I think you would have to be mad to leave the stock ROM running on a Xiaomi phone, IIRC they were caught logging peoples browser history a few years ago.
Several models have mainline LineageOS support, I'm running Lineage on my Mix 2S and hope to have years worth of updates going forward.
The hardware is really good value as long as you install an non-tainted OS.
Correct, its entirely possible they could be doing more insidious stuff at the firmware level, but dumb keyword checking is almost certainly implemented in userspace.
I don't think you can trust any proprietary firmware out there, its just a question of which you trust less than the others.
As stupid as it might sound, I do trust Pixel phones, and an hypothetical iPhone running a different OS, the most of all alternatives. If one want's a smartphone, if not just take a 20+ year old dumb phone. Or BlackBerry.
>"its just a question of which you trust less than the others."
Simple. I do not "trust less". I just do not trust. My phone is a phone. No Internet activity. I spend enough time in front of my desktop, dragging another computer anywhere I go is the last thing on my mind.
You can't exactly do it without permission though. You need to crack the bootloader for the baseband and that's way easier said than done and immediately noticeable.
> You need to crack the bootloader for the baseband and that's way easier said than done
There have been more than enough cases of people poking holes in bootloaders, including secret services. For what it's worth, Huawei and Xiaomi can be considered as part of the Chinese CCP dictatorship and I'd expect them to have access to such exploits.
> and immediately noticeable.
How is an user supposed to notice a modified baseband firmware? The only thing that a user can see is if the device has been rooted, but with a factory-supplied backdoor even that doesn't help.
There's a difference between poking a hole the device bootloader and the baseband bootloader. The second is wayyy more lockdown and has a tiny attack surface.
A user can directly download the baseband image from the chipset using for example QFIL. Then you can check if it's signed with Qualcomm's key or another. Exploiting this would require Xiaomi to hide two baseband firmwares in the baseband firmware which isn't feasible, and it would also require them to completely rewrite the baseband bootloader instead of just exploiting it.
But even then you'd be able to read the eMMC and notice that there are two baseband firmwares. If you want to figure it out, you're free to buy any Xiaomi phone, read the eMMC, and check how many baseband images there are, then you'll be able to definitively know. Let me know if you do it.
When I said immediately noticeable I meant by Qualcomm, not by the end user though. They have contractual obligations to lock down their baseband and their licensing system relies on it so they have a large incentive.
Only when CPU is Qualcomm I think. I'm not knowledgeable with QPST/QXDM scenes but it didn't sound like firmware integrity mechanisms on qcom modems are too tight.
Of course the firmware is only Qualcomm if the modem is Qualcomm.
QPST/QXDM allows you to mess with the modems by sending it commands and changing configs yeah. But if you want to flash the firmware that's something else.
Yeah the firmware integrity mechanism are not the best, and there's definitely vulnerabilities in the firmware. But there's still no way of installing unsigned firmware on more recent devices, and I've never come across a way of running unsigned code without it being really obvious.
There was a bug recently that allowed you edit baseband memory from within the OS, but again you'll never be able to hide that from Qualcomm on a million devices.
Did you have any problems with AOSP? I want to replace the stock spyware on me mom's 9T, but the experience seems to be mixed, judging by a couple of forum discussions.
Minor inconveniences mostly, but that's probably because I keep flashing different ROMs to try stuff out.
My only "issue" is that because of my escapedes with flashing I now have only Widevine L3 support, so no full-HD videos on Netflix. But this should be easily fixed by flashing xiaomi.eu ROM and then going back to AOSP.
> Restrict apps, but can still log in via browser.
This isn't paradoxical. You treat the browser as a less trusted security domain than a phone, which usually has a secure boot chain, strong sandboxing, encrypted disk, reliable hardware cryptography etc, and therefore provide a different/better service on the phone. If a phone is missing one of these expected components then you're not the target market for the app, I guess. (Of course, your phone OS might be perfectly good, and the stock one might be crap, but the app developers don't care.)
If the bank is planning to use the app to replace their hardware 2FA tokens (that they used to mandate for web transactions here), then the app must be considered more secure than the browser (probably because the secrets can be placed somewhere not trivially readable).
I disagree. My main bank allows several high-risk actions to be performed when logged in from a web browser, which are entirely impossible from the mobile banking app.
It's completely ridiculous that I can't use my mobile banking app for day to day low risk, low volume transactions if my phone is rooted, yet I can do anything and everything with high values of cash and credit from a Linux machine running any web browser I wish, as root.
The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price who "ensure security" by just saying, "lets chuck a library in that prevents running if the device is detected as being rooted, and call it a day".
These are protections any reasonably technical user can circumvent with the likes of Magisk and still, all to do far, far less damage than is possible than if they were to use a web browser.
> The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price who "ensure security" by just saying, "lets chuck a library in that prevents running if the device is detected as being rooted, and call it a day".
I don't understand, why people think so. Banks hire good developers. They don't pay them well (by banks' own standards), but they still pay enough to hire competent programmers.
Unfortunately, working in bank is highly competitive environment, that fosters sycophants and rewards socially adept people, good at obeying orders to letter. Who cares, what the programmers think, they are at the bottom of command chain anyway.
The fraud prevention is often split into it's own department. As for "computer security" department, it is a fang-less security circus, that exists to satisfy PCI DSS. In some banks it outright pretends, that web sites and mobile apps don't exist. All your data will be processed in "secure server enclave", managed by "certified professionals", while sending hashes of credit card numbers to Google Analytics.
That's what happens when you have external security requirements along with audits and incompetent/greedy management. Designing and implementing a security policy based on the standard is a waste of money when you can do the bare minimum by checking off boxes.
Bank websites in some (developed, European) countries restrict you to 6-8 digit passwords (not alphanumeric), and don't have a 2FA option like Facebook or Google do. It's a massive joke.
Granted that is on a phone where you can usually just swipe left to their email application and run through some forgot your password steps - also the 2FA that most people use is just SMS which goes to the same place.
Assume that if someone has your unlocked phone they own your life.
Many must also store them in plaintext as well, or something like it, because the operator has to be able to confirm the spoken password for telebanking.
My favourite was when I needed to enter the second and fifth caracter of my password, and seventh and ninth digit from the login number. These are surely hashed in the database! (Metro Bank UK) not banking with them anymore.
It probably will never be. It just takes one OEM to fuck it up and everyone can use their device ID. That's why hardware backed attestation doesn't work, OnePlus fucked it up and now Magisk can pretend to be that phone and get exempted.
Even apps like Netflix are configured not to be available on Google play if the device is not a certified one. That certification is lost AFAIK on rooting. I have two perfectly good android tablets that can’t run Netflix
That's the reality we live in. They will put up with being spied upon 24/7 for the convenience of a cheap phone they can't be bothered to root and ROM.
