Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping.
Can you point to where it says that in the report? It actually says:
an IME will commonly reach out over the network to a cloud-based service for suggestions if suitable suggestions are not available in the input method’s local database.
So it doesn’t send “every key typed”.
Until you realize what sequence of letters most commonly doesn’t have any suggestion. That’s right, when you type your password.
Literally says in bold even:
the keystrokes of Sogou Input Method users can be decrypted by a network eavesdropper, informing the eavesdropper of what users are typing as they type.
AKA every keystroke
I assume they mean “if suitable suggestions are not available in the input method’s local database”. Like you start typing a word, and when it doesn’t find any match locally, it goes to the server. After that, any additional keystroke gets reported to the server “as they type”.
What do you expect from leftists?
Same with Microsoft keyboard and almost every other keyboard app.
Imagine willingly installing a keylogger, lol
Naomi Wu has literally been talking about pwnd Chinese IMEs for years in her sidechannel critiques of Signal.
And gboard or SwiftKey don’t?
I prefer OpenBoard, it doesn’t send keystrokes to any server
The fork even has support for swipe, autocorrect, word prediction, clipboard management, etc, and is way more lightweight than Gboard and the rest. Zero reason to use anything else at the moment.
What’s the fork? I’ve been using Florisboard beta (which is also open source) and pretty happy with it. The only thing I miss is swipe for dictionary words
https://github.com/Helium314/openboard
Important to note that you need to install a library from inside the app’s settings to enable swipe typing. Ctrl+F “enable gesture typing” on the GitHub page to see where to get it.
I loaded the library but couldn’t see a toggle to turn it on.
Uhhh it’s pretty blatant.
OpenBoard Settings > Gesture Typing > Enable Gesture Typing
Every single time something sketchy is happening in Chinese tech a Lemmy user will slide the conversation and accusations to American tech. It’s a rule.
It’s not about the American/Chinese government, it’s about privacy. ANY company or government storing your data can be extremely problematic in the future.
Yeah, the Sogou Keyboard sends data to Tencent; the same thing happens or could happen with other proprietary keyboards in the future. How about trying a FOSS one?
It’s absolutely about the American/Chinese government, I don’t see comments forum sliding into Chinese tech on every post about Google.
But no, swift and gboard don’t send your data to the American government.
There’s also a dangerous misconception around here that FOSS == privacy safe. It doesn’t.
There is also a difference between invading your privacy and compromising your security. Both are bad, but one is much worse at least in my view. Keylogging and then sending those keystrokes back to base with a dodgy custom rolled encryption framework is not just a breach of privacy.
On all social media, that seems to happen and it makes me sick.
People not knowing how scary the Chinese government is speaks volumes about the future of other countries. We had all the opportunity to see it happen and avoid it and these morons dismiss the truth and whatabout every damned thing
Well, we have actual evidence here of dodgy shit happening, but what about this other thing I assume is also happening based on absolutely nothing? See, both just as bad!
This “they’re all bad” shit aimed at the Chinese government makes me so sad. How many of you dullards have even heard of Tiananmen Square
The downvotes tell me some people need to Google Tiananmen Square. From outside China. Inside China, it didn’t happen. Erased from history
It’s not called the ‘Tiananmen Square’ by the Chinese - that’s just the name of the place. Either 六四屠殺 (June 4 massacre) or 六四鎮壓 (June 4 crackdown) would be more likely. And yes, expect loads of downvoting on Lemmy if you’re ever critical of China.
While GBoard is closed source, they have documented that they use federated learning. Meaning their model is generated on-device and only the inferences are sent to Google.
That being said, I use OpenBoard.
Plus it also has the feature where you can drag on the space bar to move the letterhead!
Not if you block internet connection at system level. I think it can be done if GBoard is installed as a user app, not as a system one.
Might as well just use Open Board.
Of course. My “problem” is that I need to write in 3 languages at the same time and switching languages manually in Open board is a bit cumbersome, while in GBoard it happens automatically.
Gboard doesn’t at least. It does send some stuff but not keystrokes
It sends whole words instead!
Any data you submit to Google is stored and analysed. That’s different from sending keystrokes as they happen though.
I’m all for criticising invasive data use and collection which Google is definitely guilty of. It’s not the same as keylogging though which is not just a privacy concern but a pretty serious security one as well. Also we have actual evidence here of Tencent doing this which makes a difference to me at least.
We can’t know for sure if they’re not open source
I’m not sure if that’s true. You know, it’s Google. Every keystroke in your gmail email is analysed, so can’t imagine gboard is any different to them.
So when the Chinese do it it’s scary, but when the Americans do it it’s just “established practice”?
It’s stories like this that don’t surprise me as much as make me ask: How the fuck do you store and process this much data to get anything useful out of it.
You just look for users that have power in their governments. Getting a senator’s username/password would be invaluable to China
And how can autosuggest / autocorrect be so bad with so much training data
The real answer is compute power. At the moment it’s very expensive to run the computations necessary for big LLMs, I’ve heard some companies are even developing specialized chips to run them more efficiently. On the other hand, you probably don’t want your phone’s keyboard app burning out the tiny CPU in it and draining your battery. It’s not worth throwing anything other than a simple model at the problem.
Did you ever see how an average person types? It’s not the amount of data that is the problem. We have too much dumb data!
