Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.

  • godless@lemmy.world
    link
    fedilink
    English
    arrow-up
    359
    arrow-down
    7
    ·
    1 year ago

    I live in China and this software is cancerous not just in the encryption failure, it also nestles into a computer like a trojan. Creates 2 fallback installations and will reinstall itself after removal if you reboot in between, unless you get rid of all 3 installations at once, where they are deliberately trying to obfuscate the uninstall button (triple confirmation, swapping the confirm/cancel buttons and button background colors, etc.).

    It’s a nasty piece of crap that come preloaded on any phone (android, at least) and Windows-PC here.

    • Anamana@feddit.de
      link
      fedilink
      English
      arrow-up
      32
      arrow-down
      3
      ·
      1 year ago

      Do people generally try to circumvent it? Are they too scared to uninstall it? Or do they just not care?

        • Anamana@feddit.de
          link
          fedilink
          English
          arrow-up
          26
          arrow-down
          3
          ·
          edit-2
          1 year ago

          Why? Useful for safety and security of the society?

          Edit: Why downvotes? I’m trying to put myself in their shoes, it’s not how I view it lol

          • godless@lemmy.world
            link
            fedilink
            English
            arrow-up
            10
            ·
            1 year ago

            Comes with a built in translator and spell checker, and since access to Google translate is blocked, that’s often the only alternative.

              • godless@lemmy.world
                link
                fedilink
                English
                arrow-up
                3
                ·
                1 year ago

                Nah. They don’t know Google translate. Or Google, for that matter. They know what they are supposed to know.

                Of course some people know better, and those are the ones who will eventually get around the block - finding and installing a VPN is not rocket science, not even here. But if you keep 98% of the population contained, the rest won’t reach critical mass.

              • Rai@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                8
                ·
                1 year ago

                Yeah, wtf is that equivalency?

                “Why do people smoke”

                “Well some people like to eat at restaurants or watch movies with their friends so”

              • coffeebiscuit@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                ·
                1 year ago

                It was a “what about” analogy. It compares a app that steals data without the users consent and the other one is the keyboard app. Both seem to be wanted by consumers despite the steeling parts.

                • Anamana@feddit.de
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Yeah but a social media platform has completely different qualities. Therefore the reasons for people how and why they use them will be completely different. Also the keyboard app is forced on the phones by the state while the use of social media platforms is optional. Just too many different factors at play here imo.

          • Rai@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            10
            arrow-down
            1
            ·
            1 year ago

            Some weird downvotes, and I want to know too. Why does a keyboard app mean anything to anyone? The keyboards included on iOS and latest Android versions are great.

            • thekinghaslost@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              1 year ago

              Don’t know about this keyboard or Chinese, but a language specific feature might be one of the reason.

              I use SwiftKey and I love how it supports multilingual autocorrect and prediction for Indonesian and English without needing to switch between keyboard language.

              iOS built in keyboard supports multilingual typing for some languages, but not Indonesian.

              I assume people love it also because some specific feature that doesn’t exist in the stock keyboard.

      • boooooboo@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        My guess is that it might either be more accurate in predictions or some additional convenience factors that makes typing this logographic language much easier and faster lol.

        Or people are also simply used to it since it’s everywhere.

      • godless@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        ·
        1 year ago

        Sure. Foreigners aren’t really sanctioned though, that’s more of a risk for the locals. But even then usually only if they want to get someone disappeared and don’t have anything substantial against them.

  • SnowdenHeroOfOurTime@unilem.org
    link
    fedilink
    English
    arrow-up
    326
    arrow-down
    66
    ·
    1 year ago

    Alright China shills, you can stop changing the subject to how Google and the US are the “same”.

    The troops advanced into central parts of Beijing on the city’s major thoroughfares in the early morning hours of 4 June and engaged in bloody clashes with demonstrators attempting to block them, in which many people – demonstrators, bystanders, and soldiers – were killed. Estimates of the death toll vary from several hundred to several thousand, with thousands more wounded.[15][16][17][18][19][20]

    https://en.m.wikipedia.org/wiki/1989_Tiananmen_Square_protests_and_massacre

    If you lived in China you’d likely not know about this, since people who talk about it go to prison.

    Yeah the US is exactly like this so let’s not talk about the Chinese government being awful to their citizens /s

  • nomadjoanne@lemmy.world
    link
    fedilink
    English
    arrow-up
    170
    arrow-down
    19
    ·
    edit-2
    1 year ago

    Didn’t swiftpad or whatever its called send every key pressed to Microsoft?