Made me chuckle. I know a guy who finds Netflix a total PITA and the streaming experience (sorely) lacking. So he pays for Netflix streaming and dvds, and then downloads what he wants to watch via torrents for the convenience.
I think if you've been torrenting this entire time you're probably set for life - being looped into all sorts of movie sharing rings that you regularly seed for... but breaking into it fresh - it's tough.
This is why I still have my iPhone around. I know that one day my banking apps will just stop working. For now, Magisk Hide does the job.
Next time when I'll be looking for a new Android phone to buy, stock Android will be a hard requirement. I was stupid to pick my Xiaomi phone for it's hardware, I should've just gone with a Motorola.
I have a Mi 8 and use the xiaomi.eu ROM which supposedly has a lot of the junk removed. I also rooted it. I have no issues with any banking apps, Netflix or SafetyNet.
Most people don't care if another country spies on them, since their laws don't apply to them. They would care much more if they are profiled by their own government. Or more like tech companies on behalf of the government spying on them, and them being discriminated, harassed, or jailed based on that data. So in a way its actually kind of smart to go with a Chinese phone if you live in America.
Good value assuming you're on the right carrier. AT&T in the US and its MVNOs are moving to a whitelist model in February, making Xiaomi phones unusable for anyone in the US not on T-Mobile.
On a related note, Realme recently bricked two (maybe more) phone models with an update that caused a soft-boot loop if the weather service (!) was removed by the user to reduce bloat. The problem is not fixed. People have lost data. I personally put Realme on my "never do business with" list.
If their engineering is so poor that they haven't caught this in time, nor reacted by releasing a one-line software patch that can be applied manually (cause users sure as hell can't do it themselves - stock can only apply signed updates), they shouldn't be trusted with anything.
What difference does it make to disable the censorship function compared to fully removing it from the code base?
Considering that phone updates cannot be verified, every phone maker has the ability to secretly add such features at any time. And if the phone is link to a user account they could even do this in a targeted way.
The thing is if these censorship is enabled, its going to be found out in a second by someone and explode in the news. All it does is that it deletes a word you typed on your phone or prevent you from seeing a piece of content that you want to see. It's going to be so obvious. It will not achieve the desired goal to censor in the first place and will make people realize what you don't want people to see. It will completely backfire. Given it is a broken and illogical plan, then it is highly unlikely there is a a multi year effort to build phones, sale to international markets, just to censor what people want to say and feed people about ccp propaganda. Even if someone is so stupid and want to do it anyway. What you fear is the censorship actually work. But you don't have to worry about that as it will not work.
The 35 page report has details that should make it easy to replicate.
"This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time of the analysis, the MiAdBlacklistConfig file contained 449 elements). A fragment of the MiAdBlacklistConfig file is shown in Table 14."
page 23
"Member of the German parliament, Manuel Höferlin, who serves as the chairman of the Digital Agenda committee in Germany, has penned a letter to Apple CEO Tim Cook, pleading Apple to abandon its plan to scan iPhone users' photo libraries"
So, it's better than US made spyware which cannot be removed from "our" PC CPUs? Best we can do is "disable" these features in the BIOS/UEFI and sleep well, even though we nothing's really stopped.
Sorry for the whataboutism but I am lot less concerned about Chinese spyware because I know for a fact that my government serves the EU and the US.
All this anti China propaganda is really tiresome. China this, China that. Someone seems really scared. Fuck this someone
As you can see, one gets downvoted quickly when pointing out double standards, or posting anything else that could interfere with anti-Chinese propaganda efforts.
> It's disabled on phones in western markets, but can be enabled remotely by the manufacturer
Well, I think everything can be enabled remotely by your manufacturer, no matter which... it is what we call "software upgrades".
But for me, a western, it's actually good to have a phone controlled by the Chinese. I would be concerned if it were controlled by my government, though.
It's also in Chinese, so if it is activated typing it in English doesn't do anything. But that's not to say that it can't be also updated to be other languages
Xiaomi system applications (Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) have been found to regularly download the manufacturer’s updated configuration file MiAdBlacklistConfig from a server located in Singapore. This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified in the MiAdBlacklistConfig file). Analysis of the Xiaomi application code showed that the applications have implemented software classes for filtering the target multimedia displayed on the device according to the downloaded MiAdBlacklistConfig list.
This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information.
I don't understand what you're saying or intending with your comments. There are 32 pages in the report. I'm curious about steps to replicate as well, generally for stuff like this.
I mean the piece quoted above is the correct original source.
I wanted to post exactly this snippet myself.
From that a possible test case can be to open this HN thread in MiBrowser and see the webpage blocked due to the "free Tibet" phrases posted here (assuming MiAdBlacklistConfig includes English versions).
If anyone has a Xiaomi phone and is willing to accept the MiBrowser terms of use, please try.
Unless you are based in China, a Chinese national, a known dissident or a journalist it doesn't really matter, does it? Also, how do you know what Xiaomi did after you typed it?
EDIT: As I really phrased it badly, I mean it doesn't proof anything if none of the above mentioned groups does it. It absolutely matters that Xiaomi is censoring and monitoring stuff based on key words. I oppose that even more than oppose Apple monitoring child pornography. Simply because Xiaomi is already doing the monitoring for a non Democratic repressive government.
No, quite the opposite actually. Just that it doesn't mean anything if a random Xiaomi user in Europe can type words Xiaomi is monitoring. Since that user most likely isn't the reason why Xiaomi is doing that kind of stuff.
Yes, rather than "it doesn't matter", something like "typing in a phrase yourself isn't relevant as this feature is likely disabled for you".
Believe that's why you're being downvoted. The way HN moves comments around also so yours was not right next to the comment you replied to, which didn't help.
Reading my comment again, I do see the problem... On the positive side, it teaches clear, consive writing. Even in quick, short comments. Or thinking, as far as that's concerned. I would have used the same words verbally as well.
Pronouns in particular seem problematic. "It", "they", "he", "her" seem to be on their way out because they are less and less useful at communicating information.
According to the 32 page research report the phrase is "西藏自由", and also that blocking is disabled outside regions of interest. So it's likely you won't see anything happen, but worth a try!
> "Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible," Defence Deputy Minister Margiris Abukevicius told reporters in introducing the report.
This is applicable equally for every other country.
Whilst the loveable bear was somewhat banned online for a little time a while ago, it's now not actually banned in China in itself and is and has been a popular children's toy. Disney stores also exist and sell winne the pooh in China.
What's more accurate is the use of the bear with reference to their leader (who looks like him!)
A better string would be "tianamen square massacre"
From the article:
Relations between Lithuania and China have soured recently. China demanded last month that Lithuania withdraw its ambassador in Beijing and said it would recall its envoy to Vilnius after Taiwan announced that its mission in Lithuania would be called the Taiwanese Representative Office
No one trust China but this sure looks like politically motivated. Was someone else able to authenticate or reproduce the results.
