this post was submitted on 16 Nov 2024
52 points (96.4% liked)

Selfhosted

40200 readers
778 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Some people my server admin uncle included believe that bringing any device to China automatically compromises it even if you reinstall a new OS. Is this warranted as some random person?

Can I go to my public sites and/or VPN into my servers?

Edit: I go there all the time. Also, I can take these precautions but I can’t expect my family to take them. What about family members phones?

A lot of great replies, thank you! Would love the read more specifics so I can know exactly the threats and my actions

Also, this is not an anti-China post. My field is Chinese related. Just learning more about the hosting side :)

all 24 comments
sorted by: hot top controversial new old
[–] [email protected] 19 points 22 hours ago* (last edited 22 hours ago)

A lot of these comments are downright unreasonable.

It's important to evaluate your threat model critically. The average tourist (that isn't going to Western China) or student is not a target for surveillance or data extrication attempts, especially firmware level attacks that are very specific to devices and are expensive to research and implement.

Companies tend to require employees to carry burner devices for international travel because that's just good practice. You're far more likely to lose your device when traveling, border officials have broad discretion to search for and access your devices, and companies tend to have high value information available to their devices past the corporate gateway, like trade secrets, technical designs, accounting records or employee data. That applies to any country, even Western countries.

Take your privacy seriously, but the notion that anything that touches Chinese soil means your devices are instantly compromised is a bit of a fallacious claim. Critically evaluate your role, the information you carry and why you might be the target of anything.

Anyways, as far as VPNs go - technically not illegal. Companies, universities, etc. all have sanctioned MLP gateways in Hong Kong to bypass the firewall. Every expat in China uses a VPN. There's only one public case of anyone ever being arrested for using a VPN (and it was under a catch-all law), the others were all operators of ShadowSocks/V2Ray airports.

Tailscale and WireGuard is dicey in Mainland China. If you're just a short term visitor, just buy a 3HK roaming sim for China and call it a day. As a best practice, you don't really want to expose your self hosted services to the web anyways, so I would probably not even bother trying to VPN from a mainland connection directly.

I never got Plex or Jellyfin to work well on actual Mainland internet connections, simply because the Chinanet backbone that most people in China use is excruciatingly bottlenecked to the point that torrenting from other Chinese peers is just a much more pleasant experience.

[–] [email protected] 15 points 23 hours ago

When you enter China, you have to run their application on your phone to fill the immigration form. Way more convenient compared to the paper slip, right? 😉

It's this https://apkpure.com/zhong-guo-ling-shi/com.gov.mfa

Luckily, you don't need to install full malware but only medium malware, there's a way to run it as a web app inside tencent WeChat by scanning a special qr code.

I run this stuff inside insular because tencent is tencent and even on fully patched Android 15 without any file access permission they still manage to drop fingerprinting files disguised as images in /pictures/.gs_fs0

For connecting to my servers, technically ssh on standard ports isn't blocked (otherwise it would hurt their bots, no?) but I don't want to show my server IP address, so I use a hysteria2 proxy hosted on a Oracle VM in the Japan datacenter. There are services like doggygo that rent access to those proxys for literal pennies (like $2 per month) but payment need to do with alibaba's alipay or tencent wepay which is ultra traceable (linked to Chinese id+Chinese bank account+Chinese phone number) and very stupid. Honeypot?

There are reports of evil maid attacks where a secret service agent poses as room cleaner in your hotel room and tampers with your laptop when you're away, but for normal people this seems unlikely. Keep your electronics with you at all times, always use a VPN, check hashes of executables if really need to run them (better not) and you're going to be ok

[–] [email protected] 39 points 1 day ago* (last edited 1 day ago) (1 children)

Do not bring your normal personal devices to China. They are notorious for injecting spyware on foreign devices at every opportunity. Use a freshly formatted device and create all new accounts to use with it.

Regarding services: do not use self-hosted services unless you you spin up fresh, isolated instances of your services for use while abroad and spin them down afterwards, including formatting any OS they were hosted on.

Regarding VPN: because we are assuming that any device used in China is compromised, do not connect to your VPN unless you have set up a segregated VLAN and are connecting through a VPN server instance created specifically for use while in China.

