Are Xiaomi browsers spyware? Yes, they are (2020) (palant.info)
goodells 1139 days ago [-]
Related to Xiaomi, the company is also doing some sketchy things in the smart home space under their brand "Aqara". I use HomeKit in my apartment and opted for Aqara branded wireless buttons and temp/humidity sensors because of the attractive hardware and good reviews. The devices require a wi-fi connected hub, not too strange for things that use Zigbee, so I gave that a go.

Well, on cursory examination, the Aqara/Xiaomi hub was talking to a bunch of Chinese servers constantly. I didn't dive too deep into what all they were actually for. When I blocked the device from phoning home with my router, all the connected devices stopped working! None of the buttons or sensors would work, the RGB light on the hub couldn't even be changed. As soon as it lost the ability to ping its servers in China, the thing actually started strobe light flashing blue. Re-enable the outside network access on it, starts working again. This was totally antithetical to why I use HomeKit in the first place, so I removed the hub and paired all the Aqara accessories with a generic open source Zigbee hub (ConBee II) and added it to HomeKit with HomeBridge.

In the future I plan to give brands more scrutiny before investing time/money in them and granting them unfettered access to my LAN...

ornornor 1138 days ago [-]
I use some xiaomi connected lamps. First thing I did was connect them to home assistant via a dedicated VLAN that has no internet access. I see pages and pages of denied connections in the firewall from the smart lamps. They work with HA just fine, I just wonder what they’re trying to do with these servers. This is pure speculation but I’m convinced that all these smart devices from China are the largest state sponsored Trojan horse program in history. They’re probably not interested in you and me but since everyone and their dog has these devices, it’s possible to access and infiltrate any given high value target with these. No one even knows what’s in the firmware. I have no illusions other countries are doing the same, but none have the reach that Chinese branded electronics do. Bar google maybe.
dvfjsdhgfv 1138 days ago [-]
I was thinking the same. The Mi ecosystem seems nice, has good reviews, and is relatively inexpensive. You can control everything from one app and they make things easy for you. Among many appliances they also have inexpensive IP cameras. When you think about it, it's really scary. They have all possible sensors and several actuators. With time, it may get much worse.
nextos 1138 days ago [-]
I love some of their non-smart devices that can't spy on me. For example, their Mijia precision screwdrivers are exceptionally good quality (Wiha heads) and the price is fair.

Their phones running Android One are also fine and can be reflashed. But the rest of the items are quite shady. I have sniffed the network traffic some devices generate and it's quite scary.

The same thing applies to other Chinese industrial equipment. For example, I know some labs put BGI sequencers inside airgapped subnetworks because of industrial espionage fears.

madacol 1137 days ago [-]
How do you reflash those Androids? It's been hard for me trying to find a trustworthy ROM for a Mi A2 Lite.
orestarod 1136 days ago [-]
Why not LineageOS?
madacol 1133 days ago [-]
There's no ROM for my model =(
deepstack 1138 days ago [-]
the company is also doing some sketchy things in the smart home space under their brand "Aqara"

The whole idea of connecting everything to the internet is getting out of hand.

1. Internet and digital infrastructure has no integrity as how it is currently.

2. Anything for home, machinery, all should work when there is NO internet connection. Just like an app should work (to some extent) in airplane mode. It really comes down to the idea of data/device sovereignty.

Is this my device or not? If I need to ping some place in China to get this working, then make it clear on your front page that it is a lease.

mcv 1138 days ago [-]
The only company I would trust with home automation at this point is IKEA. They're the only ones doing this who are actually in the business of making their customers' homes nice, rather than collecting and monetizing their customers' data.

(And now I'm half expecting someone to respond that IKEA also collects our data. I don't know if they do, and I'd expect them not to, but I'd really like to know if they do.)

amelius 1138 days ago [-]
It's a company. With shareholders. Even if you can trust them now, that's no guarantee for the future. Trusting companies is just silly.
skeeter2020 1138 days ago [-]
I guess this is technically true, but then you're a person and some people do terrible things, therefore you must be terrible?

I think what the GP is stating is that Ikea's model is based on selling home goods, so the incentives align to sell you home goods, not collect data for the Dutch government. Apple could steal all your most private data as well, but their business is luxury electronics so it's not in their best interest. Could this change? Absolutely, but are you more concerned with what could be, or what currently is?

amelius 1138 days ago [-]
> I guess this is technical true, but then you're a person and some people do terrible things, therefore you must be terrible?

People are on average far more predictable than companies. A company is like a person with a very unstable personality. And the predictable component of a company's behavior is usually selfish and evil, whereas the predictable component of a person's behavior is usually good.

dna_polymerase 1138 days ago [-]
> It's a company. With shareholders.

It's owned by a Dutch foundation which serves to "promote and support innovation in the field of architectural and interior design" (via [0]). Oh, and something about kids in developing countries.

[0]: https://en.wikipedia.org/wiki/Stichting_INGKA_Foundation

amelius 1138 days ago [-]
IKEA has a complex corporate structure which was created specifically because of the high Swedish taxes. Hence the Dutch connection.

Also, read the criticisms section of that link. Only after publication of the criticism in the Economist did the family who owns IKEA take action. Now imagine what happens if the family has less control in the future. Also, supporting innovation and supporting developing countries does not mean "don't track users", etc.

mywittyname 1138 days ago [-]
Shareholders care about public perception. Selling user data isn't that profitable. It makes sense that a company would weigh in the potential cost to the brand when determining whether to sell user data.

I could see IKEA using their "good behavior" as a marketing expenditure or selling point. Much like Apple does. This would align well with their general brand perception vis-a-vis sustainability and whatnot.

blaser-waffle 1138 days ago [-]
The only people that care about this sort of thing are here, on Hacker News, or on similar tech forums.

My mom isn't going to care, she's going to get something because she thinks it looks cool and the brand is eco-friendly or some shit.

There is a demand for bulletproof cars and blackout curtains, but judging by what I see in my neighborhood, I wouldn't invest heavily in a company that makes those things. But the latest fashions, made sustainably, in POC & women owned business, OMG SO AWESOMEMMEMEME

conjectures 1138 days ago [-]
I realise this is an opinion du jour around here now, but it's a pretty paranoid take on the market economy.

I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke. They don't need to be good people, they just have to care about making money in the future. The fact that I think they care about that is why I can trust that the can of coke in fact contains coke with high probability.

amelius 1138 days ago [-]
> I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke.

Perhaps but if the company could sell you more coke by having your personal data, it would be silly to assume they would not explore that route.

hrktb 1138 days ago [-]
When we buy genuine Xiaomi lightbulbs it’s definitely Xiaomi lightbulbs in the package, that’s not the argument.

The question is what happens at the purchase time, and afterwards. To bring back the coke you love, there’s Coca-Cola vending machine that will accept payment from a cell phone, linking with the vending machine through NFC.

What happens to your info when you download the app, what do they do with your purchase history? Does your data stay in the 'coke' silo or move to all the other sister brands and partner marketing firms to infinity and beyond? Do they scan the other apps on your phone to better profile you? Do they lobby where you live to get rid of blocking rules when they track that you buy less because of them?

That’s the questions that would come with ‘buying a coke’

einpoklum 1138 days ago [-]
> I trust that if I buy a can of coke, it will contain coke because coke want to keep selling me coke

You don't even know what coke is, since that formula is kept secret (well, Coca Cola's at least). Also, in some countries, you'll get high-fructose corn syrup instead of cane sugar, which is believed to increase the risk of fatty liver disease, obesity etc. (caveat: Some believe the evidence is not conclusive enough for certainty.)

And why don't they just "sell you coke" everywhere? Because it makes them more money. And the raison d'etre of a commercial company/corporation is pecuniary gain. Profiting. Making money. Management is obligated to act so as to maximize profit (under legal obligations etc. etc.)

This brings us to your first point:

> it's a pretty paranoid take on the market economy.

No, it's literally what commercial companies' charters and fundamental structure requires. No conspiracy theory or paranoia.

In context of spying - if the company has determined their profits would improve by them spying on you, and that they can get away with it - then it's pretty likely they will indeed spy on you.

conjectures 1138 days ago [-]
The point is that if I want a can of sugar water (or aspartame) I can reliably find one. I'm unlikely to pop the tab and find kombucha or sand.

'Companies are out to make money' is not the debate trump card you seem to think it is. In fact the same view is embedded in my previous comment. The question is, given it's true what's the range of phenomena that result, what works well, what badly etc?

krageon 1138 days ago [-]
> market economy

If your argument for the market economy working in a way that shouldn't inspire paranoia is based on trust and distinguished consumer choice, you've not been paying attention to world news or you're arguing in bad faith.

conjectures 1138 days ago [-]
> If your argument for the market economy working in a way that shouldn't inspire paranoia is based on trust and distinguished consumer choice, you've not been paying attention to world news or you're arguing in bad faith.

No, I think you missed the point. It's based on greedy organisations being predictable. Amazon will send stuff we order so that we buy more stuff from them. Electricity grid with zero regulation will fail to invest in preventative measures against extreme events. Trust or distrust arises from the particular game theoretic situation we're talking about. Simply thinking every corporation will screw us at every moment is the paranoia.

AniseAbyss 1138 days ago [-]
IKEA is a European company. Can't trust America, it's bought and paid for by corporations, and the Chinese are enigmatic: who knows what they want?
ericd 1138 days ago [-]
Is this satire?
kennu 1139 days ago [-]
I have a cheap air quality meter which basically connects to an MQTT broker server in China to transmit its readings constantly. The phone app connects to the same MQTT server, subscribes to a topic and receives the readings. I guess this is a very simple way to do it. Too bad the MQTT server has no authentication so you can actually subscribe to any topic. Many IoT solutions seem to be made by developers not very experienced in security.
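An added example, not from the thread and not any vendor's code, of the check kennu describes: build MQTT 3.1.1 packets by hand, connect with no username or password, and read the broker's CONNACK return code. A return code of 0 followed by an accepted SUBSCRIBE to the `#` wildcard is exactly the "subscribe to any topic" condition. The broker address, client id and the sample PUBLISH frame are constructed for illustration; `check_anonymous_access` only opens a socket when you call it, so everything else runs offline.

```python
"""Offline MQTT 3.1.1 packet encoder/decoder for probing anonymous broker access.

Added example, not part of the original discussion. The client id, topic and
SAMPLE_PUBLISH frame below are constructed for illustration.
"""
import socket
import struct

# CONNACK return codes from the MQTT 3.1.1 specification (section 3.2.2.3)
CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _varint(n: int) -> bytes:
    """Encode an MQTT 'remaining length' (variable byte integer, 7 bits per byte)."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_varint(data: bytes, pos: int):
    """Decode a remaining-length field starting at pos; return (value, next_pos)."""
    value, mult = 0, 1
    while True:
        b = data[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
        if mult > 128 ** 3:
            raise ValueError("malformed remaining length")


def _utf8(s: str) -> bytes:
    """MQTT UTF-8 string: two-byte big-endian length prefix plus the bytes."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def encode_connect(client_id: str, keepalive: int = 30) -> bytes:
    """CONNECT with clean session and *no* username/password flags, i.e. anonymous."""
    body = _utf8("MQTT") + b"\x04" + b"\x02" + struct.pack("!H", keepalive) + _utf8(client_id)
    return b"\x10" + _varint(len(body)) + body


def encode_subscribe(topic_filter: str, packet_id: int = 1) -> bytes:
    """SUBSCRIBE at QoS 0; the filter '#' matches every topic the broker lets us see."""
    body = struct.pack("!H", packet_id) + _utf8(topic_filter) + b"\x00"
    return b"\x82" + _varint(len(body)) + body


def decode_connack(data: bytes):
    """Return (session_present, return_code); raise if the frame is not a CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK")
    return bool(data[2] & 0x01), data[3]


def decode_publish(data: bytes):
    """Parse an inbound PUBLISH frame into (topic, qos, payload)."""
    if data[0] >> 4 != 3:
        raise ValueError("not a PUBLISH")
    qos = (data[0] >> 1) & 0x03
    length, pos = _read_varint(data, 1)
    end = pos + length
    (tlen,) = struct.unpack("!H", data[pos:pos + 2])
    pos += 2
    topic = data[pos:pos + tlen].decode("utf-8")
    pos += tlen
    if qos:
        pos += 2  # packet identifier is present only for QoS 1 and 2
    return topic, qos, data[pos:end]


# Constructed frame: what another user's sensor reading would look like on the wire
SAMPLE_PUBLISH = b"\x30\x1e\x00\x11sensors/0042/pm25" + b'{"pm25":12}'


def check_anonymous_access(host: str, port: int = 1883, timeout: float = 5.0) -> str:
    """Connect without credentials and report the broker's verdict as text.

    Only run this against brokers you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_connect("probe-client"))
        _, code = decode_connack(s.recv(4))
        if code == 0:
            s.sendall(encode_subscribe("#"))  # anonymous wildcard subscribe
        return CONNACK_CODES.get(code, f"unknown ({code})")
```

A broker that answers 5 ("not authorized") to an anonymous CONNECT is doing the minimum right; one that answers 0 and then delivers PUBLISH frames for `#` is the situation described above, and `decode_publish` shows how little work it takes to read them.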
amenod 1138 days ago [-]
Are you saying you can actually read the air quality readings of other users? That's... quite an oversight. :-/
kennu 1138 days ago [-]
The actual MQTT payload seemed to have some sort of custom encryption on it (not the usual MQTT-over-TLS). I didn't dig deep enough to find out how it works, but it didn't seem very sophisticated.
Siira 1138 days ago [-]
Free big data for everyone.
baybal2 1138 days ago [-]
The whole of Internet will know when you spoil the air :P
Foivos 1138 days ago [-]
I know that you are joking, but the data from an air quality monitor can reveal a lot of useful things, such as when somebody is at home.
paulcarroty 1138 days ago [-]
> the Aqara/Xiaomi hub was talking to a bunch of Chinese servers constantly

It's not only a Xiaomi issue: many top-brand and no-name Chinese smartphones steal user data and show ads inside their UIs. Cheap hardware & user data mining - great business model.

The same with apps: https://www.vietnambreakingnews.com/2019/01/es-file-explorer...

jhvkjhk 1138 days ago [-]
That’s why AI tech is much more advanced than any other Computing subjects in China, they get massive free data to train their networks.
bombcar 1139 days ago [-]
It’s absolutely infuriating how many IoT devices round trip to the cloud for no good reason at all.
helloworld11 1139 days ago [-]
Not quite for no good reason at all. For someone else who programmed them to do this, it is for a very self-servingly good reason of data vacuuming obsession, it just happens to be no good reason for the customer.
baybal2 1139 days ago [-]
The thing is, they really don't. They just stop working after a few minutes of no connectivity.

No real roundtrip happening.

sampo 1138 days ago [-]
> temp/humidity sensors

If you're into writing your own code, https://ruuvi.com/ has bluetooth low energy sensors that transmit temperature/humidity/air pressure/3d-acceleration data with an open protocol, also their firmware is open source. They have a mobile app that displays readings from sensors, but for anything else you'd need to set up your own data logging or home automation server.

La1n 1138 days ago [-]
I can also recommend ESPHome, it supports many sensors and runs on basically anything with an ESP32 or 8266. It's open source and super easy to integrate with Home Assistant.

edit: and -> a

nialv7 1139 days ago [-]
> The devices require a wi-fi connected hub, not too strange for things that use Zigbee

Wait, why would Zigbee devices require Wi-Fi connection? That would be a red flag for me, I would have avoided products like this.

Yaggo 1139 days ago [-]
They don't. You can use Aqara-branded Zigbee devices just fine with Home Assistant (open source), no proprietary cloud services required. With most manufacturers' own hubs it's a whole different story: basically they all talk to their cloud, that's how they are designed. I can see why, that's the easiest option for the average consumer, plug & play.

https://www.home-assistant.io/integrations/xiaomi_aqara/

tirpen 1138 days ago [-]
Usually so you can control the devices from your smartphone. Phone talks to hub over local wi-fi, hub talks to devices over Zigbee. They might have a web interface where you can program schedules for the lights, define "scenes" and such. So it's not entirely pointless.

There is however no reason why the hub should have internet access though.

allyant 1138 days ago [-]
I believe they are used to allow the users to control their devices outside the network.
txdv 1139 days ago [-]
I blocked all Chinese subnets because of the constant tries to log in to my servers.

Obviously Xiaomi devices do not work in my network anymore.

yurielt 1138 days ago [-]
Also, can you make a guide on how to do it?
BelenusMordred 1138 days ago [-]

    # needs the xtables-addons geoip match and its country database installed
    iptables -I INPUT  -m geoip --src-cc CH -j DROP
    # outbound traffic is matched on the destination country, not the source
    iptables -I OUTPUT -m geoip --dst-cc CH -j DROP
No guide needed.
eznzt 1138 days ago [-]
CH is not China but Switzerland.
zeepzeep 1138 days ago [-]
CN then?
BelenusMordred 1138 days ago [-]
Correct, I messed up the original country code.
Siira 1138 days ago [-]
V2ray has the option to route based on geoip, but it creates a socks/http proxy, not a whole system solution.
CountSessine 1138 days ago [-]
Really, it’s probably just telemetry data. It’s probably for QA and maybe even follow-up sales.

Not that that is at all ok - it’s really not. But China is a country where there’s no concept of privacy - when companies are actually required to keep tabs on their customers and report data back to the state on a regular basis without legal oversight from an independent judiciary, the notion that the company isn’t entitled to peek in on you must be an alien idea.

jwr 1138 days ago [-]
My Xiaomi devices (air purifiers) are on a different network, which I created specifically for sketchy "IoT" devices. It is physically separated, with separate addressing, and connected only at the exit router, where it is firewalled from the rest of my network.

It doesn't mean Xiaomi doesn't learn everything about my air quality, temperature and humidity, but it at least decreases the attack surface.

nyx_ 1139 days ago [-]
I use a couple of Aqara sensors to report temperature back to my Home Assistant instance via a HUSBZB-1 USB Zigbee dongle[0]. They work pretty well, although they report data pretty infrequently absent any large temperature swings, so not great for data-viz purposes.

I'm not at all surprised the hub thing constantly chats with its family back in China, but a properly security-paranoid home automation aficionado wouldn't be caught dead giving some proprietary black box power and network inside their own home.

[0] https://shop.homeseer.com/products/nortek-usb-zigbee-zwave-i...

methodsignature 1138 days ago [-]
> but a properly security-paranoid home automation aficionado wouldn't be caught dead giving some proprietary black box power and network inside their own home.

That sounds like the definition of a cell phone.

nyx_ 1138 days ago [-]
Don't even get me started. :( It gives me pangs of cognitive dissonance every time I use my Android phone to type up a rant about how creepy Google is. I'd love to walk the talk, but my impression is that FOSS Linux phones aren't really viable yet if you're interested in things like, you know, functional power management or a Bluetooth stack that actually works.
riston 1138 days ago [-]
About the smart home space, there is also Home Assistant which basically provides all the tools to keep everything isolated from internet.
gverrilla 1139 days ago [-]
Couldn't you just return the hardware to the store and receive payback where you live?
ericd 1138 days ago [-]
Does anyone know of any good resources on how to kit out a home with sensors that speak strictly locally/have no cloud connectivity?

Is the answer just to find zigbee-only gear?

melomal 1138 days ago [-]
> was talking to a bunch of Chinese servers constantly

Out of curiosity do you want Chinese companies to use US servers? Or where would servers be ideally placed for a Chinese brand to be accepted? I genuinely am curious to know.

dylan604 1138 days ago [-]
Is this a serious question? How about don't contact any external server unless the user clicks an update button (or possibly on a schedule time the user has specifically allowed). After that, there is no legit reason for a device sensing the temperature in my home, a light switch, an electrical plug to ever call "home" about how it is being used. Maybe, just maybe, if the device detects that it is failing or other serious errors that might be okay, but if and ONLY if the user has specifically allowed that to happen. I don't care if the server is located in the US, China, Timbuktu, or Atlantis, and I don't care if the company is based in the US, China, or Martian. Just don't do it.
pferdone 1138 days ago [-]
I think you're both on the same page here, but (and I'm also guessing here) I think OP implies there's a certain bias when it comes to Chinese servers. And I too have this feeling, that if it's a server in the "western world" not a lot of people would bat an eye. But if it's a Chinese or Russian server, now that's something "we don't want".
melomal 1138 days ago [-]
This is what I am trying to figure out. I have a UK focused website therefore I use UK based servers, US focused website I use US based servers.

Aren't most processing chips/hardware made in China for all major western tech companies anyway? I get the RU/China server suspiciousness but as far as I can tell, US unicorns are up to the same tricks and openly/brazenly pillaging data without any threat or fear.

buran77 1138 days ago [-]
We're in a western/US-centric bubble here on HN. People are aware data collection is bad, they'd rather not have it at all even if they'll accept some from Google, MS, Amazon, etc., but most of all they'd rather not have China/Russia/NK/etc. have any of that data. As you can already tell, just asking the question is enough to get flak.

Otherwise most consumer products (devices or software) phone home for one reason or another, whether it's telemetry and data collection, basic functionality that's implemented exclusively via cloud, or more advanced cloud features. It's down to deciding whether you trust western legal system and increased transparency to deal with the nefarious aspect of data collection, rather than the Russian, Chinese, etc. legal systems and transparency.

Almost every device or software with network connectivity I played with phoned home: the Philips Hue gateway (Netherlands), Tado (Germany), Apple Homepod (US), Amazon Alexa/Fire* stuff (US), Synology (Taiwan), Unifi Controller (US), LG/Samsung smart TVs (South Korea), Google Chromecast (US), random assortment of network connected cameras (China, Taiwan), and a big etc. here. Some do a better job than others and just connect for basic stuff as far as I can tell, some enabled telemetry without asking and after the backlash ask again after every update, some have no option to disable this connectivity, etc.

One thing that trips most people looking at this for the first time is when they start off with blocking internet connectivity for the least trustworthy devices (Chinese brands) and immediately see a zillion attempts being blocked, even if the device keeps working. They conclude the devices are trying to exfiltrate that much data. They're most likely constantly reattempting until they get a response. Some of my network cameras would try every second but after a successful connection the flood stopped and they barely sent anything.

I chose to "complicate" my life a bit and buy hardware that I can flash with some open source firmware cutting out the cloud features completely, or connecting via "home made" solutions everywhere I can then using my home VPN to control them if needed. Whether China or the US have that data is of little real consequence to me right now but it's a matter of principle and I'd rather not shift my principles based on geography.
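An added example, not from the thread, of how to tell the two cases buran77 distinguishes apart: a device hammering one endpoint every second because it was blocked, versus a device reaching out to many different services. It parses constructed log lines in the style of the netfilter LOG target (prefix `IOT_DENY`, an assumed name; real prefixes and field order vary, adjust the regex) and reports per device how many attempts there were, how many distinct destinations, the cadence, and how many bytes were actually blocked. Blocked SYNs carry no payload, so the byte count is a useful reality check on "they are exfiltrating that much data".

```python
"""Summarise blocked outbound connection attempts from firewall log lines.

Added example, not from the original thread. SAMPLE_LOG is constructed in the
style of the netfilter LOG target with an assumed 'IOT_DENY' prefix.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: IOT_DENY .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

# Constructed: a lamp retrying one TLS endpoint once a second, and a camera
# trying three different services; one unrelated dnsmasq line is skipped.
SAMPLE_LOG = """\
Mar 14 10:00:00 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:00 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2001 DF PROTO=TCP SPT=40001 DPT=8883 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:01 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:02 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:03 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=51237 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:04 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1005 DF PROTO=TCP SPT=51238 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:05 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.12 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1006 DF PROTO=TCP SPT=51239 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 14 10:00:07 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=198.51.100.6 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=2002 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 14 10:00:09 router dnsmasq[1234]: query[A] example.invalid from 192.168.50.20
Mar 14 10:00:15 router kernel: IOT_DENY IN=br-iot OUT=eth0 SRC=192.168.50.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2003 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""


def parse(lines: str):
    """Yield (timestamp, src, 'dst:port' or 'dst/proto', ip_len) for each matching line."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a drop record from our chain
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        dst = f'{m["dst"]}:{m["dpt"]}' if m["dpt"] else f'{m["dst"]}/{m["proto"]}'
        events.append((ts, m["src"], dst, int(m["len"])))
    return events


def summarize(lines: str, retry_share: float = 0.8, min_attempts: int = 5) -> dict:
    """Per source device: attempts, distinct destinations, cadence, bytes, verdict.

    'retry loop' means one endpoint absorbs most attempts at a steady cadence;
    'many endpoints' means the device is genuinely reaching for several services.
    """
    by_src = defaultdict(list)
    for ts, src, dst, length in parse(lines):
        by_src[src].append((ts, dst, length))
    report = {}
    for src, evs in by_src.items():
        evs.sort()
        dests = Counter(d for _, d, _ in evs)
        top_dst, top_n = dests.most_common(1)[0]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        share = top_n / len(evs)
        if len(evs) >= min_attempts and share >= retry_share:
            verdict = "retry loop"
        elif len(dests) > 1:
            verdict = "many endpoints"
        else:
            verdict = "too few attempts to judge"
        report[src] = {
            "attempts": len(evs),
            "destinations": len(dests),
            "top_destination": top_dst,
            "top_share": round(share, 2),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "bytes_blocked": sum(l for _, _, l in evs),  # IP total length of dropped packets
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, row in summarize(SAMPLE_LOG).items():
        print(src, row)
```

On the constructed sample the lamp shows six attempts to one endpoint at a one-second cadence and 360 bytes of blocked headers, which is a client retrying a single connection, while the camera's three attempts go to three different services. Run over a real log, the `destinations` and `median_gap_s` columns answer the question that a raw count of denied lines cannot.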

melomal 1138 days ago [-]
Thank you for your response and clarification! Your point on the multiple attempts to connect etc seems to make sense. I would imagine a lot of people checking these requests may jump to conclusions that every piece of data is being pulled across.

> just asking the question is enough to get flak

You are definitely right about that!

kwanbix 1138 days ago [-]
Of course (almost?) no government is a saint. However, China is a totalitarian non-democratic government. I would fear the Chinese government much more than the US or UK governments, for example. But I might be too naive.
melomal 1138 days ago [-]
> I would fear the Chinese government

If you are outside of China then surely there is nothing to really be scared of? What could the Chinese government do with your data that could cause harm?

I get it's the principle but ultimately we are all scared of sharing our data with China and I am not sure why?

AniseAbyss 1138 days ago [-]
I don't get it either. Whenever someone uses the words "the West" I cringe, because every goddamn privacy invasion has come from our friendly American overlords. Who, I might add, are not just like us.
melomal 1138 days ago [-]
> I cringe because because every goddamn privacy invasion has come from our friendly American overlords

Exactly! It seems that the propaganda machine is still rolling heavy.

mmmmmk 1138 days ago [-]
There is a big difference. An open, democratic government can be peacefully corrected. A closed, totalitarian government cannot be. If the chinese and russian governments were open, then we could worry less about them.
osmarks 1138 days ago [-]
Western governments operate mass surveillance programs seemingly without any public open oversight or democratic input.
melomal 1138 days ago [-]
The United Kingdom has more CCTV activity than any other European country, per capita. No-one bats an eyelid. They have also been using facial recognition to find people in the crowd with a really poor rate of success. No one seems to bat an eyelid, China does the same and everyone is going crazy.
kwanbix 1137 days ago [-]
The big difference is that you can say President USA is this and that and nothing will happen to you. But speak badly of the Chinese government and you would end up in a shithole for life. Or worse. Or say something bad about the N Korean leader, for example. This is totally different.
kwanbix 1138 days ago [-]
With totalitarian governments, you never know.

Look what happened to Alexei Navalny.

Look what happened to Sergei and Yulia Skripal in UK?

Again, I am not saying the other governments are saints, but I feel you have much more options in democratic countries.

melomal 1138 days ago [-]
> Look what happened to Sergei and Yulia Skripal in UK?

The UK is Russia's poison playground so in this instance it would seem that realistically no one is safe, even if you reside in a democratic country. But then again these were people with major clout or enemies of the state.

BigJ1211 1137 days ago [-]
I think most people assume totalitarian regime that's interested in at the very least being the economic powerhouse of the world, won't have good intentions with collecting everyone's data.

A far better assumption than: "well others do it too, therefore nothing about it can be more nefarious."

I do not want anyone getting their hands on my data, but in order of regions collected data this is my 'preference': EU >>> US > RU >> CN

yumraj 1138 days ago [-]
If Chinese companies place servers in US, then these servers would just be a proxy to feed data to Chinese servers.

To each their own, but I think China will have to fundamentally change at this point for me to have any trust in any Chinese companies. Just look at Alibaba. If they are not safe from CCP influence, then it is safe to assume that all Chinese companies are just shells, or under influence of, the CCP.

melomal 1138 days ago [-]
I get the fear but what do you imagine would happen to you and your data if the Chinese government got their hands on it? Will they create an internal credit system for the West? If so, how would this affect you.

I'm genuinely curious what people fear will happen to them and their data if it went to a Chinese server. What are the consequences? What is the difference between Amazon running A/B tests to get as much money from you as quickly as possible VS TikTok trying to improve their suggestion algo to improve their engagement for increased ad revenue?

higerordermap 1137 days ago [-]
They collect data of all other countries. As their devices become pervasive, the data and thousands of RCEs serve as an aid to intelligence, if your country is competing with or in a fight with China, this is actively harmful.
bigphishy 1139 days ago [-]
Hahaha holy shit
cavendish3313 1138 days ago [-]
Xiaomi did one thing wrong: It is a Chinese brand.
mensetmanusman 1138 days ago [-]
Amazon should be fined for selling IoT devices that do this. It is likely a threat to America’s infrastructure.

Imagine if China could stop all smart homes from working if a politician said something about concentration camps.

Do you think the average american cares more about their garage door opener working or the camps?

danpalmer 1139 days ago [-]
This paragraph stood out to me:

> The intention here seems to be that aigt is the timestamp when the ID was generated. So if that timestamp deviates from current time by more than 7776000000 milliseconds (90 days) a new ID is going to be generated. However, this implementation is buggy, it will update aigt on every call rather than only when a new ID is generated. So the only scenario where a new ID will be generated is: this method wasn’t called for 90 days, meaning that the browser wasn’t started for 90 days. And that’s rather unlikely, so one has to consider this ID permanent.

If we assume that Xiaomi aren't literally trying to spy for a government and are in fact just poorly calibrated on what's legitimate to collect for product analytics purposes, this paragraph highlights why that's still incredibly dangerous despite "good intentions".

I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice.

This paragraph seems to suggest a similar problem at Xiaomi. This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points. The fact it wasn't suggests that these stages either don't exist or are insufficient.
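An added example, not Xiaomi's code and not from the thread, that reproduces the shape of the bug the quoted paragraph describes so it can be seen in a test rather than argued about: a stored creation timestamp (`aigt`) is supposed to trigger regeneration of the identifier after 7776000000 ms (90 days), but the buggy variant refreshes `aigt` on every read, so the identifier only ever rotates after a 90-day gap in calls. The function and store names are assumptions; the constant is the one quoted. A simulated clock drives both variants over a year.

```python
"""Buggy versus corrected rotation of a persistent analytics identifier.

Added example; the bug shape follows the quoted paragraph, the names and the
in-memory store are assumptions used for illustration.
"""
import secrets

NINETY_DAYS_MS = 7_776_000_000  # the rotation window quoted from the article
DAY_MS = 86_400_000


def _new_id() -> str:
    return secrets.token_hex(16)


def get_id_buggy(store: dict, now_ms: int) -> str:
    """As described: aigt is refreshed on every call, so the age check never fires
    unless the method itself is not called for 90 days."""
    if "id" not in store or now_ms - store.get("aigt", 0) > NINETY_DAYS_MS:
        store["id"] = _new_id()
    store["aigt"] = now_ms  # bug: should only be written when a new ID is generated
    return store["id"]


def get_id_fixed(store: dict, now_ms: int) -> str:
    """Stamp aigt only when an identifier is actually created."""
    if "id" not in store or now_ms - store["aigt"] > NINETY_DAYS_MS:
        store["id"] = _new_id()
        store["aigt"] = now_ms
    return store["id"]


def simulate(get_id, days: int) -> int:
    """Call get_id once a day for `days` days; return how many distinct IDs were handed out."""
    store, seen = {}, set()
    for day in range(days):
        seen.add(get_id(store, day * DAY_MS))
    return len(seen)


def rotates_after_gap(get_id, gap_days: int) -> bool:
    """Two calls separated by a gap: does the second call yield a fresh identifier?"""
    store = {}
    first = get_id(store, 0)
    second = get_id(store, gap_days * DAY_MS)
    return first != second


if __name__ == "__main__":
    print("buggy, one call per day for a year:", simulate(get_id_buggy, 365), "distinct IDs")
    print("fixed, one call per day for a year:", simulate(get_id_fixed, 365), "distinct IDs")
```

A daily-used browser with the buggy variant keeps one identifier indefinitely; the fixed variant yields a new one every 91 days (the check is strictly greater-than). Both variants still persist a device-unique value for months, which is the part a security review should have questioned before anyone got to the off-by-one in where `aigt` is written.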

sammorrowdrums 1139 days ago [-]
Genuinely, I really want to see Purism succeed and increasing numbers of competitors in that space, because we need tools that don't require so much blind trust. Whether caused by inept software devs, scope for malicious code / backdoors in firmware, analytics spyware, and whether this stuff is well intentioned or not, if it can be abused, it will be.

Open source and verifiable down to the firmware is the only chance we have at any real level of trust; otherwise, as is always apparent in these conversations, it often falls to who you think could compromise your device and making your bed with it, like the USA not China or vice versa.

cosmodisk 1139 days ago [-]
The problem is that purism doesn't pay as much as all the tracking, preinstalled bloatware, random 3rd party utilities and other stuff. This will never ever be solved through competition,because people either don't care, or there aren't enough of those who do. Legislation is the only way to make it work, but then again, that's hardly an option for most of the world.
fsflover 1138 days ago [-]
Purism are trying to lobby for the legislation [0] and to change the industry [1].

[0] https://puri.sm/posts/purisms-ceo-todd-weaver-testifies-at-s...

[1] https://wp.puri.sm/posts/breaking-ground/

javajosh 1139 days ago [-]
There is clearly at least a niche market for "transparent devices". See https://www.crowdsupply.com/sutajio-kosagi/precursor for example.
euske 1139 days ago [-]
> Open source and verifiable down to the firmware

While I agree with your intent, the problem is that, many open source software is not verifiable.

Remember that a Kaggle competitor was openly cheating with his published code? (cf. https://www.theregister.com/2020/01/21/ai_kaggle_contest_che... ) Eventually he got caught, but it's sometimes extremely difficult to spot a well-hidden malicious code in a plain sight. We need to be much better at analyzing software.

ShroudedNight 1138 days ago [-]
While having the source available is not a panacea, it would seem that, at least in the case you mentioned, not having the source code would have allowed for the cheating to continue with impunity, as there would have been no way for anyone to begin to discover what had been going on. That would suggest that having the source available is a necessary part of establishing real trust, even if it's not sufficient.

> While I agree with your intent, the problem is that, many open source software is not verifiable.

To me, this sentence reads as "That's a nice idea, but untenable in practice." rather than "Open source is necessary, but shouldn't be considered sufficient.", which strikes me as counter-productive to the objective of easily verifiable software.

fsflover 1138 days ago [-]
> many open source software is not verifiable

Open source software is more verifiable than closed source though.

sammorrowdrums 1139 days ago [-]
Yeah, you are definitely correct on the lack of verification tools and I hope research on that one day breaks out of academia and into more common usage. The Kaggle story is great. One mildly related thing is Purism's bootloader tampering detection with their "librem key". Naturally it does nothing to verify the running code, but it does feel like knowing you're running the code you thought you were has some merit.

I think maybe some replies have interpreted my comment as naively assuming that open source firmware would mean complete trust. I just think it is a good step on the journey.

giantrobot 1139 days ago [-]
Purism is never going to end up with fully open source baseband firmware. It's not going to happen because the radios are subject to several regulations, which means customers must not be able to modify that firmware. There's always going to be a trust hole.
phkahler 1139 days ago [-]
You can still make the code and tool chain open source. Then require a key to write to the device. Reading could be allowed.

This can work where everything is in the open except a private firmware signing key.

fsflover 1138 days ago [-]
People should push for open source as much as possible. At some point it will be easier to lobby for the new regulations when everything else is fully open source. See also: https://forum.pine64.org/showthread.php?tid=11815
giantrobot 1138 days ago [-]
The regulations around radios exist because the spectrum is limited and emissions propagate over a wide area. You and I (assuming you're in the US) have the same standing to use radio spectrum. If I go and modify my phone's firmware to increase the power output I could literally jam communications from your phone.

It's very different than if I modified the firmware on my hard drive or UEFI on a PC. I might fuck up my stuff but it doesn't affect you. I can fiddle with my hard drive firmware all day but I'm not going to block a 911 call you're trying to make.

Also a company giving out modem firmware is an exception and not a rule. It re-classes the device as a hobbyist/experimental device and if they go traipsing around with it they could potentially face fines (unlikely but possible).

Again it's not about lobbying it's about a limited spectrum and people being stupid/assholes not realizing or caring their pocket radio affects others. You live in a world where shitheads try to make their cars louder on purpose and you can pick up dozens of WAPs because everyone sets the power to the highest number the interface allows.

fsflover 1137 days ago [-]
Using the wrong spectrum and jamming communications of others can be illegal without forcing proprietary firmware. It's like making all cars illegal because someone blocks access roads for a fire brigade.
giantrobot 1136 days ago [-]
It's not forcing proprietary firmware. The firmware could be entirely open so long as end users couldn't freely modify it on their devices. Competition between baseband manufacturers drives them to keep firmwares proprietary.
fsflover 1135 days ago [-]
Preventing modification of the firmware is like making your car unrepairable and unopenable, so you couldn't mess with it.
baybal2 1139 days ago [-]
Who said you cannot? Just do it, and see.
giantrobot 1139 days ago [-]
Every radio regulation agency on the planet? Most radio hardware is capable of operating outside of regulated limits. The device firmware is usually what keeps the devices running within their regulated limits and gets those components licenses to be sold. Anyone selling regulated devices running outside of their regulated envelope faces fines and even criminal charges.

Cell phones only work because the millions of devices run within strict limits and behave reasonably. There's not a lot of difference between a properly operating radio and a radio jammer. Purism isn't going to find a baseband vendor that's going to risk their licenses by allowing for open source firmware.

baybal2 1139 days ago [-]
No, plenty of radio transmitting equipment is fully open soft modems.

As far as I know, there is no licensing whatsoever for baseband makers?

Where did you get that it is?

giantrobot 1138 days ago [-]
In the US a baseband processor's entire software stack that controls the radio front end must be certified. They'll also have the modems to talk to the cellular networks. BPs use their own CPU(s) and an RTOS firmware that's FCC certified.

This is why a baseband processor is a fully separate component from a device's application processor(s). Since the AP doesn't talk directly to the radio it doesn't need to be certified and can be updated without recertification. The BP can also get certification and any manufacturer using that BP doesn't need to re-certify it. The interfaces are also such that the AP can't (or shouldn't be able to) tell the BP firmware to boost the output power above legal limits or something.

Radios that have "open" soft modems don't typically have fully software controlled radio front ends. The radio front end will have its statutory limits baked in electrically or have very limited software control. The modulation on the back end isn't as important as the front end. Broken modulation just means you can't talk to anyone, an overdriven transmitter is effectively a radio jammer or can give someone an RF burn.

baybal2 1138 days ago [-]
> In the US a baseband processor's entire software stack that controls the radio front end must be certified.

Can you point where it is stated?

giantrobot 1138 days ago [-]
47 CFR.
baybal2 1138 days ago [-]
What rule in particular?
giantrobot 1138 days ago [-]
Part 2 covers recertification of changes to radio equipment (everything touching the front end of the radio). Part 24 covers broadband PCS while Part 15 covers WiFi and Bluetooth since they're ISM band components.

If you're actually interested read the regulations and look up some FCC IDs for devices.

matheusmoreira 1139 days ago [-]
> we need tools that don't require so much blind trust

Completely agree.

> Open source and verifiable down to the firmware is the only chance we have at any real level of trust

The hardware itself could be compromised though. There's just no way to know what's really inside these black boxes.

https://youtu.be/_eSAF_qT_FY

We'll never have real trust until we get the ability to fabricate our own processors in our own home just like we already have the ability to write our own software.

mohaine 1139 days ago [-]
This doesn't help completely unless you fabricated the fabricator on trusted parts as well. Unless you trust it there is nothing to prove that the fabricator isn't inserting back doors into whatever it prints.
hutzlibu 1138 days ago [-]
Well, I would love to print out my own CPU in the garage, but until then, I would also be happy if the factories producing security critical HW got frequent audits by qualified personnel, certifying and reviewing the build process.

Not very likely on a broader scale, though.

africanboy 1139 days ago [-]
as much as I am eager to see open source mobile OS succeed, tracking happens at the app level.

What happens when I install the FB app on a Purism enabled device?

My way to go until now has been installing as many OSS apps on my smartphone as possible, to the point that even the keyboard and the launcher on my smartphone are installed through f-droid.

That's the main reason why I prefer Android phones over Apple ones.

robotbikes 1139 days ago [-]
I don't think Facebook is likely to release a Linux based app. If they did it would likely be electron style. There are also lots of Facebook apps that wrap the mobile website inside of a stand-alone "app" available on F-Droid. I also wonder what type of permissions API even exists that would allow you to view contacts as an app inside of Purism. Maybe Gnome has some kind of API already for apps to access built-in contents, but thus far there hasn't been a lot of proprietary software released for Linux that embeds spyware because of the low # of users and increased difficulty and general lack of distribution platform. But Purism is also really far away from being a viable platform for non-techies at this point.
UnpossibleJim 1139 days ago [-]
> This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.

If the very first people (presumably the "higher ups"/more prestigious designers) in the design process miss such things, it is very hard to call them out in a societal construct that is the business construct that has become Xiaomi and the Chinese Government.

It's hard enough in some companies for QA to question software engineers and not catch backlash in the US when making games. Companies like EA, Atari and Nintendo are notorious for it. Apple used to shitcan QA who didn't treat "the talent" nice enough, and they weren't a quasi governmental entity.

You're right, of course. But man, that's a big frog in your throat to go up to your manager and say, "Sir, I'm sorry but this whole process has issues. Here's the fix, but it means a redesign of a core process." That's tough. That's double tough.

danpalmer 1138 days ago [-]
This is something that a company with a mature security posture needs though. Yes it's hard, but that's the point.

There are many ways to work around this; having teams whose incentives are tied to finding issues, maybe in a different reporting chain or office or country to those writing the software, is one way.

UnpossibleJim 1138 days ago [-]
I think incentivizing and anonymizing issue finding by restructuring sounds like an amazing idea, to be honest. Having batch issues come in to the devs via bug tracking software and conversations be labeled with a user ID rather than a name would make a world of difference; so would basic professionalism. An understanding that it isn't team against team. SDETs (and manual testers) are not adversaries to devs or management... Though, I think a lot of devs realize this but project management/producers have a harder time understanding this. This is where I think a basic understanding of coding and the development pipeline would help a lot.

But, here we are. In the real world =/

thw0rted 1132 days ago [-]
If your design is "accidentally" indistinguishable from intentional state-sponsored surveillance, does it really matter whether you arrived at it through malice or incompetence?
45ure 1139 days ago [-]
>I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice. This paragraph seems to suggest a similar problem at Xiaomi.

AFAIK, Xiaomi does not sell any critical infrastructure equipment, nor is it installed anywhere; not entirely sure why GCHQ or NCSC would be involved, especially when there is ambiguity around which/what equipment they should be conducting a code review upon?

With regard to Huawei, there was no decisive conclusion, despite a comprehensive security review. Furthermore, it has been business as usual for currently installed equipment. All future decisions will be based around the 5G infrastructure.

cmeacham98 1139 days ago [-]
Presumably phones used by government employees in relation to sensitive data are security critical? I'm not aware if their phones are being used in the wild in such a way but it's not hard to imagine such use cases.
thw0rted 1132 days ago [-]
Here in Europe, Huawei and Xiaomi are two of the most popular phone brands I see in shops. Even if the government isn't actually buying them to issue as "work phones" for employees, those employees are certainly buying them for personal use, carrying them to sensitive places, and leaking their own life details.

You'd have to be a complete idiot to believe that the CCP isn't happily digging through all the data they send back.

michaelcampbell 1139 days ago [-]
> If we assume that Xiaomi aren't literally trying to spy for a government

Is that even allowed by Chinese law?

buildbot 1139 days ago [-]
I believe the implication would be they are spying for China in this case, and therefore as legal as they want it to be.
michaelcampbell 1139 days ago [-]
Right, I meant is it allowed by Chinese law to NOT spy for the government. As I understand it, to be allowed to operate in China as a Chinese company, you are under the obligation to provide any information you collect to the gov't upon request. Is that not the case?
tehjoker 1139 days ago [-]
You guys are familiar with the Snowden disclosures and how all telecom companies and very likely all major tech companies are spying for the US government right?

At this point, this is table stakes for big tech and it's completely anti-democratic. China may have a very good domestic dragnet but clearly it's playing catch up compared to the foreign intelligence assets the USG (and five eyes) has.

ethbr0 1139 days ago [-]
If you're going to cite Snowden, please be accurate.

Remember that one of the leaks was that the NSA tapped unencrypted Google backhaul in transit without Google's knowledge.

There's a difference between panopticon fearmongering and citing specific information we should be wary of. The former leads to apathy. The latter leads to action.

xtian 1139 days ago [-]
ethbr0 1139 days ago [-]
That was ATT. It (and all the other exposed operations) hardly support the statement that "all telecom companies and very likely all major tech companies are spying for the US government".
xtian 1139 days ago [-]
The US defense and intelligence apparatuses have been deeply intertwined with private enterprise for many decades. This is a matter of historical fact. But I totally understand if it's more comfortable for you to believe that now things are different despite the fact that no one was ever held to account for what happened in the past.
ethbr0 1138 days ago [-]
There is no proof that I'm aware of that all telecom companies and very likely all major tech companies are spying for the US government.

To be clear, evidence that some telecoms have, or that some major tech companies have is insufficient.

Extrapolating some into all is unreasonable. Do you have more proof it's the latter?

Judgmentality 1139 days ago [-]
Whoa. I'm surprised I'd never heard of this before. Thank you.
tehjoker 1139 days ago [-]
Right, that's why I said "very likely" instead of "proven". However, at this point it's pretty clear the tech companies are all competing for Pentagon contracts (e.g. Project Maven, JEDI, etc.), so the 2013 information has significant potential to be dated.

Also, there's these nuggets:

https://www.fastcompany.com/40481463/facebook-wants-to-hire-...

https://www.rt.com/usa/399256-mattis-amazon-bezos-trump/

Thinking America's largest monopolies and America's government and foreign policy are at odds over more than superficial things is probably not an accurate view of the world. America uses our corporations to advance nebulously defined "national security interests" and corporations use the government to get rich(er).

onethought 1139 days ago [-]
Australia has similar laws also.
stjohnswarts 1139 days ago [-]
Not sure why you're getting downvoted, what you stated is correct. https://phys.org/news/2018-12-australia-cyber-snooping-laws-...
Daho0n 1139 days ago [-]
So does the US. The only real difference between countries is not if it is different but how each has implemented it in law. The result is the same.
dodobirdlord 1138 days ago [-]
Google publishes a transparency report with aggregate information on government requests for user data, and regularly challenges requests to reduce their scope. To pretend that this is the same as China is a joke.

https://support.google.com/transparencyreport/answer/9713961

onethought 1138 days ago [-]
Yet Google didn't know their data was being hijacked and harvested by the NSA and co... so hop down off that high horse of US exceptionalism.
michaelcampbell 1138 days ago [-]
Pointing out a difference is not what you assert.
onethought 1138 days ago [-]
> To pretend that this is the same as China is a joke.

... it is the same as China. Or is that the joke?

sleepydog 1139 days ago [-]
Splitting hairs here, but the wording of your question gives the impression that one could choose not to collect any data and then be free of said obligations, but I don't think that's the case. Does anyone know?
thw0rted 1132 days ago [-]
There is a difference between being required to collect data that they wouldn't otherwise need for a legitimate business purpose, and being required to provide access to data they've already collected to their government. I'm no expert but it seems like a Chinese company could design products that don't collect a bunch of extraneous information, without violating Chinese law.
thoughtstheseus 1139 days ago [-]
That is the case.
ajsnigrutin 1139 days ago [-]
Better question is, why are those devices allowed to be sold in EU/US/...
duxup 1139 days ago [-]
I believe they're required to comply if asked. In theory they could have not been asked...
Craighead 1139 days ago [-]
No
wonnage 1139 days ago [-]
if you mean this in the sense that "all chinese companies are automatically spy agencies", then no, that's certainly not true. But would they have to comply with a government request - yeah, probably, just like any other company.
michaelcampbell 1138 days ago [-]
That feels like a distinction without a difference. The gov't has access to all the data of all Chinese companies, and those companies are not required to divulge that to their consumers.
ComodoHacker 1138 days ago [-]
Another possible explanation is this isn't a bug, but intended behavior. If the browser hasn't been used for 90 days, this might be a good indication that the phone has changed hands, and you need to generate a new ID.
africanboy 1139 days ago [-]
I'm writing this from a Xiaomi smartphone.

I know Xiaomi is not the best brand to buy for privacy, but I consider their products one of the best in terms of value for money

I own a few Xiaomi devices, I simply install Blokada on each one of them and I think you would be surprised by how many non Chinese domains it blocks, Google being one of the worst offenders.

EDIT:

see this screenshot

https://imgur.com/a/UO0BGCy

EDIT 2: paradoxically, knowing that Xiaomi is a Chinese company makes buyers more aware of the privacy risks involved. It breaks that false sense of security associated with electronic devices that many people believe in.

Daho0n 1139 days ago [-]
About your second edit: If you live anywhere on earth that isn't in the geographical area of China it would likely be better to have data going to China than the big US corps. For most it is unlikely the data could be used against you in anything from ads to a police raid, unlike with something like Google collecting it where it will almost for sure be used and useful.
kelnos 1139 days ago [-]
I hear this a lot, but it strikes me as being short sighted. That only works if the status quo remains so forever. Maybe 5 or 10 years from now, relations between the Chinese and US governments gets cozier, and part of their deal includes sharing of this kind of data.

Or maybe the US government knows it can't legally collect certain information on its own citizens, but can rely on China to collect it, and then purchase it from the Chinese government.

Then there's the overall argument against: I don't want any government collecting data about me, period. It's none of their damn business, regardless of the chances of me having to interact with them in any capacity.

sudosysgen 1139 days ago [-]
The US and Chinese governments will absolutely never have a rapprochement. Geopolitics states they will be at odds.
bigiain 1139 days ago [-]
We know about five eyes.

The pessimist in me assumes that's because it's a good cover for the intelligence agencies' data sharing agreements between the US, China, India, Russia, North Korea, et al.

petra 1139 days ago [-]
How do you know whether Xiaomi's spyware doesn't bypass Blokada?
ignoramous 1139 days ago [-]
There are a lot of binaries other than Android that run on Smartphones that you cannot possibly control from within Android even with fully-privileged apps (let alone restricted user-space apps). And, even within Android, because Blokada doesn't support "Block connection without VPN", there's no guarantee that apps don't bypass the VPN it sets up. Besides, Blokada leaks DNS requests over TCP (only handles the UDP ones) [0]. All of this is discounting the fact that Blokada has a hard-coded list of applications it blanket allows by-default [1].

Also, these fingerprinting bits in their code-base don't inspire confidence either [2][3].

I'd not consider Blokada a serious security app at this point, though it does have the potential to be one.

disclosure: I co-develop a similar foss app.

[0] https://github.com/blokadaorg/blokada/blob/65992cdc/android5...

[1] https://github.com/blokadaorg/blokada/blob/8702350602b/andro...

[2] one identifier too many for a user-agent: https://github.com/blokadaorg/blokada/blob/8702350602b/andro...

[3] unique identifier per installation: https://github.com/blokadaorg/blokada/blob/04efb84e06e1/andr...

africanboy 1138 days ago [-]
that's a very interesting analysis

what's the name of the app you co-developed?

ignoramous 1138 days ago [-]
> what's the name of the app you co-developed?

https://news.ycombinator.com/item?id=26133661

africanboy 1139 days ago [-]
Honestly I don't, the same way I don't know if Google is bypassing them.

But according to the logs on my router Blokada is working.

p.s. blokada actually also blocks ads on the formula 1 official app that are served through websockets

dreamcompiler 1139 days ago [-]
> This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points.

Seems more likely this was done on purpose so if they got caught they could say "Junior engineer made a mistake. So sorry."

soared 1139 days ago [-]
Hanlon's razor is a principle or rule of thumb that states "never attribute to malice that which is adequately explained by stupidity"
dreamcompiler 1138 days ago [-]
My corollary to Hanlon's Razor is "When you and/or your associates have been caught being malicious multiple times, Hanlon's Razor no longer applies to you."
learnstats2 1139 days ago [-]
I find it a bad principle which absolves responsibility. Stupidity is the same as malice, if the outcome is the same.
rsj_hn 1139 days ago [-]
That can be explained as a bug, but tracking what you typed into youtube search boxes doesn't seem like a bug and has no justification in terms of performance optimization.
walrus01 1139 days ago [-]
I truly don't understand, from a security and privacy perspective, why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China. The MSS is no joke.

https://www.google.com/search?client=firefox-b-d&q=china+mss...

This is the same reason that Zoom is banned at my workplace and many other partner companies.

You've actually got two problems here. One is the commercial advertising/for-profit related data sharing problem described in the article. The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.

grishka 1139 days ago [-]
Xiaomi phones are frighteningly popular here in Russia because they're very cheap. Like, a-phone-could-not-cost-this-little cheap. A 7000₽ (around $100) phone? Why not, seems legit! And not many people really understand what Xiaomi is actually doing to offset that cost. Heck, when you open the built-in calculator app in MIUI, it has a freakin privacy policy and refuses to operate if you don't accept that. Same for the gallery and the music player — you know, all the apps that have no business knowing that the internet at all exists.
names_are_hard 1139 days ago [-]
Not defending Xiaomi in general, but it's worth mentioning that the stock calculator in MIUI (at least when I last used it) was much more than just a traditional calculator. It had all kinds of sophisticated functionality that goes beyond our arithmetic, such as currency conversion, which obviously requires network and an api that might very well be third party and require a privacy policy.

So while I assume they're tracking users, I don't think the calculator having a privacy policy is as shocking as it initially sounds.

grishka 1139 days ago [-]
Uh. An API that provides currency exchange rates is a textbook case of a read-only API. Unless that privacy policy is the nonsensical "we receive and process your IP address" (of course you do, that's how the internet works, duh), it has no reason to have one because no data flows in that direction.
judge2020 1139 days ago [-]
Trying to get legal to sign-off on allowing no-privacy-policy access to anything is going to be hard every time, especially if you do keep personal information like IP addresses for any amount of time (hello gdpr).
grishka 1139 days ago [-]
But how can one prove whether a third party stores something? Especially if it's the IP address that it must receive anyway.
judge2020 1139 days ago [-]
While I don't think there would be much investigation on a simple currency API storing user info, most companies aren't in the business of increasing legal risk for the tradeoff of user experience.
SilverRed 1139 days ago [-]
IP addresses are not identifying info under the GDPR. They are only potentially identifying. The address in your nginx logs does not count; if you are storing other data and can use the IP to identify an individual, now it's identifying data.
ptx 1139 days ago [-]
The photo editor on my Sony phone keeps telling me it wants to send data to Sony and refuses to open when I decline. So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard.
rsj_hn 1139 days ago [-]
Wow, so because of this one example you conclude "So the Chinese are no worse than the Americans and, apparently, the Japanese in this regard."

You are saying that if you can find a single example of X happening in domain A and a single example of X happening in domain B, then "apparently" A and B must be "no different" with respect to X. People are murdered in Japan. People are murdered in Brazil. Thus Japan is no different than Brazil with respect to murders.

Please please tell me that you are just being inflammatory and that this "find one example" criteria isn't how you go about making assessments of things.

0xbadcafebee 1138 days ago [-]
You're right; our natural bias would be to distrust the Chinese more, because culturally and politically they are so far removed from us. So actually we should be suspecting the Americans and Japanese more than China to counter our biases.

Could China possibly have infiltrated as much of global communications networks as the NSA & Five Eyes have for the past decade and a half? Not likely! If we didn't have such successful digital espionage programs, would we instead rely on our corporations to spy on our behalf? Very likely, seeing as we've already done that too.

approxim8ion 1139 days ago [-]
It's not really that a phone could not cost this little. Xiaomi's pricing model is pretty transparent, they make a 5% or so profit from each device and also monetize via UI ads.

It's more that consumers around the world have been brainwashed into believing huge markups are the default and must be accepted.

That of course does not alleviate the data collection concerns about Xiaomi, but it is unfair to say that given the production apparatus to produce at scale and the ability to absorb losses initially, it is not possible to make devices this cheap.

elbrownos 1139 days ago [-]
I love Xiaomi phones, I've owned a couple. But I wouldn't dream of using them without first replacing MIUI with Lineage OS.
WeekSpeller 1138 days ago [-]
Any chance of getting Lineage OS support for the Poco X3?
walrus01 1139 days ago [-]
In large software companies that have whole GUI/human interface design departments, they do lots of R&D and testing of interfaces. Traditional things like putting people with new software interfaces in rooms with video cameras and one-way mirrors of staff watching.

It would be very interesting to see a random sampling of 20 'non technical' users presented with such a phone, and given instructions simply "here is your new phone, please unbox it and connect it to the wifi and do things on the internet for three hours". Record a video of their interactions with the screen.

In my experience the vast, overwhelming majority of people when presented with a software popup like "Do you accept the license agreement to use this calculator?" will simply click yes/accept/okay/proceed as quickly as possible and disregard what it actually means.

I have a theory that a very small percentage of persons would actually balk or become suspicious of seeing something like a privacy policy agreement for a photo gallery or music player.

grishka 1139 days ago [-]
Now, I'm not a UX specialist, I'm merely a developer and these are just my own observations, but...

Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about. And that's why dark patterns work more often than not.

I roughly categorize UI/UX patterns into those that respect the user and those that don't. Showing a modal and making them decide something right now and right there is very disrespectful and off-putting. iOS of all things does this for system updates, low battery, and some urgent as hell alerts about your Apple ID. What you should be doing instead is use something non-blocking that can be ignored, like a notification, an icon badge, or a clickable bar at the top of the screen. Anyway, I digress.

And then, if you need a calculator, but the one that came with your phone quits unless you accept the terms of use, what are you gonna do, as a non-technical person? Go to Google Play and look for a better one? Probably not.

alex3305 1138 days ago [-]
> Generally, if you interrupt the user's flow of thought (if that's a thing) with something unrelated, they'll do the easiest thing possible to rid themselves of that annoyance, like a modal alert you threw at them, to get back on track doing whatever they intended to do. That's what all those consent popups are about.

I think most users even accept this as general setup things. When I, as a developer, want my device set up as quickly as possible, I mostly just proceed with everything.

boring_twenties 1138 days ago [-]
Here in the US, a Moto G7 Play is $130 brand new from amazon.com, and seems to be much more reasonable from a privacy standpoint. I seem to remember being presented with a clear choice to disable phoning home to Motorola during initial setup.
bildung 1138 days ago [-]
How is that different from stock Android, besides this being per app and having to give blanket permission for all things Google right at installation of stock Android?
grishka 1138 days ago [-]
For one, Google Play services come with a disable button. So, apparently, yes, you can de-googlify your phone without flashing anything.
alex3305 1138 days ago [-]
Sure, but you will still have a sort of chain of trust with Google that that disable button will actually do anything. Except bothering you in the future with a new, fancy enable button to make certain apps work.
swiley 1138 days ago [-]
The PinePhone isn't much more expensive than that and doesn't have these problems.
alex3305 1138 days ago [-]
You can't be serious about this, right? Apart from being a black rectangle, the ~$100-ish Xiaomi device isn't comparable to a PinePhone.

The Xiaomi phone is better and more attractive in any other way, except privacy.

swiley 1138 days ago [-]
Privacy and software selection. You can't run desktop Linux apps on android and it's becoming increasingly difficult to run CLI apps.
lucideer 1139 days ago [-]
Could it be the same reason anyone outside of the US would voluntarily choose to run close-source software from a company that's subject to domestic laws and regulations in the US? The ECPA is no joke.
yibg 1139 days ago [-]
I would argue that if you are neither American nor Chinese, the US has a greater ability to negatively influence your life. The Chinese government has full control domestically but can't (currently) do too much outside of its borders. The US on the other hand...
stjohnswarts 1139 days ago [-]
It goes the same for any of the "Eyes" countries. They share intelligence and tracking of citizens as well. It's not just the US, so don't act like it is.
Daho0n 1139 days ago [-]
Don't pretend any other country has as much surveillance capability as the US does. There are levels to the awfulness and not everyone is at final boss level. Most are random green scrubs comparatively.
skynet-9000 1139 days ago [-]
> Don't pretend any other country have as much surveillance capability as the US does.

The level of surveillance in Xinjiang vastly exceeds that of anywhere else in the world except for military installations.

approxim8ion 1139 days ago [-]
You're drawing a parallel that doesn't exist. Xinjiang is a physical location that is controlled entirely by them.

US (or any) surveillance, especially over data, requires no such ownership or control.

marakv2 1139 days ago [-]
Don't forget our laws here in Australia. (I know you mentioned eyes countries, which we are, but I wanted to highlight this).

Our laws are so damn barbaric in relation to security that it's scary.

It's gotten to the point where I nearly gave up on security. Who's compromised?

I definitely missed out on a job because I was Australian. (Confirmed later over drinks with one of the devs who I am friends with).

phist_mcgee 1139 days ago [-]
Can you relate anymore about the industry and size of company you applied for?

I'm an aussie dev, and I hadn't even considered my eligibility to foreign companies may be compromised.

walrus01 1139 days ago [-]
I'm sure that a Chinese citizen would see the NSA as an equal or greater threat. The difference from my perspective is that as a citizen of a NATO country with a functioning democracy, I'm highly unlikely to be rounded up by my government and put in a prison or concentration camp for expressing my political opinions or religion.

You only need to look at the past several years of news from Hong Kong and the Uyghur/Xinjiang province situation to see the stark real world difference in human rights, political freedoms and press freedoms.

lucideer 1139 days ago [-]
I'm not 100% sure from your comment whether you're making out that:

(a). China is bad (yes, known)

(b). The US is not quite as bad (debatable but for the sake of argument lets agree that this is true)

(c). The US is benign

My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true. Though terms such as "country with a functioning democracy" make me think you might...

walrus01 1139 days ago [-]
My point was absolutely not (c). The US has a vast and complex array of sociopolitical, economic disparity, racism, police brutality issues, some of which have been highlighted throughout 2020. But I definitely consider it to be the lesser of two evils.
chungus_khan 1139 days ago [-]
The lesser of two evils is still collecting literally as much data as it can on you. And helping the Saudis with it too:

https://theintercept.com/2014/07/25/nsas-new-partner-spying-...

US Intelligence has too long a history of its own largely consequence-free abuses too. Someone else having a surveillance state doesn't make the one at home any better.

esclerofilo 1139 days ago [-]
Someone from outside the US will probably worry more about its history of backing coups than the domestic problems you mentioned. If the US puts a Pinochet in my country and their algorithms say I'm likely to be a communist sympathizer, am I at risk?
the_af 1138 days ago [-]
Definitely. Those of us from Latin American countries have a history with the US that we don't have with China, and so while China might be bad to us, we are (mostly) outside its sphere of direct influence; on the other hand, the US has a proven track record of supporting blood-thirsty and ruthless dictators in the relatively recent past, and meddling with our democratic institutions and electoral processes, so it's the "biggest threat" to us, so to speak.
bassman9000 1139 days ago [-]
Black and white sophism. No country is going to meet (c), no country is benign. What matters is how much better a country is in aspects like this. And the US is still much better, NSA included.
at-fates-hands 1139 days ago [-]
> My comment was only refuting the 3rd supposition. I'm not sure if you actually believe this is true.

The country is an imperfect union. Although the country attempts at every turn to work towards "A more perfect Union"; clearly we have similar issues that other countries do.

In a comparative analysis, OP was merely saying the US is head and shoulders above a country that suppresses freedom of speech, eliminates political dissent and the people who promote freedom and sends them away to actual concentration camps under the guise of "re-education".

systemvoltage 1139 days ago [-]
2 million people. No less.
trasz 1139 days ago [-]
How are those different from American concentration camps, such as Guantanamo?
checkyoursudo 1139 days ago [-]
*Insert joke: [internet <- Chinese router - US router -> home network]
systemvoltage 1139 days ago [-]
Responses like this are so predictable and shed no further light or provide no new insight.

They're unproductive and flame-war prone. I downvoted your comment.

f6v 1139 days ago [-]
Why is it unproductive? Parent makes a point that non-US consumers don't care whether it's a US or Chinese product. Both nations have access to domestic company's data.
lucideer 1138 days ago [-]
The original message was saying they couldn't understand / couldn't empathise with someone making a conscious decision to use xiaomi. I gambled that they make the same conscious decisions using US software, but only see their decision to do so differently due to a set of pro-US biases that others won't have.

It's difficult to look past such biases if they're deeply ingrained but I think this can definitely be productive to do so. If you can empathise better with conscious xiaomi users, and understand why people use non-optimal software, such understanding can have a lot of benefits.

eznzt 1139 days ago [-]
There is nothing new about the question "why would someone buy cheap phones when they come with spyware". So someone asks a shit question and gets a shit answer.
esperent 1139 days ago [-]
Well, to play devils advocate, as a random Irish guy it seems like my choice is between Chinese companies spying on me or US companies spying on me. I don't see that huge a difference - although I do acknowledge there's a difference in freedom of speech and culture in the US, that applies to US citizens and when it comes to spying on people outside the US the difference is much smaller.
onepointsixC 1138 days ago [-]
Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine. You already know what it's like living in a world in which the US is the dominant superpower; that's what the West has experienced for the past 70 years and it has created some of the greatest prosperity both the US and the West have experienced in their existence.

A dominant China is interested in promoting their own values of Xi thought. And they're working very hard to promulgate it. Their coercive ability is remarkable in how it's already transformed Hollywood. Their ability to do so will only increase.

[1] https://en.wikipedia.org/wiki/Document_Number_Nine

the_af 1138 days ago [-]
> the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine

For the last decades, the US has been actively trying to undermine -- mostly covertly, sometimes more openly -- leftist parties and organizations in Latin America (more often than not completely unrelated to China), so...

amaccuish 1138 days ago [-]
> Consider Document Number 9[1], and the fact that the CCP considers your existing Irish political system and liberal ideology as a threat and one which it is actively working to undermine.

You have quite literally also just described the US.

"China and Communism are a threat which we should seek to undermine". It works both ways.

onepointsixC 1135 days ago [-]
Xi Jinping considers the promotion of liberal values, human rights, and democracy at their core to be "arrogance, prejudice and hatred". This goes beyond one power vs another, every democracy is under threat.

[1]: https://www.politico.eu/article/xi-jinping-turned-me-into-a-...

kchr 1137 days ago [-]
This.
latch 1139 days ago [-]
Similar boat, but I see a pretty big difference. Every time I have to fill out a FATCA form, I'm reminded of how much power the US government can wield over me - a non US citizen/resident.
Sebb767 1139 days ago [-]
> The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.

If you're anywhere near any scene you might consider not liked by the current government (which surely also includes journalists and the likes), your domestic agencies are a far bigger threat than the MSS, as long as you don't choose to go to China - and even then, you're probably fine, unless you're fighting against the Chinese regime in particular.

And yes, the Patriot Act and the NSA are no joke. It's not like subpoenas are never heard of (and the EU is, at least in parts, not much better).

BelenusMordred 1139 days ago [-]
> I truly don't understand, from a security and privacy perspective, why would anyone would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in the United States.

Fixed that for you. Xiaomi offer an official bootloader unlocker for their shitty MIUI ROMs, which no one else on the planet does, and are one of two companies out there that sell stock Android phones. They are the easiest mobiles on the planet to install LineageOS on.

Imagine being on HackerNews and not at least slightly acknowledging the fact this company makes the most hacker friendly phones on Earth. It's honestly embarrassing.

Feel free to sniff the packets on any other device and realise how prevalent phonehomes are and how the eyes can access all of it on a whim if it's going to non-Chinese companies.

If you were an activist in the Western world I would only recommend a Chinese phone to protect yourself.

Cointelpro is still roaring hard today.

https://en.wikipedia.org/wiki/COINTELPRO

12ian34 1138 days ago [-]
I think it's important that you raised your point, but I don't see that Xiaomi providing stock android phones and the ability to unlock the bootloader on their MIUI phones forgives them from the clear privacy issues highlighted in the original post, particularly given that the vast majority of their customers stick with the default/popular option.
MisterTea 1139 days ago [-]
Same could be said for countries outside of the USA buying US tech equipment.
serial_dev 1139 days ago [-]
I agree, people give US companies way too much slack... But then what am I supposed to do if I'm European? The US and China pretty much cover the mobile market (and what's not covered is still not European).
walrus01 1139 days ago [-]
From a purely pragmatic point of view: If you're European...?

Consider that your country is likely either already a five eyes member, or a "five eyes plus" member with a historical record going back 45+ years of intelligence/law enforcement data sharing between the various NATO governments' intelligence agencies.

And take a risk calculation, based on what you're doing in your life, if all your metadata and traffic was in the hands of the NSA, what's the most likely end result that might affect you adversely?

Are you actually at risk of being persecuted for anything you're doing socially, religiously, politically? For instance, if you're a German, is all of your data being in the hands of the BND going to result in anything bad happening to you?

neltnerb 1139 days ago [-]
From a purely pragmatic point of view, a lot of especially Eastern Europe and Eastern Germany are viscerally aware that "anything you're doing socially, religiously, politically" will always somehow include something illegal and worrying about surveillance results in self-censorship.

I really don't think that's unreasonable, the fall of the berlin wall was within living memory. I hope that the NSA isn't going to do anything too, but the idea that they can't or won't is clearly not true. Staying under the radar might feel pragmatic, but I think a lot of people realize that's entirely inadequate with constantly shifting political environments.

walrus01 1139 days ago [-]
I am not a European but I am fairly sure I would have two very different opinions on this, relative to my personal perceived level of threat from my own national government, if I were a citizen and resident of the Netherlands or, for instance, Belarus.
MaanuAir 1138 days ago [-]
Threat model, I get that.

The simple fact that this explanation can exist and is somewhat commonly agreed by tech-savvy people is... disturbing in some way.

I mean, underlying are freedom, rights, security, surveillance, But also geopolitics, economics, philosophy maybe.

Just behind some daily tech.

ampdepolymerase 1139 days ago [-]
Considering the current target of deplatforming is the far-right, and given Germany's history specifically, they have a lot of reasons not to trust local hardware and software. The same goes for the Le Pen crowd in France, a somewhat adversarial government on the other side of the globe is often less risky than the status quo across the pond allied to the current French establishment.
walrus01 1139 days ago [-]
I was wondering how long it would take until we got to the argument of "oh no, won't somebody please think of the unfortunate oppressed fascists! it's a good thing that xiaomi has phones and software for them, because their own local european government is against them".

The paradox of tolerance and an open society is that if you allow actual fascism to flourish (and Le Pen is absolutely a fascist, in my opinion), you risk ending up with something much worse in the long run.

ampdepolymerase 1139 days ago [-]
That's not a very valid argument in a thread about information security.
Chris2048 1138 days ago [-]

  "oh no, won't somebody please think of the unfortunate oppressed fascists!..
Except anyone that you want to oppress will retroactively be labelled "fascist", or "far-right" by whatever loose system serves that purpose.

The latest version of "terrorist", "activist" or "heretic".

  and Le Pen is absolutely a fascist, in my opinion
But whose opinion is canon in matters of censorship? Le Pen is also a valid political candidate with fair support in her electorate.

Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?

so you say "if you allow actual fascism to flourish.. something much worse in the long run" - who gets to decide what is "allowed", and what isn't?

Seems to me the basis for such stability would have nothing to do with subjective judgements of what constitutes "fascism" - and more to do with principles of democracy - i.e. a fascist entity can be democratically elected - it just can't be given powers that would allow it to override democracy, or escape legal oversight. Perhaps the key word is "extralegal"?

The problem is that too many political entities (not just far-right) seek extralegal, overreaching powers; believing it OK so long as "they can be trusted"; but if the king of today is a good king, his heir might still be bad. And the good government that allows for overreach enables the bad government that does the same.

amaccuish 1138 days ago [-]
> Consider this - If a "fascist" is democratically elected, what wins: anti-fascism (presumably from the perspective of an opposing 3rd party, as Le Pen doesn't describe herself as a fascist); or democracy?

This actually happened in recent history. Just because Hitler (and yes I must unfortunately rely on such a reference, and no, Le Pen is not Hitler, but it provides a good example of far-right vs democracy) was elected doesn't mean the entire world should roll over.

Chris2048 1138 days ago [-]
Just to clarify, by "roll over" you mean "change their democratic systems to prevent the election of fascists"?

The election of the Nazis didn't justify the sweeping power transfer that resulted, including control of the press, a private party militia (Brownshirts) etc etc etc

I'm criticising efforts to interfere with who is allowed to be elected, versus limiting what powers can be obtained through election.

robertlagrant 1139 days ago [-]
The paradox of oppressing in the name of opposing oppression is that it is already something much worse.
Keyframe 1139 days ago [-]
> The US and China pretty much covers the mobile market (and what's not covered is still not European).

Remember when this was the other way around? How did we come to this in ~two decades?

usr1106 1138 days ago [-]
I know first hand that Nokia top and middle management understood nothing about software development or quality. The tools and practices used in the whole development were horrible. After a couple of years they just drowned in bugs and new products came slower and slower, failed projects more and more frequent.

I have no idea whether it's equally bad at Google/Android or Apple. I have the feeling it's not.

I don't think China really dominates in software world-wide. Xiaomi seems more like an exception to me. Hardware is a different story.

0xy 1139 days ago [-]
That's not true, because US companies are allowed to export E2E technology in products. Chinese companies are not given the same leeway. All Chinese messenger clients are not encrypted and are fully surveilled. That is not true for US messenger clients.
xtracto 1139 days ago [-]
IIRC American companies (especially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then forced not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programs).

For us that don't live in the US or China, it is just a matter of choosing between two evils. And being pragmatic, 90% of the population outside of China and the US does not give a damn if the US or China are spying on their mundane conversations.

dodobirdlord 1138 days ago [-]
> IIRC American companies (specially service companies, but surely also hardware companies) can be forced to introduce backdoors and other spying mechanisms and then force them not to disclose such a thing (i.e. Lavabit, Groklaw, Room 641 and equivalent Google and Facebook programms).

You recall incorrectly. By extension of the First Amendment, US companies are protected from being forced to introduce functionality so as to collect or decrypt information (or for any other purpose). Carrying out original work for the government is considered to be speech, and as a result cannot be compelled. If the data is already collected and available in a decrypted form to the company a court order can compel the data to be turned over as evidence, as is the case with any data (or any thing) held by anyone (with narrow exceptions related to the 5th amendment).

This was a topic of national attention several years ago when the FBI tried (and failed) to compel Apple to create and sign a custom software update to unlock an iPhone.

https://en.m.wikipedia.org/wiki/FBI–Apple_encryption_dispute

Daho0n 1139 days ago [-]
And yet from the free to export US we keep finding backdoors and hardcoded admin passwords in things that are supposed to be way more secure than a random chat client. Even if all of them are actually bugs I'm not sure that is any better. No E2EE to share my shopping list with my girlfriend versus the piss poor security in enterprise hardware from manufacturers like Cisco etc? At least I can download another chat client. Purging US enterprise equipment from my company, home and ISP? Not so much.
0xy 1139 days ago [-]
Huawei's security doesn't come close to Cisco's security practices. Mostly because the vast majority of their hardware and software was sourced from stolen IP (Huawei had cash bounties for employees to provide stolen IP to the company). If you sell stolen technology, you don't truly understand how it works or how to secure it.

Given the choice, I'd choose Cisco every day of the week. It's not perfect but then again there's no such thing as perfect security.

With an E2E messenger, you can be sure that most likely your communications are not being intercepted. With a Chinese company, your communications are never secure.

Not only are Chinese software products not secure, but they'll lie to you about their security. Zoom claimed to have E2E encryption on calls which turned out to be an egregious fabrication (on top of them exporting calls to Chinese servers).

uzakov 1138 days ago [-]
What are your thoughts on Ubiquiti?
matkoniecz 1139 days ago [-]
I am using Xiaomi phone for roughly the same reasons as I am using Gmail.

I dislike the results of either, replacement of both is on my oversized TODO list - and has been there for at least two years.

I dislike that the USA government, China government and God knows who else has a full (partial?) copy of whatever I ever typed on my phone but I did nothing beyond selecting Android Zero, declining "send all what I typed to Google" and declining cloud sync.

(I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited)

nicbou 1138 days ago [-]
I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.

Anyway, you're right. In practice, protecting your privacy is a massive hassle. I just do it step by step, knowing that even half-assing it is better than nothing.

matkoniecz 1138 days ago [-]
I really hope that privacy situation will start getting better - or at least not getting worse.

For email I basically gave up (for now) as it will likely leak on other side anyway.

But I aggressively avoid cloud sync, and my files on cloud are either public or locally encrypted before uploading. Well, at least it protects against non-targeted attacks.

> I have massive respect for OSM maintainers. People don't appreciate how much work goes into the map data.

:)

Just in case that you have an Android phone - I recommend StreetComplete, it allows limited editing with zero OSM-specific knowledge. Registering for OSM account is the most difficult part.

It works by asking about already mapped elements, while you are in front of them. See https://github.com/streetcomplete/StreetComplete#screenshots

nicbou 1138 days ago [-]
I do contribute through OsmAnd. I mapped a few gas stations in more desolate areas. However this is a much more exciting way to contribute. Thanks for sharing!
matkoniecz 1138 days ago [-]
Thank you for mapping! Especially in remote areas.

I am glad that you like SC :)

f6v 1139 days ago [-]
> why would anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China

Because outside US it doesn't really matter whether it's Chinese or American company that has your data.

cle 1139 days ago [-]
It is critically important depending on your country's relationship with either country.
Daho0n 1139 days ago [-]
Yes, if you are in a country friendly with the US it is better to have Xiaomi harvest the data than Apple.
taotau 1139 days ago [-]
This question is particularly pertinent in a country like Australia. Both the US and China have strong interest in controlling our loyalty and GDP, and I for one don't want to be a subject of either regime.
africanboy 1139 days ago [-]
If your country has good relationships with both of them it doesn't really matter.

EDIT: you have to understand that the cold war is over and you can't replace the USSR with modern China. My country has good relationships with both the US and China so it doesn't really matter who's spying on you, they are "good friends" anyway...

onethought 1139 days ago [-]
But in context:

- Australia has similar laws.

- Snowden releases showed the US don’t even ask, they just take it.

So it’s not like there is a huge amount of difference around the world.

frogcoder 1139 days ago [-]
> But in context:
>
> - Australia has similar laws.
>
> - Snowden releases showed the US don't even ask, they just take it.
>
> So it's not like there is a huge amount of difference around the world.

I am not familiar with Australian privacy law, could you give me a rough idea what it looks like?

The Snowden case made the US government look bad, please don't use the same reason to make the Chinese Communist Party look good or OK.

It's kind of weird: when something bad happens, everyone just points at the US and says they do that too! The CCP did something bad, and somehow it's OK because the US government did something bad.

If you are a US national living in the US, you can complain and bitch about your government all you want without worrying about your safety, hence you can talk about the Snowden case or berate the president, and things might change. Would you dare do that on Chinese soil, even if you are not Chinese?

onethought 1139 days ago [-]
No, I was pointing out that "Don't buy Xiaomi because you can't trust them" is logically flawed... because you can't trust any of the countries involved with the manufacture of phones.

This isn't excusing the behaviour, it's pointing out that "privacy" is not a justification for not using Chinese goods, because American goods have evidence of exactly the same compromise.

strangeattractr 1139 days ago [-]
All mobile phone manufacturers are spying on you does not automatically follow from the fact that Xiaomi browsers are spyware.
onethought 1139 days ago [-]
Pretty sure I didn't state that. But I agree with what you're stating.
rstuart4133 1138 days ago [-]
> I am not familiar with Australia privacy law, could you give me a rough idea what is look like?

I assume it's the Australian Assistance and Access Bill that's being referred to here. It has nothing to do with privacy. Its prime job (which isn't hidden - it's spelt out in the explanatory notes) is to circumvent encryption by accessing the data at the end points, where it isn't encrypted. It must be unencrypted at the end points because humans can't read or listen to encrypted data. https://searchsecurity.techtarget.com/definition/Australian-...

The bill gives several government agencies the legal right to coerce any software company to "assist" them by writing a bug that is invisible to the OS. The "access" part gives them right to coerce a software company to distribute software to any device they target (there is legal oversight on who they can target).

To fill this out with a concrete example, they could compel Google to provide a version of the Android Google Keyboard that records all key strokes and the name of the application it is sending them to. They can then force Google to install that keyboard via their auto update mechanism. Notice that using an open source program like Signal that securely and correctly encrypts everything, and comes from a trusted source, is not a useful defence against this.

Both of these powers are accompanied by an automatic gag mechanism, meaning if Google revealed they were asked to do either of these things someone would go to jail. The provisions in the act for reporting when and where these powers are used, so the voters could have some say, are, to put it mildly, weak.

Although Australia is very clearly a country that operates around "the rule of law", in the end the only difference that has made is we know they are doing it, whereas China could deny they are doing it. In reality, I don't think China tries to deny the Great Firewall of China, or the invasive probes they force citizens to install to support their social credits system.

So yeah in my view OP is quite correct. If there are differences they revolve around how widely these things are deployed, not over whether they exist. I presume my home country, Australia, deploys them a lot less, but they go to a great deal of trouble to ensure there is no way to be sure.

Havoc 1139 days ago [-]
I’m running a Xiaomi air filter. Not connected to wifi.

Even without wifi access it is vastly superior to previous choices. At similar pricing to my previous one.

I’m quite wary of the whole monitoring scene but my next air filter purchase will be a Xiaomi again.

Can’t really speak to their other products but on that front they have made a convert out of me despite my aversion to questionable data practices.

Also apparently it’s home assistant compatible. So HA it and firewall it off is the plan

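Two comments above talk about the same thing from opposite ends: sniffing a device's traffic to see how often it phones home, and putting a device behind Home Assistant on a VLAN with no internet and "firewalling it off". What a practitioner actually wants after doing that is a quick way to read the resulting deny logs. The script below is an added example, not code from the thread or from Xiaomi/Home Assistant; it parses constructed iptables-style kernel LOG lines (the IOT-DROP/IOT-ACCEPT prefixes, interface names and all IP addresses are made up, using documentation ranges for the "cloud" side) and reports, per device, how many egress attempts were dropped, which external endpoint it hammers most, and which LAN hosts it was actually allowed to talk to. That last part is the check that matters: the device should still reach your HA host and nothing else.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log. Format mirrors an iptables LOG target with
# --log-prefix "IOT-DROP " / "IOT-ACCEPT "; the addresses are invented
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Jan 12 21:03:11 gw kernel: IOT-DROP IN=vlan20 OUT=ppp0 SRC=192.168.20.31 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 12 21:03:12 gw kernel: IOT-DROP IN=vlan20 OUT=ppp0 SRC=192.168.20.31 DST=203.0.113.10 PROTO=TCP DPT=443
Jan 12 21:03:14 gw kernel: IOT-DROP IN=vlan20 OUT=ppp0 SRC=192.168.20.31 DST=198.51.100.7 PROTO=UDP DPT=8053
Jan 12 21:03:15 gw kernel: IOT-DROP IN=vlan20 OUT=ppp0 SRC=192.168.20.44 DST=203.0.113.22 PROTO=UDP DPT=123
Jan 12 21:03:20 gw kernel: IOT-ACCEPT IN=vlan20 OUT=vlan10 SRC=192.168.20.31 DST=192.168.10.5 PROTO=TCP DPT=8123
Jan 12 21:03:21 gw kernel: IOT-DROP IN=vlan20 OUT=ppp0 SRC=192.168.20.31 DST=203.0.113.10 PROTO=TCP DPT=443
"""

# Assumed log-prefix convention; adjust the alternation to match your own rules.
LINE_RE = re.compile(
    r"(?P<verdict>IOT-(?:DROP|ACCEPT)) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: DPT=(?P<dpt>\d+))?"
)

# RFC 1918 only. Deliberately not ipaddress.is_global, which also treats the
# documentation ranges used in the sample as non-global.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. destinations that are not a phone-home."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_line(line: str):
    """Extract verdict, src, dst, proto and dport from one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(log_text: str):
    """{src_ip: Counter({(dst, proto, dport): hits})} for dropped flows to non-LAN destinations."""
    drops = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "IOT-DROP" or is_lan(rec["dst"]):
            continue
        drops[rec["src"]][(rec["dst"], rec["proto"], rec["dpt"])] += 1
    return dict(drops)


def accepted_lan(log_text: str, src_ip: str):
    """Sorted LAN hosts this device was actually allowed to reach (should be just the HA host)."""
    hosts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] == src_ip and rec["verdict"] == "IOT-ACCEPT" and is_lan(rec["dst"]):
            hosts.add(rec["dst"])
    return sorted(hosts)


def report(log_text: str):
    """Per-device view: drop volume, how many distinct endpoints, the endpoint retried most, LAN peers."""
    result = {}
    for src, counter in summarize(log_text).items():
        (dst, proto, dpt), _ = counter.most_common(1)[0]
        result[src] = {
            "drops": sum(counter.values()),
            "distinct_external": len(counter),
            "top": f"{dst} {proto}/{dpt}",
            "accepted_lan": accepted_lan(log_text, src),
        }
    return result


if __name__ == "__main__":
    for device, info in report(SAMPLE_LOG).items():
        print(device, info)
```

Point it at `journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG` once your LOG rules use the same prefixes. A device whose `top` endpoint is retried every second or two while `accepted_lan` still lists the HA host is exactly the pattern described above: it works fine locally and just keeps trying to reach its vendor.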
esyir 1138 days ago [-]
From what I recall, the Xiaomi air filter is known to underperform heavily.

https://smartairfilters.com/en/blog/xiaomi-purifier-auto-mod...

skynet-9000 1139 days ago [-]
Why does an air filter need wifi?
Zak 1139 days ago [-]
Same reason a ceiling light does.

I know, I know, you're thinking that doesn't either, but you can control it remotely through an app or website, and automate certain actions. You might want your air cleaner to start running when you leave your office, for example so that your air is dust-free when you get home.

I've actually used a Xiaomi light remote-controlled over the internet to simulate being home while on another continent so that anyone casing the place for a burglary might be dissuaded. I disabled its internet connectivity when I was done with that.

Havoc 1138 days ago [-]
I wanted to switch it off automatically at night. Doesn't seem to be necessary though so haven't connected it
HNfriend234 1139 days ago [-]
I use a Xiaomi phone and the reason I use it is because it is significantly cheaper compared to a Samsung or Apple phone. Example: A $200 Xiaomi phone is equivalent in specs to a $600 Samsung.

Also it is likely the Chinese are spying on me indirectly (data collection where the Chinese military can access the data if they want to) but I really have nothing significant on me that the Chinese would want to be concerned with me.

rglullis 1139 days ago [-]
> significantly cheaper compared to a samsung or apple phone.

Shouldn't that be a huge red flag? Any time someone offers something too good to be true, it never is.

> Also it is likely the Chinese are spying on me indirectly

Why?

> I really have nothing significant on me that the Chinese would want to be concerned with me.

It's not just about you, dammit. [0]

By accepting their offer, you validate their actions. You give them bigger reach and make it easier for them to get people that might be of interest.

[0] https://en.wikipedia.org/wiki/Nothing_to_hide_argument
pagutierrezn 1139 days ago [-]
Every one of your statements is equally applicable to Chrome, right?
rglullis 1139 days ago [-]
Yeap. Don't use Chrome if you can avoid it. I've been using Brave for years already and I am very happy with it.
techrat 1139 days ago [-]
Except Brave itself also collects telemetry and has been caught whitelisting cross-site APIs from sites like Facebook.

https://nakedsecurity.sophos.com/2019/02/12/privacy-browser-...

Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable. Privacy should mean privacy, even if that means losing functionality on a select few sites.

rglullis 1139 days ago [-]
Oh, give me a break.

> collects telemetry

https://brave.com/privacy-preserving-product-analytics-p3a/

   * P3A doesn’t collect any personal information. 
   * You can turn P3A off at any time in the “Privacy and Security” section of the browser preferences.
   * All the P3A code will be open source (...) you can check that your browser is only sharing the specific things we promise.

> Honestly, when Brave makes the kind of claims that they do, an oversight like this is inexcusable.

The claim was never about absolute privacy but rather as strong a default as possible while keeping the web functional. And in that department they are delivering more than any alternative - more than even Firefox out of the box. Not to mention that TFA itself states that the implementation was far from ideal.

Anyway, the biggest question I have for those that are so quick to criticize Brave is "what else do we have with a business model that can disrupt Surveillance Capitalism?". Apple could if they wanted, but where is Safari for Windows/Linux? Any of the others? Doubtful. Even Mozilla's dependency on ad revenue from Google makes them less credible. So why shit on Brave when there are absolutely zero potential alternatives?

africanboy 1139 days ago [-]
> Shouldn't that be a huge red flag? Any time someone offers something too good to be true, it never is

Does that include the free tiers that many US companies are offering?

For example: Google, Facebook, Twitter, YouTube

rglullis 1139 days ago [-]
Yes. It also includes any free social media, any free messenger platform and any ad-based "freemium" service.

Surveillance Capitalism is bad and we should be fighting it.

reaperducer 1139 days ago [-]
I really have nothing significant on me that the Chinese would want to be concerned with me.

So you give them your email passwords? After all, you have nothing to hide.

subsection1h 1139 days ago [-]
> A $200 xiaomi phone is equivalent in specs to a $600 Samsung.

Xiaomi phones have much higher audio latency than Samsung phones.[1] As a VoIP user, I would rather use an entry level Samsung phone (e.g., a $150 A02s) than a Xiaomi flagship.

[1] https://superpowered.com/latency

duxup 1139 days ago [-]
There's reason to be concerned about all software.

But I agree that software from significantly non free nations is extra concerning.

bassman9000 1139 days ago [-]
Ignorance and cost. Chinese phones are popular in Europe, where Apple/Google/Samsung flagship phones are prohibitive, and similarly spec'ed Chinese ones are a fraction of the cost.

And we can't forget many Euro citizens simply don't care.

ClumsyPilot 1139 days ago [-]
Maybe they are spreading the risk, now I can be spied on by agencies with conflicting interests, so no one has a complete picture?
vitorgrs 1139 days ago [-]
Because it has cost benefit. Redmi Note here in Brazil are super popular. The only alternative for that is Samsung, but it is not exactly better. I believe Xiaomi devices are still cheaper than Samsung here.
dj_mc_merlin 1139 days ago [-]
It's a choice between being spied on by the West or the East.
perryizgr8 1139 days ago [-]
Because the products are literally 10x cheaper than the same thing from Apple or Samsung. The price gap is too large to ignore for most people.
La1n 1139 days ago [-]
I agree with your statement, but I'd like to take it a bit further. Why run any closed-source software from (or have servers in) countries that can request your data without a fair trial (e.g. secret courts)? I feel just as uncomfortable about national security letters and the NSA/CIA as the MSS, this from someone who is not living in China or the US.

I do think this shows the perks of open source software and being able to self-host or use federated solutions.

matkoniecz 1139 days ago [-]
> Why

Because it is much easier. I am already spending plenty of time on badgering local government about green spaces and bicycle infrastructure, massive amount of time on OpenStreetMap - and my time is limited.

I have no time to learn how to run and maintain my own mail server.

tiagod 1139 days ago [-]
Can you tell me which countries definitely won't force you to secretly do things you don't want to in matters of national security?
La1n 1139 days ago [-]
Maybe ask OP, as they did bring up MSS. I myself try to self-host as much as possible, and try to use open-source roms/software on my phone/desktop.

https://github.com/awesome-selfhosted/awesome-selfhosted

eznzt 1139 days ago [-]
> I truly don't understand, from a security and privacy perspective, why anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China.

They make cheap phones.

AntiImperialist 1138 days ago [-]
For the same reason anyone chooses products created in any other country. All countries can force the companies to share data hosted in that country to companies which operate in those countries.

Zoom is banned as a result of marketing efforts of competitors like Microsoft and Google. I have worked in companies which have either Microsoft products banned or Google products banned.

notsureaboutpg 1139 days ago [-]
All you have to do is look at it from more than a security/privacy perspective.

Chrome is the most used browser despite Firefox doing nearly everything Chrome does the same and everyone knowing that Firefox doesn't track you like Chrome does.

It's obvious why. It's a little faster, it has more money behind it, it comes pre-installed (and unremovable) on most phones, etc.

aroman 1139 days ago [-]
I recently bought a Xiaomi phone (Poco m3) for development. I was shocked to learn that in order to enable USB debug mode in developer settings, I needed to BOTH:

1) make a Xiaomi account with

and

2) insert a SIM card to the device (!)

Is that not insane? Other people seem to think so too: https://android.stackexchange.com/a/186052

Apparently the only alternative to this is rooting the device, which may break it.

ev1 1139 days ago [-]
I've been told that the reasoning behind this is shady resellers loading unremovable system malware to the system partition (which runs as device admin++) before reselling this to you.

Apparently this is a huge problem in China, where there seems to be quite literally no trust at all on online shopping. This actually does seem to be the case if you try buying devices from any NON-xiaomi-official store Aliexpress shop. They're usually $0.01-$1.00 cheaper, and are guaranteed to be packed with massive amounts of malware. None of which can be pressed "disable" or "uninstall" (greyed out).

They use fake reviews and fake buyers much like Amazon in the west, to inflate their order count and ratings to be sorted above Xiaomi official store

kar5pt 1139 days ago [-]
This is exactly what Android verified boot is meant to prevent: https://source.android.com/security/verifiedboot. Why can't Xiaomi just do that?
ywei3410 1139 days ago [-]
Jesus, do you have any sources (Chinese is fine) for this? This is horribly anti-consumer and I'm surprised there's not more of a push back if it's so common.
ev1 1139 days ago [-]
Try searching for the phrase "fakerom" or "fake rom" or "rottensys" with xiaomi.

The resellers get paid a few dollars for the malware install. I think the most common is people reselling to ship out to other countries, and not sold in China itself.

The AliExpress shops get shut down, negative feedback, but they just open another. Note that AliExpress actually shuts these down in the first place and is the "reputable" end of things. Never ever buy devices from gearbest, wish, etc. - ever.

john2010 1138 days ago [-]
Another reason being some eBay/re-sellers buy in low cost places (like India/China), reinstall the EU ROM and sell it at high cost. (Even now many devices in Asian markets come with a label like "Only for India-SIM".)
Daho0n 1139 days ago [-]
Anti-consumer? By the capitalist businesses? Of course. It's just like buying crap from Amazon. If you use it you support it.
grishka 1139 days ago [-]
Xiaomi phones have unlockable bootloaders, so rooting is really trivial, but guess what? You need a Xiaomi account to unlock the bootloader too! And they make you wait several days to do it.

And no, you can't break an Android device by rooting it. Worst case you'll have to reflash the system partition through recovery.

dave_sullivan 1139 days ago [-]
Went through this recently. Had to download xiaomi unlock software to unlock the bootloader. Probably sent an image of my hard drive back to china in the process. And the 7 day wait period. Really is an example of price too good to be true because they collect your data and probably get huge government subsidies to do so. Nice phone though once you flash it.
grishka 1139 days ago [-]
Yeah I did do that too several years ago, but I ran it on a VM because I didn't have a real Windows machine anyway.
approxim8ion 1139 days ago [-]
>Probably sent an image of my hard drive back to china in the process.

Come on. Do better.

squarefoot 1139 days ago [-]
I just bought the same phone as a gift for my girlfriend, and was considering getting one for me one day since it's a really nice piece of hardware for the price. Some searches around brought this link of a community of non official developers attempting to clean up the system from some preinstalled junk.

https://xiaomi.eu/community/

circo 1138 days ago [-]
You are probably better off wiping it and installing stock android or some popular custom ROM over trying to hack away the MIUI spyware.
squarefoot 1138 days ago [-]
Is there any tested and safe way to reflash it with a custom ROM (suggestions?)? The chance of bricking a new phone doesn't look that appealing.

PS: Sadly, the Pinephone is permanently out of stock, otherwise I wouldn't even consider anything else.

qwertox 1139 days ago [-]
I bought a Poco X3 NFC about a month ago, and also was confronted with the Xiaomi account signup request when I tried to enable USB debugging.

For me this was enough of a reason to send the device back, but I started fiddling around and ended up being able to use USB debugging without a Xiaomi account. I don't remember how I managed to do this, I think I had to disable a specific MIUI optimization. No ADB had to be used for this. I think it was this https://android.stackexchange.com/a/185876

I'm also pretty sure that I did not insert a SIM card at that point, because I was still using the device-to-be-replaced on that and the following days.

I think it's just a lot of tactics which they use in order to push you to create an account, but ultimately it's not required.

That being said, I really despise their MIUI, all their modifications. Everything about it attempts to make you use their products, even if Google's apps are already installed.

For me, the Android experience which the Pixel devices give you are all I want. Even Motorola's minor enhancements are something I don't want on a new phone.

asien 1139 days ago [-]
> Is that not insane?

Yes I personally find it very shocking.

Bought a Samsung A20 for the same purpose, no need for a sim or any sort of dev account.

Plugged the USB cable in and a few minutes later my NativeScript app was running.

monksy 1139 days ago [-]
Same for the mi pad plus 4 to root it. You have to have it tied to an account for a month.
gruez 1139 days ago [-]
>2) insert a SIM card to the device (!)

You need to insert a SIM AND use mobile data on it (i.e. turn off wifi, enable mobile data). Just inserting a dummy SIM card won't work.

dheera 1139 days ago [-]
That's terrible. Is it possible to even root it without enabling debug mode though? I've always had to use "adb reboot-bootloader" to get into the bootloader because the stupid key combination doesn't seem to work on recent phones, or maybe it's just that my fingers aren't fast enough.
SquareWheel 1139 days ago [-]
I ran into the exact same thing. And because I don't have a SIM card (it's an at-home "tablet"), I have no way to enable USB debugging. Pretty frustrating.

If Lineage starts supporting this device, I'll definitely move over from MIUI.

nottorp 1139 days ago [-]
Yes, I returned it and got a Samsung instead for this exact reason.
aroman 1139 days ago [-]
Any model to recommend? Not sure if our use cases are the same -- I wanted to find a cheap "lower end of the market" phone to test my mobile game on. Frankly, the Poco M3 might even be too powerful for that purpose...
eptcyka 1139 days ago [-]
Not a Samsung in my experience. They get slow quick and the bluetooth chip on mine died literally out of nowhere. After 3 months of use, no less.

Get a pixel or a oneplus.

nottorp 1139 days ago [-]
I have a Galaxy A21s now. It was just slightly more expensive than the Xiaomi I tried. Not sure how low end it is though.

Mind, it's strictly a development phone. It sits on my desk plugged in, unless I debug those Android apps. No sim card in either. My personal phone is an iPhone XS.

stevenhuang 1139 days ago [-]
I recently ordered the 2020 version of the Moto G Power (XT2041-4) from Costco for personal use, upgrading from the Moto G6 Play.

And although Lenovo is now China-owned, the Moto line is still pure Android and no bloat.

Did a lot of research and the last gen G Power is the best spec'd budget phone around this price point that is not a Samsung and sold in typical NA big box stores.

danlugo92 1139 days ago [-]
A10 or A01 are pretty slow
cwhiz 1139 days ago [-]
Chinese browser collects your data? Spyware.

American company collects your data? $1,400,000,000,000 valuation.

This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

chomp 1139 days ago [-]
1.) Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.

2.) People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc.

3.) We don't commonly call billionaires who live in the Middle East, China, and other non-western countries "oligarchs", do you know why?

Why are you so upset about Xiaomi getting called out?

cwhiz 1139 days ago [-]
>Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.

I'm referring to Google with that valuation.

>We don't commonly call billionaires who live in the middle east, china, and other non-western countries "oligarchs", do you know why?

Propaganda? An oligarch is a rich person with a lot of political influence. Sounds like an average billionaire to me.

>People call out Google all. the. time. There's an article here weekly about dumping Google, finding alternatives, praying for antitrust regulation, etc

I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.

>Why are you so upset about Xiaomi getting called out?

Only annoyed at the obviously biased language.

chomp 1139 days ago [-]
I know you were referring to Google, that is why I made the point about Google. Xiaomi is a tech company with a personal data spying program and is worth maybe 50 billion, and supposedly the "4th most valuable startup in the world," if you trust Wikipedia. My point is that the valuation is based on the profit potential that investors see, not how ethical either company actually is. And both derive a non-zero amount of that value from spying on humans.

The Russian oligarchs are a group of people that grabbed large amounts of wealth by reaping the downfall of the Soviet Union. They are a very specific, well connected group of people outside of normal Russian billionaires. The reason specifically that they are oligarchs instead of just normal billionaires is that they are very plugged into the government and sway its operation. And I know there's some cynics out there that will be like "well that's just billionaires in general" but I encourage you to learn about the leverage this group of people have on normal government operations.

With regards to the observation that no one refers to Google as spyware, I don't think I see this either. But I do see tons of mainstream articles raising the point that Google spies on users. The problem is that (it feels like, at least) only us tech-inclined seem to care:

https://www.forbes.com/sites/jenniferhicks/2020/10/27/heres-...

>The report found that 80% of Americans think at least one tech giant is listening in on their conversations: Facebook at 68%; TikTok at 53%; and Google at 45%. But only 18% said they had deleted Facebook because of privacy concerns.

I fully agree Google is just an advertising company dressed up, and also further propose that its open source contributions and tech projects are its robing. I think there's still room to criticize other companies however, especially since privacy issues from companies like Xiaomi don't often get featured on HN.

ckozlowski 1139 days ago [-]
There's a big difference between Google exploiting private data to sell you more things, and a different company exploiting private data to hand over to a police agency that arrests individuals for having the wrong political views.

I'm not suggesting the former is without fault, and fault by one does not absolve another. But you're right in that these are two very, very different things.

chomp 1139 days ago [-]
Oh, yeah definitely. I just dislike getting into those weeds specifically because it gets people weighing wrong on scales instead of actually calling out both wrongs individually.
pferdone 1138 days ago [-]
Did we forget about PRISM[0]? It's all the same, just different labels depending which side you're on.

[0] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

missedthecue 1139 days ago [-]
How much political influence do you think someone like Bezos really has? Everyone in Washington hates him. No one wants to do favors for him. They drag him in front of Congress to get a bunch of soundbites to play next election cycle.

They win elections on shutting down his headquarters plans. They want to break up his company, raise his taxes on unrealized capital gains, they want to force him to divest his personal investments like WaPo.

Same goes for other billionaires. You think there's a lot of love for Ken Griffin? Or the Google founders? Or Jamie Dimon? Of course not.

Billionaires are a common bogeyman for the populists that have ruled the capitol for the last 10 years or so.

AlexandrB 1139 days ago [-]
On the flip side, there were municipal governments literally giving Amazon powers over taxation and spending[1] to get them to set up their headquarters in their city. I think this is quite a bit of political power myself.

[1] https://www.huffingtonpost.ca/entry/amazon-city-benefits-sec...

missedthecue 1139 days ago [-]
I wouldn't call someone with sway over municipal governments an oligarch though.
rchaud 1139 days ago [-]
> Everyone in washington hates him.

In public, sure. Behind the scenes, they're taking meetings with his lobbyists, and somehow the tax raise never happens despite politicians talking about it ad nauseam.

Part of modern politics is running a kabuki theatre of performative populism on the campaign trail. Not much happens once they are in office, because you need quick wins ahead of the next election.

varjag 1138 days ago [-]
You write this on the same day the President called for Amazon workers to unionize.
rchaud 1138 days ago [-]
Which is a performative act of solidarity with warehouse workers. What happens if those in right-to-work states unionize and get sacked? Biden isn't shouldering any of the risks they are.

Actions matter more than words. At this time, it's not even clear if Biden will go to the mat for a nationwide $15/hr minimum. That would do far more to incentivize Amazon to improve working conditions, as its $15/hr starting rates would no longer be competitive.

varjag 1138 days ago [-]
This is some 5d chess rationalization. There would be no calls to unionize Amazon if the govt was in Bezos' pocket.
john2010 1138 days ago [-]
+ 1

Also note that the Asian billionaires are learning from people like Bezos/Gates. In public they may be hate figures - but everyone orders from Amazon. Tax breaks for large companies.

(i.e. use think tanks to pass legislation to make everything they do legal.)

Daho0n 1139 days ago [-]
>the populists that have ruled the capitol for the last 10 years or so.

So the instant someone is elected they start calling Random Joe for funding their next campaign? Of course not. Politicians talk to people who help fund them, that or they are out. Having a politician's ear is power that Random Joe doesn't have. Using Bezos is disingenuous. How about Musk or Bill Gates or one of the many rich oligarch families who have the same name as former presidents? Don't pretend money has less power in US politics than in Russian politics. If anything it is worse.

godelski 1139 days ago [-]
> I don't think I have ever seen a mainstream publication refer to Google apps and services as spyware. Which of course is what they are.

You seem pretty active on HN so I'm a bit skeptical that you honestly believe this. But I'll respond in good faith anyways. Here's the first result from Google (didn't even use DDG)

- (Washington Post) Goodbye, Chrome: Google’s Web browser has become spy software[0]

But since you're active I'm sure you know about The Social Dilemma, Snowden, etc. I've seen episodes on 60 Minutes, CNN, Fox, and pretty much everywhere that calls criticism to companies like Google and Facebook. Does China get called out more often? Yeah. Why? Because we're in a cold war with them. But still in many of these pieces I've seen them make slights at American tech companies. Things like saying that what they do is bad, but what China does is worse.

[0] https://www.washingtonpost.com/technology/2019/06/21/google-...

KoftaBob 1139 days ago [-]
"Russian Oligarch" has a more specific meaning: https://en.wikipedia.org/wiki/Russian_oligarch
sneak 1139 days ago [-]
I see people calling out Google regularly but rarely is Chrome explicitly termed "spyware", although it very much is: I had to configure G Suite managed browser settings recently and there are like 4 different backdoor ways that big G can "incidentally" process your web traffic and keystrokes: enhanced safe browsing, image alt text accessibility service, uploading your downloads to a scanning service, browser profile history sync, "make the web better" history upload opt-in, etc. etc. etc.

We should be more consistent in our terminology.

varjag 1139 days ago [-]
Re (3), explore why Russians themselves call them oligarchs in the first place.
stevewodil 1139 days ago [-]
>1.) Xiaomi worth billions of dollars, not 1.4 trillion, but way more than most companies.

They're referring to Alphabet's (Google) market cap, not Xiaomi's.

totalZero 1139 days ago [-]
Pretty clear that GP understands this, since his next point specifically addresses Google. I think he's saying that Xiaomi is also a big company, albeit less big. Seems like a fair point.
pedrosorio 1139 days ago [-]
This is a very interesting chain on how people interpret comments. To me (and you) it is obvious that GP only had one reason to mention Google (the 1.4 trillion valuation), but both the OP and the person you are responding to were convinced the GP "didn't get it". Fascinating.
stevewodil 1139 days ago [-]
Actually, it's certainly not "pretty clear".

The GP responded to each line in the original comment with a number. So, their point about Google (point #2) was seemingly unrelated to their point about Xiaomi's market cap (point #1) as they addressed different parts of the original comment.

The GP mentioned Google perhaps not because of the market cap mentioned in point #1, but rather as a response to the original comment's mention of American companies.

This is further evidenced by their use of point #3 to refer to the term oligarch, which was the third topic raised in the original comment.

You can see how not clear this is based on other replies to the comment as well.

yumraj 1139 days ago [-]
Chinese browser collects data for CCP which will use it for spying and for action against you, your family and your country.

American company will collect data to show you ads and profit.

Are they really the same?

itsoktocry 1139 days ago [-]
>American company will collect data to show you ads and profit

Unless you get a target on your back, in which case the American company will provide the American law enforcement agencies with whatever data they want to take action against you and your family.

Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".

godelski 1139 days ago [-]
FWIW I didn't read the gp as supporting data collection, only noting a difference between corporations gathering data and governments. I don't support data collection, but I do think the distinction is useful.
yumraj 1139 days ago [-]
> Your assertion is just a variation of "if you're not doing anything wrong you shouldn't worry about spying".

Really, that is what you got from my comment.

In the case of CCP it can even be who you are, as in Tibetan, Uighur and so on.. Or, a national of a different country that China wants to spy on, or a relative of someone that China thinks has a differing opinion from CCP and so on..

It's not even on the same planet, let alone in the same ballpark..

zeusk 1139 days ago [-]
Well, under the Trump administration, we were at the state where ICE was getting tips from unlawful traffic stops and deporting said immigrants/refugees.

They're both evil, just that US is less so.

aww_dang 1138 days ago [-]
Immigration violations are crimes the world over. Disliking the CCP's policies, not so much.
AlexandrB 1139 days ago [-]
> American company will collect data to show you ads and profit.

7 years later and it's like Snowden never even existed.

https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

yumraj 1139 days ago [-]
Fair enough, if we want to argue along those lines - if you're in country X, would you like to be spied on by your country's gov AND China?

I, for one, would prefer, if I have a choice, it to be just my Gov and not a foreign Gov that I consider to be hostile..

wbsun 1139 days ago [-]
> I, for one, would prefer, if I have a choice, it to be just my Gov and not a foreign Gov that I consider to be hostile..

This seems intuitive at first sight but doesn't make sense to me: is it your Gov or a foreign Gov that can more likely bother your life?

Daho0n 1139 days ago [-]
Would I rather have some data harvested by the local three letter agency and some by a random Chinese company versus all my data harvested by an American entity (most western three letter agencies share with the US)? I would most definitely rather have them out of the reach of US spying even if it means sending it to China instead. You might consider PRC hostile but how much do you think it takes for your data to get US agents to come knocking on your door versus PRC agents? Sure today it might not happen but in your parents' youth it could have. In your children's lifetime your words today might harm them.

The short version is that unless you live inside the PRC data harvested on you is highly unlikely to matter no matter what you do. Inside the US or US allies? Be careful.

yibg 1139 days ago [-]
I would go the other way. What can China do to me unless I go there? Vs what can the US do to me since I live there, and even if I don’t live there, the US government reach is a lot wider.
serf 1139 days ago [-]
American agencies routinely collect data from the internet that results in actions against people.

One could say the motives are different, but to act as if American groups collect data purely for profit isn't true.

>Are they really the same?

No, but acting similarly doesn't imply identical similarity.

godelski 1139 days ago [-]
I think this point is very debatable, but I do think there are at least 2 good distinctions. 1) there's a difference between a corporate entity gathering data and a government. There's a difference in the effect those entities could potentially have on your life. In the latter case there is a bit of an arms race, like Google trying to grab all your data but also not sharing it with Facebook. In the latter case a government can consolidate all the data. 2) There's a big difference between your government collecting my data and my government collecting my data. This can go both ways too, but there's a lot of factors that dictate this: are our governments friendly with one another? Do I trust my government? How much? Do I trust your government? Etc.

They really aren't the same and personally I'd rather not have my data collected, but I'd rather it be dispersed with a corporate arms race who aren't allowed to set laws than an aggregate that belongs to a party that has much more control over my life.

frashelaw 1138 days ago [-]
Remember anything about Snowden's leaks? American companies happily share all the data they collect with local police departments and intelligence agencies, in bulk, with absolute impunity.

If anything, you face a much greater threat from the American intelligence apparatus than one in a foreign country.

nuker 1139 days ago [-]
> American company will collect data to show you ads and profit. Are they really same?

And your kids data. Grades, searches, web history, pics, diaries. I can totally see new private APIs for recruiters, banks, insurances - like personal assessment scores.

approxim8ion 1139 days ago [-]
to show you ads and profit, filter what you see online, decide your eligibility for housing and credit, imply your guilt by association or poor classification... and so on.

Don't try to whitewash it.

karaterobot 1139 days ago [-]
I don't grant your premise that the U.S. government's level of access to Google data is the same as the Chinese government's access to Xiaomi's. I also don't grant that the two governments are equivalent threats to privacy. You would need to demonstrate both of those things for me to be on board with your argument.

But, the point I actually want to make is that this implies that people aren't concerned with Google's use of their private data, which I think is demonstrably not true, given that they've got multiple open lawsuits against them over it.

Daho0n 1139 days ago [-]
> I also don't grant that the two governments are equivalent threats to privacy

So for someone like me, living in a 14 eyes country, are you saying that a government on the other side of the earth, which my government doesn't really like, having access to some of my data is worse for my privacy than a country my government is sharing data with, which also has access to pretty much everything that happens online? I know for a fact that no matter what I say or do online, PRC agents will never knock down my door. US agents? That would be quite a lot easier. In less serious waters, privacy is also worse, as we know from Snowden that the US not only harvests everything it can but also shares it with US businesses. Will I ever see ads based on an algorithm trained on data from both sides? No idea, but I know which one would be worse for me by a long shot.

somethingwitty1 1139 days ago [-]
I'm not sure oligarch means what you are thinking it does. Here is a wiki article which might help clarify why you'll sometimes hear the term used when describing certain Russian billionaires and why you won't generally hear the term used for billionaires from other countries: https://en.wikipedia.org/wiki/Russian_oligarch

Note: it also isn't a derogatory term, as appears to be implied here; it is just an identifier of how wealth was accumulated.

burntoutfire 1139 days ago [-]
> This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

Russian billionaires came to their wealth purely through corruption - i.e. using their connections during the crucial years of transformation to a market economy to buy huge state-owned industrial companies for 0.1-1% of their real value.

toss1 1139 days ago [-]
Ummm, Xiaomi also has a high valuation, and Google gets called out on privacy all the time, including many times in this very discussion.

Russian Oligarchs are called that because they are about two dozen people who looted about 95% of the country's wealth and are basically a transnational crime syndicate masquerading as a govt.

I can't tell if you are deeply clueless, trolling, or spreading dezinformatziya. Either way, perhaps you should remember this quote from famous American author Mark Twain: "It is better to remain silent and let people think you are a fool, than to open your mouth and remove all doubt".

theropost 1139 days ago [-]
But does the Chinese company fund your pension plans, pay wealth back to the government, and employ tax-paying citizens in America? Where do you want the asset valuations to be located - in your own nation, or another?
tpmx 1139 days ago [-]
> This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.

Seriously, this is what you're going with?

Russian oligarchs are people who just straight out stole national assets from the Soviet Union/Russia, with the help of the current ruler. There's a relatively clear definition:

https://en.wikipedia.org/wiki/Russian_oligarch

oblio 1139 days ago [-]
I don't know why you're being downvoted, the word has a very precise meaning. As much as we can whine about Google and such, all of them solved a valid problem many people were facing, and they did it brilliantly. For a really long time Google Search really was the only game in town.

The problem we have is with their externalities. For oligarchs, the main line of business <<is>> the problem.

passivate 1139 days ago [-]
They're just labels. Good polls are hard to do, and so it is quite hard to know whether these labels hold value in mainstream thought. For e.g. Do people under oppressive/spying regimes see Google in the same light when it comes to data collection?
emptyparadise 1139 days ago [-]
I find both to be disturbing and wrong. What do I win?
sexy_seedbox 1139 days ago [-]
You can start championing for a resource-based economy?
wendyshu 1139 days ago [-]
"What about..."
mads 1139 days ago [-]
Yes, I think everyone got the memo about American companies. Thanks though..
firebaze 1139 days ago [-]
I use a Huawei matebook D14 as my personal device. Its primary use is in a WiFi-network (as in 99% of the time). Since I also use MS devices in the same network I log all IPs being accessed from my network (https://www.raspberrypi.org/documentation/configuration/wire...)

I'll leave the log results of accessed IPs as an exercise to the reader. Hint: no chinese/russian IP addresses are being accessed.

I'd guess a lot more people use Huawei devices (before they were outlawed) than explicitly using a Xiaomi browser.

And a lot of people didn't forget Snowden.

Addendum: I use a MacBook Pro (32GB, i7) and a Win10 Pro work device (32GB, i7) as well. Neither contacts China or Russia. Both of them submit ~10x as much unknown traffic as the Huawei device.

I don't want to paint the Chinese dictatorship as "good", not at all. But I do want to remind you that the US is - as experienced by an EU consumer - worse. Not now, but maybe in the future, at least according to collected data.

MauranKilom 1139 days ago [-]
> Hint: no chinese/russian IP addresses are being accessed.

As Snowden revealed, the NSA itself is way above that playing field. They (quite unsurprisingly) use IPs in the respective country, or just false-flag IPs in "enemy" countries. And the data is not actually sent as plain packets but tacked in the form of metadata onto normal, innocent packets going elsewhere. Then servers on intermediate hops exfiltrate that data. And none of it might happen if you're not actually targeted.

That of course underlines your main point. I don't see "sends nothing to foreign IPs" as an argument though.

ckozlowski 1139 days ago [-]
I suspect that your point is that "a Chinese device doesn't mean it's reporting to China." I think it's good not to make this assumption.

That said, I also think it's incredibly naive to think that a collection system wouldn't make use of a local proxy to mask the ultimate destination of the information. It's such a trivial task to do, and provides a host of benefits to obfuscate and sow doubt as to where the data is going and will be ultimately used for.

I'm not assuming that "it must be reporting back to China through a proxy!", but rather that the absence of certain national IPs in that list shouldn't be used to rule out scenarios either. An ideal scenario for me would be that the device didn't call back, period, or if it did, it did so to endpoints that could be authenticated and audited.

firebaze 1139 days ago [-]
It's incredibly naive to assume NSA/* doesn't do the same, even if that affects your daily life as a human/business owner about as much.

I despise the Chinese government - whether it concerns Uighurs or the treatment of Tibetans. Still, I have a hard time believing none of my data collected by Google is used by the US administration, which, as we know, is not always led by a trustworthy person. Still, if I had to choose whom to embargo, I'd definitely choose China/Russia.

Since it's so easy to cheat traffic, there are two options: only china/russia needs to cover traffic, or ...?

purecoolnesss 1139 days ago [-]
The difference between China and the US collecting data is that one is evil and one is not, but in reality that kind of data collection is unethical no matter who is doing it.

To some of us there is not much difference.

pferdone 1138 days ago [-]
Which is which? I'm very curious.
tkinom 1139 days ago [-]
I have a 5-year-old Oppo phone and decided to use it as a podcast device. A few odd things about this phone:

1) My Google and IG accounts both sent me security alerts about successful login attempts from Thailand and Vietnam. I'm 100% sure I only created the IG account from this phone once and have not used that password anywhere else. The IG username/password was taken from this phone and a login was attempted from somewhere else.

2) I can't get the phone to disconnect from wifi. I put the phone in airplane mode, disabled wifi, BT, etc. I manually changed the wifi password to something else. It always successfully reconnected after a few days with the old password. There is logic in the phone that tries very hard to stay connected online. It remembers the old password and successfully connects with it after a few days.

   Only renaming the wifi AP in my router seems to finally permanently disconnect it from the network.

3) I have let the phone back online and created a Google account that is 100% unique to this phone. I'd love to know how long it would take for login attempts for that Google account from Thailand/Vietnam to start showing up.
lovelyviking 1139 days ago [-]
Why don't we address the root of the problem? Who controls the computer? If the user of a computer (with phone features) doesn't have full control over it, then this situation can and will be abused by someone who does. It seems a logical consequence of not having full control over your own computer.

Why do we mostly discuss the degree of such abuse and not the core of the problem?

Another core of the problem is dealing with communist regimes. We never learn? Communists are literally responsible for millions of deaths in the 20th century.(https://www.youtube.com/watch?v=NDTbNmUgeXk) They have a good record of disrespecting human rights. Why someone sane would expect them to respect any of his rights now?

tomc1985 1139 days ago [-]
Because there is a lot more money to be made when you don't control the computer.

We are in the middle of a data gold rush. Business types can't resist.

lovelyviking 1136 days ago [-]
Reminds me a bit of the logic of a thief who just can't resist.
SilverRed 1139 days ago [-]
Because it hardly makes a difference to power users, let alone average people. The Pixel phones come loaded with Google spyware, but you can flash your own rom on it to do whatever you want. But unless someone is out there developing an alternative rom without spyware that does everything you need, it may as well be locked down.
superkuh 1138 days ago [-]
I couldn't agree more. Software companies have latched on to the idea that they can sell software but the users can never own the software. This naturally led to worse abuses when the software could be loaded over a network. But the core problem is the assertion of ownership and control.
monkeyingaround 1139 days ago [-]
Xiaomi phones are insane, at least BlackShark. They replace virtually all the major user-level stuff of Android with extreme data-collecting alternatives. They then make it so that you cannot disable many of them (via adb, custom ROMs etc.) without bricking the phone; I'm talking wallpaper or clock apps that run with full, non-modifiable privileges. They subsidize cheap hardware with a truly insane level of tracking.

They will also stop allowing custom ROMs once they've built up enough reputation, some newer models already will never have custom ROMs.

trasz 1139 days ago [-]
So how is it different from a regular Android again?
monkeyingaround 1139 days ago [-]
Stock Android apps have sensible default permissions and are modifiable, e.g. the clock does not have unmodifiable access to every aspect of your phone. Clearer?
techrat 1139 days ago [-]
If you cannot replace the software on the Black Shark with alternatives without possibly bricking the phone, I would say that's a substantial deviation from the norm, where most other devices have unlockable bootloaders and ROM support using LineageOS.
a_imho 1138 days ago [-]
A run of the mill iphone is much worse in that regard.
phpisatrash 1139 days ago [-]
Really interesting. But if what the Xiaomi browser does is spyware, what is Google?

Does Google collect our navigation data? (Yes, if we are using Chrome or Android and logged in)

Does Google know what videos and what kind of videos we watch? (Do you need an answer?)

Call it spyware because it's a Chinese company? Really? Nah. Google does the same or at least worse.

I'm neither defending Xiaomi nor Google. The question is: almost every application does data collection. And if you call it spyware, then every app which does data collection is spyware.

dangwu 1139 days ago [-]
They're definitely both spyware at this point. Shoutout to Firefox, which makes a conscious effort to block tracking cookies and not collect data.
okl 1139 days ago [-]
By the grace of their benefactor (Google)?
Kelamir 1139 days ago [-]
Could you elaborate your point?
neltnerb 1139 days ago [-]
Apologies for not finding citations, but as an example of... suspicious behavior... Firefox had a big campaign about blocking Facebook tracking with a big push to install an addon to reduce Facebook data collection. They did not do that with Google. That's the one that stood out to me as especially asymmetric, others may have other examples they remember.

Don't get me wrong, Firefox is clearly the best of the options available. I use it all the time. But I'm also very aware that there is a bigger bias against Facebook (don't actually care since I don't go near it and block its javascript and cookies) than against Google. Of course, it's not obvious that this is Firefox's fault, Google is extremely good at finding probably-shouldn't-be-legal workarounds to just about any attempt to retain privacy.

You'd think making clear you want to retain your privacy should be enough, legally, but I guess there are no consequences.

Daho0n 1139 days ago [-]
Firefox puts Google in its own container just like Facebook. It also blocks third-party cookies and is way better at avoiding fingerprinting than Chrome.
okl 1139 days ago [-]
Google pays a lot of money to Mozilla to be the default search provider in Firefox. This creates a conflict of interest.

https://www.zdnet.com/article/sources-mozilla-extends-its-go...

jzebedee 1139 days ago [-]
Yes, they are both spyware. Call a spade a spade.
EvilEy3 1139 days ago [-]
What does Google have to do with Xiaomi spyware?

Or Google being spyware somehow makes Xiaomi spyware less shitty?

Decker87 1139 days ago [-]
I think it comes down to which companies and governments are on the other end. I'm far from trusting the US government, but I trust the Chinese government even less.
guerrilla 1139 days ago [-]
I'm sure you have your reasons but for me I feel like I have nothing to worry about from China living permanently outside of their jurisdiction.
_jal 1139 days ago [-]
There is a natural tendency to compare and contrast. And especially in cases where people are speculating about political motives, you're going to see that.

> Or Google being spyware somehow makes Xiaomi spyware less shitty?

Absolutely not, but both of them doing it defangs certain types of criticism.

techrat 1139 days ago [-]
>What does Google have to do with Xiaomi spyware?

False equivalence. If people in here actually broke down the differences, they would have to admit that their "Grr, Google just as bad!" hyperbole is more than just a tad disingenuous.

keepper 1139 days ago [-]
Yes, it does matter that it's outside of US laws. Just like the inverse matters too. ( an American company collecting Chinese user data should matter to Chinese users ).

This "whataboutism" is getting tiring. What Xiaomi does here is really bad. if google does/did the same thing it would ALSO be bad.

There is no "but they do it too!". It's bad, period.

nicolas_t 1139 days ago [-]
Well yes, I also call Chrome a spyware and don't use it. That's why I use firefox. And from what I read on HN, other people say the same thing about Chrome.
Darmody 1139 days ago [-]
Google doing something bad is not an excuse for others doing the same thing.

Also Google isn't under the control of an authoritarian government who is committing genocide as we speak.

I'm no Google fan and I dislike what big tech has become, but I'd rather let Google have my data than the CCP.

sandworm101 1139 days ago [-]
>>The article accuses Xiaomi of exfiltrating a history of all visited websites.

Is this our definition of spyware? I see countless articles float by on HN about super cookies, spy pixels and browser fingerprinting. Those do effectively the same things, track users against their expressed wishes, but we just don't call them spyware.

gkbrk 1139 days ago [-]
>We just don't call them spyware.

Who doesn't call trackers spyware? Everyone with a slightly-above-average sense of privacy has been calling them spyware and blocking them for years.

Daho0n 1139 days ago [-]
Chrome is popular on HN so you are wrong, sadly.
powerapple 1139 days ago [-]
Unfortunately, Xiaomi's business model is to sell hardware with little to no profit margin and make profit as an internet company, i.e. advertising and so on. I give them the benefit of the doubt that the 90-day renewal was added and didn't work, maybe due to not being unit tested. Still, it is the same ad business as FB. I love the look of their phones, but I would pay for an iPhone for the benefit of a secure OS and better privacy.
dicomdan 1139 days ago [-]
They give away low cost hardware because it's a military branch of the government whose purpose is establishing a global surveillance network. Being profitable is a nice to have but not a primary purpose as they get subsidized by the state regardless.
powerapple 1138 days ago [-]
Okay. So Chinese government keeps pumping money into Huawei, Xiaomi, Tencent, Alibaba, Tiktok and many other businesses so that they can ..... make money? You have to ask an economist for how this works, I am not intelligent enough to figure it out.
Darmody 1139 days ago [-]
I'm using a firewall to block tens of IP addresses and several apps.

Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app, is less than 15MB?

I'll be getting rid of this phone by the end of the month.

La1n 1139 days ago [-]
Most Xiaomi phones are relatively easy to root/unlock and install a new rom on.
kuratkull 1139 days ago [-]
I have had 3 Xiaomi phones over the years. Their proprietary bootloader-unlocker tool has always taken a good day or two of work to get the phone unlocked when I don't have adb tools /drivers installed from the get-go. Their utility gives me failures/errors/denials/"your social credit is too low" (i don't live in/near China) dozens and dozens of times before it finally decides to unlock my phone for me. I'm pretty sure my next phone won't be a Xiaomi, though it's hard to find sanely priced non-Chinese phones with good ROM coverage these days.
okl 1139 days ago [-]
Yep, here's the link to the LineageOS device list with installation instructions. https://wiki.lineageos.org/devices/#xiaomi
nottorp 1139 days ago [-]
But why would you have to root and reflash it? Couldn't they, you know, respect their customer instead?
Sebb767 1139 days ago [-]
They're basically the only company allowing you to root a phone without losing warranty. And it's not like other manufacturers come without FB installed as a system app - yes, they're a bit worse on privacy by default, but it's not like they're the black sheep within a pile of innocents.
kzawisto 1139 days ago [-]
They respect their customer by selling hardware 50% off compared to Samsung and 80% off compared to apple. Having this with custom rom is a bargain imho.
sodality2 1139 days ago [-]
How do you trust the hardware? Granted, how do you trust the hardware in any phone. But the risk may be higher if the entire production chain is in the one country with privacy/surveillance abuses.
kzawisto 1139 days ago [-]
Well you don't, but 1) no one can be trusted anyway. 2) one can analyze traffic after flashing to see if it is still phoning home. I won't expect it to, it's just too much hassle compared to doing it with software, just for sake of someone who flashed custom ROM. If you have real reasons to be worried about Chinese spying (like business/government work) then obviously you wouldn't buy any hardware like that anyway.
approxim8ion 1139 days ago [-]
Like which other manufacturer of the size and scale of Xiaomi? Every single one of them has locked bootloaders, Samsung even bundles ads, and all of them without fail use Google Play Services and all kinds of other proprietary nonsense that can and maybe should be categorized as spyware.
La1n 1139 days ago [-]
>Couldn't they, you know, respect their customer instead?

I think the phone vendors that do that are in the vast minority.

okl 1139 days ago [-]
I don't know. I agree that it's not a customer-friendly policy. But if you're already stuck with a Xiaomi phone you have to either return it or bite the bullet; there's not much else you can do.
xioxox 1139 days ago [-]
Unfortunately Google is making it much harder to run ROMs now due to the new SafetyNet bootloader checks. You'll no longer be able to use many bank apps (or even the McDonald's app!).
LegitShady 1139 days ago [-]
You can never be sure what's hiding in the hardware, if you already don't trust the software.
Darmody 1139 days ago [-]
Yeah, that's what I wanted to do but the power button doesn't work anymore so if I turn it off, there's no way to bring it back to life.
yc12340 1139 days ago [-]
> Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app it's less than 15MB?

Because, unlike Google, they don't use app bundles and partial updates?

firebaze 1139 days ago [-]
Chrome is the definition of spyware, just by widely known facts. Doesn't make Xiaomi browsers better, I know.

Still, 90%+ use Chrome. I know no one using a Xiaomi browser.

antonzabirko 1139 days ago [-]
Did you really need to investigate this to realize it's spyware?

This and chrome and most web browsers are spyware at this point.

BelenusMordred 1139 days ago [-]
Chrome's "Software Reporter Tool" basically scans your whole computer and sends that data off to Google/NSA. It's literal spyware.

Firefox doesn't do this.

throwawei369 1139 days ago [-]
Instead Firefox uploads your geographical location to their servers every time it starts up. And before you ask, this telemetry cannot be stopped.

And when you finally manage to do some therapeutic dissonance from the above default behaviour.

Whenever you use the inbuilt DoH on Firefox, FF shares these stats with Cloudflare too.

BelenusMordred 1138 days ago [-]
Thankfully geographic location is simple on the internet
utbabya 1138 days ago [-]
Quick scrolling through the comments, I wonder how many people actually RTFA?

Looking at the list of things they collect, how could it possibly be legitimate, or compared to what "western" or any other companies are doing?

  - Full URL history
  - Full search history: engine and terms etc
  - Full download history
  - Full youtube activities: search, which video, for how long
This is a full-blown phone-home trojan horse.
wooptoo 1139 days ago [-]
What's worse is that the whole OS is actually spying on you, not just the Mi browser. Even when idle my phone is trying to send bits of data to their servers.

Xiaomi are great but for me this is the end of the line with their phones. Privacy comes at a premium nowadays and lots of us are willing to pay for it.

Those affected can block the following domains from resolving:

- data.mistat.intl.xiaomi.com

- sdkconfig.ad.intl.xiaomi.com

Daho0n 1139 days ago [-]
Using pihole is effective but don't try blocking a Chromecast like this. I did and even using two piholes the network got killed by these hundreds of DNS requests per second to Google.
throwawei369 1139 days ago [-]
> data.mistat.intl.xiaomi.com

Ah. I'd recognize this spy domain anywhere since it regularly features in my pihole's top 5 blacklisted ones

aembleton 1139 days ago [-]
Also tracking.intl.miui.com
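The three hostnames named in this thread (wooptoo's two and the one above) are the kind of thing a DNS sinkhole such as Pi-hole, which runs dnsmasq underneath, handles well. The script below is an added example, not code from the original thread or from Xiaomi or Pi-hole: it scans dnsmasq-style query logs for those hostnames and their subdomains, counts hits per domain and per client so you can see which device is phoning home, and renders the dnsmasq `address=` lines that sink them. The log lines in it are constructed, not captured; the `query[A] name from client` format is dnsmasq's own.

```python
"""Flag and sink telemetry hostnames seen in a dnsmasq-style DNS query log.

Added example for the HN thread, not part of the original posts.  Assumes the
dnsmasq/Pi-hole query log format ("query[TYPE] name from client"); the sample
log below is constructed, not a real capture.  Blocklist entries are the three
hostnames named in the thread.
"""
import re
from collections import Counter

# Hostnames named in the thread; matching covers the apex and every subdomain.
TELEMETRY_DOMAINS = (
    "data.mistat.intl.xiaomi.com",
    "sdkconfig.ad.intl.xiaomi.com",
    "tracking.intl.miui.com",
)

# Constructed sample log lines in dnsmasq's query format (not real captures).
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[1234]: query[A] data.mistat.intl.xiaomi.com from 192.168.20.14
Mar  1 10:00:01 dnsmasq[1234]: query[AAAA] data.mistat.intl.xiaomi.com from 192.168.20.14
Mar  1 10:00:02 dnsmasq[1234]: query[A] www.example.org from 192.168.20.7
Mar  1 10:00:03 dnsmasq[1234]: query[A] api.sdkconfig.ad.intl.xiaomi.com from 192.168.20.14
Mar  1 10:00:04 dnsmasq[1234]: query[A] tracking.intl.miui.com from 192.168.20.22
Mar  1 10:00:05 dnsmasq[1234]: query[A] notxiaomi.com from 192.168.20.7
Mar  1 10:00:06 dnsmasq[1234]: query[A] data.mistat.intl.xiaomi.com.attacker.example from 192.168.20.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def matches_blocklist(name, blocklist=TELEMETRY_DOMAINS):
    """Return the blocklist entry that covers `name`, or None.

    A name matches an entry if it equals the entry or ends with "." + entry.
    Plain substring matching would wrongly accept a name such as
    "data.mistat.intl.xiaomi.com.attacker.example", so label boundaries
    are checked explicitly.
    """
    name = name.rstrip(".").lower()
    for entry in blocklist:
        if name == entry or name.endswith("." + entry):
            return entry
    return None


def scan_log(log_text, blocklist=TELEMETRY_DOMAINS):
    """Count queries that hit the blocklist, per entry and per client IP.

    Returns (per_domain, per_client) Counters; lines that do not parse as
    queries (answers, cache hits, startup noise) are skipped.
    """
    per_domain = Counter()
    per_client = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = matches_blocklist(m.group("name"), blocklist)
        if hit:
            per_domain[hit] += 1
            per_client[m.group("client")] += 1
    return per_domain, per_client


def dnsmasq_sinkhole(blocklist=TELEMETRY_DOMAINS):
    """Render dnsmasq `address=` lines that sink each entry and its subdomains.

    `address=/example.com/0.0.0.0` answers A queries for example.com and every
    name under it with 0.0.0.0; the `/::` form does the same for AAAA, so the
    device gets an immediate unroutable answer rather than a timeout.
    """
    lines = []
    for entry in blocklist:
        lines.append(f"address=/{entry}/0.0.0.0")
        lines.append(f"address=/{entry}/::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    by_domain, by_client = scan_log(SAMPLE_LOG)
    for domain, n in by_domain.most_common():
        print(f"{n:4d}  {domain}")
    for client, n in by_client.most_common():
        print(f"{n:4d}  from {client}")
    print(dnsmasq_sinkhole(), end="")
```

Point the script at a real `/var/log/pihole.log` or dnsmasq log instead of `SAMPLE_LOG`, and drop the generated `address=` lines into a file under `/etc/dnsmasq.d/` to apply the sinkhole. The per-client counter is the useful part: as Daho0n notes above, some devices retry very aggressively when sinkholed, so it is worth knowing which client is responsible before blocking.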
Roritharr 1139 days ago [-]
I wonder more about their routers. For their specs they are extremely price competitive. Their AX6000 features a 2.5GbE port and 4x4 5GHz antennas with a supposed 4800 Mbit/s max throughput over all clients, for 120€ with shipping to the EU. The Netgear Orbi Pro is the only AP I could find that is similarly equipped, and it costs a handsome 400€.

The mostly Chinese and Russian reviews on YouTube seem to show those numbers to be at least not outright lies, but people on the OpenWRT forums talk about the routers talking quite a lot back to China.

I really wish for somebody credible to do a teardown to look into these boxes.

nirui 1139 days ago [-]
Well, if you're patient enough to sit through all the Chinese text, here is the teardown (with picture) you've been looking for: https://www.acwifi.net/12621.html.

Also, that router is currently on sale on JD.COM (https://item.jd.com/100017450204.html) priced at ¥599.00, about 80€ I guess.

There are rumors saying Xiaomi has somewhat subsidized their lineups with the intention to create their own ecosystem. If true, that's one of the reasons why their devices can have such low prices.

On the other hand, ¥599 is not exactly cheap in China. Somebody can literally survive an entire month on that amount of money. A "normal" price for a "regular" router is around ¥70~¥200.

nicolas_t 1139 days ago [-]
On the other hand, ¥599 is not exactly cheap in China. Somebody can literally survive a entire month on that amount of money. -> Not in any major tier 1 or tier 2 cities. Used to be possible a long time ago but nowadays, that'd be really tough
stephc_int13 1139 days ago [-]
For anyone trying to be privacy conscious by deleting their FB accounts, not using all the Google services, etc., it should be obvious that a good rule of thumb would also be to not use software built in China.

Even if they were not built with malicious purpose, they have both excellent state-funded hackers and poor security practices in most of their consumer products.

Unfortunately, from what I've seen, I think the same can be said about software from Korea/Japan...

novaRom 1139 days ago [-]
> Xiaomi now announced that they will turn off collection of visited websites in incognito mode. That’s a step in the right direction, albeit a tiny one.

They may also collect fingerprints and other biometrics (voice, pictures) in a similarly misleading way. There are a lot of wise tricks others have learned from Google. IMO only strict laws forbidding data collection from smartphones completely will change that.

phh 1139 days ago [-]
That's amongst the reason I do my AOSP GSI ( https://github.com/phhusson/treble_experimentations/releases... ; Generic System Image, an Android that works on pretty much all recent Android phones).

Xiaomi devices are usually at sweet spots price/performance-wise (not really great hardware imo, but well). With custom ROMs (including my GSIs, but other custom ROMs are fine as well), buy a phone for their hardware, not for their software. (BTW my daily driver is a Pixel 5... not running Google adwares! Only high-end-ish device that fits my hand).

However, Xiaomi devices are bricks for like a month, because before being able to install your own software, you need to be approved (connecting a smartphone on a Windows computer), and it's only once you get your smartphone that you can install your own software.

lostmsu 1139 days ago [-]
My problem with GSI was last I checked (1 year ago) it still did not support storage encryption (Max 3), and SELinux was off.

Awesome project though.

phh 1134 days ago [-]
Uh, both have been forever wrong using my GSIs?

I've never made any GSI without storage encryption, and My GSI have always been running SELinux enforcing. Some kinds of GSIs have those kind of issues, but it's only those that are binary ports from OEM ROMs, like port from Xiaomi or OnePlus ROMs, but proper source-based GSIs shouldn't have those issues.

lostmsu 1134 days ago [-]
Hm, I distinctly remember using specifically your GSIs mid 2019 (and would love to return to them) on Mi Max 3.

In an early 2020 XDA thread [1] I was advised to use phh-securise to re-enable SELinux, which suggests that it was not enabled by default, at least back then. I never got to try phh-securise, since the encryption part of the response was not definitive.

[1] https://forum.xda-developers.com/t/guide-nitrogen-10-10-phh-...

lostmsu 1134 days ago [-]
Prompted by your comment I reflashed my Xiaomi today with the latest A/B GSI [1], and the phone seems to be encrypted. Many thanks for your great work!

https://github.com/phhusson/treble_experimentations/releases...

nuker 1139 days ago [-]
Replace Xiaomi with Google and article will still be valid.
aboringusername 1139 days ago [-]
Are [computers] spyware? Yes, they are (2000) should be the title.

If you use a computer, smartphone or IoT device then yes, it collects data, just as Facebook runs ads.

What's collected these days:

Your social circle,

every time you connect to the mobile network, when, which tower you connected to, tx/rx bytes, who you phoned, where the callee is located

Whether you're in a car, walking (sensors)

Whether your sleeping...(a recent Google blog post talked about a new "sleep tracking" API).

You generate data as a human, interested parties (governments) collect that and will store it for the rest of time. I suspect there's a database of every URL visited by any human in the last 20 years.

This is not surprising and should surprise nobody.

t0astbread 1139 days ago [-]
Do you mind providing citations?
dheera 1139 days ago [-]
In other news, Xiaomi Roborock vacuum cleaners require you to enable GPS permissions and transmit Wi-Fi PASSWORDS and floor maps back to their server.

They've really been on a privacy invasion spree lately.

LegitShady 1139 days ago [-]
...I returned a scale to Amazon that required an app on my phone and location to be on when it's registered. For a scale. Wouldn't work without it.
dheera 1139 days ago [-]
Did it require SMS confirmation too? lol

In any case I hope you gave it a 1-star review.

LegitShady 1139 days ago [-]
I did, but looking for truth in Amazon reviews is an exercise in futility anyway.
kzawisto 1139 days ago [-]
Xiaomi is an awesome phone for its price tag; you just need to flash a custom ROM like LineageOS. And they don't even make this a problem, contrary to other manufacturers like Samsung.
ignoramous 1139 days ago [-]
> Xiaomi is an awesome phone for its price tag; you just need to flash a custom ROM like LineageOS.

There are likely tonnes of binaries that run outside of Android, so the OEM you choose matters too.

ComodoHacker 1138 days ago [-]
I believe Xiaomi being Chinese is kind of red herring here.

The thing about big data is you never know in advance what kind of data can turn into a gold mine for your business. So the strategy "collect as much as you can afford and get away with" is economically reasonable if not optimal. Until this changes, nothing will change. And Xiaomi is not an exception here.

unnouinceput 1139 days ago [-]
Quote: "However, you have to make sure that you have “Incognito Mode” turned on and “Enhanced Incognito Mode” turned off – that’s the only configuration where you can have your privacy."

Does the article's author really believe this, or is it put there because of outside pressure? I, for one, would not believe that for a single second.

usr1106 1138 days ago [-]
I know close to nothing about Android development in general and absolute nothing about Xiaomi in particular.

When looking at the code snippets in the article I wonder about the variable names. This doesn't look like decompiled code. And I don't think their whole browser is open source. What am I missing here?

kartoshechka 1138 days ago [-]
To make discoveries like that harder and to protect software from a commercial standpoint, its code is obfuscated before shipping. Modern JS frameworks do something similar to make code smaller and ship it over the network faster.
usr1106 1138 days ago [-]
Sure, that's what one would expect. But the code snippets in the article were surprisingly readable. That's what I didn't understand.
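As an added example, not code from the article, from the thread or from any Xiaomi app, and not a claim about how the article's own snippets were produced: a small Python triage script run over a constructed sample of what a Java decompiler emits for a ProGuard/R8-processed APK. It shows the general point behind the exchange above: name-shortening obfuscation renames classes, methods, fields and parameters, but it cannot touch string literals, because the program needs them at run time, so endpoints and telemetry field names stay legible even when every identifier is a single letter. The sample Java, the `.invalid` hostname and the field names are all constructed.

```python
"""Triage identifier-obfuscated decompiler output for the constants that survive.

Added example, not code from the article or from any Xiaomi app. The sample
below is constructed to look like Java decompiled from a ProGuard/R8-processed
APK: class, method, field and parameter names are shortened to a, b, c, ...,
but string literals are still present verbatim.
"""
import re
from typing import Dict, List

# Constructed sample. The host is a reserved .invalid name, not a real endpoint.
SAMPLE_DECOMPILED = r'''
public final class a {
    private final Map<String, String> b = new HashMap<>();

    public void c(String d, String e) {
        this.b.put("event_id", "search_query");
        this.b.put("query", d);
        this.b.put("imei_md5", e);
        this.b.put("region", "\"EU\"");
        f.g("https://collect.example.invalid/v1/track", this.b);
    }
}
'''

# A Java string literal: opening quote, then any run of non-quote/non-backslash
# characters or backslash escapes, then the closing quote.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# A literal used as the key of a Map.put(...) call, i.e. a telemetry field name.
MAP_PUT_KEY = re.compile(r'\.put\(\s*"((?:[^"\\]|\\.)*)"\s*,')
IDENTIFIER = re.compile(r'\b[A-Za-z_][A-Za-z0-9_]*\b')
URL_PREFIX = re.compile(r'^https?://', re.IGNORECASE)

_JAVA_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', '"': '"', "'": "'", '\\': '\\'}


def unescape_java(literal: str) -> str:
    """Resolve the common Java escapes so an escaped quote inside a literal
    reads back as a quote; unknown escapes are left untouched."""
    return re.sub(r'\\(.)', lambda m: _JAVA_ESCAPES.get(m.group(1), m.group(0)), literal)


def extract_string_literals(src: str) -> List[str]:
    """All string constants in source order. The escape-aware regex means an
    escaped quote inside a literal does not end it early."""
    return [unescape_java(m.group(1)) for m in STRING_LITERAL.finditer(src)]


def extract_map_keys(src: str) -> List[str]:
    """Keys passed to Map.put(...), which in telemetry code are the field names."""
    return [unescape_java(m.group(1)) for m in MAP_PUT_KEY.finditer(src)]


def renamed_identifiers(src: str) -> List[str]:
    """Single-letter identifiers outside string literals: the footprint of a
    name-shortening obfuscator. Literals are blanked first so that text inside
    them is not mistaken for code."""
    code_only = STRING_LITERAL.sub('""', src)
    return sorted({m.group(0) for m in IDENTIFIER.finditer(code_only) if len(m.group(0)) == 1})


def triage(src: str) -> Dict[str, List[str]]:
    """Split recovered constants into the buckets an analyst looks at first."""
    literals = extract_string_literals(src)
    keys = extract_map_keys(src)
    urls = [s for s in literals if URL_PREFIX.match(s)]
    other = [s for s in literals if s not in keys and s not in urls]
    return {
        'urls': urls,
        'fields': keys,
        'other_strings': other,
        'renamed_identifiers': renamed_identifiers(src),
    }


if __name__ == '__main__':
    for bucket, items in triage(SAMPLE_DECOMPILED).items():
        print(f'{bucket}:')
        for item in items:
            print(f'    {item!r}')
```

Run against the constructed sample, every identifier comes back as a single letter while the collection URL and the four field names are recovered intact; on real decompiler output the same pass is the usual first step before reading any method body. String encryption (a separate obfuscator feature) would defeat this, which is why an analyst checks for it when the literal list comes back empty.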
jmacjmac 1138 days ago [-]
Xiaomi is a widespread brand in many countries because its products are really cheap, and it looks like this trend will continue for the next years. It's very frustrating to see this. The Western world should impose standards to prevent it.
crazypython 1139 days ago [-]
A very good rule of thumb: Freedom-respecting (fully, 100% open-source) software won't screw you.

Simply knowing someone could be watching you and your source code reduces the chance of malicious code.

userbinator 1139 days ago [-]
The Linux kernel is 100% open-source. Yet it's growing user-hostile features --- https://news.ycombinator.com/item?id=26285683 --- and guess what all the locked-down Android phones run...?

Open-source doesn't mean anything for freedom if all you can do is look, because you don't have the signing keys and such to modify what you want. It just means they get to show you exactly how they put the noose on you, that's all.

Firefox is also chock-full of "telemetry" and it's 100% open-source. That one you do get to modify, but it's still a bloody bastard to strip it all out and recompile to your liking.

crazypython 1139 days ago [-]
> The Linux kernel is 100% open-source. Yet it's growing user-hostile features --- https://news.ycombinator.com/item?id=26285683 --- and guess what all the locked-down Android phones run...?

That feature is optional, and depends on proprietary, closed-source TPM firmware. You just proved my point– it has to be 100% open-source to respect your freedom.

> Open-source doesn't mean anything for freedom if all you can do is look, because you don't have the signing keys and such to modify what you want. It just means they get to show you exactly how they put the noose on you, that's all.

I agree. That's why I prefer the term freedom-respecting software. Under the free software definition, that is no longer FLOSS, because users do not have the right to modify the software.

> and guess what all the locked-down Android phones run...?

Alas, Linux is not under GPLv3, which ensures that users have an equal right to modify their software.

> Firefox is also chock-full of "telemetry" and it's 100% open-source. That one you do get to modify, but it's still a bloody bastard to strip it all out and recompile to your liking.

Get a prebuilt build of LibreWolf: https://librewolf-community.gitlab.io/

That it's fully open-source checks Mozilla's power to do abusive things. Telemetry can be disabled in Firefox settings.

I've used both of your examples to advance my point further. 100.0% open-source = freedom-respecting and non-abusive.

0xbadcafebee 1138 days ago [-]
My old Huawei phone is still my favorite phone ever. I don't care if they spy on me. Take my data, I don't care! I just want another phone that good and that cheap.
api 1139 days ago [-]
I assume that anything is spyware unless proven innocent, especially on mobile where surveillanceware is effectively the whole purpose for the platform's existence.
asien 1139 days ago [-]
> If you use Mint Browser (and presumably Mi Browser Pro similarly), Xiaomi doesn’t merely know which websites you visit but also what you search for, which videos you watch, what you download and what sites you added to the Quick Dial page

Yet people in Europe LOVE Xiaomi. I swear I've seen so many of my friends with those high-end $500 phones.

Even if they are tech guys, it's like they just don't care, they want the most powerful phone with the most features at the cheapest price.

At this game Xiaomi and other Chinese brands have become very good.

That being said, Google has been doing the exact same thing for 30 years. Nobody ever considered banning Google from anything.

Daho0n 1139 days ago [-]
I live in Europe. If I weren't a privacy nut I'd pick Xiaomi any day over Apple or Google. Now I use Android with OPNsense in front of it via VPN. Chinese phones don't log more than the other smartphones.
happppy 1138 days ago [-]
Block every company that tries to compete with US companies. First it was Huawei, now it's Xiaomi. FB and Google are both US companies and they literally track the hell out of their users to target ads, but they are doing great, never had much issue except Zuckerberg was in the news a few months ago, but the US didn't block them, because they are US companies and bring $$$ into the country.
de6u99er 1139 days ago [-]
That's why I will never become a billionaire. I would never do something to someone else that I don't want to be done to me.
throwawei369 1138 days ago [-]
I can tell your age by this comment. I'll leave you with this quote.

"You either die a hero, or you live long enough to see yourself become the villain"

dirtyid 1139 days ago [-]
Xiaomi makes money off services. Tracking subsidizes hardware. It's a business model. There's always the option to unlock.
systemvoltage 1139 days ago [-]
I am truly appalled at the level of discussion from what I consider intellectuals on HN. Comments here are repeatedly evaluating whether the same thing would apply to the US.

I expect more from HN. Can we please discuss the problem in isolation and especially the interesting technical bits? Ask yourself, this kind of exploitation is bad regardless of whether any country does something similar. It's anti-user in every possible interpretation.

La1n 1139 days ago [-]
> Can we please discuss the problem in isolation and especially the interesting technical bits?

Sure, but you also see this problem doesn't exist in a vacuum. Noted by you bringing up concentration camp numbers in this exact comment section. Maybe you should listen to your own advice?

systemvoltage 1139 days ago [-]
I think this is a general trend in China-based discussions. The problem does exist in a vacuum. Xiaomi phones have nothing to do with Google or any US-based tech.

I am highlighting the absurdity of comparing US ad-tech to 2 million people in concentration camps.

Karunamon 1139 days ago [-]
The only difference there is what the exfiltrated data is being used for. The real problem is one level higher, that the data is being exfiltrated in the first place.
hungryhobo 1139 days ago [-]
I think it provides context. If what they are doing is the status quo, then maybe we should question the status quo rather than an individual company.
zouhair 1138 days ago [-]
Oh, well. I was just about to buy a Poco M3 2 days ago. I guess I won't. A Moto G Power, I guess.
victorfonseca 1139 days ago [-]
Sorry, but... isn't it the same thing Google and Facebook have been doing since forever?
cavendish3313 1138 days ago [-]
As an app developer, I have found no serious app that does not collect user actions for optimization.
justplay 1139 days ago [-]
It is not just Xiaomi; Oppo/Vivo/Realme too track everything.
panpanna 1138 days ago [-]
Xiaomi devices are officially sold in EU. Wouldn't a GDPR violation basically kill the company??

Note that Xiaomi is a Chinese startup hub, started by former googlers. 90% of what they sell is produced by Chinese startups.

(That being said, I would never use Xiaomi software myself. I only use their hardware with open source 3rd party apps.)

cwkoss 1139 days ago [-]
How does this compare to google chrome's data collection?
Daho0n 1139 days ago [-]
On its own? Worse than Google. With all the things Google has access to from elsewhere? Way better.
shostack 1139 days ago [-]
What does that have to do with the subject at hand?
charcircuit 1138 days ago [-]
Spyware is based off intent. Collecting data doesn't necessarily make you spyware. You can literally call anything spyware depending on how schizo you want to be at this point.
unionpivo 1138 days ago [-]
This is a bad argument nowadays.

Even if they just collect the data now, they might sell it 5 years down the line.

You have to consider the worst possible interpretation, even if it's not true today. Companies can be sold or taken over, go bust and have their assets sold.

Companies can change too. Look at google. In 2000's I trusted google a lot more than I trust it now. You can bet google still has all my data from 2000's.

rbrbr 1138 days ago [-]
And so is Google Chrome. Basically everything Android. Just don’t use that platform if you care about your privacy. And stop pretending just because millions use it or because it is supposedly more customizable. Google is Google.
Alex701 1138 days ago [-]
Thanks for information.. https://bit.ly/2NKpX9X
Black101 1139 days ago [-]
I think it's the first time I see a headline with a question mark and the answer next to it...
bobthechef 1138 days ago [-]
Not surprising.

I don't see how you can expect any less of this, even in the US. American companies collect vast amounts of information that are either acquired by the state later on, acquired via some deal with the state, or some network of revolving doors is further entrenching US-style state capitalism which erases the distinction. Frankly, American corporations are effectively more powerful than the government at this point, at least in certain domains (like where freedom of speech is concerned). It'll only get worse until something gives.

And given that American greed funded the wealth and power of the CCP in the first place, given the massive investments in China, I do not expect the globalist American imperial oligarchy to change course. Why would they? They like what the CCP is doing. They share more in common with the Chinese ruling class than with most Americans.

bronlund 1139 days ago [-]
This is stupid. Google and Android are way worse than this.
f430 1139 days ago [-]
This surprises no one.
o_p 1139 days ago [-]
Xiaomis are pretty good and cheap, funny that one would care about the browser (which is optional, as you can install any browser you want) while Google owns your entire OS, but China bad US good amrite?
monkeyingaround 1139 days ago [-]
I can't remember the last time I felt fear expressing my beliefs on my phone here in the USA, so you tell me.
o_p 1139 days ago [-]
Sure, unless you are someone whose beliefs actually matter, like a reporter, and the CIA hacks your car's driving assistance or you are found dead by suicide with two shots in the head.
monkeyingaround 1139 days ago [-]
...and the goalposts shift
guerrilla 1139 days ago [-]
I guess that means you're pretty mainstream then. Sucks for Muslims, anarchists, journalists, activists, etc.
monkeyingaround 1139 days ago [-]
As a Muslim I can confirm you have nothing of content behind your ideology.
samstave 1139 days ago [-]
ARE YOU FN KIDDING ME:

Anything from the CCP is spyware - especially when the FN namesake is XI Jinpooh.

pid_0 1139 days ago [-]
Are all Chinese products spyware? Yes, they are.

Don't use Chinese brands for phones, software, etc.

gchrome 1139 days ago [-]
Exactly! Fully agree with you pid_0.

People, please just use Google Chrome and stop with all this Chinese spyware!

shostack 1139 days ago [-]
This comments section is getting hit hard with people trying to deflect by using Google Chrome as a scapegoat.
justicezyx 1139 days ago [-]
Hmm, I mean, why is Chinese capitalism so powerful? Because the government sanctioned and allowed capital's all-reaching power.

Do you believe the CCP is capable of utilizing such tools?

If the answer is yes, then you should ask yourself whether there is any realistic chance of overpowering such a technologically advanced "government", and how much more powerful the private sector would be. Think about how big the gap is between Silicon Valley and the US government in technological capabilities.

This framing of pinning everything as government-sponsored activity makes it very difficult to correct such behavior effectively, because it is easily brushed off as an intentional attack on the nation.

Why not just put it as what it is?

I mean, 996 in the Chinese high-tech industry is killing the quality of the work. That's obviously the right reasoning, right?

LegitShady 1139 days ago [-]
I don't think whatever point you're trying to make is very clear. There's a lot of insinuations and suggestions, but you're not actually making a point here.
anovikov 1139 days ago [-]
The whole notion of "spyware" in today's world is relative. Everything is spyware these days.
lucideer 1139 days ago [-]
Interesting to see the quite loaded (and slightly archaic in 2020?) term "spyware" used to refer to Chinese software. I haven't seen it used to describe Facebook or Google software, even alongside all of the recent news stories highlighting their apps' tracking footprint under Apple's newer iPhone App Store requirements.
ed25519FUUU 1139 days ago [-]
Our schools are dumbing down math and removing advanced classes (if you can even go to school) because of “white supremacy”, meanwhile China is investing full speed into engineering disciplines and is performing extremely effective espionage against virtually all Americans.

I don’t know if there will ever be a sino-American war, but if there ever is one it’s going to be very painful for us.