Most people don't have Xiaomi phones. And it's worth noting that the document only mentions some of those, from over 300 entries. What are the others and why were they redacted out?
Thet are very common in Lithuania, to the point where I’d say around 20% of new phones being sold are from Xiaomi. They expanded heavily into other industries, like home automation, with prices that are a fraction of what other manufacturers would ask for their hardware.
My prediction is that their market share is going to substantially grow. Xiaomi phones are much cheaper in terms of the hardware they offer. A Xiaomi Poco F3 costs €350. A comparable device from others is probably in the €>450 range. An iPhone's probably in the €>800 range.
There are no details really as to how Xiaomi censors those terms. If one does not use the bundled-in browser / app-store, I doubt Xiaomi can censor anything at all in other browsers unless they MiTM with client-cert. OTOH, many popular non-browser apps (at least the ones that matter) pin certificates, so even Lenovo-esque shenanigans wouldn't work [0].
What can they possibly be doing in the firmware or the ROM to break TLS (and other such authenticated key-exchange protocols)? The only thing I think of: Injecting a compromised https stack in to an app's classpath / ld_library_path. This may sound ambitious, but the Android modding community already uses such runtime swappers to great affect [1][2].
> But Wardle found that in some edge cases, a bug in the Taiwan-censorship code meant that instead of treating the Taiwan emoji as missing from the phone's library, it instead considered it an invalid input. That caused phones to crash altogether, resulting in what hackers call a denial-of-service attack that would let anyone crash a vulnerable device on command.
Which was also a bug—the conditions of which's existence are manifestly political (which I have zero desire/intent to defend here), but nonetheless an Apple-side bug that was patched eventually
Thanks to those who posted a link to the actual report [1]
It may be worth clarifying that all those keywords and terms are in Chinese. So when they say "Free Tibet" they mean that the phone has a blacklist file that contains "西藏自由" and which use is disabled in the "European region".
On the other hand, it seems that this blacklist file is actually downloaded into the phone, which suggests to me that they could update it to match any terms in any language if they wanted.
I think that Chinese manufacturers will really need to produce 'clean' firmware that satisfies independent audits instead of these superficial feature flags if they want to continue to sell in the West long term. If not they will suffer Huawei's fate one after the other when this sort of thing is found out.
Depending on your definition that’s also a Chinese phone. You might be able to get one build in India, but that require a lot of effort.
The problem is that you’re more or less screwed if you trust neither China nor Google. Generally speaking the iPhone is your best option, but partly due to a lack of options.
Just buy Pixel phones, the pure Android experience and day 1 updates are worth it. The new Pixel 6 will use LTS kernel and custom SoC, rumored to have updates for 5 years instead of what was a standard of 3.
Consider the Gigaset GS4 or one of their older devices. The GS4 is not currently rooted afaik but some of their older devices (GS290?) are supported by (edit)e.foundation [1] and etc. As an additional benefit, they are made in Germany (though the origin of the parts is probably not exclusively German I guess.)
China has no qualms invading privacy of anybody. They will try any and every way to get whatever they need and they are pretty effective at it.
Ever read about making business in China? What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam. It is practically part of Chinese culture and upbringing.
Why do you think "chinese" is practically synonym to "cheap and most likely defective"?
Just say no to Chinese phones and TVs and internet services, because you WILL be exploited. It is not a question if but rather when and whether you will or will not know about it.
This is the kind of claim that's deep in conspiracy theory territory until the smoking gun is uncovered, and once that's out (and only then) it becomes obvious and unsurprising.
> No, it is not and has not been surprising for decades.
I still recall the Supermicro backdoor chip story, and how once the Bloomberg news broke it was immediately so obvious and so clear that backdoor spy chips were undoubtedly being injected.
But a few years have blown by and the story is now a renowned hoax.
So... this would be like saying "We have a murderer, we have ample evidence for it on tape and multiple witnesses. But there is also this one person that lied about being witness so then it must mean that the suspect is innocent."
It sounds you lost track of the discussion. If you browse back through the thread you'll notice that the whole point is that without evidence this sort of accusation lies deep inside conspiracy theory territory, among all nutty baseless conspiracies. The key difference in this case is that, unlike all other conspiracy theories, there is indeed evidence that provide substance to accusations. Stating that an accusation is obvious is not evidence nor enough on itself. As I pointed out, the accusations in the Supermicro case we're also immediately obvious. Too bad they were not grounded on reality and after all these years there is no evidence to support them. But they were obvious, right?
I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now. Just look at how smart TVs hoover up data from their customers. There's a danger to painting this as a problem with China's tech industry because it implicitly lets other tech companies off the hook for their horrendous privacy practices.
> What we call cheating or stealing is a standard business practice there.
What about "move fast and break things"? Or Uber's skirting of labor and taxi laws in many jurisdictions worldwide? I get that this is literally whataboutism, but the above examples are considered virtuous by many here. What's the fundamental difference? To me it seems like China has just perfected the tech "hustle" culture invented in SV.
Appreciate your perspective here, you're right. The insidious "filter list" in the dictionary is sensational and the meta-story is around the worldwide invasion of user privacy.
> I think the focus on China with respect to privacy is misplaced. This is a problem with many tech companies now.
Yes and no.
Yes, it is a problem with many tech companies, I agree.
But the way China does this is something completely different. Tech companies do this for their profit. China as a country exploits every single avenue to steal information and protect their position.
Stealing information and protecting their position is pretty common in the corporate world, in fact that's how many corporations ensure their continued profitability.
What you have in China is equivalent to "US Government" + "Big Tech" - "Bill of Rights".
Given the erosion in the bill of rights here, I suspect things are on a similar playing field. The main difference is the US government only censors using indirect means or by attacking the providers of information like Julian Assange.
Did we forget that the NSA is collecting most of the traffic on the internet?
I still say there is a big difference between intercepting the Internet traffic and saying that giving unlimited access to the information is a prerequisite to doing business.
Just think US government decided to imprison Apple executives and put their own in place of them unless Apple gave unlimited access to all their devices to US agencies.
Also the way China uses this information -- to control minorities, punish "thought crime", erase historical events and uncomfortable topics from public.
> Given the erosion in the bill of rights here, I suspect things are on a similar playing field.
Not even close. Ready?
Joe Biden is suffering from worsening dementia. It was obvious before he took office. He's incompetent for the office. His aids constantly have to protect him from the public spectacle of his declining mental condition. The media also constantly does their part to artificially shield him. Biden was probably the candidate most capable of beating Trump (the Biden campaign mostly let Trump punch himself out), perhaps the only candidate capable of it, however he was also not mentally/physically fit for the office.
Have you seen some of the super creepy videos of him on YouTube? How about all his various embarrassing gaffs (fella from down under)? They're still on YouTube. It works in a similar way in China with Xi and the party in general, right?