    Not a China shill. China is horrible. Microsoft less so as they don’t commit genocide in slow motion. But still, I think this sort of thing is more common than we think.

    Use FOSS.

  • Goodie@lemmy.world
    link
    fedilink
    English
    arrow-up
    109
    arrow-down
    1
    ·
    1 year ago

    It’s stories like this that don’t surprise me as much as make me ask: How the fuck do you store and process this much data to get anything useful out of it.

    • toofpic@lemmy.world
      link
      fedilink
      English
      arrow-up
      64
      ·
      1 year ago

      You just save the first 50 digits typed after some email is typed, and you have all the passwords you need!

      • Goodie@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        This only applies if a username is a email

        And if it is then what happens when people actually email someone? Autocorrect during login?

        • ultimate_question@lemmy.world
          link
          fedilink
          English
          arrow-up
          11
          ·
          edit-2
          1 year ago

          I don’t think they’re saying that method would yield 100% clean data but it would give you all the “necessary” data with the absolute bare minimum storage requirement. At some point people will log into their email and for most people if you have their email password you have the password they use for everything

        • WarmSoda@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          They weren’t describing a use case for every single type of situation.

    • WarmSoda@lemm.ee
      link
      fedilink
      English
      arrow-up
      44
      arrow-down
      2
      ·
      1 year ago

      I could be wrong, and this is a generalization of any country you can name, but my impression is data is stored on everyone so when they decide someday to look you up they already have all the data collected. It’s not really processed until needed.

      • TheEntity@kbin.social
        link
        fedilink
        arrow-up
        7
        ·
        1 year ago

        Did you ever see how an average person types? It’s not the amount of data that is the problem. We have too much dumb data!

      • Steeve@lemmy.ca
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 year ago

        The real answer is compute power. At the moment it’s very expensive to run the computations necessary for big LLMs, I’ve heard some companies are even developing specialized chips to run them more efficiently. On the other hand, you probably don’t want your phone’s keyboard app burning out the tiny CPU in it and draining your battery. It’s not worth throwing anything other than a simple model at the problem.

  • thorbot@lemmy.world
    link
    fedilink
    English
    arrow-up
    82
    arrow-down
    7
    ·
    1 year ago

    Oh wow, who would have ever thought they’d do that? What a fucking surprise.

  • punseye@lemmy.world
    link
    fedilink
    English
    arrow-up
    74
    arrow-down
    8
    ·
    1 year ago

    As if other keyboard apps are any different, I don’t think Microsoft bought SwiftKey just for fun?!

  • kicksystem@lemmy.world
    link
    fedilink
    English
    arrow-up
    58
    arrow-down
    2
    ·
    1 year ago

    I don’t get it? Why are they talking in the article about not using the right type of encryption. The problem isn’t the encryption, but the fact that it is sending your keystrokes to the mothership, right?

    • TeddE@lemmy.world
      link
      fedilink
      English
      arrow-up
      26
      arrow-down
      1
      ·
      1 year ago

      I recommend free and open source software for everyone. Everything on this list is curated to feature the best alternatives to common proprietary software (according to Linux Cafe):

      https://gitlab.com/linuxcafefederation/awesome-alternatives/-/blob/master/README.md

      This list is good free, open source (FOSS) Android keyboards:

      https://github.com/offa/android-foss#-keyboard

      I think the best two are Simple Keyboard and AnySoftKeyboard. Simple Keyboard is pleasant to use, but is missing a several advanced features. ASK would be perfect if the swipe typing worked (it’s currently listed as beta, and is mostly actuate, but unfortunately when it does make a mistake fixing it is almost painful).

      Finally, try to get comfortable going to alternativeto.net when you get frustrated with software. Worst case scenario you get frustrated with different software for a bit and switch back. Of course it notes the price and license model for each alternative.

      • Cosmic Cleric@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        ASK would be perfect if the swipe typing worked (it’s currently listed as beta, and is mostly actuate, but unfortunately when it does make a mistake fixing it is almost painful).

        It crashes for me so often that I finally gave up using it.

        Also there was a weird bug of where if you were working on a long document, towards the bottom of the document all of a sudden it will drag you all the way up to the top of the document, so then you had to scroll all the way back to where you were before, at the bottom of the document.

