Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher, but “Tim Sweeney is the anti-corporate robinhood who will dismantle hegemony of Valve and Apple” is very popular narrative on every western tech site
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
This is why I don't mix work and play and have a dedicated machine for games, but this only solves half the problem. It really needs it's own VLAN or to use 'guest' wifi to keep it isolated, but that only solves half the remaining problem. Two easy steps to get to 75% solved, but still leaves a high-powered machine connected to the internet that could be abused, can still listen on bluetooth and enumerate wifi (precise geolocation), and so on. At least this way it's only online for a few hours a day at most. It's the most I can do without investing serious time trying to block state-level intrusion in a battle I can never win.
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
That is fair. I do not think anyone could feasibly could detect/extract the exact data sent, because of HTTPS.
However I was more thinking of simple things, such as disabling anything that SHOULD be communicating with the Internet and seeing if any constant traffic persists.
Now of course, some very small (e.g plaintext) traffic might be almost undetectable, however that would suggest that most of the data would not be able to be transmitted due to size.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
In my case, I don't currently have any capture software on my main computer at all.
Our routers are Asus, and so I'm able to install tcpdump and log traffic directly without the source device itself knowing anything. This makes it really easy to monitor the traffic of any device, albeit not knowing exactly what it is being sent.
But it is true that I really can't know much more than what tcpdump shows.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
I'm not sure why "954 partners" is surprising: log10(954) is between 2 and 3 so, if you assume Soundcloud uses at least 10 SaaS products to manage data (AWS, Snowflake, Datadog, etc. this number is definitely a low estimate). And then you assume each of those entities process the data through 10 partners of various kinds, it only takes 3 steps out to get 1,000.
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Almost. Both China and USA have threatened military action in Taiwan and Greenland respectively, but legally the USA and Greenland are not one; Greenland is a territory of Denmark despite having an independent government. Taiwan and Mainland China also have independent governments, but legally both consider themselves China, so it would be like North and South Korea if they had never agreed that they are separate countries now. Recently Taiwan has begun changing their identity as an independent country, and began the legal updates, however this is not internationally recognized because mainland china has resisted it, and frankly few countries want to go against china and risk sanctions or other political action from china. Even the USA doesn't recognize taiwan as separate, officially, although actions speak louder than words, and it is clear that most respect Taiwan's desire for independence and treat them as sovereign.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
There are two governments that contain the substring of "China" and their constitutions claim a single unified Chinese country that includes mainland and Taiwan island, most of the world, seems ok with that.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
Yes, the situation was different in the 50s and 70s. But for the last few decades it has been explicit chinese policy that any change of the status quo would lead to an invasion.
Somewhat similar to HongKong where China apologists always bring up that HK never had any democratic autonomy while conveniently not mentioning that China explicitly stated that such would instantly result in an invasion.
Putting a gun to someones head forcing him to say something and then using that against him.
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone.
Where i felt especially bad was Dead by Daylight mobile.
Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
the gist author being new and the writing looking polished doesn't change that the log files are right there on disk for anyone to verify. ls the directory and read the output yourself.
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses!
This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
the scheduling is the tell. 17 commands every 30 min isn't analytics or crash reporting - that's systematic fingerprinting with a consistent cadence.
what's frustrating is this is basically invisible without running in a monitored environment. static analysis won't surface it. you'd need behavioral monitoring - network traffic plus syscall tracing - to even know it's happening.
seen similar patterns in CI/CD tooling actually. less blatant but same mechanism - process phoning home way more often than you'd expect, commands that look like routine system auditing. most devs assume third-party tools behave themselves.
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher, but “Tim Sweeney is the anti-corporate robinhood who will dismantle hegemony of Valve and Apple” is very popular narrative on every western tech site
[0] https://news.ycombinator.com/item?id=19394399
[1] https://www.reddit.com/r/PhoenixPoint/comments/b0rxdq/epic_g...
>Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher,
Your sources for that claim is a bit underwhelming, given that epic apparently (?) doesn't upload any information without explicit user consent.
