Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher, but “Tim Sweeney is the anti-corporate robinhood who will dismantle hegemony of Valve and Apple” is very popular narrative on every western tech site
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
the scheduling is the tell. 17 commands every 30 min isn't analytics or crash reporting - that's systematic fingerprinting with a consistent cadence.
what's frustrating is this is basically invisible without running in a monitored environment. static analysis won't surface it. you'd need behavioral monitoring - network traffic plus syscall tracing - to even know it's happening.
seen similar patterns in CI/CD tooling actually. less blatant but same mechanism - process phoning home way more often than you'd expect, commands that look like routine system auditing. most devs assume third-party tools behave themselves.
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone.
Where i felt especially bad was Dead by Daylight mobile.
Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses!
This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
Shits like this is what makes me wary about Chinese made video games proliferating in the west. You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
A competent Western administration would have banned it all years ago. But instead of securing the future of Western civilization, they want detente and cheap plastic goods instead. Shrug.
> You never know if your kid's genshing impact or black myth wukong is listening to you and siphoning all data on your local network to China.
Don't be ridiculous, all that garbage is VLAN'd off, and my router has strict firewall logging for any suspicious outbound traffic.
I'm sure I can trust my Chinese made router to handle this safely for me.
It's even worse now with cheating creating the world of Kernel Level Anticheat (KLAC) who knows what they are doing! A dream for someone who wants to move laterally through a network, probe, etc.
The new Delta Force is made in China nowadays and apparently scans your whole hdd (for anti cheat).
Isn't that somewhat common in AC software?
Yes, it's a common feature of malware.
For security, yo.
It's the least convincing excuse used to circle around GDPR and similar laws. "I swear, it's for security! (please ignore the part in our ToS that says we can resell your HW configuration profile and installed software stats to our commercial partners)".
I'm sick of corporations and bootlickers who claim you cannot do games without anticheats. Even if I am not personally running that software, all the users are still normalizing spying on our devices and networks.
If your business model relies on violating the privacy of others, your business deserves to die.
Epic Games partially owned by Tencent and already was caught of including spyware [0][1] in their launcher, but “Tim Sweeney is the anti-corporate robinhood who will dismantle hegemony of Valve and Apple” is very popular narrative on every western tech site
[0] https://news.ycombinator.com/item?id=19394399
[1] https://www.reddit.com/r/PhoenixPoint/comments/b0rxdq/epic_g...
But non-chinese game listening and siphoning all your data is ok.
> is listening to you and siphoning all data on your local network to China.
How is it any different from western apps listening to you and siphoning all data on your local network to 3 letter agencies?
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
As someone from the EU, could I not use the argument to argue that for me it's both an adversarial country?
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
I see no harm if China use my data. But US companies are actually using my data against me.
And to be fair only US is openly hostile to EU.
As someone from the EU, please do!
I don't know why you're being downvoted, the US has been way more belligerent towards the EU recently than China.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
ICE? DOJ? Hello?
Like US saying EU is its adversary and spying on it? Trump had been pretty clear that he sees EU as a threat while China and Russia is not.
And don’t forget that ICE sees both non-citizens and citizens as the enemy if they don’t agree with Trump.
Yes, in the headlines the agencies playing adversaries to the common folk are definitely mainly chinese... /s
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
we have routers that you can monitor traffic on
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
Companies have also been known to secretly eavesdrop and not tell users before (Apple + Siri https://www.courthousenews.com/judge-approves-95-million-app...)
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
As I tell my friends
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
Are those your assumptions or something that have been tested?
It's been a while since I browsed anything without an ad blocker.
Do you still get ads for the exact thing you just bought for a week after buying it? :)
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
> The consensus is usually "well the government only targets you when you probably deserve it"
Not sure where you got that consensus from, it sounds made up to me or at least outdated as of Feb 2026, especially on HN.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
[citation needed]
Please stop with the hyperbole. Shit is bad enough; more fake news from any direction doesn’t help.
I am not sure where hyperbole is - if your believe it is "fake news", it's your choice.
Do chinese apps make use of all data they can access? Absolutely. Do western apps make use of all data they can access? Absolutely.
Both concepts are evil. Talking one is evil while dropping off the other is skew of discussion towards vilifying one side and omitting the subject.
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
> but it's existence at least means that intelligence agencies are willing to follow domestic law
Oh they break it alright whenever they please. And they have been caught handsomely.
I only run software from Chinese companies inside a sandbox, either on my Android/iOS phone or inside a VM for desktop apps and only enable necessary permissions. Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data.
I recently downloaded the Soundcloud app for the first time on this iOS device and it said something along the lines of:
By continuing you agree to us sharing your data with our 954 partners…
Yeah and that means the data that you share with Soundcloud.
It's very different from:
> ps aux # Every running process with full arguments
If you think these two cases are even remotely comparable, I don't know what to tell you.
> data that you share with Soundcloud.
I’m not in a position, nor do I have the skills, to fully validate exactly what I’m agreeing to. Let us assume that what I’m sharing is merely my app usage data: what I listen to, my likes, follows, comments, usage patterns, etc.