I've placed this comment on a public forum, anyone can read it.
When do the authorities show up to disappear me? How many years shall I spend in prison for my comment? Will my family be safe?
Did you see what the media did to Trump during his Presidency? Did you read social media during those four years? And there is a similar playing field in the US as in China? Ha.
Very few of us can read Chinese (which explains why no one treats China like a country made of people), but I expect that in a country of a billion people many people have all kinds of rude opinions for and against the government expressed all over the internet.
> Why do you think "chinese" is practically synonym to "cheap and most likely defective"?
I think this is orthogonal to china stealing/copying. A lot of stuff from china is cheap/low quality because that's where you can cheaply mass produce plastic crap. But a lot of products from china are extremely high quality, world class level. You just have to pay more for it.
Western companies and business people have been remarkably myopic over the last few decades when it comes to the reality of doing business in China. The parent comment here is exactly right... this person knows what they are talking about yet somehow companies in the West seem to persist in trying to make a go of it. They almost all eventually learn their lesson but it doesn't have to be this way. This is not new info or new behavior.
> It is practically part of Chinese culture and upbringing.
Wow. Didn’t expect such blanket and shallow statement on HN.
Are you a Chinese yourself? On what basis do you base your assumptions on? Really.
> What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam.
Now this is something that is attributable to human behaviour. Pretty sure it is observable across all kinds of culture and races. But why did you single out the Chinese?
For my experience working with Chinese and other peoples' reports of the same?
I have worked for a company that has outsourced production to a Chinese company. They would try new trick every other month. Replacing parts for cheaper substitutes, skipping process steps, using counterfeit components. You point it out, they fix it, then they do the same when you are not looking at their hands.
Every time they are being polite about it, but you know, this happening almost every shipment is not an accident.
And even when you come with a solid proof they bend backwards to not admit they did it.
Read up on some other horror stories of outsourcing production to China.
Successfully outsourcing to China usually requires a sizable fleet of lawyers, constant presence at the production facility and inspecting every shipment for adherence to the contract.
Again, don't you understand the reason for why you buy Chinese from Chinese company and it immediately falls apart? Or tries to kill you? The Chinese companies that try to make quality products are a small minority. They do exist, my Andonstar soldering microscope and Rigol osciloscope is a proof of it, but they are an exception.
Yea I think parent is more worried about being PC than being truthful. All of the points mentioned were true, they just aren't PC.
Gutter oil has been outlawed for a good minute now, yet it gets into even the restaurants, I've friends from mainland China who say even if you stay away from street vendors eventually you will eat it, so people just give up worrying about it.
Myriad and many are the stories of factories taking specs and running off to start a cheaper knockoff competitor.
Sometimes the truth sucks. I used to dream of visiting China, now I'd be scared to.
I lived in China for a year and vouch for this type of behaviour. It’s just considered normal in China. The really odd thing is that when you call them out on it, they are super polite. Eg they will always try to give foreigners fake money but after a while you can spot the fakes “zhe shi jia de!!”, you say (This is fake!) and they apologise and give you a real one. At the same time, you earn respect from them. It’s just all very odd but you get used to it. Whilst I enjoyed living in China, I don’t want to ever go back.
Your post reminds me of the time people in China rioted because students were not allowed to cheat on their exams. There really is something cultural going on there.
That has because the exams were national university entrance exams and the new stronger anti-cheating measures were only being applied in one city.
The parents in that city felt that widespread cheating was normal everywhere else essentially turning admissions into a lottery with a big disadvantage to anyone who did not cheat.
You can't post slurs like this to HN. Nationalistic, racial, and/or ethnic flamewar is not welcome either. I'm sure you can make your substantive points without any of that.
I don't disbelieve you, but your comment definitely did not make it clear that you have "nothing against Chinese people". On the contrary, it rather it made it sound as if you did. No doubt you didn't consider this possibility because you know your own intent—but intent doesn't communicate itself. It's your responsibility to disambiguate that.
HN readers with Chinese backgrounds or Chinese connections have just as much a right to be here as anyone else does. I invite you to consider how someone in their position would feel after reading your comment about how "Chinese culture and upbringing" includes "cheating and stealing". Even minimal empathy would make you recoil from what you posted.
HN readers with Chinese backgrounds have already been hounded off this site by prejudicial comments. That's shameful. I don't want it to happen again, and your comment crossed into that territory. Please don't do it again. As I said above, you can make your substantive points—including relating your personal experience—without crossing into prejudicial generalization. It's not that hard - you just need to be mindful of the audience. You're broadcasting to a large, diverse population when you comment here.
What's "decomposition analysis" and how can I do it at home?
Since others here are curious, how would one go replicating these results to find the MiAdBlacklistConfig file? Can I download the OS from a website and just search for strings in the MiAdBlacklistConfig file? I'm genuinely interested, rather than using this question to cast doubt on the 32 page research report.
From what I can gather from the report it should be possible to reproduce the analysis. Probably it is even possible to run the apps in question in an emulator.
Also it should be possible to get the full url of the censorship configuation file and also its full contents.
Given the extreme politics around this, I think it would be better if this type of analysis was done as open source and in a completely reproducible manner.
No, the OP in the thread later retracted as they could not replicate and it seemed more like a random bug in the camera:
"Yesterday I was a bit in a hurry and could not do all tests that I would have liked to. Today I tried to repeat the whole process with the same setup, documents still laying on the same table untouched etc. Just the lighting changed substantially (morning sun).
I was unable to repeat the 'green picture effect' even once... all pictures taking with Xiaomi stock camera turned out well.
I am sorry that I jumped to unproven conclusions (censoring) :( "
Please read your full source in the future before posting. It clouds the discussion. (I just did this myself on another article)
this turned out to not be true - the comments pointed out that the overwrite is likely an app interpreting it as different image format, which had happened before, and OP didn't replicate the issue the next day in different light
This is what kinda terrifies me about today's digital landscape. Now it's so cheap to hide surveillance capabilities (spyware, hidden microphones or cameras) that bad actors can just embed surveillance into every cheap device, hoping just by sheer numbers to get one into a sensitive area (e.g. Pentagon, Langley), and then remotely activate surveillance. With the computational capabilities of today's data centers, they don't even have to be all that selective anymore. They could just be monitoring everyone, at some granularity, dumping logs into a massive database with just enough metadata to make it searchable/queryable.
> I hate to say this, but OSS anarchism is not going to work. Most people cannot really work or live with those devices.
Baby steps. Such changes start small.
> This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.
Yes, but regulations do also ring-in different challenges and over the long-term, the status-quo ends up being enshrined in them, thwarting the otherwise thriving diversity of the ecosystem. Though, it is inevitable Internet / Web gets regulated ala Finance / Telecommunications industries.
I don't disagree at all with what you're saying, but shouldn't we still what little we can? Even if it's incremental, doesn't it at least send a tiny signal to manufacturers and companies and government if they see an increase in the demand of open hardware and open-source software?