The new Delta Force is made in China nowadays and apparently scans your whole hdd (for anti cheat).
Isn't that somewhat common in AC software?
Yes, it's a common feature of malware.
For security, yo.
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
>please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners
source?
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
> You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
Don't be ridiculous, all that garbage is VLAN'd off, and my router has strict firewall logging for any suspicious outbound traffic.
I'm sure I can trust my Chinese made router to handle this safely for me.
This is why I don't mix work and play and have a dedicated machine for games, but this only solves half the problem. It really needs it's own VLAN or to use 'guest' wifi to keep it isolated, but that only solves half the remaining problem. Two easy steps to get to 75% solved, but still leaves a high-powered machine connected to the internet that could be abused, can still listen on bluetooth and enumerate wifi (precise geolocation), and so on. At least this way it's only online for a few hours a day at most. It's the most I can do without investing serious time trying to block state-level intrusion in a battle I can never win.
But non-chinese game listening and siphoning all your data is ok.
> is listening to you and siphoning all data on your local network to China.
How is it any different from western apps listening to you and siphoning all data on your local network to 3 letter agencies?
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
As someone from the EU, could I not use the argument to argue that for me it's both an adversarial country?
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
And to be fair only US is openly hostile to EU.
Both the US and China are openly hostile to domestic populations.
I see no harm if China use my data. But US companies are actually using my data against me.
It's still distasteful, but they aren't in a position to do me much direct harm, so there's that.
As someone from the EU, please do!
I don't know why you're being downvoted, the US has been way more belligerent towards the EU recently than China.
I beg you pardon.
We've got a live situation where three letter agencies are taking down their OWN country and citizens in its wake. Oh, and the alliances as well.
Sure, materially different.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
Yet we have the current example of the United States.
ICE? DOJ? Hello?
> The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
I swear I'm not trying to be dense on purpose, but come on.
Unless _woosh_, in which case well played.
> There's a massive difference between having a country spying on it's own citizen
Like CIA, NSA, FBI ? Of course there is a difference.
Like US saying EU is its adversary and spying on it? Trump had been pretty clear that he sees EU as a threat while China and Russia is not.
And don’t forget that ICE sees both non-citizens and citizens as the enemy if they don’t agree with Trump.
You're lucky if you truly live in a "Western" country where the throne isn't held by the enemy.
Yes, in the headlines the agencies playing adversaries to the common folk are definitely mainly chinese... /s
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
we have routers that you can monitor traffic on
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
Companies have also been known to secretly eavesdrop and not tell users before (Apple + Siri https://www.courthousenews.com/judge-approves-95-million-app...)
>Most traffic is encrypted with HTTPS unless you can root every single device you own
>Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
This line of thinking gets dangerously close to unfalsifiable territory.
If apps are eavesdropping on us, where's the network data? It's encrypted.
But you can disable https pinning by jailbreaking/rooting? The spying logic automatically disables if it detects it's jailbroken/rooted.
Where's the jailbreak/root detection logic? It's buried in 9 layers of obfuscation so you can't find it.
What about microphone indicator? They found a 0day in both Android and iOS, or the two are complicit as well.
But we don't see any backdoors in AOSP? It's built into the hardware/baseband itself.
>Companies have also been known to secretly eavesdrop and not tell users before (Apple + Siri https://www.courthousenews.com/judge-approves-95-million-app...)
"secretly eavesdrop" implies they were intentionally doing it, when even the plaintiffs admit it wasn't intentional.
That is fair. I do not think anyone could feasibly could detect/extract the exact data sent, because of HTTPS.
However I was more thinking of simple things, such as disabling anything that SHOULD be communicating with the Internet and seeing if any constant traffic persists.
Now of course, some very small (e.g plaintext) traffic might be almost undetectable, however that would suggest that most of the data would not be able to be transmitted due to size.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
In my case, I don't currently have any capture software on my main computer at all.