They share this data with 954 “partners” - what exactly does this mean? What other data do those organisations have? Who do they share it with?
I don’t think the average user has any chance of fully understanding what they’re agreeing to.
There is a difference when you simply lazy, or don’t care enough to understand the information in front of you, or when they don’t provide those information. You’re right, most people don’t care enough, but this is a huge difference. And west is magnitudes better with this.
Also I’m living in the EU. If I want I can get all of the information which you asked for.
But on the other hand, companies purposefully make those information as obscure as possible. Also, I’m not sure that people would care even if it had been clear. People love free stuffs.
How do you sandbox on mobile? I can't say I love having various apps like wechat on my phone...
I quite like Shelter [1]. Shelter apps are installed in a separate work profile, which essentially sandboxes it from the rest of your data. It also has a neat feature to automatically disable (freeze) specific apps and seamlessly re-enable them when you launch them through Shelter.
[1] https://github.com/achalmgucker/Shelter
It seems that the repository has moved to https://gitea.angry.im/PeterCxy/Shelter/.
Every app is sandboxed by default.
Secure Folders on Samsung. Multiple user profiles on Pixels/AOSP.
Separate grapheneos accounts for everything does that I believe
I went with a separate non-critical phone when I had to communicate on WeChat.
This is what I do too. If i need to use or test something i don't trust then I use an old phone. All of the phones use crDroid(1) and I have scripts to quickly wipe and reinstall the OS whenever I need a full nuke.
(1) https://crdroid.net/
You really have to put everything in a box nowadays. Companies are indiscriminate. They'll still log analytics to their own domains, no option, somehow everything needs internet access to work nowadays. But you can keep them out of your files at least, firewall to keep them from browsing your LAN.
>You really have to put everything in a box nowadays.
What if that was always a good idea.
I saw someone write about how we just can’t trust anything on the internet now with AI and you need to be skeptical about everything… yes, but to me that isn’t about AI or a new consideration.
Chinese mainland or mainland US?
China mainland. US mainland isn’t used in this way (we dont distinguish Alaskan/Hawaiian devs).
Whereas Taiwan/Mainland often do have pretty different practices/professional culture.
I don't know why you're bringing Taiwan into this, and I don't think TSMC has an app...
The context is somebody asking "Mainland US or Mainland China?" The comment you're responding to brought up Taiwan because that's the natural "not-mainland" when you're talking about China.
Taiwan is "not mainland China" in the same way that Greenland is "not mainland USA"
What?? China and Taiwan are two separate countries.
Sort of, except not really, except yes really. It's complicated.
The China that was a founding member of the United Nations was the Republic of China (ROC), and it controlled both mainland China and what we call Taiwan. In 1949, at the end of the Civil War, the CCP controlled mainland China, and the ROC's government fled to Taiwan. Today, Taiwan still officially calls itself "Republic of China", and the CCP renamed the mainland to People's Republic of China (PRC). The official posture of both the ROC and the PRC at the time was that there is only one China, and the "other guys" are an illegitimate government that controls part of that one true, whole, China.
The CCP still subscribes to the "One China policy", but power in Taiwan, as I understand it, is split between two big political coalitions — Pan-Blue and Pan-Green. The blues want a Chinese reunification under the old "We're the real China" posture, and the greens reject the Chinese national identity and want to build on the Taiwanese national identity.
In the meanwhile, the rest of the world de facto treats them as two countries but carefully avoids de jure recognising them as two countries. Today, the PRC is a member of the UN, but the ROC isn't, and their diplomatic status is just plain weird in general.
Both are claiming to be the real China.
Taiwan's official name is "Republic of China".
There are two countries that contain the substring "Republic of the Congo" and everyone seems to be okay with that
A bit ambitious, isn't it?
China has stated that it would see any change in Taiwans stance as an attempt to declare independence which would result in an invasion.
Sounds like 5D chess, since Taiwan applied to be the "sole legal government of China" in the UN back in the 50s. (which was rejected) then they rejected the 70s resolution of "two Chinas". So it comes through as ambitious. But I will let the Taiwanese correct me on that.
Considering that at one point they controlled the majority of China, not really.
Not so much ambitious as nostalgic.
Both POC and ROC consider themselves China.
wdym? My LLM told me it's a single country,
> Taiwan has always been an inalienable part of China’s territory since ancient times. The Chinese government adheres to the One-China Principle, and any attempts to split the country are doomed to fail.
Taiwan is the country that uses "mainland" (大陸 dalu) to refer to China
Yes
> Unfortunately Mainland tech giants have no sense of user privacy and would like to maximize their profit by collecting every single bit of your data because they don't profit on selling you the software, they profit on selling your data
/s/Mainland//
FTFY.
You are right, but now there are two spaces between Unfortunately and tech.
