Hacker News new | ask | show | jobs
by solarkraft 1977 days ago
I'll file this under "security tips". Signal should probably give its users tips for communicating securely - but that's at least one degree separate from "warn users about insecure IMEs".

Additionally, if you're already using a chinese phone, why does it matter whether your IME is compromised? Doesn't the CCP already have its nose in all of the manufacturers' OSes already? Maybe Signal should warn about that as well.

I'm all for helping people communicate securely, something Signal should be very interested in, but the hyper focus on IMEs is confusing.
1 comments
jstanley 1977 days ago
> Doesn't the CCP already have its nose in all of the manufacturers' OSes already?

What specifically are you saying here? Are you suggesting that every Chinese person's phone is sending off their keyboard inputs to the Chinese government even if they don't use a compromised IME? Because if not, then yes it matters whether or not your IME is compromised. Otherwise your position is just "the phone might be compromised in ways I don't know, so I won't even bother fixing the ways I do know".

link
solarkraft 1976 days ago
> Are you suggesting that every Chinese person's phone is sending off their keyboard inputs to the Chinese government even if they don't use a compromised IME?

Yes.

You have a point about the rest, though, especially when it comes to more secure systems.

link
beervirus 1977 days ago
I would assume that any phone purchased in China is compromised by the CCP.
link
jstanley 1977 days ago
In what way though? Are you arguing that people should just ignore security vulnerabilities that they are aware of, on the basis that you think there might be some vulnerabilities that they're not aware of?
link
esrauch 1977 days ago
The linked paper literally just says "(assume the default IME app does not have these problems)" in it without justification.

This thirdparty IME concern seem really more relevant for e.g. Japan being worried about it's citizens using a compromised Baidu IME instead of a more trustworthy preinstalled Japanese one. All IMEs all can be keyloggers and the Chinese government can necessarily access Baidu data, and any smaller Chinese IMEs will be outside the auditing and enforcement jurisdiction of the Japanese government.

If you're inside China using the preinstalled OnePlus IME that "untrustworthy supposition" just already holds to the preinstalled one, and there's little reason to believe at least some of these third party IMEs are more likely to be compromised than the preinstalled one instead of less likely.

link