as that's
| concerned. I would have used the same words verbally as
| well.
| reginold wrote:
| Pronouns in particular seem problematic. "It", "they",
| "he", "her" seem to be on their way out because they are
| less and less useful at communicating information.
| reginold wrote:
| What's "decomposition analysis" and how can I do it at home?
|
| Since others here are curious, how would one go replicating these
| results to find the MiAdBlacklistConfig file? Can I download the
| OS from a website and just search for strings in the
| MiAdBlacklistConfig file? I'm genuinely interested, rather than
| using this question to cast doubt on the 32 page research report.
| throwaway4good wrote:
| I am curious about this too.
|
| From what I can gather from the report it should be possible to
| reproduce the analysis. Probably it is even possible to run the
| apps in question in an emulator.
|
| Also it should be possible to get the full URL of the
| censorship configuration file and also its full contents.
|
| Given the extreme politics around this, I think it would be
| better if this type of analysis was done as open source and in
| a completely reproducible manner.
| game_the0ry wrote:
| I'm really not sure how seriously I should take the threat of
| Chinese made electronics - almost _all_ electronics are made in
| China, not just Xiaomi and Huawei.
|
| My iPhone is made in China by a Chinese contract manufacturer
| (Foxconn) - does that mean all iPhones could be compromised with
| Chinese malware? It could be possible, but how can you tell? Is
| it possible to observe network packets going from my phone to a
| Chinese or Chinese-allied country?
|
| Genuinely curious, btw. Any feedback would be very appreciated.
| stickfigure wrote:
| Presumably Apple ensures there is nothing nefarious in the
| hardware, but it seems an unlikely avenue for compromise. Most
| of the "phone" is Apple-provided software.
|
| In theory sure, you could have a chip snooping on the bus. But
| it would have to have a lot of OS-level knowledge and then how
| would it exfiltrate the data without OS-level access to the IP
| stack?
|
| Like the Bloomberg/Supermicro story, I am extremely skeptical.
|
| A Chinese-built phone that comes supplied with an OS, that's a
| totally different matter.
| nitrogen wrote:
| _how would it exfiltrate the data without OS-level access to
| the IP stack_
|
| Do iPhones use modems embedded in the SoC? Modem firmware can
| communicate with the cell network without the OS.
| stickfigure wrote:
| Which cell network, in which country? What protocol are
| those packets going to travel over, what is their
| destination, and how do they get routed?
| PeterisP wrote:
| The exact same protocol and route as any normal packets -
| I'd presume that for a phone it's just as for computer
| network hardware, that the OS is not in full control of the
| IP stack and the firmware can send extra packets that the OS
| won't see (with the same source/routing as configured by
| the OS after it does it) and process the response packets
| without propagating them to where the OS might see them.
| eloisius wrote:
| Just a nit because you're mostly right, but Foxconn is a
| Taiwanese company that does its manufacturing in China.
| game_the0ry wrote:
| Fair nit, my friend. I did not know that.
| reginold wrote:
| As far as I can tell, the meta solution here is open source
| hardware and software. Otherwise it just doesn't matter who is
| doing this, why they do it, or who is affected.
|
| The core issue is the lack of end to end encryption and open
| source hardware and software. Options today are okay, but they
| need to be great to reach the right people. See my post in this
| thread about Pinephone and Librem.
| [deleted]
| game_the0ry wrote:
| > As far as I can tell, the meta solution here is open source
| hardware and software. Otherwise it just doesn't matter who
| is doing this, why they do it, or who is affected.
|
| I agree with you there, but I want to know how to analyze
| devices that are closed source.
| jl6 wrote:
| Network isn't even the only egress route out of a cellphone.
| They have sophisticated radios, so a low-level (e.g. on-
| silicon) backdoor could send your data out to a nearby agent
| using all manner of electro-magnetic emissions.
|
| You just have to trust the manufacturer and its supply chain,
| and that applies to open source too.
| techrat wrote:
| "Made" in this case tends to refer to created, not just
| manufactured. It (as the article states) is mostly an issue for
| Chinese _brands_ with poor quality control or ulterior motives.
| rsj_hn wrote:
| Foxconn is not Chinese, it's a Taiwanese contract manufacturer,
| that does have most factories in China (but it also has
| factories in other countries). The reason why Foxconn is so
| successful is because they do a good job in quality control and
| honoring contracts, which sets them apart. They are trying to
| blend Western-style rule of law with Chinese wages and
| infrastructure.
|
| The successful stories about western companies outsourcing to
| China do tend to fall into the category of building and running
| your own factory there, rather than contracting with a Chinese
| owned and managed factory to produce to spec, which suffers
| from all the ethical problems discussed in the parent post.
| E.g. these are all decisions taken by management, not
| individual factory workers, so if you want to reduce risk, then
| install your own management.
| mlang23 wrote:
| I wonder how long it will take until $RANDOMCOUNTRY says the same
| thing about US phones.
| coolspot wrote:
| There are no mass-produced US phones. Hand-made boutique Purism
| US-edition doesn't count.
| marderfarker2 wrote:
| Technically all phones today have parts sourced or designed
| in the US. I do not understand how and why HN has such a hate
| boner for China.
|
| What China does today has been done ad nauseam by the US.
| China is merely following its footsteps.
| vanderZwan wrote:
| I suppose this isn't important but I am really curious: in which
| languages? Also how did the Lithuanian government find out?
| reginold wrote:
| It seems like the keyword match is based on Chinese, based on
| the extract on page 23 of the report.
|
| Linked near the top of the thread, 32 pages of goodness:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| Scoundreller wrote:
| Canada has unofficially banned the sale of their devices, or at
| least that's why eBay said the Canadian government told them to
| not allow their sale.
|
| Though eBay.ca just blocked any listing containing the word
| "xiaomi", though they make a ton of things that aren't phones. I
| just took out xiaomi and left the model number and sold my thing.
|
| Still waiting for my government to respond to my request to find
| out why.
| sudosysgen wrote:
| Xiaomi devices are not and never were certified for use in
| Canada.
| Scoundreller wrote:
| Doesn't usually result in the government requesting a stop-
| sale on eBay. Happened on newegg too:
|
| (Amp link because Reddit is actually down)
|
| https://www.google.com/amp/s/amp.reddit.com/r/Xiaomi/comment...
|
| Though you can still roam in Canada with them, so I don't
| know how that works. Shouldn't base stations reject
| uncertified device IMEIs? I guess it's all okay as long as
| there's revenue to be had.
| alliao wrote:
| I wonder when it'd be accidentally turned on
| [deleted]
| 1MachineElf wrote:
| They say the _Apple_ doesn't fall far from the tree...
| marcellus23 wrote:
| Huh?
| fortuna86 wrote:
| Sloppy attempt at Whataboutism
| ph2082 wrote:
| What happens when you type - Winnie the pooh ?
| thinkingemote wrote:
| Whilst the loveable bear was somewhat banned online for a
| little time a while ago, it's now not actually banned in China
| in itself and is and has been a popular children's toy. Disney
| stores also exist and sell Winnie the Pooh in China.
|
| What's more accurate is the use of the bear with reference to
| their leader (who looks like him!)
|
| A better string would be "Tiananmen Square massacre"
| MomoXenosaga wrote:
| Few months ago I read Xiaomi is now bigger than Apple.
|
| The cynic in me says this is just part of American anti China
| warfare. And Lithuania is, how should I put it nicely, an
| American lapdog. Disclosure: yes this was typed on a Poco.
| 2Gkashmiri wrote:
| Pfff... this is nothing. The government simply stops you on the
| roadside, demands you unlock your phone and if they find any VPN,
| or god forbid any "anti national content", beats you to a pulp and
| then charges you for terrorism. State sponsored mobile
| surveillance is too far away.
|
| Edit: the downvoters think I am just bluffing?
| https://thekashmirwalla.com/not-pegasus-kashmiris-are-worrie...
| zolosa wrote:
| From the article: Relations between Lithuania and China have
| soured recently. China demanded last month that Lithuania
| withdraw its ambassador in Beijing and said it would recall its
| envoy to Vilnius after Taiwan announced that its mission in
| Lithuania would be called the Taiwanese Representative Office
|
| No one trusts China, but this sure looks politically
| motivated. Was someone else able to authenticate or reproduce the
| results?
| no_way wrote:
| You can read the report and literally look up the file on your
| Xiaomi phone which contains the censored words.
| trasz wrote:
| Most people don't have Xiaomi phones. And it's worth noting
| that the document only mentions some of those, from over 300
| entries. What are the others and why were they redacted out?
| oseityphelysiol wrote:
| They are very common in Lithuania, to the point where I'd
| say around 20% of new phones being sold are from Xiaomi.
| They expanded heavily into other industries, like home
| automation, with prices that are a fraction of what other
| manufacturers would ask for their hardware.
| no_way wrote:
| I am not sure how accurate this information is but a quick
| Google search says Xiaomi has 24% phone market share in the
| EU, not just Lithuania.
| Aerroon wrote:
| My prediction is that their market share is going to
| substantially grow. Xiaomi phones are much cheaper in
| terms of the hardware they offer. A Xiaomi Poco F3 costs
| EUR350. A comparable device from others is probably in
| the EUR>450 range. An iPhone's probably in the EUR>800
| range.
| fortuna86 wrote:
| Yes the context is Lithuania dared state the obvious fact that
| Taiwan is a country, and now they are paying the price.
| crhutchins wrote:
| Isn't the better solution to this to stop any activities
| relating to the Xiaomi phones?
| kburman wrote:
| > "Our recommendation is to not buy new Chinese phones, and to
| get rid of those already purchased as fast as reasonably
| possible," Defence Deputy Minister Margiris Abukevicius told
| reporters in introducing the report.
|
| This is applicable equally for every other country.
| ignoramous wrote:
| There are no details really as to how Xiaomi censors those terms.
| If one does not use the bundled-in browser / app-store, I doubt
| Xiaomi can censor anything at all in other browsers unless they
| MiTM with client-cert. OTOH, many popular non-browser apps (at
| least the ones that matter) pin certificates, so even Lenovo-
| esque shenanigans wouldn't work [0].
|
| What can they possibly be doing in the _firmware_ or the _ROM_ to
| break TLS (and other such authenticated key-exchange protocols)?
| The only thing I can think of: injecting a compromised HTTPS stack
| into an app's _classpath_ / _ld_library_path_. This may sound
| ambitious, but the Android modding community already uses such
| runtime swappers to great effect [1][2].
|
| [0] https://news.ycombinator.com/item?id=9072424
|
| [1] https://forum.xda-developers.com/f/magisk.5903/
|
| [2] https://forum.xda-developers.com/f/xposed-general.3094/
| cronix wrote:
| Maybe they just turn offenders along with the evidence over to
| the PLA, for "review."
| bitcurious wrote:
| Off the top of my head, they can censor at the keyboard level,
| at the SMS level, and at the camera level:
| https://www.reddit.com/r/Xiaomi/comments/pgk8y3/xiaomi_camer...
| mzs wrote:
| I don't think that camera thing was censorship, instead a bug:
|
| https://www.reddit.com/r/Xiaomi/comments/pgk8y3/comment/hbf5...
|
| https://news.ycombinator.com/item?id=28395885
| heavyset_go wrote:
| Censorship of the Taiwanese flag by Apple on the iPhone for
| users in China manifested itself as a crash whenever the
| Taiwan flag emoji was used[1].
|
| [1] https://www.wired.com/story/apple-china-censorship-bug-iphon...
| disk0 wrote:
| > But Wardle found that in some edge cases, a bug in the
| Taiwan-censorship code meant that instead of treating the
| Taiwan emoji as missing from the phone's library, it
| instead considered it an invalid input. That caused
| phones to crash altogether, resulting in what hackers
| call a denial-of-service attack that would let anyone
| crash a vulnerable device on command.
|
| Which was also a bug--the conditions of whose existence
| are manifestly political (which I have zero desire/intent
| to defend here), but nonetheless an Apple-side bug that
| was patched eventually.
| ignoramous wrote:
| Yikes, yes: The _Input Methods_ are totally under their (ROM's)
| control even if one uses a non-Xiaomi keyboard.
| 2Gkashmiri wrote:
| "Free Tibet", "long live Taiwan independence", or "democracy
| movement".
|
| I sent this to a friend who owns a Xiaomi phone and asked him
| to resend this back to me via SMS. The message appeared just
| fine.
|
| Note: I am from India so this might not be enabled on the
| phones here for now.
| miohtama wrote:
| The Android hacker community, like XDA, should be able to quickly
| reverse engineer this as more details surface.
| bitcurious wrote:
| https://www.reddit.com/r/Xiaomi/comments/pgk8y3/xiaomi_camer...
|
| Related, in this thread the OP discovered that he couldn't take
| photos of an election ballot - they were being overwritten with a
| big green block.
| reginold wrote:
| No, the OP in the thread later retracted as they could not
| replicate and it seemed more like a random bug in the camera:
|
| "Yesterday I was a bit in a hurry and could not do all tests
| that I would have liked to. Today I tried to repeat the whole
| process with the same setup, documents still laying on the same
| table untouched etc. Just the lighting changed substantially
| (morning sun).
|
| I was unable to repeat the 'green picture effect' even once...
| all pictures taken with Xiaomi stock camera turned out well.
|
| I am sorry that I jumped to unproven conclusions (censoring) :(
| "
|
| Please read your full source in the future before posting. It
| clouds the discussion. (I just did this myself on another
| article)
| mvolfik wrote:
| This turned out to not be true - the comments pointed out that
| the overwrite is likely an app interpreting it as a different
| image format, which had happened before, and the OP didn't
| replicate the issue the next day in different light.
| everdrive wrote:
| It's unfortunate that it's hosted in Singapore. I do a lot of
| geo-blocking on my router, and I often wonder to what degree it
| helps me at all.
| msegal wrote:
| Motorola is also, now, a Chinese phone maker. Does it suffer from
| these same vulnerabilities?
| dylan604 wrote:
| well, for the 4 people left using a Moto, maybe??
| Koshkin wrote:
| Xiaoyu for doing stuff like this.
| throwaway4good wrote:
| I would like to see concrete reproducible evidence for this.
| reginold wrote:
| The 35 page report has details that should make it easy to
| replicate.
|
| "This file contains a list composed of the titles, names and
| other information of various religious and political groups and
| social movements (at the time of the analysis, the
| MiAdBlacklistConfig file contained 449 elements). A fragment of
| the MiAdBlacklistConfig file is shown in Table 14." page 23
|
| Linked elsewhere but here's the PDF report:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| fredgrott wrote:
| Hmm, that is why that Huawei Android fork flaw of running other
| mods as system-allowed with hidden updates is screaming at me
| now.
|
| It's a way to update that mod in real time without the user knowing
| about it, as it's system-allowed due to it running in a separate
| allowed system space.
| neonate wrote:
| http://web.archive.org/web/20210922185730/https://www.reuter...
|
| https://archive.is/YgfUs
| amiga-workbench wrote:
| I think you would have to be mad to leave the stock ROM running
| on a Xiaomi phone, IIRC they were caught logging people's browser
| history a few years ago. Several models have mainline LineageOS
| support, I'm running Lineage on my Mix 2S and hope to have years
| worth of updates going forward. The hardware is really good value
| as long as you install a non-tainted OS.
| EveYoung wrote:
| Not to sound paranoid, but won't even LineageOS phones have to
| run closed-source firmware and drivers?
| amiga-workbench wrote:
| Correct, it's entirely possible they could be doing more
| insidious stuff at the firmware level, but dumb keyword
| checking is almost certainly implemented in userspace.
|
| I don't think you can trust any proprietary firmware out
| there, it's just a question of which you trust less than the
| others.
| summm wrote:
| Not only firmware. Custom ROMs actually have to use binary
| blobs in kernelspace and userspace as well, in order to be
| able to use the hardware.
| halfstar91 wrote:
| And based on recent discoveries it sounds like Xiaomi
| should be trusted less than others.
| hef19898 wrote:
| As stupid as it might sound, I do trust Pixel phones, and
| a hypothetical iPhone running a different OS, the most
| of all alternatives. If one wants a smartphone. If not,
| just take a 20+ year old dumb phone. Or BlackBerry.
| DanAtC wrote:
| You can replace the user-facing software, but can/would you
| trust the baseband?
| sudosysgen wrote:
| Isn't the baseband Qualcomm code? Do you think Qualcomm
| allowed Xiaomi to run their own baseband on it?
| numpad0 wrote:
| Only when CPU is Qualcomm I think. I'm not knowledgeable
| with QPST/QXDM scenes but it didn't sound like firmware
| integrity mechanisms on qcom modems are too tight.
| sudosysgen wrote:
| Of course the firmware is only Qualcomm if the modem is
| Qualcomm.
|
| QPST/QXDM allows you to mess with the modems by sending
| it commands and changing configs yeah. But if you want to
| flash the firmware that's something else.
|
| Yeah the firmware integrity mechanisms are not the best,
| and there are definitely vulnerabilities in the firmware.
| But there's still no way of installing unsigned firmware
| on more recent devices, and I've never come across a way
| of running unsigned code without it being really obvious.
|
| There was a bug recently that allowed you to edit baseband
| memory from within the OS, but again you'll never be able
| to hide that from Qualcomm on a million devices.
| nottorp wrote:
| Do you think a Chinese company would even ask for
| permission? :)
| sudosysgen wrote:
| You can't exactly do it without permission though. You
| need to crack the bootloader for the baseband and that's
| way easier said than done and immediately noticeable.
| mschuster91 wrote:
| > You need to crack the bootloader for the baseband and
| that's way easier said than done
|
| There have been more than enough cases of people poking
| holes in bootloaders, including secret services. For what
| it's worth, Huawei and Xiaomi can be considered as part
| of the Chinese CCP dictatorship and I'd expect them to
| have access to such exploits.
|
| > and immediately noticeable.
|
| How is a user supposed to notice a modified baseband
| firmware? The only thing that a user can see is if the
| device has been rooted, but with a factory-supplied
| backdoor even that doesn't help.
| sudosysgen wrote:
| There's a difference between poking a hole in the device
| bootloader and the baseband bootloader. The second is
| wayyy more locked down and has a tiny attack surface.
|
| A user can directly download the baseband image from the
| chipset using for example QFIL. Then you can check if
| it's signed with Qualcomm's key or another. Exploiting
| this would require Xiaomi to hide two baseband firmwares
| in the baseband firmware which isn't feasible, and it
| would also require them to completely rewrite the
| baseband bootloader instead of just exploiting it.
|
| But even then you'd be able to read the eMMC and notice
| that there are two baseband firmwares. If you want to
| figure it out, you're free to buy any Xiaomi phone, read
| the eMMC, and check how many baseband images there are,
| then you'll be able to definitively know. Let me know if
| you do it.
|
| When I said immediately noticeable I meant by Qualcomm,
| not by the end user though. They have contractual
| obligations to lock down their baseband and their
| licensing system relies on it so they have a large
| incentive.
| gpderetta wrote:
| I was stupid enough to buy a Xiaomi phone without enough due
| diligence. Aside from all spying that is going on, the software
| is abysmal.
|
| The problem with replacing the OS is that I believe most
| banking apps I use will stop working. Might just need to write
| this phone off.
| beerandt wrote:
| Banking has to be the dumbest "security" industry there is.
|
| Restrict apps, but can still log in via browser.
|
| I have one bank app that actually says to screenshot a
| payment screen for your records, while blocking screenshots
| via app policy.
| TazeTSchnitzel wrote:
| > Restrict apps, but can still log in via browser.
|
| This isn't paradoxical. You treat the browser as a less
| trusted security domain than a phone, which usually has a
| secure boot chain, strong sandboxing, encrypted disk,
| reliable hardware cryptography etc, and therefore provide a
| different/better service on the phone. If a phone is
| missing one of these expected components then you're not
| the target market for the app, I guess. (Of course, your
| phone OS might be perfectly good, and the stock one might
| be crap, but the app developers don't care.)
| tyingq wrote:
| They allow browsers with, for example, extensions that
| can spy on a banking interaction with very little effort.
| beerandt wrote:
| What can a phone OS do to an app that a modern browser
| can't do to a webpage, as it relates to being a frontend
| to your bank account?
| MisterTea wrote:
| That's what happens when you have external security
| requirements along with audits and incompetent/greedy
| management. Designing and implementing a security policy
| based on the standard is a waste of money when you can do
| the bare minimum by checking off boxes.
| concinds wrote:
| Bank websites in some (developed, European) countries
| restrict you to 6-8 digit passwords (not alphanumeric), and
| don't have a 2FA option like Facebook or Google do. It's a
| massive joke.
| harikb wrote:
| Even apps like Netflix are configured not to be available on
| Google play if the device is not a certified one. That
| certification is lost AFAIK on rooting. I have two perfectly
| good android tablets that can't run Netflix
| sneak wrote:
| Is there anyone who knows how to root a device that doesn't
| know how to torrent?
| effingwewt wrote:
| Not even just that but magisk modules can show phone as
| stock to banking apps and such.
|
| Really this all just shows that people will truly put up
| with anything to make their lives more convenient, or for
| them to have to do less work.
| sneak wrote:
| > _truly put up with anything to make their lives more
| convenient_
|
| This is a contradiction in terms.
| effingwewt wrote:
| No it's not.
|
| That's the reality we live in. They will put up with
| being spied upon 24/7 for the convenience of a cheap
| phone they can't be bothered to root and ROM.
| [deleted]
| sudosysgen wrote:
| Use Magisk, your banking apps will work fine.
| throwaway52170 wrote:
| For now, until hardware backed attestation becomes properly
| enforced... Isn't security great
| sudosysgen wrote:
| It probably will never be. It just takes one OEM to fuck
| it up and everyone can use their device ID. That's why
| hardware backed attestation doesn't work, OnePlus fucked
| it up and now Magisk can pretend to be that phone and get
| exempted.
| jsudi wrote:
| If a Chinese oem loses their keys why not just revoke
| them?
| sudosysgen wrote:
| And cut off the phone from SafetyNet? That would hurt
| SafetyNet adoption and be bad for Google, which is
| presumably why they didn't do it for OnePlus.
| hxii wrote:
| I have installed an AOSP-based rom on my Xiaomi 9T and
| banking apps (well, at least one) seems to be working fine.
| 5e92cb50239222b wrote:
| Did you have any problems with AOSP? I want to replace the
| stock spyware on my mom's 9T, but the experience seems to
| be mixed, judging by a couple of forum discussions.
| ggktk wrote:
| This is why I still have my iPhone around. I know that one
| day my banking apps will just stop working. For now, Magisk
| Hide does the job.
|
| Next time when I'll be looking for a new Android phone to
| buy, stock Android will be a hard requirement. I was stupid
| to pick my Xiaomi phone for its hardware, I should've just
| gone with a Motorola.
| gpderetta wrote:
| I went from two Nexuses to two Motorolas to the Xiaomi. I
| didn't know how good I had it with stock Android.
| hef19898 wrote:
| Banking works under CalyxOS with microG. It doesn't like VPNs
| so, which I can understand somewhat.
| dukeofdoom wrote:
| Most people don't care if another country spies on them, since
| their laws don't apply to them. They would care much more if
| they are profiled by their own government. Or more like tech
| companies on behalf of the government spying on them, and them
| being discriminated, harassed, or jailed based on that data. So
| in a way it's actually kind of smart to go with a Chinese phone
| if you live in America.
| [deleted]
| zzzbra wrote:
| Galaxy Brain take.
| pier25 wrote:
| What about Android One?
| amiga-workbench wrote:
| I believe Xiaomi left the Android One program last year.
| kspacewalk2 wrote:
| Android One is moribund and is basically just Nokia now[0].
|
| [0] https://en.wikipedia.org/wiki/Android_One#2020
| Causality1 wrote:
| Good value assuming you're on the right carrier. AT&T in the US
| and its MVNOs are moving to a whitelist model in February,
| making Xiaomi phones unusable for anyone in the US not on
| T-Mobile.
| mytailorisrich wrote:
| Thanks to those who posted a link to the actual report [1]
|
| It may be worth clarifying that all those keywords and terms are
| in Chinese. So when they say "Free Tibet" they mean that the
| phone has a blacklist file that contains "Xi Cang Zi You" and
| whose use is disabled in the "European region".
|
| On the other hand, it seems that this blacklist file is actually
| downloaded into the phone, which suggests to me that they could
| update it to match any terms in any language if they wanted.
|
| I think that Chinese manufacturers will really need to produce
| 'clean' firmware that satisfies independent audits instead of
| these superficial feature flags if they want to continue to sell
| in the West long term. If not they will suffer Huawei's fate one
| after the other when this sort of thing is found out.
|
| [1] https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| nottorp wrote:
| > which suggests to me that they could update it to match any
| terms in any language if they wanted.
|
| About the same thing as Apple scanning iPhones for what they
| say is child porn.
|
| suggests to me they could update it to match any images if they
| wanted...
| hef19898 wrote:
| Pretty much the same thing, if you ask me.
| chenster wrote:
| I'm keeping an eye on this while waiting for breaking from more
| prominent news sources.
| tasubotadas wrote:
| Are there any good non-Chinese smartphones besides Samsung?
| Preferably someone who delivers stock Android?
| [deleted]
| tmoravec wrote:
| iPhone?
| mrweasel wrote:
| Depending on your definition that's also a Chinese phone. You
| might be able to get one built in India, but that requires a
| lot of effort.
|
| The problem is that you're more or less screwed if you trust
| neither China nor Google. Generally speaking the iPhone is
| your best option, but partly due to a lack of options.
| fsflover wrote:
| Not Android, but made in the USA:
| https://puri.sm/products/librem-5-usa (and can run Waydroid).
| karolist wrote:
| Just buy Pixel phones, the pure Android experience and day 1
| updates are worth it. The new Pixel 6 will use LTS kernel and
| custom SoC, rumored to have updates for 5 years instead of what
| was a standard of 3.
| [deleted]
| HanaShiratori wrote:
| Pixel with GrapheneOS
| vvatermelone wrote:
| And if GrapheneOS is too hardcore for you, CalyxOS
| fabianhjr wrote:
| If you care about privacy one of the few options is a Google
| Pixel with CalyxOS and no Google Services.
| hkmaxpro wrote:
| Pixel 5a. Made in Vietnam by the Taiwanese company Compal
| Electronics
| https://tw.appledaily.com/property/20210819/4W5C3MGDDJEILMIY...
|
| Not Pixel 6 though. Still made in China
| https://asia.nikkei.com/Business/China-tech/COVID-slows-Appl...
| fortuna86 wrote:
| New Pixel ?
| tjpnz wrote:
| What would people suggest with regards to IoT devices? I own a
| Xiaomi robotic vacuum for instance. I've taken the usual step of
| putting it on a segregated IoT network but it's also got a
| builtin camera.
| AdrianB1 wrote:
| Not trying to be a jerk, but the S in IoT comes from Security.
| I work in an area where IoT is the top buzzword of the past 3-4
| years, I have nothing in my house and so far nothing in my work
| area of influence. I have a "smart" Chinese air conditioning
| unit with WiFi disabled and a "smart" Samsung TV with Ethernet
| not connected, not because I am paranoid but because I am old
| enough to have some life experience.
| jszymborski wrote:
| Why recommend against them and not simply ban the sale of Xiaomi
| and co. in Lithuania?
| netcan wrote:
| "Censorship" is part of a whole here, and it's not obvious what
| to call that whole.
|
| This is a complex of censorship, data gathering, personalization
| and such. A few months ago Microsoft accidentally turned on some
| China settings globally, and "tank man" disappeared from search
| results. Tank man is conspicuous, I wonder what less conspicuous
| switches can be flipped.
|
| The main arteries of media & communication are strategic assets.
| These are responsible for nearly 100% of Alphabet & FB's revenue.
| Ad businesses, app stores, etc. Google pays Apple more revenue for
| search defaults than MSFT earns in gross from their "2nd place in
| the market" position. Google pays OEMs and telecoms to be their
| default app stores. The complex is all about bottlenecks.
|
| Control over these is the financial asset behind several of the
| world's most profitable companies. It is a primary intelligence
| target/asset. It's a major part of china's information/narrative
| control mechanism... has been for a while. The thing that's
| changing is that china's mass is starting to cause tides
| elsewhere.
|
| This game is a "ring of power" game.
| marcodiego wrote:
| Time to pressure vendors to seek RYF certification.
| EveYoung wrote:
| What difference does it make to disable the censorship function
| compared to fully removing it from the code base?
|
| Considering that phone updates cannot be verified, every phone
| maker has the ability to secretly add such features at any time.
| And if the phone is linked to a user account they could even do
| this in a targeted way.
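The "targeted update" concern in the comment above is one a practitioner can at least partially check for: a vendor signature proves the package came from the vendor, not that every device on the same version received the same bytes. The following is an added example, not code from the thread or from the NKSC report, showing two such checks in Python: pinning a received package against a published digest, and comparing the digests several devices report for the same version to spot one that got something different. The manifest, the device identifiers, the update bytes and the "majority digest wins" rule are all constructed assumptions for illustration.

```python
"""Added example (not from the HN thread or the NKSC report): consistency
checks for firmware/app updates.

Assumptions (hypothetical): the vendor publishes a manifest mapping
version -> SHA-256 of the update package, and several devices report the
digest of the package they actually received for a given version.
"""
import hashlib
import hmac
from collections import Counter, defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an update package."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample manifest: what the vendor claims version 1.4.2 is.
PUBLISHED_MANIFEST = {"1.4.2": sha256_hex(b"update-1.4.2-generic")}


def matches_manifest(version: str, package: bytes,
                     manifest=PUBLISHED_MANIFEST) -> bool:
    """True if the received bytes hash to the digest the vendor published
    for this version. Unknown versions fail closed."""
    expected = manifest.get(version)
    if expected is None:
        return False
    # constant-time compare; avoids leaking how many hex chars matched
    return hmac.compare_digest(expected, sha256_hex(package))


def divergent_versions(reports):
    """reports: iterable of (device_id, version, digest).
    Returns {version: {digest: [device_ids]}} for every version where more
    than one distinct digest was seen, i.e. the same version delivered
    different bytes to different devices."""
    by_version = defaultdict(lambda: defaultdict(list))
    for device, version, digest in reports:
        by_version[version][digest].append(device)
    return {v: dict(d) for v, d in by_version.items() if len(d) > 1}


def outliers(reports):
    """Devices whose digest is not the majority digest for their version.
    Majority-as-baseline is an assumption: it only works if the attacker
    cannot target most of the fleet at once."""
    by_version = defaultdict(list)
    for device, version, digest in reports:
        by_version[version].append((device, digest))
    flagged = []
    for entries in by_version.values():
        majority, _ = Counter(d for _, d in entries).most_common(1)[0]
        flagged.extend(dev for dev, d in entries if d != majority)
    return sorted(flagged)


# Constructed reports: four devices on 1.4.2, one of which received
# different bytes than the others under the same version string.
SAMPLE_REPORTS = [
    ("dev-a", "1.4.2", sha256_hex(b"update-1.4.2-generic")),
    ("dev-b", "1.4.2", sha256_hex(b"update-1.4.2-generic")),
    ("dev-c", "1.4.2", sha256_hex(b"update-1.4.2-targeted")),
    ("dev-d", "1.4.2", sha256_hex(b"update-1.4.2-generic")),
]

if __name__ == "__main__":
    print("devices with a non-majority digest:", outliers(SAMPLE_REPORTS))
    print("versions with divergent digests:", list(divergent_versions(SAMPLE_REPORTS)))
```

The manifest check is what a signed update already gives you; the cross-device comparison is the part that addresses targeting, and it only works if digests are collected from devices that do not share an account, network or region with the one under suspicion, otherwise all of them may have received the same targeted package.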
| echelon wrote:
| We should be up in arms over this. But we should also be up in
| arms over Apple's "CSAM" plans.
|
| Surveillance doesn't belong on our devices. Period.
|
| Once it's in, the dictators can clamp down even harder. Over
| time, freedom atrophies and the window slides closer to
| totalitarian control.
|
| Don't invite the devil in. Scream it away.
| thebraxton wrote:
| There were multiple articles about Apple's CSAM with
| discussions.
| echelon wrote:
| And we should stop talking about it? That's what Apple and
| the intelligence orgs want.
| reginold wrote:
| I'm totally up for talking about it, what more can we talk
| about tho? I'm switching vendors and advocating for open
| sw/hw. Open to more threads!
| marderfarker2 wrote:
| I don't see Lithuania writing a report or making a fuss about
| it. Weird.
| dang wrote:
| pdf of the report being reported on:
| https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
| Aissen wrote:
| Anyone know why OnePlus is mentioned? The only reference seems to
| be a stupid CVE; I'm sure they have much worse bugs.
| dehrmann wrote:
| Apple's getting remarkably close to the same place with its (on-
| hold) system for scanning for CSAM. It could be adapted for
| political censorship and "turned on remotely at any time."
| pulse7 wrote:
| The blacklist is interesting, because it maybe shows China's
| government interests - some of which are not widely known:
|
| - "Independence of Mongolia" - Does this show they would like to
| acquire Mongolia (when the time will be appropriate)?
|
| - "The Organisation for the Liberation of Palestine" - Does this
| show pro-Israel support?
| _dain_ wrote:
| There is the Inner Mongolia Autonomous Region, which is part of
| the PRC.
| miles wrote:
| Mongolia needs allies to withstand China's looming threat
| https://asia.nikkei.com/Opinion/Mongolia-needs-allies-to-wit...
|
| The implications of the rise of China's military for Mongolian
| security https://calhoun.nps.edu/handle/10945/5340
|
| China accused of 'cultural genocide' in Inner Mongolia
| https://www.ucanews.com/news/china-accused-of-cultural-genoc...
|
| China's Crackdown on Mongolian Culture
| https://thediplomat.com/2020/09/chinas-crackdown-on-mongolia...
| academia_hack wrote:
| China absolutely has designs on Mongolia. The whole existence
| of the modern Mongolian state is a mess of cold-war / world war
| 2 geopolitical compromises that left basically no one happy. If
| Sino-Russian relations cool, or the climate of Mongolia itself
| warms, it could quickly find itself in an awkward spot between
| two notoriously bad-faith superpowers and with essentially no
| alternatives to vassalage.
| laurent92 wrote:
| I suppose it would be very different from Tibet: Tibet
| provides 2/3rd of the water resources of China, and China
| came and secured it. I don't think Mongolia has such scarce
| resources... does it?
| codezero wrote:
| Maybe potential for mining rare earth elements?
| enkid wrote:
| Mongolia has a lot of copper, coal, and significant
| deposits of gold and other raw materials. Mostly, it's the
| Russians and Chinese that mine it, so they don't really
| have a reason to invade at this point.
| hangonhn wrote:
| The issue of Mongolian independence was left ambiguous by the
| USSR and China (this includes the PRC and ROC -- they both
| technically claim it). Mongolia had at one point petitioned to
| join the USSR but was actually rejected. The status of Mongolia
| was a bargaining chip the USSR used with the PRC and China
| never really completely relinquished its claim on it (whether
| that claim is legit is another issue)
|
| Good YouTube overview:
| https://www.youtube.com/watch?v=NUa1mvaYNtk
| throwhehehe wrote:
| > (this includes the PRC and ROC -- they both technically
| claim it)
|
| Neither claims it anymore. The PRC never did. The ROC did at
| least until the 60s, but they changed position around 2002.
|
| The ROC technically recognized the independent Mongolia in
| 1946 after some pressure from the Soviets, though they
| backpedaled on that and blocked Mongolia's admission into the
| UN in the 50s. Taiwan certainly recognizes Mongolia since
| 2002 at least. They have good relations.
|
| The PRC has good enough relations with Mongolia since mid
| 80s.
| enkid wrote:
| "Independence of Mongolia" may be talking about "Inner Mongolia,"
| which has ten times as many people as the country of Mongolia.
| My guess with the Palestine piece is the "Muslim terrorists" in
| Xinjiang would be interested in that.
| pphysch wrote:
| "People's Daily newspaper" is a pretty big counterexample that
| everyone is conveniently ignoring.
| AnotherGoodName wrote:
| It's not the mainland China paper if you search for the
| Chinese characters.
|
| Renminbao [Ren Min Bao ] is an independent Chinese online
| news website that criticizes the Chinese regime.
|
| https://china-chats.net/keywords/1705
| throwhehehe wrote:
| The common thread here is how Beijing is afraid of
| organized ethnic minority movements, religious movements
| and/or societies from the civil society that could have their
| own independent ideas.
|
| They are not that different from other Leninist inspired
| governments. Cuba does that. Vietnam does that. The Soviet
| Union certainly did that.
|
| These governments always lose their minds with the idea of
| people organizing themselves and the controlling party having
| no control whatsoever about these groups.
|
| I have no idea how the People's Daily plays into that. Maybe
| the readership is so small and it attracts a certain type of
| personality that Zhongnanhai thinks it is a good idea to
| report on them.
|
| I've read that the major clique in the CCP certainly wasn't
| happy about students calling themselves Maoists and
| supporting workers striking.
|
| I don't know much about China to say about that nor if the
| People's Daily has many people reading it.
| pphysch wrote:
| People's Daily is an _official_ newspaper of the Communist
| Party of China, i.e. "Beijing". Perhaps this fact can
| improve your analysis.
| HAL9001Ti wrote:
| You are mistaken, see this comment:
| https://news.ycombinator.com/item?id=28622783
| yorwba wrote:
| The term in the list is actually Ren Min Bao "People's
| newspaper" not Ren Min Ri Bao "People's Daily
| newspaper". From a quick look at their website, Ren Min
| Bao appears to be pretty anti-communist. Basically
| typosquatting.
| lmilcin wrote:
| I wonder why is anybody still surprised.
|
| China has no qualms invading privacy of anybody. They will try
| any and every way to get whatever they need and they are pretty
| effective at it.
|
| Ever read about doing business in China? What we call cheating
| or stealing is a standard business practice there. If you point
| it out they will back off and try somewhere else, ad nauseam. It
| is practically part of Chinese culture and upbringing.
|
| Why do you think "chinese" is practically a synonym for "cheap and
| most likely defective"?
|
| Just say no to Chinese phones and TVs and internet services,
| because you _WILL_ be exploited. It is not a question if but
| rather when and whether you will or will not know about it.
| AlexandrB wrote:
| I think the focus on China with respect to privacy is
| misplaced. This is a problem with many tech companies now. Just
| look at how smart TVs hoover up data from their customers.
| There's a danger to painting this as a problem with China's
| tech industry because it implicitly lets other tech companies
| off the hook for their horrendous privacy practices.
|
| > What we call cheating or stealing is a standard business
| practice there.
|
| What about "move fast and break things"? Or Uber's skirting of
| labor and taxi laws in many jurisdictions worldwide? I get that
| this is literally whataboutism, but the above examples are
| considered _virtuous_ by many here. What's the fundamental
| difference? To me it seems like China has just perfected the
| tech "hustle" culture invented in SV.
| reginold wrote:
| Appreciate your perspective here, you're right. The insidious
| "filter list" in the dictionary is sensational and the meta-
| story is around the worldwide invasion of user privacy.
| lmilcin wrote:
| > I think the focus on China with respect to privacy is
| misplaced. This is a problem with many tech companies now.
|
| Yes and no.
|
| Yes, it is a problem with many tech companies, I agree.
|
| But the way China does this is something completely
| different. Tech companies do this for their profit. China as
| a country exploits every single avenue to steal information
| and protect their position.
| photochemsyn wrote:
| Stealing information and protecting their position is
| pretty common in the corporate world, in fact that's how
| many corporations ensure their continued profitability.
|
| What you have in China is equivalent to "US Government" +
| "Big Tech" - "Bill of Rights".
| tehjoker wrote:
| Given the erosion in the bill of rights here, I suspect
| things are on a similar playing field. The main
| difference is the US government only censors using
| indirect means or by attacking the providers of
| information like Julian Assange.
|
| Did we forget that the NSA is collecting most of the
| traffic on the internet?
| lmilcin wrote:
| I still say there is a big difference between
| intercepting the Internet traffic and saying that giving
| unlimited access to the information is a prerequisite to
| doing business.
|
| Just think if the US government decided to imprison Apple
| executives and put their own in place of them unless
| Apple gave unlimited access to all their devices to US
| agencies.
|
| Also the way China uses this information -- to control
| minorities, punish "thought crime", erase historical
| events and uncomfortable topics from public.
| tehjoker wrote:
| At least some of the groups China bans are CIA funded or
| are other regime change attempts by the west, but point
| taken.
| umvi wrote:
| > Why do you think "chinese" is practically synonym to "cheap
| and most likely defective"?
|
| I think this is orthogonal to china stealing/copying. A lot of
| stuff from china is cheap/low quality because that's where you
| can cheaply mass produce plastic crap. But a lot of products
| from china are extremely high quality, world class level. You
| just have to pay more for it.
| gaoshan wrote:
| Western companies and business people have been remarkably
| myopic over the last few decades when it comes to the reality
| of doing business in China. The parent comment here is exactly
| right... this person knows what they are talking about yet
| somehow companies in the West seem to persist in trying to make
| a go of it. They almost all eventually learn their lesson but
| it doesn't have to be this way. This is not new info or new
| behavior.
| marderfarker2 wrote:
| > It is practically part of Chinese culture and upbringing.
|
| Wow. Didn't expect such a blanket and shallow statement on HN.
|
| Are you Chinese yourself? On what basis do you base your
| assumptions? Really.
|
| > What we call cheating or stealing is a standard business
| practice there. If you point it out they will back off and try
| somewhere else, ad nauseam.
|
| Now this is something that is attributable to human behaviour.
| Pretty sure it is observable across all kinds of culture and
| races. But why did you single out the Chinese?
| lmilcin wrote:
| > But why did you single out the Chinese?
|
| For my experience working with Chinese and other peoples'
| reports of the same?
|
| I have worked for a company that has outsourced production to
| a Chinese company. They would try a new trick every other
| month. Replacing parts with cheaper substitutes, skipping
| process steps, using counterfeit components. You point it
| out, they fix it, then they do the same when you are not
| looking at their hands.
|
| Every time they are being polite about it, but you know, this
| happening almost every shipment is not an accident.
|
| And even when you come with a solid proof they bend backwards
| to not admit they did it.
|
| Read up on some other horror stories of outsourcing
| production to China.
|
| Successfully outsourcing to China usually requires a sizable
| fleet of lawyers, constant presence at the production
| facility and inspecting every shipment for adherence to the
| contract.
|
| Again, don't you understand the reason why you buy something
| Chinese from a Chinese company and it immediately falls apart?
| Or tries to kill you? The Chinese companies that try to make
| quality products are a small minority. They do exist, my
| Andonstar soldering microscope and Rigol oscilloscope are
| proof of it, but they are an exception.
| effingwewt wrote:
| Yea I think parent is more worried about being PC than
| being truthful. All of the points mentioned were true, they
| just aren't PC.
|
| Gutter oil has been outlawed for a good minute now, yet it
| gets into even the restaurants, I've friends from mainland
| China who say even if you stay away from street vendors
| eventually you will eat it, so people just give up worrying
| about it.
|
| Myriad and many are the stories of factories taking specs
| and running off to start a cheaper knockoff competitor.
|
| Sometimes the truth sucks. I used to dream of visiting
| China, now I'd be scared to.
| rojeee wrote:
| I lived in China for a year and vouch for this type of
| behaviour. It's just considered normal in China. The really
| odd thing is that when you call them out on it, they are
| super polite. Eg they will always try to give foreigners
| fake money but after a while you can spot the fakes "zhe
| shi jia de!!", you say (This is fake!) and they apologise
| and give you a real one. At the same time, you earn respect
| from them. It's just all very odd but you get used to it.
| Whilst I enjoyed living in China, I don't want to ever go
| back.
| rualca wrote:
| > I wonder why is anybody still surprised.
|
| This is the kind of claim that's deep in conspiracy theory
| territory until the smoking gun is uncovered, and once that's
| out (and only then) it becomes obvious and unsurprising.
| lmilcin wrote:
| No, it is not and has not been surprising for decades.
|
| In China there are no private companies.
|
| There are only companies that Chinese government lets you run
| as long as you cooperate with the government.
| vnchr wrote:
| Even Jack Ma was put through the wringer after questioning
| the CCP publicly.
| rualca wrote:
| > No, it is not and has not been surprising for decades.
|
| I still recall the Supermicro backdoor chip story, and how
| once the Bloomberg news broke it was immediately so obvious
| and so clear that backdoor spy chips were undoubtedly being
| injected.
|
| But a few years have blown by and the story is now a
| renowned hoax.
|
| https://www.theregister.com/2021/02/12/supermicro_bloomberg_...
|
| So tell me, is this sort of story also unsurprising for
| decades?
| lmilcin wrote:
| So... this would be like saying "We have a murderer, we
| have ample evidence for it on tape and multiple
| witnesses. But there is also this one person that lied
| about being witness so then it must mean that the suspect
| is innocent."
| rualca wrote:
| > We have a murderer, we have (...)
|
| It sounds like you lost track of the discussion. If you browse
| back through the thread you'll notice that the whole
| point is that without evidence this sort of accusation
| lies deep inside conspiracy theory territory, among all
| nutty baseless conspiracies. The key difference in this
| case is that, unlike all other conspiracy theories, there
| is indeed evidence that provides substance to accusations.
| Stating that an accusation is obvious is not evidence nor
| enough on itself. As I pointed out, the accusations in
| the Supermicro case were also immediately obvious. Too
| bad they were not grounded in reality and after all these
| years there is no evidence to support them. But they were
| obvious, right?
| Foomf wrote:
| Your post reminds me of the time people in China rioted because
| students were not allowed to cheat on their exams. There really
| is something cultural going on there.
| MarkusWandel wrote:
| This may be kind of a dumb question, but what exactly is a
| "Chinese phone" and what is not? Is my current "Moto" branded
| phone (Lenovo) in the same boat and if not, why not?
| [deleted]
___________________________________________________________________
(page generated 2021-09-22 23:00 UTC)