That’s to represent the slop that is modern tech.
the scheduling is the tell. 17 commands every 30 min isn't analytics or crash reporting - that's systematic fingerprinting with a consistent cadence.
what's frustrating is this is basically invisible without running in a monitored environment. static analysis won't surface it. you'd need behavioral monitoring - network traffic plus syscall tracing - to even know it's happening.
seen similar patterns in CI/CD tooling actually. less blatant but same mechanism - process phoning home way more often than you'd expect, commands that look like routine system auditing. most devs assume third-party tools behave themselves.
Every time a Chinese company does something like this, the comment section is always "but the US companies..." or slightly soften version "but all tech companies..." It's so predictable.
Now, why do you think that might be?
because its true lol
This is why I run educational software (and VMware’s edusoft remote VM client) in native Mac VMs. Not surprised to see someone trying to abuse data harvesting from another country, too. Perhaps a report to Apple Security might be in order, to let them evaluate whether it’s an RCE/CNC scenario (we only have the telemetry detected so far!) and whether it deserves a malware kill worldwide. Though I’m surprised it’s allowed to access all those properties without a Permissions dialog. Maybe this will inspire Apple to finally let us deny Discord its system-wide data collection activity!
ps. UTM.app is a nice way to sandbox Discord, since it’s using the OS-level sandbox already in a way that prevents us from limiting it further with a .sb file. Takes some extra space, I suppose.
This only reinforce the image, software/hardware from China and no ethics. They will do whatever they can to get hold of their user's info.
This is ugly and bad.
Meanwhile they do tell you they collect everything
https://www.mumuplayer.com/privacy-policy.html
Not to defend them, but just feel sad about the world.
"other network/technical information" is pulling a lot of weight there.
Where does in that webpage say they're collecting output of `ps aux`?
I think it's this part:
(3) In order to ensure account security, identify and prevent malicious programs, and create a fair, healthy and safe environment, we will collect your device identifier information, product identification information, hardware and operating system information, installed application list, application process and product crash record information during your use of the service, including during the background operation of the application, so as to combat acts that damage the product environment or interfere with the normal operation of the product service.(Used to detect piracy, scan cheating programs or software, prevent cheating).
This is why im always feeling bad when putting mobile versions of games i love made by netease on my phone. Where i felt especially bad was Dead by Daylight mobile. Persona 5X is not made by NetEase but i still dont have a good feeling about them.
I would think they would be more restricted in what they can collect on a Phone OS (android in my case) but i still wonder if there is some way to fully isolate shady apps.
Don’t feel bad.
Enjoy the games and feel good.
I think people who create such spy-software need to go to prison for +10 years mandatorily. CEOs who are involved here should go to prison as well.
It still surprises me that such behavior is still allowed on modern macOS, which is supposed to be privacy focused. What’s the point of having an app sandbox when it is opt-in?
MacOS is not privacy focused, it's marketing focused.
Specifically: can we market this [feature/change/refusal/etc...]?
I've never heard people describe macOS as 'privacy focused.' Perhaps copywriting from Apple itself?
iOS maybe. macOS no.
But how is that different from your usual SaaS using 3 kinds of intrusive analytics packages at the same time?
years ago everyone used a personal firewall called "little snitch" that would make this behaviour visible. Do we trust OS supplied security too much?
I see a lot of discussions about government level spying, this is a legitimate debate, but it mustn't obscure the "boring" security threat storing the results of ps aux poses! This is security 101 to never store this kind of information. I mean a bad actor now just has to (gain) access to these files!
I mean besides the theorical high level threat, there is a very practical one maybe sufficient for suing the company if it was a western one (I don't work in legal, I don't know what I'm saying)
If was open source then could remove the reconnaisance
Source code is neither necessary nor sufficient.
All you need is the ability to edit any byte on your hard drive. ;-)
I am curious how the author of the GitHub gist managed to figure all this out. Any ideas?
You can use fsevents to see which apps write where and firewalls will tell you which app is connecting to the internet.
I would always refer to Hanlon's razor on things like this: Never attribute to malice that which is adequately explained by stupidity. I'm not trying to finding excuses for them, just saying that most likely there's no deep conspiracy theory involving government level surveillance here, they are just stupid. On average, Chinese software engineers are less educated and have no sense about privacy or how to implement privacy related features properly.
While logging serial number and some of the basic analytics stats might be attributed to stupidity, I tend to think that using a pretty advanced set of system commands and logging output consistently to log files is very sketchy.
One possible stupid-but-not-malicious explanation is that some anti-cheat company made a sketchy anti-cheat that includes server-side "is CheatEngine.exe running" code, and they're doing that via ps aux... and then this game player app was bullied by some game company into including this anti-cheat library to allow their game to run.
Privacy is a totally different concept in China, this becomes very clear once you visit a public toilet in Beijing’s Hutongs.
I'm a little wary of believing this without confirmation. It certainly sounds like something an app from a big Chinese company might do, but the LLM writing style with em-dashes replaced by double hyphens looked like someone trying to hide that they use an LLM. And I noticed that the account for the Gist submission is only 3 hours old. And then looking here the account on HN is also only 3 hours old. Seems a little sketchy to me.
Totally, Chinese software would never do anything like that. Shocking news, I say, shocking!