The end solution will definitely require something more systemic, no question, but I don't think that should stopping the common person from doing what what they can.
I bought an iPhone less than a year ago (to use up a discount code before I left Apple), but a part of me already regrets not biting the bullet and purchasing something open, like a PinePhone.
This is the correct answer. Legislation and outright bans of products that require any sort of internet connection to work.
Furthermore, legislation that explicitly prevents gathering of any data, user account or coercion to use the product in any way without explicit consent of the user.
We need both. First, Stallman was right. We simply cannot trust the magic incantations (code) of closed-source software and hardware to respect laws, in spirit or in letter. We must be able to audit all devices at every level. Second, the EFF is right, too. They fight at the legislative level. But they are fighting a defensive game. Consumers need to go on the offensive and lobby for legislatures to pass a digital Bill of Rights.
Certainly, legislation would be enormously helpful, but legislation isn't incantation. Economic factors are real.
Western countries need to rebuild their domestic manufacturing bases. There is no other way to guarantee that production will respect ethical norms and no other way to realistically punish violations. Legislation must incrementally direct industry back to the West and provide conditions under which it can flourish. This is easier said than done which is why any temptation to outsource ought to be VERY carefully considered because once you outsource industry, not only do you destroy the industrial base and mutually beneficial complex relationships, but you also starve domestic expertise and competence and the culture of that industry. Industry is a culture and culture is only transmitted when it is living, when there is a society of people who communicate and share and contribute and make use of it. If you ship textile manufacturing abroad, your domestic textile culture atrophies and withers. I think people underestimate this. It's not just a matter of willing something. You don't just say "well, all we need to do is build a factory for making X". Yeah? Who knows how to build that factory and to make X, and make it well so that it is competitive? Not you. Western cultures have forgotten how to make certain things. It's like trying to go into the pyramid building business by just wanting to do it or by looking over some old papyrus. Yeah, sure, you have to start somewhere, and do start, but don't expect it to be easy.
Decentralizing production is also better for security by removing unnecessary dependence. You want production to be distributed. You do not want one guy to make all of X.
And placing your bets on Chinese reform or political pressure on China to "be nice" is so ludicrous that I won't waste my proverbial breath. I will only say that the vast imperial ambitions of China are not only obvious, but that the elites of our own countries have taken a liking to their methods. The recent self-hatred of Westerners creates a vacuum, and Chinese ideas seem poised to fill it.
Technically capable person can easily protect himself. It's not that hard. At least from ordinary threats. Use dedicated firewall device, use software firewalls, periodically check out running services.
Issue is with rest 99.9% of people who will share whatever you say, because their phone happened to be nearby and you can't really do anything about it.
Biggest missing piece in all these "free" phones is giant (bigger than Linux kernel) baseband firmware blob. Until we have something like Osmocom but for LTE, LTE-A, 5G, etc, all this is pointless.
Not the same. It's only for use in computers with SDR hardware attached AFAIK. Nothing ready to flash into the phone firmware and just use it like OsmocomBB allowed with these Motorola phones.
I'm, like many people here, the IT support for my extended family.
I generally do my best to not only steer them away from invasive devices but also explain why.
Unfortunately this is more and more turning into a situation where I have hardware sent to me, reflashed with a known good rom and then mailed back out.
It’s underrated but DJI drones sold by millions is a great way to spy on what could not be gathered through satellite imagery. If not now then during war time, CCP has a million remote cameras in form of DJI drones and can turn it on in a snap. It would require nationwide firewall to stop. Of course, DJI drones require DJI flight app to even take off.
Why isn’t US Gov putting together legislation for this sort of a thing is beyond me.
There seems to be a onslaught of positive DJI YouTube videos about how creating a user account is great and easy. Including fake comments praising DJI. Just search on YT DJI Mavic Pro setup.
All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.
> All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.
We're way past the point of no return with all of this.
At some point you just have to accept the new normal. Some of this should be handled by national security teams but I am unsure where we stand (US).
I'm surprised Lithuania of all places takes a firm stand on Chinese phones, meanwhile the US seems to be spinning its wheels. I am not sure what is going on behind closed doors.
I’m not sure if I agree with defeatist attitude. I’d do whatever I can. But, I do agree that this needs to be taken care of at the legislation / national security level and citizens shouldn’t have to.
Is that even enough though? Couldn't china put in shadow processors or other hardware-level surveillance similar to Intel's management engine? And it would be extremely difficult to detect, let alone disable or mitigate.
426 comments
[ 4.8 ms ] story [ 289 ms ] thread[0] https://en.wikipedia.org/wiki/Android_One#2020
1. Approaching death, about to die.
2. Reaching obsolescence.
I learned a new word today, thank you.
I don't think you can trust any proprietary firmware out there, its just a question of which you trust less than the others.
Simple. I do not "trust less". I just do not trust. My phone is a phone. No Internet activity. I spend enough time in front of my desktop, dragging another computer anywhere I go is the last thing on my mind.
There have been more than enough cases of people poking holes in bootloaders, including secret services. For what it's worth, Huawei and Xiaomi can be considered as part of the Chinese CCP dictatorship and I'd expect them to have access to such exploits.
> and immediately noticeable.
How is an user supposed to notice a modified baseband firmware? The only thing that a user can see is if the device has been rooted, but with a factory-supplied backdoor even that doesn't help.
A user can directly download the baseband image from the chipset using for example QFIL. Then you can check if it's signed with Qualcomm's key or another. Exploiting this would require Xiaomi to hide two baseband firmwares in the baseband firmware which isn't feasible, and it would also require them to completely rewrite the baseband bootloader instead of just exploiting it.
But even then you'd be able to read the eMMC and notice that there are two baseband firmwares. If you want to figure it out, you're free to buy any Xiaomi phone, read the eMMC, and check how many baseband images there are, then you'll be able to definitively know. Let me know if you do it.
When I said immediately noticeable I meant by Qualcomm, not by the end user though. They have contractual obligations to lock down their baseband and their licensing system relies on it so they have a large incentive.
QPST/QXDM allows you to mess with the modems by sending it commands and changing configs yeah. But if you want to flash the firmware that's something else.
Yeah the firmware integrity mechanism are not the best, and there's definitely vulnerabilities in the firmware. But there's still no way of installing unsigned firmware on more recent devices, and I've never come across a way of running unsigned code without it being really obvious.
There was a bug recently that allowed you edit baseband memory from within the OS, but again you'll never be able to hide that from Qualcomm on a million devices.
The problem with replacing the OS is that I believe most banking apps I use will stop working. Might just need to write this phone off.
My only "issue" is that because of my escapedes with flashing I now have only Widevine L3 support, so no full-HD videos on Netflix. But this should be easily fixed by flashing xiaomi.eu ROM and then going back to AOSP.
