Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher, but “Tim Sweeney is the anti-corporate robinhood who will dismantle hegemony of Valve and Apple” is very popular narrative on every western tech site
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
This is why I don't mix work and play and have a dedicated machine for games, but this only solves half the problem. It really needs it's own VLAN or to use 'guest' wifi to keep it isolated, but that only solves half the remaining problem. Two easy steps to get to 75% solved, but still leaves a high-powered machine connected to the internet that could be abused, can still listen on bluetooth and enumerate wifi (precise geolocation), and so on. At least this way it's only online for a few hours a day at most. It's the most I can do without investing serious time trying to block state-level intrusion in a battle I can never win.
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
That is fair. I do not think anyone could feasibly could detect/extract the exact data sent, because of HTTPS.
However I was more thinking of simple things, such as disabling anything that SHOULD be communicating with the Internet and seeing if any constant traffic persists.
Now of course, some very small (e.g plaintext) traffic might be almost undetectable, however that would suggest that most of the data would not be able to be transmitted due to size.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
In my case, I don't currently have any capture software on my main computer at all.
Our routers are Asus, and so I'm able to install tcpdump and log traffic directly without the source device itself knowing anything. This makes it really easy to monitor the traffic of any device, albeit not knowing exactly what it is being sent.
But it is true that I really can't know much more than what tcpdump shows.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
I'm not sure why "954 partners" is surprising: log10(954) is between 2 and 3 so, if you assume Soundcloud uses at least 10 SaaS products to manage data (AWS, Snowflake, Datadog, etc. this number is definitely a low estimate). And then you assume each of those entities process the data through 10 partners of various kinds, it only takes 3 steps out to get 1,000.
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Almost. Both China and USA have threatened military action in Taiwan and Greenland respectively, but legally the USA and Greenland are not one; Greenland is a territory of Denmark despite having an independent government. Taiwan and Mainland China also have independent governments, but legally both consider themselves China, so it would be like North and South Korea if they had never agreed that they are separate countries now. Recently Taiwan has begun changing their identity as an independent country, and began the legal updates, however this is not internationally recognized because mainland china has resisted it, and frankly few countries want to go against china and risk sanctions or other political action from china. Even the USA doesn't recognize taiwan as separate, officially, although actions speak louder than words, and it is clear that most respect Taiwan's desire for independence and treat them as sovereign.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
There are two governments that contain the substring of "China" and their constitutions claim a single unified Chinese country that includes mainland and Taiwan island, most of the world, seems ok with that.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone.
Where i felt especially bad was Dead by Daylight mobile.
Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
the gist author being new and the writing looking polished doesn't change that the log files are right there on disk for anyone to verify. ls the directory and read the output yourself.
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses!
This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
the scheduling is the tell. 17 commands every 30 min isn't analytics or crash reporting - that's systematic fingerprinting with a consistent cadence.
what's frustrating is this is basically invisible without running in a monitored environment. static analysis won't surface it. you'd need behavioral monitoring - network traffic plus syscall tracing - to even know it's happening.
seen similar patterns in CI/CD tooling actually. less blatant but same mechanism - process phoning home way more often than you'd expect, commands that look like routine system auditing. most devs assume third-party tools behave themselves.
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
reply