Our routers are Asus, and so I'm able to install tcpdump and log traffic directly without the source device itself knowing anything. This makes it really easy to monitor the traffic of any device, albeit not knowing exactly what it is being sent.
But it is true that I really can't know much more than what tcpdump shows.
Now, how confident are you of all of the above, but instead of for your computer, for your router?
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
As I tell my friends
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
Are those your assumptions or something that have been tested?
It's been a while since I browsed anything without an ad blocker.
Do you still get ads for the exact thing you just bought for a week after buying it? :)
>How is it any different from western apps listening to you and siphoning all data on your local network to 3 letter agencies?
Examples?
Google's Android, Apple's iOS, Microsoft Windows
More than one thing can be bad at once.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
> The consensus is usually "well the government only targets you when you probably deserve it"
Not sure where you got that consensus from, it sounds made up to me or at least outdated as of Feb 2026, especially on HN.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
[citation needed]
Please stop with the hyperbole. Shit is bad enough; more fake news from any direction doesn’t help.
I am not sure where hyperbole is - if your believe it is "fake news", it's your choice.
Do chinese apps make use of all data they can access? Absolutely. Do western apps make use of all data they can access? Absolutely.
Both concepts are evil. Talking one is evil while dropping off the other is skew of discussion towards vilifying one side and omitting the subject.
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
> but it's existence at least means that intelligence agencies are willing to follow domestic law
Oh they break it alright whenever they please. And they have been caught handsomely.
> A competent Western administration
...because they have done so well with X, Meta and etc doing exactly the same thing.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I recently downloaded the Soundcloud app for the first time on this iOS device and it said something along the lines of:
By continuing you agree to us sharing your data with our 954 partners…
Yeah and that means the data that you share with Soundcloud.
It's very different from:
> ps aux # Every running process with full arguments
If you think these two cases are even remotely comparable, I don't know what to tell you.
> data that you share with Soundcloud.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
I'm not sure why "954 partners" is surprising: log10(954) is between 2 and 3 so, if you assume Soundcloud uses at least 10 SaaS products to manage data (AWS, Snowflake, Datadog, etc. this number is definitely a low estimate). And then you assume each of those entities process the data through 10 partners of various kinds, it only takes 3 steps out to get 1,000.
How do you sandbox on mobile? I can't say I love having various apps like wechat on my phone...
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
[1] https://github.com/achalmgucker/Shelter
It seems that the repository has moved to https://gitea.angry.im/PeterCxy/Shelter/.
Every app is sandboxed by default.
Secure Folders on Samsung. Multiple user profiles on Pixels/AOSP.
Separate grapheneos accounts for everything does that I believe
I went with a separate non-critical phone when I had to communicate on WeChat.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
(1) https://crdroid.net/
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
Chinese mainland or mainland US?
China mainland. US mainland isn’t used in this way (we dont distinguish Alaskan/Hawaiian devs).
Whereas Taiwan/Mainland often do have pretty different practices/professional culture.
I don't know why you're bringing Taiwan into this, and I don't think TSMC has an app...
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Taiwan is "not mainland China" in the same way that Greenland is "not mainland USA"
Almost. Both China and USA have threatened military action in Taiwan and Greenland respectively, but legally the USA and Greenland are not one; Greenland is a territory of Denmark despite having an independent government. Taiwan and Mainland China also have independent governments, but legally both consider themselves China, so it would be like North and South Korea if they had never agreed that they are separate countries now. Recently Taiwan has begun changing their identity as an independent country, and began the legal updates, however this is not internationally recognized because mainland china has resisted it, and frankly few countries want to go against china and risk sanctions or other political action from china. Even the USA doesn't recognize taiwan as separate, officially, although actions speak louder than words, and it is clear that most respect Taiwan's desire for independence and treat them as sovereign.
What?? China and Taiwan are two separate countries.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
Both are claiming to be the real China.
Taiwan's official name is "Republic of China".