This is my daily driver: https://forum.xda-developers.com/t/rom-11-0-official-davinci...
Restrict apps, but can still log in via browser.
I have one bank app that actually says to screenshot a payment screen for your records, while blocking screenshots via app policy.
This isn't paradoxical. You treat the browser as a less trusted security domain than a phone, which usually has a secure boot chain, strong sandboxing, encrypted disk, reliable hardware cryptography etc, and therefore provide a different/better service on the phone. If a phone is missing one of these expected components then you're not the target market for the app, I guess. (Of course, your phone OS might be perfectly good, and the stock one might be crap, but the app developers don't care.)
It's completely ridiculous that I can't use my mobile banking app for day to day low risk, low volume transactions if my phone is rooted, yet I can do anything and everything with high values of cash and credit from a Linux machine running any web browser I wish, as root.
The reality is, the mobile app development is outsourced to incompetent teams for presumably the lowest price who "ensure security" by just saying, "lets chuck a library in that prevents running if the device is detected as being rooted, and call it a day".
These are protections any reasonably technical user can circumvent with the likes of Magisk and still, all to do far, far less damage than is possible than if they were to use a web browser.
Don't give them any ideas. They'll just ban Linux browsers now.
I don't understand, why people think so. Banks hire good developers. They don't pay them well (by banks' own standards), but they still pay enough to hire competent programmers.
Unfortunately, working in bank is highly competitive environment, that fosters sycophants and rewards socially adept people, good at obeying orders to letter. Who cares, what the programmers think, they are at the bottom of command chain anyway.
The fraud prevention is often split into it's own department. As for "computer security" department, it is a fang-less security circus, that exists to satisfy PCI DSS. In some banks it outright pretends, that web sites and mobile apps don't exist. All your data will be processed in "secure server enclave", managed by "certified professionals", while sending hashes of credit card numbers to Google Analytics.
Assume that if someone has your unlocked phone they own your life.
Really this all just shows that people will truly put up with anything to make their lives more convenient, or for them to have to do less work.
This is a contradiction in terms.
That's the reality we live in. They will put up with being spied upon 24/7 for the convenience of a cheap phone they can't be bothered to root and ROM.
Next time when I'll be looking for a new Android phone to buy, stock Android will be a hard requirement. I was stupid to pick my Xiaomi phone for it's hardware, I should've just gone with a Motorola.
If their engineering is so poor that they haven't caught this in time, nor reacted by releasing a one-line software patch that can be applied manually (cause users sure as hell can't do it themselves - stock can only apply signed updates), they shouldn't be trusted with anything.
Considering that phone updates cannot be verified, every phone maker has the ability to secretly add such features at any time. And if the phone is link to a user account they could even do this in a targeted way.
Linked near the top of the thread, 32 pages of goodness: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
"This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time of the analysis, the MiAdBlacklistConfig file contained 449 elements). A fragment of the MiAdBlacklistConfig file is shown in Table 14." page 23
Linked elsewhere but here's the PDF report: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
Its way to update that mod in real time without the user knowing about it as its system allowed due it running in a separate allowed system space.
Surveillance doesn't belong on our devices. Period.
Once it's in, the dictators can clamp down even harder. Over time, freedom atrophies and the window slides closer to totalitarian control.
Don't invite the devil in. Scream it away.
"Member of the German parliament, Manuel Höferlin, who serves as the chairman of the Digital Agenda committee in Germany, has penned a letter to Apple CEO Tim Cook, pleading Apple to abandon its plan to scan iPhone users' photo libraries"
https://www.macrumors.com/2021/08/18/german-politician-lette...
https://appleinsider.com/articles/21/08/17/germany-writes-to...
Along with
"Apple photo-scanning plan faces global backlash from 90 rights groups"
https://arstechnica.com/tech-policy/2021/08/apple-photo-scan...
And 487 other articles, reports, fusses that went against Apple's plans.
Here's the official report: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
https://news.ycombinator.com/item?id=28613703
Another user below found the best link, the true original source:
Here's the official report: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi... (link updated)
this should work (note: direct link to pdf)
https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
"have a built-in ability to detect and censor terms such as "Free Tibet"
Censor by preventing one posting the phrase? Removing the phrase from web pages?
What are the steps to reproduce?
Sorry for the whataboutism but I am lot less concerned about Chinese spyware because I know for a fact that my government serves the EU and the US.
All this anti China propaganda is really tiresome. China this, China that. Someone seems really scared. Fuck this someone
Well, I think everything can be enabled remotely by your manufacturer, no matter which... it is what we call "software upgrades".
But for me, a western, it's actually good to have a phone controlled by the Chinese. I would be concerned if it were controlled by my government, though.
Xiaomi system applications (Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) have been found to regularly download the manufacturer’s updated configuration file MiAdBlacklistConfig from a server located in Singapore. This file contains a list composed of the titles, names and other information of various religious and political groups and social movements (at the time the analysis was performed, 449 records were identified in the MiAdBlacklistConfig file). Analysis of the Xiaomi application code showed that the applications have implemented software classes for filtering the target multimedia displayed on the device according to the downloaded MiAdBlacklistConfig list. This allows a Xiaomi device to perform an analysis of the target multimedia content entering a phone: to search for keywords based on the MiAdBlacklist list received from the server. When it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information.
PDF here: https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
From that a possible test case can be to open this HN thread in MiBrowser and see the webpage blocked due to the "free Tibet" phrases posted here (assuming MiAdBlacklistConfig includes English versions).
If anyone has a Xiaomi phone and is willing to accept the MiBrowser terms of use, please try.
A user here testing this is irrelevant. If someone wants to verify, figure out where we can get the codebase and search these strings ourselves.
EDIT: As I really phrased it badly, I mean it doesn't proof anything if none of the above mentioned groups does it. It absolutely matters that Xiaomi is censoring and monitoring stuff based on key words. I oppose that even more than oppose Apple monitoring child pornography. Simply because Xiaomi is already doing the monitoring for a non Democratic repressive government.
Believe that's why you're being downvoted. The way HN moves comments around also so yours was not right next to the comment you replied to, which didn't help.
This is applicable equally for every other country.
What's more accurate is the use of the bear with reference to their leader (who looks like him!)
A better string would be "tianamen square massacre"
No one trust China but this sure looks like politically motivated. Was someone else able to authenticate or reproduce the results.
What can they possibly be doing in the firmware or the ROM to break TLS (and other such authenticated key-exchange protocols)? The only thing I think of: Injecting a compromised https stack in to an app's classpath / ld_library_path. This may sound ambitious, but the Android modding community already uses such runtime swappers to great affect [1][2].
