"It has been established that during the initialisation of the system applications factory-installed on a Xiaomi Mi 10T device, these applications contact a server in Singapore at the address globalapi.ad.xiaomi.com (IP address 47.241.69.153) and download the JSON file
MiAdBlacklistConfig, and save this file in the metadata catalogues of the applications. A list of applications for which the MiAdBlacklistConfig file was found in metadata catalogues is presented in Table 13."
...
"Once the applications have downloaded the file, the download date is recorded in order to facilitate periodically updating the list. The scheme for downloading the MiAdBlacklistConfig file is shown in Figure 11."
"This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time of the analysis, the MiAdBlacklistConfig file contained 449 elements). A fragment of the MiAdBlacklistConfig file is shown in Table 14."
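A defender-side way to spot the download described above on a network you monitor, as an added example that is not code from the report or from Xiaomi: it scans constructed proxy-style log lines (the line format is assumed, the request paths are placeholders) for the host, IP address and file name the report quotes, and tallies hits per client per minute so the polling cadence is visible.

```python
"""Flag requests for the MiAdBlacklistConfig endpoint in outbound-proxy logs.

Added example, not part of the cited report. The hostname, IP address and
file name are the ones the report quotes; the log format and sample lines
are constructed for this example.
"""
import re
from collections import Counter, defaultdict

INDICATOR_HOST = "globalapi.ad.xiaomi.com"  # quoted from the report
INDICATOR_IP = "47.241.69.153"              # quoted from the report
INDICATOR_FILE = "MiAdBlacklistConfig"      # quoted from the report

# Assumed log format (constructed for this example), one request per line:
# "<ISO-8601 timestamp> <client ip> <destination host> <destination ip> <path>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<dst_ip>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample lines. Paths under /placeholder/ are not real URLs, and the
# non-indicator addresses use documentation ranges (TEST-NET).
SAMPLE_LOG = """\
2021-09-22T10:00:01Z 192.168.1.23 globalapi.ad.xiaomi.com 47.241.69.153 /placeholder/MiAdBlacklistConfig
2021-09-22T10:00:07Z 192.168.1.23 example.org 203.0.113.10 /index.html
2021-09-22T10:00:31Z 192.168.1.23 globalapi.ad.xiaomi.com 47.241.69.153 /placeholder/MiAdBlacklistConfig
2021-09-22T10:01:02Z 192.168.1.40 cdn.example.net 198.51.100.9 /placeholder/MiAdBlacklistConfig
2021-09-22T10:01:15Z 192.168.1.23 unknown.host 47.241.69.153 /placeholder/other
2021-09-22T10:02:00Z 192.168.1.77 example.org 203.0.113.10 /about
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the indicator names a parsed record matches.

    A file-name hit on an unrelated host is weak evidence on its own; a record
    that matches two or more indicators is what an analyst should act on.
    """
    reasons = []
    if rec["host"].lower() == INDICATOR_HOST:
        reasons.append("host")
    if rec["dst_ip"] == INDICATOR_IP:
        reasons.append("ip")
    if INDICATOR_FILE in rec["path"]:
        reasons.append("file")
    return reasons


def scan_log(text):
    """Scan a log text; return (alerts, cadence).

    alerts:  list of {"ts", "client", "reasons"} for every line matching at least one indicator.
    cadence: {client: Counter({"YYYY-MM-DDTHH:MM": hits})} so repeated polling stands out.
    """
    alerts = []
    cadence = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line, skip rather than guess
        reasons = classify(rec)
        if not reasons:
            continue
        alerts.append({"ts": rec["ts"], "client": rec["client"], "reasons": reasons})
        minute = rec["ts"][:16]  # truncate the ISO timestamp to minute resolution
        cadence[rec["client"]][minute] += 1
    return alerts, cadence


def strong_alerts(alerts):
    """Keep only alerts that matched two or more indicators (host/IP plus file name)."""
    return [a for a in alerts if len(a["reasons"]) >= 2]


if __name__ == "__main__":
    found, per_minute = scan_log(SAMPLE_LOG)
    for a in strong_alerts(found):
        print(f"{a['ts']} {a['client']} matched {','.join(a['reasons'])}")
    for client, minutes in per_minute.items():
        print(client, dict(minutes))
```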
Similar lists existed within Google for their ("on hold" last I heard) project Dragonfly [0]. I saw a bunch of banned terms like these in the Dragonfly repo before they hid it from regular employees. It was a very long list. On it were also the names of specific activists and human rights lawyers, including some who'd been disappeared [1] or forcibly confined to mental institutions [2].
My impression is that Sundar was all-in on Dragonfly, and he only rolled it back because of tremendous external and internal pressure. As that pressure abates over time, expect Dragonfly to return. Word of warning for those who trust Google as a defender of digital privacy and human rights.
Considering Google has forfeited a lot of money over many years for resisting Chinese censorship, I would say they're more trustworthy on this issue than Apple or Microsoft, which have both publicly caved. The remnants of the "Don't be evil" culture are what allowed Dragonfly to be resisted. No such culture exists at Apple or Microsoft.
Surely nobody on HN trusts Google in this way (or any other for that matter), but the referenced comment is useful for educating our less-aware peers (usually those outside our industry), allowing them to come to more informed conclusions on Google. Forewarned is forearmed.
It was more clever than that. They tried to reverse-engineer the Great Firewall's block list by running queries from their Chinese office, so they could make a Chinese Censorship-compliant search engine that would work even outside the Great Firewall.
As for trust in Google, has anyone actually believed they are benevolent for the last decade or so?
Is it me or is this an extremely clumsy way of doing censorship?
Why not do this at the network or server-side level? Why not use some kind of hash (a la Apple's proposed child pornography hunter)?
In this design, everyone would have to have this plain text configuration file ... also other brands (Oppo, Huawei etc.) would have to have it. What if it needs an update? Suppose the Hui Muslims start causing trouble ... Or if people start using slang or deliberate misspelling ...
They are too powerful to give a damn. They looked at the USA and its allies and how they overcome any evil thing they do just by being the strongest country, and they said, why can't we do the same?
I guess it comes down to, why bother when the simplest solution works?
Make no mistake: As and when they get caught out doing such things, the sophistication of their implementation is bound to increase, in response to it. Money is no object for state-actors and mega-corps.
This has some smell of a compliance issue. I.e. the company gets ordered to block stuff; the order states "this shall be blocked" and provides a list, and then the company does the simplest/cheapest way to comply which is literally checking for whatever was required by the order.
> the sophistication of their implementation is bound to increase
You're right about this, including with backdoors. Electronics from China must be treated as treacherous computing devices that obey the orders of the Chinese Communist Party.
If the West was sensible, we simply wouldn't buy any electronics from them.
Or manufacture any product there... why does the world continue to be stupid on China and pump up their economy by having the majority of their goods manufactured there? It's going to continue to bite us and everyone in the butt.
Because the supply chain for electronics manufacturing, and many other classes of products, is hard to replicate.
Large multinational corporations would love to shift production to Vietnam, Thailand, Indonesia or India, where labor is now cheaper than China, but there are logistics obstacles. Apple now manufactures some phones in India, but mostly older models.
> Because the supply chain for electronics manufacturing, and many other classes of products, is hard to replicate.
Software is eating the world, as Marc Andreessen says. So who controls the software -- including by controlling the hardware the software runs on -- controls the world.
This means that every polity that wants to be truly independent needs to control its computing infrastructure, ideally all the layers of the technology stack from chips to social media. So it would be well worth polities such as the USA or EU putting up whatever level of import tariffs (and other measures) it takes to encourage manufacturers to do these things domestically.
Not that doing so would be that much more expensive anyway. The cost of low-level assembly line labour per iPhone is probably only a few dollars. I'd guess that building them in the USA would only add $10-20 to the cost.
Atoms still matter, and there are blue-collar manufacturing skills the US has lost to China, and most of the low-cost labor alternative locales never had in the first place.
It may not be a state actor. I am the last person to defend the CCP, but as the Chinese phones are made by companies that have lots of reason to fear the government, this may be proactive censorship added by the vendor to avoid getting in trouble, and it might even have been accidentally left in foreign models. We don't know the full story yet.
I think the distinction between being compelled by the sword and compelled by fear of the sword is pretty meaningless here. Unless these companies are independently deciding to push this out due to some internal zealous managers that reject the general CCP platform, I think it's pretty safe to lay the blame at the feet of the party.
There's also all sorts of pretty reasonable whataboutism to be thrown about here but it's wrong either way.
There's really no difference between the state providing a blacklist, and the state inspiring enough terror that blacklists are compiled. Actually, there is - the latter is far scarier.
Another word for ad is promotion. These sites promote certain groups. The censor believes they profit from this activity. It is not unreasonable for such a censor to understand them as illegal ads.
Just to be clear: the (incomplete) code snippets in the report have been through a code mangler. The only names readable are those of the API that is actually used.
I have a Xiaomi device and can confirm the API request. It does this regardless of country, including in GDPR countries. It makes multiple requests like this per minute. And if you click on the Privacy Policy in the Xiaomi Smart Home app for instance, it shows a 404 error.
This is pretty clearly a low-effort filter for advertisements deemed political.
> 204 "人民报", “People’s daily newspaper”
People's Daily is an official Communist Party newspaper... Why on earth would they blocklist that if this is a politically-motivated censorship program (as the paper/many here are implying)?
I think you would have to be mad to leave the stock ROM running on a Xiaomi phone; IIRC they were caught logging people's browser history a few years ago.
Several models have mainline LineageOS support, I'm running Lineage on my Mix 2S and hope to have years worth of updates going forward.
The hardware is really good value as long as you install a non-tainted OS.
Bank websites in some (developed, European) countries restrict you to 6-8 digit passwords (not alphanumeric), and don't have a 2FA option like Facebook or Google do. It's a massive joke.
Granted that is on a phone where you can usually just swipe left to their email application and run through some forgot your password steps - also the 2FA that most people use is just SMS which goes to the same place.
Assume that if someone has your unlocked phone they own your life.
My favourite was when I needed to enter the second and fifth character of my password, and the seventh and ninth digit from the login number. These are surely hashed in the database! (Metro Bank UK) Not banking with them anymore.
Many must also store them in plaintext as well, or something like it, because the operator has to be able to confirm the spoken password for telebanking.
That's what happens when you have external security requirements along with audits and incompetent/greedy management. Designing and implementing a security policy based on the standard is a waste of money when you can do the bare minimum by checking off boxes.
> Restrict apps, but can still log in via browser.
This isn't paradoxical. You treat the browser as a less trusted security domain than a phone, which usually has a secure boot chain, strong sandboxing, encrypted disk, reliable hardware cryptography etc, and therefore provide a different/better service on the phone. If a phone is missing one of these expected components then you're not the target market for the app, I guess. (Of course, your phone OS might be perfectly good, and the stock one might be crap, but the app developers don't care.)
I disagree. My main bank allows several high-risk actions to be performed when logged in from a web browser, which are entirely impossible from the mobile banking app.
It's completely ridiculous that I can't use my mobile banking app for day to day low risk, low volume transactions if my phone is rooted, yet I can do anything and everything with high values of cash and credit from a Linux machine running any web browser I wish, as root.
The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price, who "ensure security" by just saying, "let's chuck a library in that prevents running if the device is detected as being rooted, and call it a day".
These are protections any reasonably technical user can circumvent with the likes of Magisk, and still, all to do far, far less damage than is possible if they were to use a web browser.
> The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price, who "ensure security" by just saying, "let's chuck a library in that prevents running if the device is detected as being rooted, and call it a day".
I don't understand, why people think so. Banks hire good developers. They don't pay them well (by banks' own standards), but they still pay enough to hire competent programmers.
Unfortunately, working in a bank is a highly competitive environment that fosters sycophants and rewards socially adept people who are good at obeying orders to the letter. Who cares what the programmers think; they are at the bottom of the command chain anyway.
Fraud prevention is often split into its own department. As for the "computer security" department, it is a fang-less security circus that exists to satisfy PCI DSS. In some banks it outright pretends that web sites and mobile apps don't exist. All your data will be processed in a "secure server enclave", managed by "certified professionals", while sending hashes of credit card numbers to Google Analytics.
If the bank is planning to use the app to replace their hardware 2FA tokens (that they used to mandate for web transactions here), then the app must be considered more secure than the browser (probably because the secrets can be placed somewhere not trivially readable).
It probably will never be. It just takes one OEM to fuck it up and everyone can use their device ID. That's why hardware backed attestation doesn't work, OnePlus fucked it up and now Magisk can pretend to be that phone and get exempted.
Did you have any problems with AOSP? I want to replace the stock spyware on my mom's 9T, but the experience seems to be mixed, judging by a couple of forum discussions.
Minor inconveniences mostly, but that's probably because I keep flashing different ROMs to try stuff out.
My only "issue" is that because of my escapades with flashing I now have only Widevine L3 support, so no full-HD videos on Netflix. But this should be easily fixed by flashing the xiaomi.eu ROM and then going back to AOSP.
Even apps like Netflix are configured not to be available on Google play if the device is not a certified one. That certification is lost AFAIK on rooting. I have two perfectly good android tablets that can’t run Netflix
That's the reality we live in. They will put up with being spied upon 24/7 for the convenience of a cheap phone they can't be bothered to root and ROM.
Made me chuckle. I know a guy who finds Netflix a total PITA and the streaming experience (sorely) lacking. So he pays for Netflix streaming and dvds, and then downloads what he wants to watch via torrents for the convenience.
I think if you've been torrenting this entire time you're probably set for life - being looped into all sorts of movie sharing rings that you regularly seed for... but breaking into it fresh - it's tough.
This is why I still have my iPhone around. I know that one day my banking apps will just stop working. For now, Magisk Hide does the job.
Next time I'm looking for a new Android phone to buy, stock Android will be a hard requirement. I was stupid to pick my Xiaomi phone for its hardware; I should've just gone with a Motorola.
I have a Mi 8 and use the xiaomi.eu ROM which supposedly has a lot of the junk removed. I also rooted it. I have no issues with any banking apps, Netflix or SafetyNet.
Correct, it's entirely possible they could be doing more insidious stuff at the firmware level, but dumb keyword checking is almost certainly implemented in userspace.
I don't think you can trust any proprietary firmware out there; it's just a question of which you trust less than the others.
As stupid as it might sound, I do trust Pixel phones, and a hypothetical iPhone running a different OS, the most of all alternatives. That is, if one wants a smartphone; if not, just take a 20+ year old dumb phone. Or a BlackBerry.
> "it's just a question of which you trust less than the others."
Simple. I do not "trust less". I just do not trust. My phone is a phone. No Internet activity. I spend enough time in front of my desktop; dragging another computer anywhere I go is the last thing on my mind.
Good value assuming you're on the right carrier. AT&T in the US and its MVNOs are moving to a whitelist model in February, making Xiaomi phones unusable for anyone in the US not on T-Mobile.
You can't exactly do it without permission though. You need to crack the bootloader for the baseband and that's way easier said than done and immediately noticeable.
> You need to crack the bootloader for the baseband and that's way easier said than done
There have been more than enough cases of people poking holes in bootloaders, including secret services. For what it's worth, Huawei and Xiaomi can be considered as part of the Chinese CCP dictatorship and I'd expect them to have access to such exploits.
> and immediately noticeable.
How is a user supposed to notice a modified baseband firmware? The only thing that a user can see is if the device has been rooted, but with a factory-supplied backdoor even that doesn't help.
There's a difference between poking a hole in the device bootloader and in the baseband bootloader. The second is way more locked down and has a tiny attack surface.
A user can directly download the baseband image from the chipset using for example QFIL. Then you can check if it's signed with Qualcomm's key or another. Exploiting this would require Xiaomi to hide two baseband firmwares in the baseband firmware which isn't feasible, and it would also require them to completely rewrite the baseband bootloader instead of just exploiting it.
But even then you'd be able to read the eMMC and notice that there are two baseband firmwares. If you want to figure it out, you're free to buy any Xiaomi phone, read the eMMC, and check how many baseband images there are, then you'll be able to definitively know. Let me know if you do it.
When I said immediately noticeable I meant by Qualcomm, not by the end user though. They have contractual obligations to lock down their baseband and their licensing system relies on it so they have a large incentive.
Only when the CPU is Qualcomm, I think. I'm not knowledgeable about the QPST/QXDM scene, but it didn't sound like the firmware integrity mechanisms on Qualcomm modems are too tight.
Of course the firmware is only Qualcomm if the modem is Qualcomm.
QPST/QXDM allows you to mess with the modems by sending it commands and changing configs yeah. But if you want to flash the firmware that's something else.
Yeah, the firmware integrity mechanisms are not the best, and there are definitely vulnerabilities in the firmware. But there's still no way of installing unsigned firmware on more recent devices, and I've never come across a way of running unsigned code without it being really obvious.
There was a bug recently that allowed you to edit baseband memory from within the OS, but again, you'll never be able to hide that from Qualcomm on a million devices.
On a related note, Realme recently bricked two (maybe more) phone models with an update that caused a soft-boot loop if the weather service (!) was removed by the user to reduce bloat. The problem is not fixed. People have lost data. I personally put Realme on my "never do business with" list.
If their engineering is so poor that they haven't caught this in time, nor reacted by releasing a one-line software patch that can be applied manually (cause users sure as hell can't do it themselves - stock can only apply signed updates), they shouldn't be trusted with anything.
Most people don't care if another country spies on them, since its laws don't apply to them. They would care much more if they are profiled by their own government. Or more like tech companies spying on them on behalf of the government, and them being discriminated against, harassed, or jailed based on that data. So in a way it's actually kind of smart to go with a Chinese phone if you live in America.
There are no details really as to how Xiaomi censors those terms. If one does not use the bundled-in browser / app-store, I doubt Xiaomi can censor anything at all in other browsers unless they MiTM with client-cert. OTOH, many popular non-browser apps (at least the ones that matter) pin certificates, so even Lenovo-esque shenanigans wouldn't work [0].
What can they possibly be doing in the firmware or the ROM to break TLS (and other such authenticated key-exchange protocols)? The only thing I can think of: injecting a compromised HTTPS stack into an app's classpath / LD_LIBRARY_PATH. This may sound ambitious, but the Android modding community already uses such runtime swappers to great effect [1][2].
> But Wardle found that in some edge cases, a bug in the Taiwan-censorship code meant that instead of treating the Taiwan emoji as missing from the phone's library, it instead considered it an invalid input. That caused phones to crash altogether, resulting in what hackers call a denial-of-service attack that would let anyone crash a vulnerable device on command.
Which was also a bug, the conditions of whose existence are manifestly political (which I have zero desire/intent to defend here), but nonetheless an Apple-side bug that was patched eventually.
This is what kinda terrifies me about today's digital landscape. Now it's so cheap to hide surveillance capabilities (spyware, hidden microphones or cameras) that bad actors can just embed surveillance into every cheap device, hoping just by sheer numbers to get one into a sensitive area (e.g. Pentagon, Langley), and then remotely activate surveillance. With the computational capabilities of today's data centers, they don't even have to be all that selective anymore. They could just be monitoring everyone, at some granularity, dumping logs into a massive database with just enough metadata to make it searchable/queryable.
Certainly, legislation would be enormously helpful, but legislation isn't incantation. Economic factors are real.
Western countries need to rebuild their domestic manufacturing bases. There is no other way to guarantee that production will respect ethical norms and no other way to realistically punish violations. Legislation must incrementally direct industry back to the West and provide conditions under which it can flourish. This is easier said than done which is why any temptation to outsource ought to be VERY carefully considered because once you outsource industry, not only do you destroy the industrial base and mutually beneficial complex relationships, but you also starve domestic expertise and competence and the culture of that industry. Industry is a culture and culture is only transmitted when it is living, when there is a society of people who communicate and share and contribute and make use of it. If you ship textile manufacturing abroad, your domestic textile culture atrophies and withers. I think people underestimate this. It's not just a matter of willing something. You don't just say "well, all we need to do is build a factory for making X". Yeah? Who knows how to build that factory and to make X, and make it well so that it is competitive? Not you. Western cultures have forgotten how to make certain things. It's like trying to go into the pyramid building business by just wanting to do it or by looking over some old papyrus. Yeah, sure, you have to start somewhere, and do start, but don't expect it to be easy.
Decentralizing production is also better for security by removing unnecessary dependence. You want production to be distributed. You do not want one guy to make all of X.
And placing your bets on Chinese reform or political pressure on China to "be nice" is so ludicrous that I won't waste my proverbial breath. I will only say that the vast imperial ambitions of China are not only obvious, but that the elites of our own countries have taken a liking to their methods. The recent self-hatred of Westerners creates a vacuum, and Chinese ideas seem poised to fill it.
We need both. First, Stallman was right. We simply cannot trust the magic incantations (code) of closed-source software and hardware to respect laws, in spirit or in letter. We must be able to audit all devices at every level. Second, the EFF is right, too. They fight at the legislative level. But they are fighting a defensive game. Consumers need to go on the offensive and lobby for legislatures to pass a digital Bill of Rights.
I don't disagree at all with what you're saying, but shouldn't we still do what little we can? Even if it's incremental, doesn't it at least send a tiny signal to manufacturers and companies and government if they see an increase in the demand for open hardware and open-source software?
The end solution will definitely require something more systemic, no question, but I don't think that should stop the common person from doing what they can.
I bought an iPhone less than a year ago (to use up a discount code before I left Apple), but a part of me already regrets not biting the bullet and purchasing something open, like a PinePhone.
> I hate to say this, but OSS anarchism is not going to work. Most people cannot really work or live with those devices.
Baby steps. Such changes start small.
> This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.
Yes, but regulations do also ring in different challenges, and over the long term the status quo ends up being enshrined in them, thwarting the otherwise thriving diversity of the ecosystem. Though it is inevitable that the Internet / Web gets regulated a la the Finance / Telecommunications industries.
This is the correct answer. Legislation and outright bans of products that require any sort of internet connection to work.
Furthermore, legislation that explicitly prevents gathering of any data, user account or coercion to use the product in any way without explicit consent of the user.
A technically capable person can easily protect himself. It's not that hard, at least from ordinary threats. Use a dedicated firewall device, use software firewalls, periodically check running services.
The issue is with the remaining 99.9% of people, who will share whatever you say because their phone happened to be nearby, and you can't really do anything about it.
The biggest missing piece in all these "free" phones is the giant (bigger than the Linux kernel) baseband firmware blob. Until we have something like Osmocom but for LTE, LTE-A, 5G, etc., all this is pointless.
Not the same. It's only for use in computers with SDR hardware attached AFAIK. Nothing ready to flash into the phone firmware and just use it like OsmocomBB allowed with these Motorola phones.
I'm, like many people here, the IT support for my extended family.
I generally do my best to not only steer them away from invasive devices but also explain why.
Unfortunately this is more and more turning into a situation where I have hardware sent to me, reflashed with a known good rom and then mailed back out.
It's underrated, but DJI drones sold by the millions are a great way to spy on what could not be gathered through satellite imagery. If not now, then during wartime the CCP has a million remote cameras in the form of DJI drones and can turn them on in a snap. It would require a nationwide firewall to stop. Of course, DJI drones require the DJI flight app to even take off.
Why the US Gov isn't putting together legislation for this sort of thing is beyond me.
There seems to be an onslaught of positive DJI YouTube videos about how creating a user account is great and easy, including fake comments praising DJI. Just search on YT for DJI Mavic Pro setup.
All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.
> All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.
We're way past the point of no return with all of this.
At some point you just have to accept the new normal. Some of this should be handled by national security teams but I am unsure where we stand (US).
I'm surprised Lithuania of all places takes a firm stand on Chinese phones, meanwhile the US seems to be spinning its wheels. I am not sure what is going on behind closed doors.
I'm not sure if I agree with the defeatist attitude. I'd do whatever I can. But I do agree that this needs to be taken care of at the legislation / national security level, and citizens shouldn't have to.
Is that even enough, though? Couldn't China put in shadow processors or other hardware-level surveillance similar to Intel's Management Engine? And it would be extremely difficult to detect, let alone disable or mitigate.
The blacklist is interesting, because it maybe shows China's government interests - some of which are not widely known:
- "Independence of Mongolia" - Does this show they would like to acquire Mongolia (when the time will be appropriate)?
- "The Organisation for the Liberation of Palestine" - Does this show pro-Israel support?
China absolutely has designs on Mongolia. The whole existence of the modern Mongolian state is a mess of cold-war / world war 2 geopolitical compromises that left basically no one happy. If Sino-Russian relations cool, or the climate of Mongolia itself warms, it could quickly find itself in an awkward spot between two notoriously bad-faith superpowers and with essentially no alternatives to vassalage.
I suppose it would be very different from Tibet: Tibet provides two-thirds of the water resources of China, and China came and secured it. I don't think Mongolia has such scarce resources... does it?
Mongolia has a lot of copper, coal, and significant deposits of gold and other raw materials. Mostly, it's the Russians and Chinese that mine it, so they don't really have a reason to invade at this point.
Independence of Mongolia refers to Inner Mongolia, a Chinese region with a low ethnic Han population. It and the country of Mongolia serve as buffers against the Russians.
This seems to be rewriting the history of Russia creating an independent country of outer Mongolia out of collapsing Qing territory. It'd be akin to saying an independent Alsace nation "serves as a buffer" against the Germans.
So if China moves millions of Han Chinese to Xinjiang (which, by the way, they've been doing since at least the '50s), so that they become the majority there, then the plight of Uyghur self-determination and independence ceases to exist? Doesn't work like that. People remember.
>Qing territory
Both China and Russia have been oppressive, identity-suppressing, culture-destroying multi-ethnic empires (something very very very very bad) since forever. (The identity-suppressing, culture-destroying part really started up in the 19th-20th century, when it became evident that the empires wouldn't survive without colonization and suppression in the modern age.) "Qing territory" doesn't say more to me than the British Empire's "territory". Same for Inner Mongolia, Tibet, Xinjiang, and arguably even Canton.
No. People don't remember over a sufficiently long period of time.
For instance, you mention China, Russia and the British Empire, but if you look further in time, you get to see other things which nobody remembers:
> The Islamization of Xinjiang started around 1000 AD by eliminating Buddhism. [1].
> Many Buddhists fear that their countries will lose their culture and become Muslim, as had been the case in many parts of modern day Central Asia, Xinjiang, Afghanistan, and Pakistan, which were majority Buddhist before the arrival of Islam in the 7th-11th centuries. [...] When the Muslim Turkic Qarakhanids captured the Buddhist city of Khotan in Xinjiang in 1006 CE, one of their poets penned this verse: “We came down on them like a flood/We went out among their cities/We tore down the idol-temples/We shat on the Buddha’s head.” In the Islamic world, a destroyer of idols came to be known as a but-shikan (بت شکن), a destroyer of but, a corruption of the word Buddha. [2]
Long before the Islamization of Buddhist Uyghur, there were "Caucasoid" people, which would be impossible to know without the discovery of the Tarim "Celtic" mummies (~2000 years BC) [3].
> From the evidence available, we have found that during the first 1,000 years after the Loulan Beauty [~4000 years ago], the only settlers in the Tarim Basin were Caucasoid. East Asian peoples only began showing up in the eastern portions of the Tarim Basin about 3,000 years ago, Mair said, while the Uighur peoples arrived after the collapse of the Orkon Uighur Kingdom, largely based in modern day Mongolia, around the year 842. [4]
The Independence of Mongolia is probably about Inner Mongolia, which is part of China. You can read some history about how Mongolia became independent. The official map of ROC (Republic of China) does not officially recognize Mongolia. The PRC (CCP) recognized the independence of Mongolia. Probably people in Mongolia think Inner Mongolia in China should be part of their territory, and there is an organization for that.
China is pro-Palestine if you follow the news. The relationship between Palestine and China goes back to the '80s.
I don't think Xiaomi cares what people in Lithuania are reading, other than selling its phones. I don't think CCP cares about what people in Lithuania are reading.
Independence of Mongolia may be talking about "Inner Mongolia," which has ten times as many people as the country of Mongolia. My guess with the Palestine piece is the "Muslim terrorists" in Xinjiang would be interested in that.
The common thread here is how Beijing is afraid of organized ethnic minority movements, religious movements and/or societies from civil society that could have their own independent ideas.
They are not that different from other Leninist inspired governments. Cuba does that. Vietnam does that. The Soviet Union certainly did that.
These governments always lose their minds with the idea of people organizing themselves and the controlling party having no control whatsoever about these groups.
I have no idea how the People's Daily plays into that. Maybe the readership is so small and it attracts a certain type of personality that Zhongnanhai thinks it is a good idea to report on them.
I've read that the major clique in the CCP certainly wasn't happy about students calling themselves Maoists and supporting workers striking.
I don't know enough about China to say anything about that, nor whether the People's Daily has many people reading it.
The term in the list is actually 人民报 "People's newspaper" not 人民日报 "People's Daily newspaper". From a quick look at their website, 人民报 appears to be pretty anti-communist. Basically typosquatting.
The issue of Mongolian independence was left ambiguous by the USSR and China (this includes the PRC and ROC -- they both technically claim it). Mongolia had at one point petitioned to join the USSR but was actually rejected. The status of Mongolia was a bargaining chip the USSR used with the PRC, and China never really completely relinquished its claim on it (whether that claim is legit is another issue).
> (this includes the PRC and ROC -- they both technically claim it)
Neither claims it anymore. The PRC never did. The ROC did at least until the 60s, but they changed position around 2002.
The ROC technically recognized an independent Mongolia in 1946 after some pressure from the Soviets, though they backpedaled on that and blocked Mongolia's admission into the UN in the 50s. Taiwan has certainly recognized Mongolia since 2002 at least. They have good relations.
The PRC has had good enough relations with Mongolia since the mid 80s.
I'm really not sure how seriously I should take the threat of Chinese-made electronics - almost all electronics are made in China, not just Xiaomi and Huawei.
My iPhone is made in China by a Chinese contract manufacturer (Foxconn) - does that mean all iPhones could be compromised with Chinese malware? It could be possible, but how can you tell? Is it possible to observe network packets going from my phone to a Chinese or Chinese-allied country?
Genuinely curious, btw. Any feedback would be very appreciated.
Presumably Apple ensures there is nothing nefarious in the hardware, but it seems an unlikely avenue for compromise. Most of the "phone" is Apple-provided software.
In theory sure, you could have a chip snooping on the bus. But it would have to have a lot of OS-level knowledge and then how would it exfiltrate the data without OS-level access to the IP stack?
Like the Bloomberg/Supermicro story, I am extremely skeptical.
A Chinese-built phone that comes supplied with an OS, that's a totally different matter.
Apple itself is nefarious. Leaking data to the FBI and cops. Google is absolutely horrendous when it comes to invading privacy. Amazon literally listens to people using home devices.
Good luck using any tech without compromising your and your family's privacy.
No, they're separate baseband chips with Qualcomm-designed Snapdragon ICs running Apple-signed firmware with their own build flavors of Qualcomm's RTOS. Apple has to verify that the fab produces the low-level hardware exactly as designed, but nothing is going to sneak into that firmware.
The exact same protocol and route as any normal packets - I'd presume that for a phone it's just as for computer network hardware, that OS is not in full control of the IP stack and the firmware can send extra packets that OS won't see (with the same source/routing as configured by the OS after it does it) and process the response packets without propagating them to where the OS might see them.
Well no, if the baseband firmware sends that then only the cell operator would see them, there's no user-controlled software or hardware between the chip and the mobile operator (like the router in the wifi scenario) unless you run your own 4G cell and record packets there. Just as for your laptop, if your ethernet firmware would be malicious in this way then it would apply only to the ethernet adapter and not any other network adapters like wifi.
As far as I can tell, the meta solution here is open source hardware and software. Otherwise it just doesn't matter who is doing this, why they do it, or who is affected.
The core issue is the lack of end to end encryption and open source hardware and software. Options today are okay, but they need to be great to reach the right people. See my post in this thread about Pinephone and Librem.
> As far as I can tell, the meta solution here is open source hardware and software. Otherwise it just doesn't matter who is doing this, why they do it, or who is affected.
I agree with you there, but I want to know how to analyze devices that are closed source.
Foxconn is not Chinese, it's a Taiwanese contract manufacturer, that does have most factories in China (but it also has factories in other countries). The reason why Foxconn is so successful is because they do a good job in quality control and honoring contracts, which sets them apart. They are trying to blend Western-style rule of law with Chinese wages and infrastructure.
The successful stories about western companies outsourcing to China do tend to fall into the category of building and running your own factory there, rather than contracting with a Chinese owned and managed factory to produce to spec, which suffers from all the ethical problems discussed in the parent post. E.g. these are all decisions taken by management, not individual factory workers, so if you want to reduce risk, then install your own management.
Network isn’t even the only egress route out of a cellphone. They have sophisticated radios, so a low-level (e.g. on-silicon) backdoor could send your data out to a nearby agent using all manner of electro-magnetic emissions.
You just have to trust the manufacturer and its supply chain, and that applies to open source too.
I think the whole discussion is missing the mark, so much so that I personally tend to believe that is the point. Your electronics spies on you, that's just how it is. The important question is if the data gathered could possibly hurt you now or in the future. We can only speculate on what thoughts and opinions become dangerous in the future. So with that said I would look at the problem from the perspective of "can this hurtful data be accessed by someone with reach to reach me". All the way from targeted advertisements to someone kicking in your door. That only leaves one answer as far as I can tell: Chinese phones are safer for everyone not inside China or maybe in one or two other countries. Using US electronics or software on the other hand and you can be reached in pretty much all the countries left out above.
"made" in this case tends to refer to created, not just manufactured. It (as the article states) is mostly an issue for Chinese brands with poor quality control or ulterior motives.
> The capability in Xiaomi's Mi 10T 5G phone software had been turned off for the "European Union region", but can be turned on remotely at any time, the Defence Ministry's National Cyber Security Centre said in the report.
While a lot of comments are rightly focusing on the censorship aspect of it, IMHO, the most concerning part of this is that this intrusive capability, while disabled for the EU region can be remotely enabled at any time. This implies that Xiaomi, and most likely all Chinese phone vendors and by extension CCP, has backdoors in all these devices.
This re-enabling is probably just the tip of the iceberg, wonder what all they can do via these backdoors?
>> This implies that Xiaomi, and most likely all Chinese phone vendors and by extension CCP, has backdoors in all these devices.
They don't need backdoors. They are the "administrator" of your phone just like Apple is on iOS and macOS or Microsoft on Windows boxes. You are just a guest.
It just happens that the Chinese admins (aka vendors) don't mind being nasty and clumsy at the same time. All the manufacturers/vendors are controlled by their government (more or less).
That being said, I don't buy Chinese phones or software unless I have no choice, but I don't trust Apple to shield my data from various governments either. It's just a matter of the lesser evil.
I think you will have a hard time proving beyond speculation that Apple or Microsoft has backdoors to their OS. Would be curious to see any sources though. I actually think that is the difference here, Chinese phones and possibly other devices have backdoors, but Apple/Microsoft likely do not.
> I think you will have a hard time proving beyond speculation that Apple or Microsoft has backdoors to their OS.
This statement is absurd -- they don't need to keep a backdoor around because they control the front door.
You do realize that controlling how/whether/when core system software updates are pushed to a device is equivalent to having a backdoor, don't you?
The operating system on my phone can be 100% backdoor-free today, but if Apple decides that their next update is going to include a backdoor, then tomorrow my phone is going to have a backdoor.
Basically all consumer phones (save for a few cobbled together exceptions) implicitly accept arbitrary software updates from their upstream vendor.
"Basically all consumer phones (save for a few cobbled together exceptions) implicitly accept arbitrary software updates from their upstream vendor."
Actually ... all phones of all kinds explicitly accept arbitrary updates from the carrier in the form of java code that they can upload, and run, on your SIM card.
Your SIM card is a full fledged computer with CPU, RAM and storage and your carrier can upload and run arbitrary code on it.
However, there are some phones (including several iPhone generations) where the entire baseband/sim subsystem is isolated from the primary application processor and operating system, and essentially appears as something like a dumb USB modem that the OS can control / use / ignore as it pleases. In theory, this would make it difficult for a carrier to issue a baseband update that (for example) hoovers up photos from internal storage.
This is the same reason you should prefer a cable modem that's physically separate from your router/wifi/etc. Your cable modem gets firmware updates via DOCSIS from your ISP, and if you have one of those combo boxes, you're essentially letting your ISP onto your internal network.
>However, there are some phones (including several iPhone generations) where the entire baseband/sim subsystem is isolated from the primary application processor and operating system
Yes, that's what the developer says. Totally unverifiable though unless it is both open source and you built and installed the firmware yourself... and still there could be hidden firmware running. This is no different than Intel saying we can trust them with the Intel Management Engine.
I agree with this perspective as well. Assume your carrier is capable of doing anything on your phone until a thorough hardware and software audit has been performed on the device in question (this kind of audit has been performed on several popular phones), but even then, continue to be careful/skeptical.
It's also a good idea to at least consider the possibility that the baseband <-> application processor link may be software defined, and that an update from the vendor might theoretically be able to turn a dumb-USB-peripheral link into a has-access-to-kernel-memory PCIe link, thus enabling future control by the carrier.
All points well taken but I would suggest there is one way to have high assurance in this regard ... and that is to buy a non-phone device and add a cellular USB dongle to it, after the fact.
Pretty unwieldy but given the economics of secretly throwing in a full-blown baseband processor with a SIM card that can function I think you can have high assurance that your carrier is fairly well segregated from your device ...
In fact, there used to be a particular Samsung Galaxy "pad" or something that was identical to a phone's form factor ... but wifi only. EDIT: Samsung Galaxy "Player" IIRC?
As long as we're talking about it, I will mention one oft-overlooked downside to running a phone via external modem: in addition to cellular network functions your baseband processor is also responsible for a lot of real-time voice quality corrections and echo cancelling and related functions that are not handled by the application processor. You might, therefore, have voice quality issues with such a setup ...
> In fact, there used to be a particular Samsung galaxy "pad" or something that was identical to a phones form factor ... but wifi only. EDIT: Samsung galaxy "player" IIRC ?
Yup, and on the Apple side there's the iPod Touch (which is apparently still available!?)
Oh, you meant a literal modem-with-a-USB-port... okay, yeah.
An alternative might be to use one of those standalone cellular-to-wifi hotspots, connect the iPod touch to it via wifi, and then use a VoIP app. That way you can keep the hotspot in a backpack, perhaps with a big power bank / battery, rather than dealing with the unwieldy physical dongle.
I think the parent is being more expansive in what they call a "backdoor", and I tend to agree. Does Apple have the ability to remove an app or some bit of content off your phone (ostensibly to remove malware)? I believe they do? That feels like a backdoor to me. And I assume Google (and/or the phone's manufacturer) has the same ability on Android. No idea about Microsoft on Windows.
Backdoor implies something hidden and not advertised. Apple/Google/Microsoft and others are pretty clear about fully being in control of your device. They can push updates (both at the OS and app level), add new trusted root certificates, collect usage data, show ads, remotely track/lock/disable your device and lots more. Apple is even going to start scanning your phone for certain kinds of illegal content.
I don't think you understand what is going on here. What you are saying is that iPhones cannot download data containing a list of things to block (or do whatever with) or that Apple cannot push an update. Xiaomi phones are downloading a JSON file. That has nothing to do with backdoors or remote access. In fact that whole debacle about Apple scanning a device for child pornography works just like it: Download data from a server and do something. If that is a backdoor than 100% of devices that are online are basically backdoored. Functionally this is no different than iOS downloading a list of apps to block.
But they didn't find anything in Huawei's device or OnePlus's device. That shows this is not a marching order from the CCP or government to export censorship abroad. If so, then all products of Chinese origin should all have them. What likely happened here is that Xiaomi included code they needed to comply with laws in China in products for abroad, but it is deactivated in any region other than mainland China. They should have removed the code completely, either have different software builds or don't do anything on the client side to comply with laws in China. Apple complies with Chinese laws fine and I doubt they had to implement any client side changes.
I doubt Xiaomi and other Chinese companies dare to enable censorship anywhere in international markets, or have a secret plan to control the world's information discourse to support the CCP. Any censorship or apparent support of the CCP will be caught within seconds. It's commercial and political suicide. Also, if they do have a secret plan, just blacking out whatever people are typing on their phones is such a dumb, stupid, and crude way of implementing censorship.
Also, this report found no censorship mechanisms on Huawei and OnePlus phones. Yet they said people should ditch all Chinese phones, which implies all phones originating from Chinese companies have censorship mechanisms. That is a much larger conclusion than the evidence they provided supports, and it seems like a politically motivated desire to discredit and defame all Chinese-origin companies and products.
I also doubt the CCP has a marching order for Chinese companies to censor speech internationally and manipulate the world's information discourse. Chinese phones have big market share already, and Huawei's gear has wide market share in Europe, but no one has ever experienced censorship on their device for speaking against China. And if there is a secret plan to control the world's information, they are doing a terrible job at it. The COVID origins, Xinjiang Uyghurs, Hong Kong. The point of view of the Chinese side is non-existent. For example the Xinjiang Uyghur situation: I know people in Xinjiang, many of whom are Uyghur people, and the accusation of mass genocide, 1 million imprisoned, widespread physical abuse and rapes in prisons, massive internment camps with forced labor is wildly inaccurate from the truth. Yet, it hasn't stopped this from becoming the widely believed truth, to the point where if you disagree with these statements, you are a CCP shill, a genocide sympathizer and brainwashed. For me and a lot of mainland Chinese people I know, we feel our voices and our personal real life experiences are being censored by international media and public discourse. Sometimes when I read something about China in the international discourse, it feels like it's talking about an alternative universe to my real life experience. I have to wonder who is really controlling the narrative, censoring speech and pushing their political agenda.
I share your sentiment. However, it is the way it is at the moment. I think it's difficult for people outside of China to have a clearer view because it's hard to verify any situation unless they are there in person. Knowing the language isn't enough since, unlike the Anglosphere, not much is known except through news media (largely from non-mainland reporters who have a strong political stance already) or the entertainment industry.
But I'm still optimistic. Even in English reporting one can still be heavily biased towards negativity (e.g. Russia, Ireland etc). As long as we keep the communication bridge open, eventually we'll have a better understanding of each other.
From the article:
Relations between Lithuania and China have soured recently. China demanded last month that Lithuania withdraw its ambassador in Beijing and said it would recall its envoy to Vilnius after Taiwan announced that its mission in Lithuania would be called the Taiwanese Representative Office
No one trusts China, but this sure looks politically motivated. Was someone else able to authenticate or reproduce the results?
Most people don't have Xiaomi phones. And it's worth noting that the document only mentions some of those, from over 300 entries. What are the others and why were they redacted out?
They are very common in Lithuania, to the point where I’d say around 20% of new phones being sold are from Xiaomi. They expanded heavily into other industries, like home automation, with prices that are a fraction of what other manufacturers would ask for their hardware.
My prediction is that their market share is going to substantially grow. Xiaomi phones are much cheaper in terms of the hardware they offer. A Xiaomi Poco F3 costs €350. A comparable device from others is probably in the €>450 range. An iPhone's probably in the €>800 range.
Thanks to those who posted a link to the actual report [1]
It may be worth clarifying that all those keywords and terms are in Chinese. So when they say "Free Tibet" they mean that the phone has a blacklist file that contains "西藏自由" and which use is disabled in the "European region".
On the other hand, it seems that this blacklist file is actually downloaded into the phone, which suggests to me that they could update it to match any terms in any language if they wanted.
I think that Chinese manufacturers will really need to produce 'clean' firmware that satisfies independent audits instead of these superficial feature flags if they want to continue to sell in the West long term. If not they will suffer Huawei's fate one after the other when this sort of thing is found out.
"Censorship" is part of a whole here, and it's not obvious what to call that whole.
This is a complex of censorship, data gathering, personalization and such. A few months ago microsoft accidentally turned on some china settings globally, and "tank man" disappeared from search results. Tank man is conspicuous, I wonder what less conspicuous switches can be flipped.
The main arteries of media & communication are strategic assets. These responsible for near 100% of Alphabet & FB's revenue. Ad businesses, app stores, etc. Google pay Apple more revenue for search defaults than MSFT earn in gross from their "2nd place in the market" position. Google pay OEMs and telecoms to be their default app stores. The complex is all about bottlenecks,
Control over these is the financial asset behind several of the world's most profitable companies. It is a primary intelligence target/asset. It's a major part of china's information/narrative control mechanism... has been for a while. The thing that's changing is that china's mass is starting to cause tides elsewhere.
What difference does it make to disable the censorship function compared to fully removing it from the code base?
Considering that phone updates cannot be verified, every phone maker has the ability to secretly add such features at any time. And if the phone is linked to a user account they could even do this in a targeted way.
The thing is, if this censorship is enabled, it's going to be found out in a second by someone and explode in the news. All it does is delete a word you typed on your phone or prevent you from seeing a piece of content that you want to see. It's going to be so obvious. It will not achieve the desired goal of censoring in the first place and will make people realize what you don't want people to see. It will completely backfire. Given it is a broken and illogical plan, it is highly unlikely there is a multi-year effort to build phones, sell them to international markets, just to censor what people want to say and feed people CCP propaganda. Even if someone is so stupid and wants to do it anyway. What you fear is that the censorship actually works. But you don't have to worry about that, as it will not work.
What's "decomposition analysis" and how can I do it at home?
Since others here are curious, how would one go replicating these results to find the MiAdBlacklistConfig file? Can I download the OS from a website and just search for strings in the MiAdBlacklistConfig file? I'm genuinely interested, rather than using this question to cast doubt on the 32 page research report.
From what I can gather from the report it should be possible to reproduce the analysis. Probably it is even possible to run the apps in question in an emulator.
Also it should be possible to get the full URL of the censorship configuration file and also its full contents.
Given the extreme politics around this, I think it would be better if this type of analysis was done as open source and in a completely reproducible manner.
Consider the Gigaset GS4 or one of their older devices. The GS4 is not currently rooted afaik but some of their older devices (GS290?) are supported by (edit) e.foundation [1] and etc. As an additional benefit, they are made in Germany (though the origin of the parts is probably not exclusively German I guess.)
Just buy Pixel phones, the pure Android experience and day 1 updates are worth it. The new Pixel 6 will use LTS kernel and custom SoC, rumored to have updates for 5 years instead of what was a standard of 3.
Depending on your definition that’s also a Chinese phone. You might be able to get one built in India, but that requires a lot of effort.
The problem is that you’re more or less screwed if you trust neither China nor Google. Generally speaking the iPhone is your best option, but partly due to a lack of options.
Canada has unofficially banned the sale of their devices, or at least that’s why eBay said the Canadian government told them to not allow their sale.
Though eBay.ca just blocked any listing containing the word “xiaomi”, though they make a ton of things that aren’t phones. I just took out xiaomi and left the model number and sold my thing.
Still waiting for my government to respond to my request to find out why.
Though you can still roam in Canada with them, so I don’t know how that works. Shouldn’t base stations reject uncertified device IMEIs? I guess it’s all okay as long as there’s revenue to be had.
Just seemed strange that the radio-frequency regulator would demand that 3rd-party selling platforms stop transactions but not also demand ISPs to de-auth them too.
Just suggests that the restrictions on them are BS or maybe spyware/intelligence related.
If I remember correctly the regulation is against these devices being sold in Canada if they're not authorized, not about them being used in Canada. It would be really unpopular with the ISPs anyways and our regulators are completely captured here in Canada so I don't see them doing it even if they had to.
But yeah, the law in Canada about IC regulation touches upon sale, not use. Manufacturers, distributors and importers are held responsible, not users or carriers.
This may be kind of a dumb question, but what exactly is a "Chinese phone" and what is not? Is my current "Moto" branded phone (Lenovo) in the same boat and if not, why not?
> "Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Defence Deputy Minister Margiris Abukevicius told reporters in introducing the report.
This is applicable equally for every other country.
"Free Tibet", "Long live Taiwan independence" or "democracy movement". Sent from my Xiaomi, let's see if it works.
Anyway, I always thought if I have to use American phone backdoored by FBI or Chinese phone backdoored by China, I choose Chinese because they really cannot arrest me, unlike FBI.
Well, if you have anything on your Chinese phone (assuming it does leak/backdoor back to China) that could get you arrested by the FBI - then whoever in China had that ability to use it could then blackmail you with threats of arrest by the FBI if they told them, and you’d be in even worse shape, right?
Especially since then they’d probably have you do things that would result in even more jail time if caught than the original thing. And since your data is transiting international borders all the time, it would make a nice juicy target for the NSA as well!
The scan is not for English words. Extract from table 14....
===================================================
No.: Original - Approximate translation
1 "宗教虔信者阵线", “Front of religious believers”,
...
22 "西藏自由", “Free Tibet”,
...
60 "蒙古独立", “Independence of Mongolia”,
61 "89民运", “89 Democracy Movement”,
62 "基督灵恩布道团", “Christian charismatic mission”, ...
145 "伊斯兰联盟", “Islamic League”,
...
201 "民运", “Democratic Movement”,
202 "妇女委员会", “Women’s Committee”,
203 "伊斯兰马格里布基地组织", “Al-Qaida in the Islamic Maghreb”,
204 "人民报", “People’s daily newspaper”,
205 "巴勒斯坦解放组织", “The Organisation for the Liberation of Palestine”,
The capability in Xiaomi's Mi 10T 5G phone software had been turned off for the "European Union region", but can be turned on remotely at any time, the Defence Ministry's National Cyber Security Centre said in the report.
There is a difference between having the potential of access versus actually having software installed that scans keywords to phone home about.
Wasn't everyone just outraged about Apple's CSAM scanning because it could have the potential for intel agencies, like China's, to abuse it by claiming political photos were CSAM?
Yeah, you also need to subscribe to the Grey Service (tm), which simulates correspondence to your specifications. Tell them I didn’t send you and they will also throw in “for free”* a bug out bag disguised as an ordinary plastic shopping bag from a grocery store.
*Shipping and handling extra, depending on your jurisdiction a paper shopping bag may be substituted.
Earlier this year Lithuania authorized Taiwan to open an embassy-type office, and the relationship with China has (as somewhat expected) gone downhill since then. This report sounds like the result of what you would expect any reasonable government to do in that case - investigate what influence or security weaknesses said country may have.
In hindsight we know that the Red Scare was as bad as the thing they were fighting against
As the Cold War intensified, the frenzy over the perceived threat posed by Communists in the U.S. became known as the Red Scare. The United States government responded by creating the House Un-American Activities Committee (HUAC), which was charged with identifying Communist threats to the United States. HUAC often pressured witnesses to surrender names and other information that could lead to the apprehension of Communists and Communist sympathizers. Committee members branded witnesses as “red” if they refused to comply or hesitated in answering committee questions.
with the only exception that Americans could not flee from persecution.
"As bad as" is doing a lot of glossing over things there. HUAC and McCarthyism were reprehensible. That doesn't mean they were equivalent to abuses that occurred in the Soviet Union.
> Lithuania has been capitalist for 20+ years and quality of life has increased by a lot ever since.
That's what I said. Lithuania had it bad under communism (USSR). Maybe they are simply not interested in having another communist regime (the CCP) meddle in its internal affairs.
Lithuania's gov digitalisation is a bit of a farce. To use it you need to log in via your bank or a couple of other supremely inconvenient forms of homegrown federated login systems, none of which offer simple U2F. Then you get a form that 99% of the time doesn't work on mobile. When you do fill it in, an actual government clerk picks it up, reviews it and 4 weeks later you get a response - "you need to come to the office to verify your identity".
Contrast it with NZ - I had to send my documents via post. In 6 years I NEVER had to visit ANY government agency but I did receive visas and passports, simply by post (if you have a local driver's licence you do get to use local online services, which is a stupid barrier to begin with, but whatever).
Whole report is worth a read, but page 22 is where this "censorship" is discussed. Given this is HN I think some of you would be interested in the technical specifics in order to give a proper, informed opinion here.
The censorship involves blocking certain personalized ads within some of the core Xiaomi apps by filtering political keywords. The keywords are all in Mandarin, so ads that would be blocked would be Chinese ads. The list of keywords seems to be controversial political statements or news organizations based on the report, including a pro-China newspaper. The code is only run in China regions, but is stored on all these phones. Technically a standard software update could modify the code to remove that block.
I understand concerns about censorship are high, but logically I don't see the concern here; that is, if you're not in mainland China. If you're in mainland China the wrong personalized ad can get you into trouble, so this very elementary ad censorship is necessary, but this is about the EU region. It's bold to assume they'd allow this to be run in other regions after the user updated the apps; there's just no reason to, nor is there anything particularly invasive or malicious going on here that is different from other smartphones, based on the technical report.
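An added audit helper (example code, not from the report, from Xiaomi's apps, or from any commenter) serving two passages in this thread: the earlier question of how one would reproduce the finding by locating the MiAdBlacklistConfig file, and the region-gated ad keyword filtering described in the comment just above. It walks an extracted app-data tree for MiAdBlacklistConfig files, summarises their contents, and shows how a region flag can leave the list dormant but still present on disk. Assumptions not stated by the report: the JSON is a plain list of strings, the package directory names are hypothetical, and "CN" stands in for whatever region value the apps use.

```python
"""Offline audit helper for a MiAdBlacklistConfig-style keyword list.

Added example; not code from the report, from Xiaomi, or from any commenter.
Assumptions (not stated by the report): the file is a JSON list of strings,
the app directory layout built below, and the region value "CN" for mainland China.
"""
import json
import os
import re
import tempfile

# Matches any CJK ideograph; used to confirm the terms are Chinese, not English.
CJK = re.compile(r"[\u4e00-\u9fff]")

# Constructed sample: a few terms copied from the table 14 extract quoted in this thread.
SAMPLE_TERMS = ["宗教虔信者阵线", "西藏自由", "蒙古独立", "89民运", "人民报"]


def build_sample_tree():
    """Create a throwaway directory tree imitating /data/data/<pkg>/files as it
    would be pulled from a device or emulator. Package names are hypothetical."""
    root = tempfile.mkdtemp(prefix="miad_audit_")
    with_file = os.path.join(root, "com.example.ads", "files")
    without_file = os.path.join(root, "com.example.other", "files")
    os.makedirs(with_file)
    os.makedirs(without_file)
    path = os.path.join(with_file, "MiAdBlacklistConfig")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_TERMS, fh, ensure_ascii=False)
    return root


def find_blacklist_files(root):
    """Walk an app-data tree and return every file named MiAdBlacklistConfig*."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("MiAdBlacklistConfig"):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def load_terms(path):
    """Parse the JSON and return its string entries. A dict wrapping a list is
    also accepted, since the real layout is not given in the report."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if isinstance(data, dict):
        lists = [v for v in data.values() if isinstance(v, list)]
        data = lists[0] if lists else []
    return [t for t in data if isinstance(t, str)]


def summarise(terms):
    """Count entries and how many of them contain Chinese characters."""
    return {
        "count": len(terms),
        "chinese": sum(1 for t in terms if CJK.search(t)),
        "sample": terms[:3],
    }


def audit(root):
    """Map each blacklist file found under root to a summary of its contents."""
    return {path: summarise(load_terms(path)) for path in find_blacklist_files(root)}


def ad_blocked(ad_text, terms, region):
    """Region-gated substring filter of the kind the report describes: outside
    the "CN" region the list is never consulted, although it is still on disk
    and can be refreshed by the next download. An English ad never matches,
    because every term in the list is Chinese."""
    if region != "CN":
        return False
    return any(term in ad_text for term in terms)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for found, info in audit(sample_root).items():
        print(found, info)
```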
How is this different from what Apple is going to do with that on-device image hash algo? The other big story on HN in the last few days is that a Google Drive account was blocked [1] because of "terrorist" content. Why should I replace one set of censorship algos with another set of algos? At least Xiaomi limits their censorship algos only to Chinese users.
What would people suggest with regards to IoT devices? I own a Xiaomi robotic vacuum for instance. I've taken the usual step of putting it on a segregated IoT network but it's also got a builtin camera.
Not trying to be a jerk, but the S in IoT stands for Security. I work in an area where IoT has been the top buzzword of the past 3-4 years; I have nothing in my house and so far nothing in my work area of influence. I have a "smart" Chinese air conditioning unit with WiFi disabled and a "smart" Samsung TV with Ethernet not connected, not because I am paranoid but because I am old enough to have some life experience.
No, the OP in the thread later retracted as they could not replicate and it seemed more like a random bug in the camera:
"Yesterday I was a bit in a hurry and could not do all tests that I would have liked to. Today I tried to repeat the whole process with the same setup, documents still laying on the same table untouched etc. Just the lighting changed substantially (morning sun).
I was unable to repeat the 'green picture effect' even once... all pictures taken with the Xiaomi stock camera turned out well.
I am sorry that I jumped to unproven conclusions (censoring) :( "
Please read your full source in the future before posting. It clouds the discussion. (I just did this myself on another article)
This turned out to not be true. The comments pointed out that the overwrite is likely an app interpreting it as a different image format, which had happened before, and OP didn't replicate the issue the next day in different light.
Unless you are based in China, a Chinese national, a known dissident or a journalist it doesn't really matter, does it? Also, how do you know what Xiaomi did after you typed it?
EDIT: As I really phrased it badly, I mean it doesn't prove anything if none of the above-mentioned groups does it. It absolutely matters that Xiaomi is censoring and monitoring stuff based on keywords. I oppose that even more than I oppose Apple monitoring for child pornography. Simply because Xiaomi is already doing the monitoring for a non-democratic, repressive government.
No, quite the opposite actually. Just that it doesn't mean anything if a random Xiaomi user in Europe can type words Xiaomi is monitoring. Since that user most likely isn't the reason why Xiaomi is doing that kind of stuff.
Yes, rather than "it doesn't matter", something like "typing in a phrase yourself isn't relevant as this feature is likely disabled for you".
Believe that's why you're being downvoted. HN also moves comments around, so yours was not right next to the comment you replied to, which didn't help.
Reading my comment again, I do see the problem... On the positive side, it teaches clear, concise writing. Even in quick, short comments. Or thinking, as far as that's concerned. I would have used the same words verbally as well.
Pronouns in particular seem problematic. "It", "they", "he", "her" seem to be on their way out because they are less and less useful at communicating information.
According to the 32-page research report the phrase is "西藏自由", and also that blocking is disabled outside regions of interest. So it's likely you won't see anything happen, but worth a try!
Xiaomi system applications (Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) have been found to regularly download the manufacturer’s updated configuration file MiAdBlacklistConfig from a server located in Singapore. This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified in the MiAdBlacklistConfig file). Analysis of the Xiaomi application code showed that the applications have implemented software classes for filtering the target multimedia displayed on the device according to the downloaded MiAdBlacklistConfig list.
This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information.
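A toy model of the mechanism described in the quoted report passage and in the earlier comment about the code being stored on every phone but only run in China regions. This is an added example, not Xiaomi's code: a server-delivered keyword list, a region gate, a refresh timestamp, and substring matching of ad text against the list. The JSON schema, field names, region codes, refresh interval and the second keyword are assumptions; the only keyword taken from the thread is "西藏自由". The second run below flips the region gate in the config to show why a change to the downloaded file, rather than an app update, is enough to activate the same list elsewhere.

```python
"""Model of a server-delivered ad keyword blocklist gated by region.

Added example, not Xiaomi's code. Config shape and field names are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for a downloaded MiAdBlacklistConfig.
# The real file's schema is not shown on the page; these keys are invented.
SAMPLE_CONFIG_JSON = json.dumps({
    "version": 3,
    "refreshIntervalDays": 7,          # assumed refresh cadence
    "enabledRegions": ["CN"],          # assumed region gate
    "blacklist": [
        {"keyword": "西藏自由", "category": "political"},   # quoted in the thread
        {"keyword": "示例新闻社", "category": "news"},     # constructed placeholder
    ],
}, ensure_ascii=False)


class AdBlacklistFilter:
    """Filters ad text against a keyword list, active only in listed regions."""

    def __init__(self, config_json: str):
        cfg = json.loads(config_json)
        self.version = cfg["version"]
        self.refresh_interval = timedelta(days=cfg["refreshIntervalDays"])
        self.enabled_regions = set(cfg["enabledRegions"])
        # lower() so any Latin-script entry would match case-insensitively;
        # CJK strings are unaffected. No word boundaries: CJK has no spaces.
        self.keywords = [e["keyword"].lower() for e in cfg["blacklist"]]

    def needs_refresh(self, last_download, now):
        """True when the recorded download date is missing or stale."""
        return last_download is None or now - last_download >= self.refresh_interval

    def is_active(self, region: str) -> bool:
        return region in self.enabled_regions

    def matches(self, text: str) -> list:
        """Return every blocklist keyword found as a substring of text."""
        lowered = text.lower()
        return [k for k in self.keywords if k in lowered]

    def filter_ads(self, ads, region: str):
        """Split ads into (shown, blocked); everything is shown outside the gate."""
        if not self.is_active(region):
            return list(ads), []
        shown, blocked = [], []
        for ad in ads:
            hits = self.matches(ad["text"])
            (blocked if hits else shown).append({**ad, "hits": hits})
        return shown, blocked


def with_regions(config_json: str, regions) -> str:
    """Return a copy of the config with a different region gate (simulated server change)."""
    cfg = json.loads(config_json)
    cfg["enabledRegions"] = list(regions)
    return json.dumps(cfg, ensure_ascii=False)


# Constructed ad creatives: one carries the quoted phrase, one its English
# rendering, one is neutral.
SAMPLE_ADS = [
    {"id": "a1", "text": "支持西藏自由的纪录片，今晚首映"},
    {"id": "a2", "text": "Free Tibet documentary premieres tonight"},
    {"id": "a3", "text": "新款手机，限时优惠"},
]


def run_demo():
    """Same list, same ads; only the region gate in the config differs."""
    now = datetime(2021, 9, 23, tzinfo=timezone.utc)
    gated = AdBlacklistFilter(SAMPLE_CONFIG_JSON)
    opened = AdBlacklistFilter(with_regions(SAMPLE_CONFIG_JSON, ["CN", "LT"]))
    return {
        "stale": gated.needs_refresh(now - timedelta(days=8), now),
        "fresh": gated.needs_refresh(now - timedelta(days=1), now),
        "cn_blocked": [a["id"] for a in gated.filter_ads(SAMPLE_ADS, "CN")[1]],
        "lt_blocked": [a["id"] for a in gated.filter_ads(SAMPLE_ADS, "LT")[1]],
        "lt_after_flip": [a["id"] for a in opened.filter_ads(SAMPLE_ADS, "LT")[1]],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the run makes visible: the English ad "a2" is never blocked, because the list is Chinese-only, and the Lithuanian result changes from nothing blocked to "a1" blocked without any change to the filter code, only to the config it downloaded.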
I don't understand what you're saying or intending with your comments. There are 32 pages in the report. I'm curious about steps to replicate as well, generally for stuff like this.
I mean the piece quoted above is the correct original source.
I wanted to post exactly this snippet myself.
From that, a possible test case would be to open this HN thread in MiBrowser and see whether the webpage is blocked due to the "free Tibet" phrases posted here (assuming MiAdBlacklistConfig includes English versions).
If anyone has a Xiaomi phone and is willing to accept the MiBrowser terms of use, please try.
It's also in Chinese, so even if it is activated, typing it in English doesn't do anything. But that's not to say that it can't also be updated to cover other languages.
> It's disabled on phones in western markets, but can be enabled remotely by the manufacturer
Well, I think everything can be enabled remotely by your manufacturer, no matter which... it is what we call "software upgrades".
But for me, a westerner, it's actually good to have a phone controlled by the Chinese. I would be concerned if it were controlled by my government, though.
So, it's better than US-made spyware which cannot be removed from "our" PC CPUs? The best we can do is "disable" these features in the BIOS/UEFI and sleep well, even though nothing's really stopped.
Sorry for the whataboutism, but I am a lot less concerned about Chinese spyware because I know for a fact that my government serves the EU and the US.
All this anti China propaganda is really tiresome. China this, China that. Someone seems really scared. Fuck this someone
As you can see, one gets downvoted quickly when pointing out double standards, or posting anything else that could interfere with anti-Chinese propaganda efforts.
Apple's getting remarkably close to the same place with its (on-hold) system for scanning for CSAM. It could be adapted for political censorship and "turned on remotely at any time."
pfff... this is nothing. The government simply stops you on the roadside, demands you unlock your phone and if they find any VPN, or god forbid any "anti-national content", beats you to a pulp and then charges you with terrorism. State-sponsored mobile surveillance is too far away.
Whilst the loveable bear was somewhat banned online for a little while a while ago, it's now not actually banned in China in itself and is and has been a popular children's toy. Disney stores also exist and sell Winnie the Pooh in China.
What's more accurate is the use of the bear with reference to their leader (who looks like him!)
A better string would be "Tiananmen square massacre"
A few months ago I read Xiaomi is now bigger than Apple.
The cynic in me says this is just part of American anti China warfare. And Lithuania is, how should I put it nicely, an American lapdog.
Disclosure: yes this was typed on a Poco.
The 35 page report has details that should make it easy to replicate.
"This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time of the analysis, the MiAdBlacklistConfig file contained 449 elements). A fragment of the MiAdBlacklistConfig file is shown in Table 14."
page 23
You can't post slurs like this to HN. Nationalistic, racial, and/or ethnic flamewar is not welcome either. I'm sure you can make your substantive points without any of that.
I don't disbelieve you, but your comment definitely did not make it clear that you have "nothing against Chinese people". On the contrary, it rather made it sound as if you did. No doubt you didn't consider this possibility because you know your own intent—but intent doesn't communicate itself. It's your responsibility to disambiguate that.
HN readers with Chinese backgrounds or Chinese connections have just as much a right to be here as anyone else does. I invite you to consider how someone in their position would feel after reading your comment about how "Chinese culture and upbringing" includes "cheating and stealing". Even minimal empathy would make you recoil from what you posted.
HN readers with Chinese backgrounds have already been hounded off this site by prejudicial comments. That's shameful. I don't want it to happen again, and your comment crossed into that territory. Please don't do it again. As I said above, you can make your substantive points—including relating your personal experience—without crossing into prejudicial generalization. It's not that hard - you just need to be mindful of the audience. You're broadcasting to a large, diverse population when you comment here.
> Why do you think "chinese" is practically synonym to "cheap and most likely defective"?
I think this is orthogonal to china stealing/copying. A lot of stuff from china is cheap/low quality because that's where you can cheaply mass produce plastic crap. But a lot of products from china are extremely high quality, world class level. You just have to pay more for it.
> It is practically part of Chinese culture and upbringing.
Wow. Didn’t expect such blanket and shallow statement on HN.
Are you Chinese yourself? On what basis do you base your assumptions? Really.
> What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam.
Now this is something that is attributable to human behaviour. Pretty sure it is observable across all kinds of culture and races. But why did you single out the Chinese?
From my experience working with Chinese companies and other people's reports of the same?
I have worked for a company that outsourced production to a Chinese company. They would try a new trick every other month. Replacing parts with cheaper substitutes, skipping process steps, using counterfeit components. You point it out, they fix it, then they do the same when you are not looking at their hands.
Every time they are polite about it, but you know, this happening on almost every shipment is not an accident.
And even when you come with solid proof they bend over backwards to not admit they did it.
Read up on some other horror stories of outsourcing production to China.
Successfully outsourcing to China usually requires a sizable fleet of lawyers, constant presence at the production facility and inspecting every shipment for adherence to the contract.
Again, don't you understand the reason why you buy something Chinese from a Chinese company and it immediately falls apart? Or tries to kill you? The Chinese companies that try to make quality products are a small minority. They do exist, my Andonstar soldering microscope and Rigol oscilloscope are proof of it, but they are an exception.
I lived in China for a year and can vouch for this type of behaviour. It's just considered normal in China. The really odd thing is that when you call them out on it, they are super polite. E.g. they will always try to give foreigners fake money, but after a while you can spot the fakes. "Zhe shi jia de!!" you say (This is fake!) and they apologise and give you a real one. At the same time, you earn respect from them. It's all very odd, but you get used to it. Whilst I enjoyed living in China, I don't ever want to go back.
Yeah, I think the parent is more worried about being PC than being truthful. All of the points mentioned were true, they just aren't PC.
Gutter oil has been outlawed for a good minute now, yet it gets into even the restaurants. I have friends from mainland China who say even if you stay away from street vendors, eventually you will eat it, so people just give up worrying about it.
Myriad and many are the stories of factories taking specs and running off to start a cheaper knockoff competitor.
Sometimes the truth sucks. I used to dream of visiting China, now I'd be scared to.
Western companies and business people have been remarkably myopic over the last few decades when it comes to the reality of doing business in China. The parent comment here is exactly right... this person knows what they are talking about yet somehow companies in the West seem to persist in trying to make a go of it. They almost all eventually learn their lesson but it doesn't have to be this way. This is not new info or new behavior.
This is the kind of claim that's deep in conspiracy theory territory until the smoking gun is uncovered, and once that's out (and only then) it becomes obvious and unsurprising.
> No, it is not and has not been surprising for decades.
I still recall the Supermicro backdoor chip story, and how once the Bloomberg news broke it was immediately so obvious and so clear that backdoor spy chips were undoubtedly being injected.
But a few years have blown by and the story is now a renowned hoax.
So... this would be like saying "We have a murderer, we have ample evidence for it on tape and multiple witnesses. But there is also this one person that lied about being witness so then it must mean that the suspect is innocent."
It sounds like you lost track of the discussion. If you browse back through the thread you'll notice that the whole point is that without evidence this sort of accusation lies deep inside conspiracy theory territory, among all the nutty baseless conspiracies. The key difference in this case is that, unlike all other conspiracy theories, there is indeed evidence that provides substance to the accusations. Stating that an accusation is obvious is not evidence nor enough on its own. As I pointed out, the accusations in the Supermicro case were also immediately obvious. Too bad they were not grounded in reality and after all these years there is no evidence to support them. But they were obvious, right?
Your post reminds me of the time people in China rioted because students were not allowed to cheat on their exams. There really is something cultural going on there.
That was because the exams were national university entrance exams and the new, stronger anti-cheating measures were only being applied in one city.
The parents in that city felt that widespread cheating was normal everywhere else, essentially turning admissions into a lottery with a big disadvantage to anyone who did not cheat.
I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now. Just look at how smart TVs hoover up data from their customers. There's a danger to painting this as a problem with China's tech industry because it implicitly lets other tech companies off the hook for their horrendous privacy practices.
> What we call cheating or stealing is a standard business practice there.
What about "move fast and break things"? Or Uber's skirting of labor and taxi laws in many jurisdictions worldwide? I get that this is literally whataboutism, but the above examples are considered virtuous by many here. What's the fundamental difference? To me it seems like China has just perfected the tech "hustle" culture invented in SV.
> I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now.
Yes and no.
Yes, it is a problem with many tech companies, I agree.
But the way China does this is something completely different. Tech companies do this for their profit. China as a country exploits every single avenue to steal information and protect their position.
Stealing information and protecting their position is pretty common in the corporate world, in fact that's how many corporations ensure their continued profitability.
What you have in China is equivalent to "US Government" + "Big Tech" - "Bill of Rights".
Given the erosion in the bill of rights here, I suspect things are on a similar playing field. The main difference is the US government only censors using indirect means or by attacking the providers of information like Julian Assange.
Did we forget that the NSA is collecting most of the traffic on the internet?
I still say there is a big difference between intercepting the Internet traffic and saying that giving unlimited access to the information is a prerequisite to doing business.
Just imagine the US government decided to imprison Apple executives and put their own people in their place unless Apple gave unlimited access to all their devices to US agencies.
Also the way China uses this information -- to control minorities, punish "thought crime", erase historical events and uncomfortable topics from public.
> Given the erosion in the bill of rights here, I suspect things are on a similar playing field.
Not even close. Ready?
Joe Biden is suffering from worsening dementia. It was obvious before he took office. He's incompetent for the office. His aides constantly have to protect him from the public spectacle of his declining mental condition. The media also constantly does its part to artificially shield him. Biden was probably the candidate most capable of beating Trump (the Biden campaign mostly let Trump punch himself out), perhaps the only candidate capable of it; however, he was also not mentally/physically fit for the office.
Have you seen some of the super creepy videos of him on YouTube? How about all his various embarrassing gaffes (fella from down under)? They're still on YouTube. It works in a similar way in China with Xi and the party in general, right?
I've placed this comment on a public forum, anyone can read it.
When do the authorities show up to disappear me? How many years shall I spend in prison for my comment? Will my family be safe?
Did you see what the media did to Trump during his Presidency? Did you read social media during those four years? And there is a similar playing field in the US as in China? Ha.
Very few of us can read Chinese (which explains why no one treats China like a country made of people), but I expect that in a country of a billion people many people have all kinds of rude opinions for and against the government expressed all over the internet.
Appreciate your perspective here, you're right. The insidious "filter list" in the dictionary is sensational and the meta-story is around the worldwide invasion of user privacy.
"Member of the German parliament, Manuel Höferlin, who serves as the chairman of the Digital Agenda committee in Germany, has penned a letter to Apple CEO Tim Cook, pleading Apple to abandon its plan to scan iPhone users' photo libraries"