  • Diabolo96@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    138
    arrow-down
    99
    ·
    edit-2
    1 year ago

    The people here acting like their Gboard doesn’t do the same is so funny.

    Edit : never used nor installed tiktok.

    • Paige (she/her)@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      120
      arrow-down
      8
      ·
      1 year ago

      It probably doesn’t though. Obviously it’s closed source making it harder to tell what’s actually happening, but there’s nothing stopping security analysts from looking at network usage and such. I would imagine that Google doesn’t install a keylogger on every Android phone, not out of the goodness of their hearts, but because they don’t want the bad publicity and lawsuits when it would inevitably be discovered.

      • voxel@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        44
        arrow-down
        2
        ·
        edit-2
        1 year ago

        they do collect usage stats by default though.
        which include typed sentences passed through their ai model and words usage counts.
        it can all be turned off and gboard seems to respect these options. it doesn’t access online services unless requested with these options off.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          8
          ·
          edit-2
          1 year ago

          If you mean by “collect usage stats” train their AI model on-device and send the training result to Google, then yes. If you mean that the actual words get sent to Google’s servers, then no. There was a study shared recently that looked into this. Only metadata about what’s typed is sent. That’s not nothing of course, but it’s not what Tencent does at all.

          E: Found it.

      • knock@lemmy.world
        link
        fedilink
        English
        arrow-up
        17
        arrow-down
        4
        ·
        1 year ago

        I mean he’s not wrong, but also not really the same thing. Gboard does send a substantial amount of data about the things you typed to google. It is supposedly anonymous, but they do this to get anylitics, and they use this data to improve the suggestions given to you.

        There has been at least one article where someone intercepted the data leaving from Gboard and found it’s either unencrypted or just hashed into something like base64. This was a while back so things hopefully changed.

        While google does try not to phone home users passwords, how can you tell what is and isent private?

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        30
        ·
        1 year ago

        Even if i had it, do you honestly think i would waste my life to be completely forgotten and left to rot for disclosing it like Snowden. Yep, no one will ever reveal anything after that shit show.

    • SnowdenHeroOfOurTime@unilem.org
      link
      fedilink
      English
      arrow-up
      50
      arrow-down
      19
      ·
      1 year ago

      I’m going to guess you’re one of the people who defends tiktok and compares it to every other social media app by saying the US government is basically the same as the Chinese government

        • prole@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          9
          arrow-down
          1
          ·
          1 year ago

          No it’s not a “warning,” it’s just boring old whataboutism.

          The first part of your comment is like a textbook example of the fallacy.

          • assassin_aragorn@lemmy.world
            link
            fedilink
            English
            arrow-up
            6
            ·
            1 year ago

            It seems to be a very common fallacy in geopolitics to believe that a rival of the US must automatically be morally better. You see plenty of “left wing” imperialism defenses that blame Ukraine for the invasion and insist they should give up and do whatever Russia wants them to do.

            It’s apparently disappointingly complex for some people to believe that X can oppose Y and both of them can be horrible bastards. They can’t take criticism of China or Russia because they automatically see an implicit “America better” that’s not really there.

              • assassin_aragorn@lemmy.world
                link
                fedilink
                English
                arrow-up
                4
                ·
                1 year ago

                Absolutely, yeah. I’d like to think I’m able to give a more objective take since I got into TikTok late, but I honestly don’t know that I do.

        • Diabolo96@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          4
          ·
          edit-2
          1 year ago

          It seems people can’t understand this. Am not American so i have an outside view that’s free from any patriotic feeling and the spoon fed propaganda since childhood.

      • linearchaos@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        Not op, I know for sure that China’s been trying to grab as much intelligence as possible going as far as installing sniffing type software in network controllers and servers, and grabbing keystrokes from a keyboard is absolutely despicable and something they would do to grab more intelligence.

        The thing I have trouble figuring out is why in the hell people would care about TikTok. What signal intelligence is coming from my wife swiping through 14,000 cat and home organization videos.

        Location is turned off The app is sandboxed It’s not allowed to access the camera or the speaker without giving some minor notification that they’re on and people would notice.

        I totally get the China will do bad if they can but I fail to see the ultimate danger of TikTok.

        • Dark Arc@social.packetloss.gg
          link
          fedilink
          English
          arrow-up
          7
          ·
          edit-2
          1 year ago

          From “the olden times” (Reddit link):

          The type and scale of the data that TikTok collects is different than other Chinese apps.