[0] https://news.ycombinator.com/item?id=9072424
[1] https://forum.xda-developers.com/f/magisk.5903/
[2] https://forum.xda-developers.com/f/xposed-general.3094/
i sent this to a friend who owns a xiaomi phone and asked him to resent this back to me via sms. the message appeared just fine.
note: i am from india so this might not be enabled on the phones here for now
https://www.reddit.com/r/Xiaomi/comments/pgk8y3/comment/hbf5...
https://news.ycombinator.com/item?id=28395885
[1] https://www.wired.com/story/apple-china-censorship-bug-iphon...
Which was also a bug—the conditions of which's existence are manifestly political (which I have zero desire/intent to defend here), but nonetheless an Apple-side bug that was patched eventually
It may be worth clarifying that all those keywords and terms are in Chinese. So when they say "Free Tibet" they mean that the phone has a blacklist file that contains "西藏自由" and which use is disabled in the "European region".
On the other hand, it seems that this blacklist file is actually downloaded into the phone, which suggests to me that they could update it to match any terms in any language if they wanted.
I think that Chinese manufacturers will really need to produce 'clean' firmware that satisfies independent audits instead of these superficial feature flags if they want to continue to sell in the West long term. If not they will suffer Huawei's fate one after the other when this sort of thing is found out.
[1] https://www.nksc.lt/doc/en/analysis/2021-08-23_5G-CN-analysi...
About the same thing as Apple scanning iPhones for what they say is child porn.
suggests to me they could update it to match any images if they wanted...
The problem is that you’re more or less screwed if you trust neither China nor Google. Generally speaking the iPhone is your best option, but partly due to a lack of options.
Not Pixel 6 though. Still made in China https://asia.nikkei.com/Business/China-tech/COVID-slows-Appl...
[1] https://doc.e.foundation/devices
China has no qualms invading privacy of anybody. They will try any and every way to get whatever they need and they are pretty effective at it.
Ever read about making business in China? What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam. It is practically part of Chinese culture and upbringing.
Why do you think "chinese" is practically synonym to "cheap and most likely defective"?
Just say no to Chinese phones and TVs and internet services, because you WILL be exploited. It is not a question if but rather when and whether you will or will not know about it.
This is the kind of claim that's deep in conspiracy theory territory until the smoking gun is uncovered, and once that's out (and only then) it becomes obvious and unsurprising.
In China there are no private companies.
There are only companies that Chinese government lets you run as long as you cooperate with the government.
I still recall the Supermicro backdoor chip story, and how once the Bloomberg news broke it was immediately so obvious and so clear that backdoor spy chips were undoubtedly being injected.
But a few years have blown by and the story is now a renowned hoax.
https://www.theregister.com/2021/02/12/supermicro_bloomberg_...
So tell me, is this sort of story also unsurprising for decades?
It sounds you lost track of the discussion. If you browse back through the thread you'll notice that the whole point is that without evidence this sort of accusation lies deep inside conspiracy theory territory, among all nutty baseless conspiracies. The key difference in this case is that, unlike all other conspiracy theories, there is indeed evidence that provide substance to accusations. Stating that an accusation is obvious is not evidence nor enough on itself. As I pointed out, the accusations in the Supermicro case we're also immediately obvious. Too bad they were not grounded on reality and after all these years there is no evidence to support them. But they were obvious, right?
> What we call cheating or stealing is a standard business practice there.
What about "move fast and break things"? Or Uber's skirting of labor and taxi laws in many jurisdictions worldwide? I get that this is literally whataboutism, but the above examples are considered virtuous by many here. What's the fundamental difference? To me it seems like China has just perfected the tech "hustle" culture invented in SV.
Yes and no.
Yes, it is a problem with many tech companies, I agree.
But the way China does this is something completely different. Tech companies do this for their profit. China as a country exploits every single avenue to steal information and protect their position.
What you have in China is equivalent to "US Government" + "Big Tech" - "Bill of Rights".
Did we forget that the NSA is collecting most of the traffic on the internet?
Just think US government decided to imprison Apple executives and put their own in place of them unless Apple gave unlimited access to all their devices to US agencies.
Also the way China uses this information -- to control minorities, punish "thought crime", erase historical events and uncomfortable topics from public.
Not even close. Ready?
Joe Biden is suffering from worsening dementia. It was obvious before he took office. He's incompetent for the office. His aids constantly have to protect him from the public spectacle of his declining mental condition. The media also constantly does their part to artificially shield him. Biden was probably the candidate most capable of beating Trump (the Biden campaign mostly let Trump punch himself out), perhaps the only candidate capable of it, however he was also not mentally/physically fit for the office.
Have you seen some of the super creepy videos of him on YouTube? How about all his various embarrassing gaffs (fella from down under)? They're still on YouTube. It works in a similar way in China with Xi and the party in general, right?
I've placed this comment on a public forum, anyone can read it.
When do the authorities show up to disappear me? How many years shall I spend in prison for my comment? Will my family be safe?
Did you see what the media did to Trump during his Presidency? Did you read social media during those four years? And there is a similar playing field in the US as in China? Ha.
I think this is orthogonal to china stealing/copying. A lot of stuff from china is cheap/low quality because that's where you can cheaply mass produce plastic crap. But a lot of products from china are extremely high quality, world class level. You just have to pay more for it.
Wow. Didn’t expect such blanket and shallow statement on HN.
Are you a Chinese yourself? On what basis do you base your assumptions on? Really.
> What we call cheating or stealing is a standard business practice there. If you point it out they will back off and try somewhere else, ad nauseam.
Now this is something that is attributable to human behaviour. Pretty sure it is observable across all kinds of culture and races. But why did you single out the Chinese?
For my experience working with Chinese and other peoples' reports of the same?
I have worked for a company that has outsourced production to a Chinese company. They would try new trick every other month. Replacing parts for cheaper substitutes, skipping process steps, using counterfeit components. You point it out, they fix it, then they do the same when you are not looking at their hands.
Every time they are being polite about it, but you know, this happening almost every shipment is not an accident.
And even when you come with a solid proof they bend backwards to not admit they did it.
Read up on some other horror stories of outsourcing production to China.
Successfully outsourcing to China usually requires a sizable fleet of lawyers, constant presence at the production facility and inspecting every shipment for adherence to the contract.
Again, don't you understand the reason for why you buy Chinese from Chinese company and it immediately falls apart? Or tries to kill you? The Chinese companies that try to make quality products are a small minority. They do exist, my Andonstar soldering microscope and Rigol osciloscope is a proof of it, but they are an exception.
Gutter oil has been outlawed for a good minute now, yet it gets into even the restaurants, I've friends from mainland China who say even if you stay away from street vendors eventually you will eat it, so people just give up worrying about it.
Myriad and many are the stories of factories taking specs and running off to start a cheaper knockoff competitor.
Sometimes the truth sucks. I used to dream of visiting China, now I'd be scared to.
The parents in that city felt that widespread cheating was normal everywhere else essentially turning admissions into a lottery with a big disadvantage to anyone who did not cheat.
