Read on Twitter
Okay, wish my dumb ass luck
and remember Signal and those sociopathic China correspondents who claim to care *so much* KNOW this but didn't say or do shit because fuck our lives, they need clickbait.
In order to enter Chinese on any device we use an IME
https://www.google.com/inputtools/services/features/input-method.html
and remember Signal and those sociopathic China correspondents who claim to care *so much* KNOW this but didn't say or do shit because fuck our lives, they need clickbait.In order to enter Chinese on any device we use an IME
https://www.google.com/inputtools/services/features/input-method.html
There are several different methods, with a common one I type "Ni" on my normal QWERTY keyboard (phonetic is one way to do it) and every character with that sound pops up-
I select "你" (or hit space) for "You" and keep going.
I select "你" (or hit space) for "You" and keep going.
This goes for all mobile and desktop devices. You want to write Chinese, you need an IME. Apple/Microsoft/Linux/Google all have their own IME, but they aren't very good- typing on them is SLOW. Most Chinese use this: https://en.wikipedia.org/wiki/Sogou or Baidu's IME
Between those two, they are installed on 80/90% of Chinese computers and phones. This creates a major issue:
https://www.symantec.com/avcenter/reference/ime.as.a.possible.keylogger.pdf
http://web.cse.ohio-state.edu/~lin.3021/file/SEC15.pdf
https://www.symantec.com/avcenter/reference/ime.as.a.possible.keylogger.pdf
http://web.cse.ohio-state.edu/~lin.3021/file/SEC15.pdf
When you install Signal- you still have to get Chinese text into it. Gboard (assuming you trust Google) does not come on Chinese phones (Google everything is blocked). We all just install Sogou, sometimes Baidu IME. I'm unaware of any self-contained, audited IME that's an option.
For Chinese who are used to a specific IME- like Sogou, trying to type on something else is a tiny bit like a QWERTY user suddenly faced with Dvorak- we can make it work, but it's slow enough day to day that 50/50 they just install Sogou because what's the big deal right?
Signal is aware of this vulnerability because it exists accidentally-on-purpose for English also. If you use Gboard you're trusting Google.
https://www.reddit.com/r/CopperheadOS/comments/7j57zd/gboard_privacy_and_security/
(who will totally ignore a NatSec warrant amiright?)
https://www.reddit.com/r/CopperheadOS/comments/7j57zd/gboard_privacy_and_security/
(who will totally ignore a NatSec warrant amiright?)
The Signal "fix" is "Incognito Mode" aka for the app to say "Pretty please don't read everything I type" to the virtual keyboard and count on Google/random app makers to listen to the flag, and not be under court order to do otherwise.
This works about as well as expected (and intended):
https://twitter.com/SecEvangelism/status/961605671513939968
https://github.com/signalapp/Signal-Android/issues/6985
Needless to say, Sogou/Baidu dos not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag.
So basically all hardware here is self-compromised 5 minutes out of the box.
https://twitter.com/SecEvangelism/status/961605671513939968
https://github.com/signalapp/Signal-Android/issues/6985
Needless to say, Sogou/Baidu dos not respect the IME_FLAG_NO_PERSONALIZED_LEARNING flag.
So basically all hardware here is self-compromised 5 minutes out of the box.
So give a Chinese the Signal app- their phone or computer will most likely already have Sogou, give them a "clean" phone with Signal, they still need a way to write in Chinese- so unless journalists tell them otherwise, which they have not been doing- users will install Sogou.
So in nearly all use cases- because assholes don't care about what happens outside Western environments, Signal is immediately compromised. Which I'm pretty sure is how that journalist lady got all those Shenzhen college kids rolled up and disappeared. https://twitter.com/RealSexyCyborg/status/1086811226376523777