You just save the first 50 digits typed after some email is typed, and you have all the passwords you need!
This only applies if a username is an email
And if it is then what happens when people actually email someone? Autocorrect during login?
I don’t think they’re saying that method would yield 100% clean data but it would give you all the “necessary” data with the absolute bare minimum storage requirement. At some point people will log into their email and for most people if you have their email password you have the password they use for everything
Yep, I only reacted to a “new requirement”: save space :)
They weren’t describing a use case for every single type of situation.
I could be wrong, and this is a generalization of any country you can name, but my impression is data is stored on everyone so when they decide someday to look you up they already have all the data collected. It’s not really processed until needed.
And in hopes of it being useful later, when processing power is better.
Hey GovGPT8, please rank the 10 citizens most likely to organize protests if we institute curfews.
Exaaaactly
Is that really a surprise?
surprised pikachu face - who would’ve thought?
This is one of my favorite things about kbin over Reddit. So neat to see gifs in chat.
They’re viewable on Lemmy too!
Not voyager yet
It just appears as a static image on Infinity. I had to tap on it to go fullscreen and start playing it. Though the app is still in beta, that might change.
It works on Sync
Thunder as well.
Dumb question, but how do you view the kbin page? I’m using Sync
I was talking about gifs
And my axe!
I wish there was a setting to get rid of them in the app I use, hate inline images and gifs
Reddit added the same functionality some time ago, I’m a bit sad it’s a thing here too but oh well. People seem to like it. My favourite thing about reddit was it being text-based though
I wish they were smaller, like maximum twice the size of an emoji, maybe bigger for gif type images.
You could have gifs on Reddit too
Through New Reddit, which was objectively awful.
If you think that’s a kbin thing, you’ve not used reddit in years, you haven’t looked at anything lemmy, etc.
It’s viewable in Memmy for lemmy as well, also been on Reddit for years just not used much due to the culture there dog piling it all the time.
How are you seeing gifs in kbin? All I’m seeing is a URL link to the gif and have to click the media icon button next to the URL for it to load… is there a setting I need to enable to load pictures/gifs automatically?
I’m guessing it’s your app. I’m viewing through desktop and it works fine.
Wow, who would’ve thought?
And the Platinum Award for Least Surprising News Headline goes to…
Jeremy Clarkson:
“The Chinese are very good at this sort of thing.”
The most popular Western OS (and probably the other commercial OSs too) sends every key typed back to base. Plus every website visited. Plus every document amended.
Any sources for this? I know Windows and probably MacOS send analytics but every keystroke and every document amended seems unlikely to me, maybe I’m wrong though.
Their source is their whataboutist rectum
Analytics is a broad concept, but every document is indeed a bit much.
The timeline feature on Windows that shows your info across devices when your account is signed in, contains websites, apps and services. They say you can see it for 30 days, but I doubt they delete it after, even if they say they do. They probably at minimum process the meta-data.
I don’t see why c/technology screams about privacy violations every other post, and then suddenly turns forgetful when geopolitics comes into play. I used to watch ‘exposés about China’ and anti-sjw stuff on youtube back in 2015 too - and then just as I stopped watching them, they became an ‘official geopolitical enemy’. The last decade has been a ride.
Because all the sinophobe tech bros have migrated to Lemmy and don’t actually understand the shit they’re talking about. They think the tech THEY use is super cool and want to keep using it, and also think China is scary and an imminent threat to them sitting in their gamer chair surrounded by doritos.
Or maybe, just maybe, people have been packet sniffing Microsoft’s shit for ages and haven’t found them to be doing things quite as egregiously. Go ahead, you can look this shit up.
Most of the spying features in Windows are able to be explicitly disabled through options Microsoft publishes themselves. It’s Group Policy, only available on Pro licenses, but anyone concerned about privacy should be on that anyway or spoofing their license using, again, Microsoft-published techniques (KMS). There are also often registry keys to toggle it as well, but they tend to not be as reliable and change over updates.
There are also tons of ways to strip out entire components of Windows from the install media before installation, and also after it has been installed. Can’t collect telemetry “X” if the telemetry “X” service isn’t there.
Lastly, the hosts file allows blocking network traffic to specific endpoints, and the very few times Microsoft has bypassed that it has made news. You can just block Microsoft’s entire IP block through host if you’re really paranoid.
Beyond that, I’ve seen plenty of people concerned about the US’s data collection. It’s just not always spoken about as a US thing but more as a general tech thing, likely because internet discussion is still very US centric outside the great firewall and most big tech in the English speaking world comes from the US. So I think the US connection often just goes without saying.
I’ll give you this: framing much of this as related to any nation state instead of just all tech’s hoovering up of data is disingenuous.
Also, if your threat model truly needs to be concerned about any nation state actors specifically then you’re probably already fucked.
Not that it would surprise me in any way, but do you have a source for this claim?
What, you don’t take whataboutist claims trying to deflect attention from CCP spyware at face value?
Nope (and neither do I abide the flip side of this, whataboutist claims to deflect from US or European bullshit).
It’s actually all my fault, everyone.
If you have a geopolitics bias, state it and then state your objection. Because atm you’re denying reality. And downvoteifgay.
You know, network sniffers exist. You can verify if this is true yourself if you know how to use one. Kill all other network services and just start typing and see if it starts spewing packets.
The internet is not some black box where us regular users can’t see what’s going on.