          There will be replies that talk about advanced ML and predictive algorithms. There will be replies that talk about potential hacks the app can use to bypass iOS or Android policy. That’s a threat, sure, but we don’t even need to go there. We can just focus on the basic data that companies like Google, Meta and TikTok explicitly tell us that they collect in their privacy policy.

          Every time you open TikTok, you should assume that the Chinese government knows exactly where you are at that moment, because the app gives them access to your location through GPS. If you use the app frequently, they not only have time and location data, but they know your travel patterns too!

          They know who you interact with and who those people interact with. They know what kinds of content you like and what you dislike. They can use this information to intentionally feed you with disinformation in ways that make you more likely to believe it.

          The misinformation feed attack risk is not unique to TikTok. Others have already been misused in this exact way. The important difference is that when information is housed by companies like Meta and Google which are incorporated in the US, its use and storage is subject to US regulation. We can simply disallow use and storage of data and practices that we don’t approve of.

          If you’ve done something illegal or embarrassing on TikTok, it could be used to compromise you for a foreign nation’s interest. If you are a 20 year old wild child, they won’t have any interest in doing anything with that information right now. In a few decades, if TikTok continues its dominance in social media, China will have compromising information on an uncomfortably high number of powerful leaders and politicians. You don’t even have to do something obvliviously stupid like say something racist or admit to a crime in a DM. For example, with just location data they can know if a politician cheated on their spouse and with whom! Imagine a politician publicly saying that they did not meet with some business leader or politician about some scandalous thing. Well, in a world where everyone has TikTok, the Chinese government knows if that’s a lie or not. In theory Verizon/Meta/Apple wouldn’t know that since that data is purported to be anonymized. Even if they did have that information, it’s hard to imagine any US tech company using it for their own interest. A US company would likely not survive that kind of act - it would be corporate suicide. On the other hand, it is hard to imagine a foreign adversary NOT engaging in that type of blackmail when given the opportunity.

          Now consider companies like Tencent. How can information on League of Legends play sessions can be used to blackmail a politician, manipulate an election or foment widespread social unrest? It might be possible, but it’s not easy to think of how it could be done. With TikTok, it’s blindingly obvious how all of those things could happen.

          Most other Chinese apps don’t collect anywhere near as much personal and sensitive information. The ones that do collect the same level of sensitive data, like Tencent’s QQ, aren’t used by enough people where it would be realistic to speculate that this information can be used in a similarly widespread and extremely damaging way. Even then, the US government should seriously think through the damage that could be done with the information QQ collects by assuming the Chinese government has complete access to all collected data and hostile intent. With TikTok, you don’t need to spend more than a few seconds thinking about this to frighten yourself.

        • SnowdenHeroOfOurTime@unilem.org
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          3
          ·
          1 year ago

          I don’t know what you mean by sandboxed but I’m pretty sure it cannot be as private as it seems, even if you’re using a VPN. But regardless, 99.99% of tiktok users are not taking steps to protect their data. hundreds of billions of data points that help an authoritarian government know how people think is nothing to shrug at.

          • linearchaos@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            1 year ago

            Mobile apps aren’t in the wild west anymore. They don’t get access to the other apps and can’t wander around unlimited on your device without clear permission. If you say no location, they don’t get location. It used to be different, but apple and google are on the same page now and they don’t let apps abuse you without clear permission anymore.

            Even pulling your IP and giving them a vague city level location, They’re correlating that with liking 30 second random content videos and music. This isn’t even the level of intelligence you 'd get from FB or Youtube people aren’t searching tictok to see how to use software or edit code or how public infrastructure works. You’re getting organziation, cat videos, kids coming home from the dentist saying crazy things. I just don’t really see it as a big deal.

            • SnowdenHeroOfOurTime@unilem.org
              link
              fedilink
              English
              arrow-up
              2
              arrow-down
              2
              ·
              1 year ago

              you say all this and trillions of dollars still ride on their ability, which we very much knows exists, to stitch together billions of datapoints to know things about their users.

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        10
        arrow-down
        31
        ·
        1 year ago

        I will now answer any questions that boils down to “but we’re the good guys” to “not American”

        • SnowdenHeroOfOurTime@unilem.org
          link
          fedilink
          English
          arrow-up
          28
          arrow-down
          9
          ·
          1 year ago

          What the fuck are you talking about? This has nothing to do with America, the problem here is you’re falsely equating a horrifyingly authoritarian government and basically writing it off as the “sAmE aS gOoGlE”

          • Diabolo96@lemmy.dbzer0.com
            link
            fedilink
            English
            arrow-up
            5
            arrow-down
            24
            ·
            edit-2
            1 year ago

            I don’t know. What i read on Wikileaks made me believe they’re not that different you know. Go read it, it will open your mind.