Basically, assume anything you use in China is compromised. And assume your connections are being monitored. And assume that any device you are connecting to from China is at risk of being compromised. So everything needs to be segregated from the rest of your network and set up specifically to be deleted after you're back home.

[–] [email protected] 13 points 1 day ago (1 children)

Do you have any links to read more about this? Thanks for a very detailed response.

Is there anyway to bring my phone and laptop without this risk? I can totally format my laptop completely but can’t do that with my phone.

[–] [email protected] 18 points 1 day ago (1 children)

Unfortunately, no, not really. They are absolutely able and willing to confiscate your devices at any time once you're on Chinese soil, and once you've lost physical control, that's the end of trust for that device. Even beyond that, it's not unheard of for there to be vulnerabilities in Wi-Fi, Bluetooth, etc that make your device susceptible to wireless attacks. IMO it's not worth the risk.

Here is just one example of this type of thing uncovered by The Guardian, New York Times, and others in a joint investigation: https://www.theguardian.com/world/2019/jul/02/chinese-border-guards-surveillance-app-tourists-phones

[–] [email protected] 3 points 23 hours ago (1 children)

I know both Australia and UK have laws that allow border to take and copy your phones, laptops and storage devices. It's not unusual.

[–] [email protected] 3 points 13 hours ago (1 children)

Most countries give customs and border agents broad latitude to do stuff like that. I've had it happen in Vietnam, the US, and Turkey, among others.

Burners, all the way

[–] [email protected] 0 points 8 hours ago

Agree - better safe to not risk it when crossing borders. Even if you don't have anything incriminating your identity can be stolen and used.

[–] [email protected] 4 points 21 hours ago (1 children)

I'm wondering if this is a real threat, or a conspiracy theory. If it's a real threat, wouldn't be the same with the NSA?

[–] [email protected] 3 points 19 hours ago (1 children)

Was just thinking that as well honestly. Wouldn’t the NSA do it if they could

[–] [email protected] 3 points 8 hours ago (1 children)

To be honest: After visiting both the US and China I was way more concerned after my US visit that my phone may have been compromised.

Using a VPN was no problem for me in China, but it has been a few years since I've been there.

[–] [email protected] 1 points 7 hours ago

That’s an interesting thought as well. Was talking with my partner, we agree both countries have the ability and feel Ike it’s almost sinophobic to say only China does this. I’m sure the US would if it could.

[–] [email protected] 24 points 1 day ago (1 children)

Get a new phone for use while traveling, then dump it when you're back home. Leave your services behind.

[–] [email protected] 7 points 1 day ago

Leave it on some form of mass transit before you leave

[–] [email protected] 26 points 1 day ago

Can I go to my public sites

I would not recommend. Remember, wherever you step, your feet are leaving traces. Your public sites may be a little too publicly well-known afterwards.

and/or VPN into my servers?

VPN's might not work from there, or the use may be considered a crime.

[–] [email protected] 22 points 1 day ago (2 children)

If your device is out of your sight, then yeah, you should probably assume it's compromised.

Of course, that's hardly JUST China doing funky shit with your devices, but depending where you're calling home, odds are customs/immigration when you head home will try to do the exact same thing, too.

And the answer to everything is yes, always use a VPN if you don't trust the network and you should never trust the network.

[–] [email protected] 3 points 1 day ago (1 children)

VPNs are illegal in China.

[–] [email protected] 2 points 22 hours ago

Illegal but tolerated: just think to all the Chinese companies thriving on Facebook ads sales

They crack down on it only when they need to punish a specific target/person

[–] [email protected] 3 points 1 day ago (2 children)

Well china does it to everyone, in the western countries usually it is targeted to individuals.

[–] [email protected] 1 points 1 day ago (1 children)

For sure, just wanted to mention that it's not just the China side of the trip you need to be vigilant about.

[–] [email protected] 0 points 1 day ago

What else then?

[–] [email protected] 0 points 1 day ago

Source? I would like to read more

[–] [email protected] 1 points 22 hours ago* (last edited 22 hours ago)

Grapheneos with a dedicated profile with those China apps. Dont allow the profile to run in the background. Then just use tor with snowflake or one of the many methods of tor to bypass the firewall of China.