You can't post slurs like this to HN. Nationalistic, racial, and/or ethnic flamewar is not welcome either. I'm sure you can make your substantive points without any of that.
https://news.ycombinator.com/newsguidelines.html
I have nothing against Chinese people.
On the other hand what I described is day to day reality doing business in China and is easily backed by facts.
You may not like, you may not be aware of it, it but it is truth.
See accounts of other HN users in this thread.
"I lived in China for a year and vouch for this type of behaviour. It’s just considered normal in China. "
https://hn.algolia.com/?dateRange=all&page=0&prefix=false&so...
HN readers with Chinese backgrounds or Chinese connections have just as much a right to be here as anyone else does. I invite you to consider how someone in their position would feel after reading your comment about how "Chinese culture and upbringing" includes "cheating and stealing". Even minimal empathy would make you recoil from what you posted.
HN readers with Chinese backgrounds have already been hounded off this site by prejudicial comments. That's shameful. I don't want it to happen again, and your comment crossed into that territory. Please don't do it again. As I said above, you can make your substantive points—including relating your personal experience—without crossing into prejudicial generalization. It's not that hard - you just need to be mindful of the audience. You're broadcasting to a large, diverse population when you comment here.
Since others here are curious, how would one go replicating these results to find the MiAdBlacklistConfig file? Can I download the OS from a website and just search for strings in the MiAdBlacklistConfig file? I'm genuinely interested, rather than using this question to cast doubt on the 32 page research report.
From what I can gather from the report it should be possible to reproduce the analysis. Probably it is even possible to run the apps in question in an emulator.
Also it should be possible to get the full url of the censorship configuation file and also its full contents.
Given the extreme politics around this, I think it would be better if this type of analysis was done as open source and in a completely reproducible manner.
Related, in this thread the OP discovered that he couldn’t take photos of an election ballot - they were being overwritten with a big green block.
"Yesterday I was a bit in a hurry and could not do all tests that I would have liked to. Today I tried to repeat the whole process with the same setup, documents still laying on the same table untouched etc. Just the lighting changed substantially (morning sun).
I was unable to repeat the 'green picture effect' even once... all pictures taking with Xiaomi stock camera turned out well.
I am sorry that I jumped to unproven conclusions (censoring) :( "
Please read your full source in the future before posting. It clouds the discussion. (I just did this myself on another article)
It's insane.
https://blog.malwarebytes.com/android/2020/07/we-found-yet-a...
HN discussion here: https://news.ycombinator.com/item?id=28499918
It's downright dystopian.
It sure is. No stopping it now though.
I'm old enough to remember being able to go to someone's place and expect privacy. These days literally anything can have an HD cam.
Not great for paranoia but what can you do?
> They could just be monitoring everyone,
They are. Snowden already proved this, and we apparently got into that particular situation to keep pace with China.
Not my job.
1. If you are a developer, consider buying a Pinephone [1] and contributing to the codebase.
2. If not a developer, you can submit bug reports and test fixes. Same for Purism Librem phone as well [2].
3. If you are neither, or have no time to spare but do have money, you can always purchase one for kicks or donate to open source like Ubuntu.
4. Finally if you have no time or money, simply upvoting privacy related threads on HN and talking with your friends about it helps too.
[1] https://pine64.com/product/pinephone-beta-edition-with-conve...
[2] https://puri.sm/products/librem-5/
edit: added numbering
This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.
The solution to bad government is not "no government" and the solution to bad company behavior is better rules.
Baby steps. Such changes start small.
> This is a problem that needs to be solved with legislation, lobbying, superPACs, and candidates who are not ethically flexible.
Yes, but regulations do also ring-in different challenges and over the long-term, the status-quo ends up being enshrined in them, thwarting the otherwise thriving diversity of the ecosystem. Though, it is inevitable Internet / Web gets regulated ala Finance / Telecommunications industries.
The end solution will definitely require something more systemic, no question, but I don't think that should stopping the common person from doing what what they can.
I bought an iPhone less than a year ago (to use up a discount code before I left Apple), but a part of me already regrets not biting the bullet and purchasing something open, like a PinePhone.
Furthermore, legislation that explicitly prevents gathering of any data, user account or coercion to use the product in any way without explicit consent of the user.
OSS is not going to cut the mustard.
Western countries need to rebuild their domestic manufacturing bases. There is no other way to guarantee that production will respect ethical norms and no other way to realistically punish violations. Legislation must incrementally direct industry back to the West and provide conditions under which it can flourish. This is easier said than done which is why any temptation to outsource ought to be VERY carefully considered because once you outsource industry, not only do you destroy the industrial base and mutually beneficial complex relationships, but you also starve domestic expertise and competence and the culture of that industry. Industry is a culture and culture is only transmitted when it is living, when there is a society of people who communicate and share and contribute and make use of it. If you ship textile manufacturing abroad, your domestic textile culture atrophies and withers. I think people underestimate this. It's not just a matter of willing something. You don't just say "well, all we need to do is build a factory for making X". Yeah? Who knows how to build that factory and to make X, and make it well so that it is competitive? Not you. Western cultures have forgotten how to make certain things. It's like trying to go into the pyramid building business by just wanting to do it or by looking over some old papyrus. Yeah, sure, you have to start somewhere, and do start, but don't expect it to be easy.
Decentralizing production is also better for security by removing unnecessary dependence. You want production to be distributed. You do not want one guy to make all of X.
And placing your bets on Chinese reform or political pressure on China to "be nice" is so ludicrous that I won't waste my proverbial breath. I will only say that the vast imperial ambitions of China are not only obvious, but that the elites of our own countries have taken a liking to their methods. The recent self-hatred of Westerners creates a vacuum, and Chinese ideas seem poised to fill it.
Issue is with rest 99.9% of people who will share whatever you say, because their phone happened to be nearby and you can't really do anything about it.
We already do. SrsRAN[1] UE and OpenAirInterface.
[1] https://www.srslte.com/
I generally do my best to not only steer them away from invasive devices but also explain why.
Unfortunately this is more and more turning into a situation where I have hardware sent to me, reflashed with a known good rom and then mailed back out.
Why isn’t US Gov putting together legislation for this sort of a thing is beyond me.
There seems to be a onslaught of positive DJI YouTube videos about how creating a user account is great and easy. Including fake comments praising DJI. Just search on YT DJI Mavic Pro setup.
All this is too suspicious for me. I returned the drone for obvious reasons but millions of people are already buying into the ecosystem.
We're way past the point of no return with all of this.
At some point you just have to accept the new normal. Some of this should be handled by national security teams but I am unsure where we stand (US).
I'm surprised Lithuania of all places takes a firm stand on Chinese phones, meanwhile the US seems to be spinning its wheels. I am not sure what is going on behind closed doors.
Do we know for certain that IME is not already doing this kind of spying though?