            • SnowdenHeroOfOurTime@unilem.org
              link
              fedilink
              English
              arrow-up
              24
              arrow-down
              8
              ·
              1 year ago

              How many times has the US military ever murdered 900+ protestors in broad daylight then censored it from all media and imprisoned anyone who talks about it decades later?

              Educate yourself. Jesus fucking Christ.

              For the record I don’t need to read more about the US government corruption, that’s known. The fact that you’re comparing the two is disturbing af

              • Landrin201@lemmy.ml
                link
                fedilink
                English
                arrow-up
                7
                arrow-down
                4
                ·
                1 year ago

                Several in fact. Most famously they bombed Tulsa oklahoma when black people there got too wealthy. But now multiple states are banning the teaching of it, alongside banning the teaching of our genocide of the Native Americans.

                We do most of our murder of innocent people these days abroad though which isn’t really much better, but most Americans are apparently completely fine with children being murdered so long as they aren’t white and they aren’t here, or they aren’t in an American school being shot by one of their peers.

              • Diabolo96@lemmy.dbzer0.com
                link
                fedilink
                English
                arrow-up
                10
                arrow-down
                8
                ·
                1 year ago

                Starting with the native American or i don’t count it ? I don’t know ? Is shooting a bus full of kids and laughing about it saying they’ll grow up to be terrorist anyway isn’t that far off and this is the tip of the iceberg buddy. USA is good at hiding murdering brown people by prefixing the word terrorists.

              • echo64@lemmy.world
                link
                fedilink
                English
                arrow-up
                5
                arrow-down
                4
                ·
                1 year ago

                if you wanted to make this a whataboutism is bad argument i’d be with you, but you’re still toeing the line of “oh but it’s okay when america does bad stuff, it’s not the same”

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        6
        ·
        edit-2
        1 year ago

        Did you read it ? Can you share the part with relevant info. I tried to read it but it kept going abouts how Gboard and the Microsoft keyboard both gather huge amount of data and yet that both are opaque and you can’t know what data is sent to the server backend.

        Also, ever heard of 5,9 and 14 eyes ?

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Google doesn’t sell to data brokers. Not yet at least. They have a competitive advantage they will lose if they sold their data (our data) to third parties, especially third party resellers. If/when they begin circling the drain, that may change.

      • ShovelLiz@lemmy.zip
        link
        fedilink
        English
        arrow-up
        30
        arrow-down
        7
        ·
        1 year ago

        I mean… Does It change anything? They are owned by a board of directors that want profits over anything else

      • Diabolo96@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        19
        arrow-down
        3
        ·
        1 year ago

        Man, Snowden wasted his entire life to tell you USA literally spy on everything you do and when caught their answer was : yeah, so what you gonna do about it, maybe you should do the same.

      • echo64@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        5
        ·
        edit-2
        1 year ago

        no they are just compelled by the state and secret courts which is totally different obviously

      • Hazdaz@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        17
        ·
        1 year ago

        I love how people overlook this part. You get all the knuckledraggers who want to claim the US is somehow just as bad as China is.
        The anti-American sentiment in here is obnoxious.

        • SnowdenHeroOfOurTime@unilem.org
          link
          fedilink
          English
          arrow-up
          6
          arrow-down
          13
          ·
          1 year ago

          I’ve never thought that the knuckledraggers were anti-american. I think they are anti-intellectual. Using tiktok is more important to them than the future of humanity.

          • Hazdaz@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            3
            ·
            edit-2
            1 year ago

            Some of the knuckledraggers are. I guess I should have added that a lot of the edgel0rds like to rustle some feathers by posting anti-American views.

  • sugarfree@lemmy.world
    link
    fedilink
    English
    arrow-up
    39
    ·
    1 year ago

    These findings underscore the importance for software developers in China to use well-supported encryption implementations such as TLS instead of attempting to custom design their own.

    lol.

    • PutangInaMo@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      2
      ·
      1 year ago

      And this is the only point of the article. Idk what all these other comments are on about, but this article is outlining lack of standardized protocols that made the software vulnerable to network eavesdropping.

      This doesn’t point to a big CCP conspiracy, it’s just bad design.