There are two countries that contain the substring "Republic of the Congo" and everyone seems to be okay with that
There are two governments that contain the substring of "China" and their constitutions claim a single unified Chinese country that includes mainland and Taiwan island, most of the world, seems ok with that.
A bit ambitious, isn't it?
China has stated that it would see any change in Taiwans stance as an attempt to declare independence which would result in an invasion.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
Yes, the situation was different in the 50s and 70s. But for the last few decades it has been explicit chinese policy that any change of the status quo would lead to an invasion.
Somewhat similar to HongKong where China apologists always bring up that HK never had any democratic autonomy while conveniently not mentioning that China explicitly stated that such would instantly result in an invasion.
Putting a gun to someones head forcing him to say something and then using that against him.
Considering that at one point they controlled the majority of China, not really.
Not so much ambitious as nostalgic.
Both POC and ROC consider themselves China.
wdym? My LLM told me it's a single country,
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
Taiwan is the country that uses "mainland" (大陸 dalu) to refer to China
HKers also refer to the rest of China with 大陸 from my experience.
Yes
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
/s/Mainland//
FTFY.
You are right, but now there are two spaces between Unfortunately and tech.
That’s to represent the slop that is modern tech.
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
Now, why do you think that might be?
because its true lol
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
This only reinforce the image, software/hardware from China and no ethics. They will do whatever they can to get hold of their user's info.
This is ugly and bad.
Meanwhile they do tell you they collect everything
https://www.mumuplayer.com/privacy-policy.html
Not to defend them, but just feel sad about the world.
"other network/technical information" is pulling a lot of weight there.
Where does in that webpage say they're collecting output of `ps aux`?
I think it's this part:
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
MacOS is not privacy focused, it's marketing focused.
Specifically: can we market this [feature/change/refusal/etc...]?
I've never heard people describe macOS as 'privacy focused.' Perhaps copywriting from Apple itself?
iOS maybe. macOS no.
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone. Where i felt especially bad was Dead by Daylight mobile. Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
Look into GrapheneOS. Or Calyx
Don’t feel bad.
Enjoy the games and feel good.
I think people who create such spy-software need to go to prison for +10 years mandatorily. CEOs who are involved here should go to prison as well.
years ago everyone used a personal firewall called "little snitch" that would make this behaviour visible. Do we trust OS supplied security too much?
the gist author being new and the writing looking polished doesn't change that the log files are right there on disk for anyone to verify. ls the directory and read the output yourself.
>the writing looking polished
it's AI slop. And they obviously collect the Mac hardware ID because the emulator is DRM'd and the license & trial is bound to your HW ID.
But how is that different from your usual SaaS using 3 kinds of intrusive analytics packages at the same time?
If was open source then could remove the reconnaisance
Source code is neither necessary nor sufficient.
All you need is the ability to edit any byte on your hard drive. ;-)
Generally, I dont use a hard drive
I run programs from RAM (mfs and/or tmpfs)
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses! This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
I am curious how the author of the GitHub gist managed to figure all this out. Any ideas?
You can use fsevents to see which apps write where and firewalls will tell you which app is connecting to the internet.
the scheduling is the tell. 17 commands every 30 min isn't analytics or crash reporting - that's systematic fingerprinting with a consistent cadence.
what's frustrating is this is basically invisible without running in a monitored environment. static analysis won't surface it. you'd need behavioral monitoring - network traffic plus syscall tracing - to even know it's happening.
seen similar patterns in CI/CD tooling actually. less blatant but same mechanism - process phoning home way more often than you'd expect, commands that look like routine system auditing. most devs assume third-party tools behave themselves.
Android emulator used by Chinese gamers for competitive online games have anticheat, news at 11.
yeah like… no shit?
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
Privacy is a totally different concept in China, this becomes very clear once you visit a public toilet in Beijing’s Hutongs.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
Totally, Chinese software would never do anything like that. Shocking news, I say, shocking!
I didn't disagree with that?
"It certainly sounds like something an app from a big Chinese company might do"
Doesn't mean I want to blindly trust a random source about it though.