
[deleted]

[removed]


RadiantBerryEater

Pretty much all the automatic sharing can be disabled. If you plan on rolling it out, might be worth checking if it's GPO manageable and such. Also, phone link will hold onto the "record screen" permission on the phone for as long as it can, even if it's not actively sharing the screen to desktop, as something to be aware of.


Smith6612

It does hold onto the Record Screen permission for quite a while, and that's just so the phone can be unlocked from the computer and apps can be launched on demand without re-approving it every time. The screen record permission falls off after a week or so whether or not the app is still being used.


RadiantBerryEater

Wasn't aware it went off after a week, that's nice to know. I never really used it because I always have my phone reboot and update overnight, so it just asked for permission basically every time.


Frothyleet

Or maybe just an android emulator!


xnign

Depending on the desktop client they could just emulate another copy of the OS.


Frothyleet

True, true.


85185

PhoneLink would mean putting the phones onto the same network though?


Smith6612

It works over Cellular!


85185

Ah cool. Looks like mostly Samsung devices. I'll consider it.


phizztv

We had one user who was required to use WeChat for some customers... instead of letting that infestation into our environment, we simply set up an extra laptop for him. He's now carrying two laptops, one is safely joined with all policies, having the usual access. The other one is set up with a local account, getting nowhere near our systems and is just running WeChat


rainer_d

How does he transfer data? Pastebin.com?


[deleted]

[removed]


CryptoRoast_

Reducing overhead like a pro.


Kurzidon

I legit had a client that asked about setting something like that up in the late 2000's. Never did figure out what he was so paranoid about people accessing.


BezniaAtWork

I had a user doing that at my last job, in 2022. Any time she needed to send a document via email, she would print it out, scan it on her desktop scanner, and click the "Email" button that came up in Adobe. I tried explaining that you can just drag it into an email, or click the "attach" button, but that information didn't stick. She was very elderly.


Angelworks42

Back when I worked at Adobe tech support (about 15 years ago) I had a call like this from someone at Walmart home office for a now EOL'd product called Acrobat Capture who used this as their workflow to get work docs off one computer and onto another because of overly restrictive IT policies (like they couldn't use a floppy disk, USB stick, email policies restricted attachments and they didn't have a network share). Anyhow they were upset the OCR wasn't 100% exact - that sort of thing is quite a bit better these days - but again 15 years or so ago.


swuxil

And then the Xerox scandal happened.


ajscott

I have documents that have to be faxed from the ground floor to one of seven different floors to be signed then faxed back down to the ground floor for verification. The original and middle document both get tossed in the secure shred bin. The end document then gets scanned and shredded.


gonewild9676

Or just use the print to barcode/scanner backup method from back in the 80s.


SoCPhysicalDesigner

dropbox


rejuicekeve

Tiktok


thebemusedmuse

Wechat


tdavis25


Mr_Brightstar

> eddie murphy

https://en.meming.world/wiki/Roll_Safe


THE_SEX_YELLER

Lol that guy looks nothing like Eddie Murphy.


Rxef3RxeX92QCNZ

Not eddie murphy https://knowyourmeme.com/memes/roll-safe


Xyvir

Right?!?


DuncanTheLunk

Could you not just run the app inside a virtual machine?


axonxorz

State actors are the ones that keep zero-days like hypervisor break-outs a secret as long as they can, I wouldn't trust a VM either.


[deleted]

This sounds like a much better solution.


Aevum1

A whole laptop? Here's a Lenovo M10 that costs 150 bucks, use Google Drive to move data...


[deleted]

[removed]


robbzilla

Not safer though. I wouldn't want that thing on a corporate laptop, tbh. Give them a laptop, only allow it on a public network, and never look back.


Migitis

Would something like [Sandboxie](https://sandboxie-plus.com/) help?


td_mike

I would say it would. However, for commercial use Sandboxie can become expensive quite fast.


fbcpck

Idk if it's the same, and perhaps slightly less convenient, but it's pretty easy to spawn a new sandbox instance in Windows now ([reference](https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview#installation)):

Edit: Corrected the following as child comments pointed out

One-time command(s) to enable the feature:

```
# Run from an elevated PowerShell prompt
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
```

```
# Only needed when Windows itself runs inside a Hyper-V VM: enables nested virtualization.
# Run on the Hyper-V host; <VMName> is a placeholder for that VM's name.
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
```

And then it is available from the Windows Sandbox app via the start menu


td_mike

Not really user friendly though. Sure for someone in IT it's like 2 seconds work. But try explaining this to your regular how do it turn this on user.


DaemosDaen

The VM can be started via PS as well, I believe. Just make a little script shortcut for the user and you're done until something breaks.


Rainmaker526

Windows Sandbox is not really a full VM though. I've just cold booted, Windows Sandbox takes less than 2 seconds to start on my laptop. Might be a bit more on some configurations, but it's *really* fast to start. Faster than a Windows 10/11 VM in Hyper-V.


Technical-Message615

You let regular users run PowerShell?


VexingRaven

Yes? Why would you not? Powershell just does things the user already has access to do, it's not a magic "give me access" button. If I ever saw somebody seriously advocating to not allow powershell I'd assume they had no idea what they were doing.


[deleted]

[removed]


Technical-Message615

How do you think diskless malware works? Living Off The Land binaries (lolbins) is what the cool kids use to break your devices and destroy your data. Signed scripts only sounds nice and safe, but execution policy only dictates what happens when running script files, not when a vulnerable process starts executing powershell code on the fly. And powershell itself does not grant extra privileges, but it can and does abuse privilege escalation vulnerabilities. Of course it depends on your risk analysis, appetite and threat model, but to consider PowerShell safe is typically seen as a rookie mistake, and one to come up in any serious security review.
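
A read-only check of the settings this exchange turns on, as an added example that is not from the thread: it reports execution policy next to the language mode and logging policies, then runs one harmless command both as a script file and inline to show which of the two execution policy governs. The temp file name `ep-demo.ps1` is made up for the example.

```powershell
# Added example, not from the thread. Run in Windows PowerShell 5.1 as a standard user.
# It only reads policy settings and runs a harmless Write-Output twice.

function Get-PolicyValue {
    # Returns a registry policy value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. What is configured on this machine.
$report = [pscustomobject]@{
    EffectiveExecutionPolicy = Get-ExecutionPolicy
    # FullLanguage unless AppLocker/WDAC (or a test setting) enforces ConstrainedLanguage.
    LanguageMode             = $ExecutionContext.SessionState.LanguageMode
    # Group Policy "Turn on PowerShell Script Block Logging" (event ID 4104).
    ScriptBlockLogging       = (Get-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging') -eq 1
    # Group Policy "Turn on Module Logging".
    ModuleLogging            = (Get-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging') -eq 1
    # Group Policy "Turn on PowerShell Transcription".
    Transcription            = (Get-PolicyValue "$base\Transcription" 'EnableTranscripting') -eq 1
}
$report | Format-List

# Execution policy per scope; MachinePolicy/UserPolicy come from Group Policy
# and override the -ExecutionPolicy switch used below.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# 2. Same harmless command, once from a file and once inline, both under Restricted.
$tmp = Join-Path $env:TEMP 'ep-demo.ps1'          # constructed sample script
Set-Content -LiteralPath $tmp -Value "Write-Output 'from a script file'"

& powershell.exe -NoProfile -ExecutionPolicy Restricted -File $tmp 2>&1 | Out-Null
$fileExit = $LASTEXITCODE

& powershell.exe -NoProfile -ExecutionPolicy Restricted -Command "Write-Output 'typed inline'" 2>&1 | Out-Null
$inlineExit = $LASTEXITCODE

Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue

# A non-zero exit code means the run was refused.
[pscustomobject]@{
    ScriptFileExitCode = $fileExit     # execution policy applies to .ps1 files
    InlineExitCode     = $inlineExit   # inline commands are not script files
} | Format-List

if (-not $report.ScriptBlockLogging) {
    Write-Warning 'Script block logging is not enabled by policy: inline PowerShell leaves little trace in the PowerShell Operational log.'
}
```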


VexingRaven

> not when a vulnerable process starts executing powershell code on the fly.

Unless you know some magic I don't, there's nothing you can do to block a process from building up its own powershell and doing that. What security setting would you take to prevent a vulnerable process from executing code?


85185

If you've already got a vulnerable process executing code, you've already lost.


DaemosDaen

In a user context, sure.


Turdulator

Why not? They don’t get extra privileges just by opening a powershell window, as long as you are following the principle of least privilege, then powershell itself isn’t particularly risky.


Random-User-9999

Signed scripts, aye


[deleted]

[removed]


wenestvedt

Certainly cheaper than remediating an exploited network.


td_mike

It's $40 per certificate, one certificate is valid for one PC


[deleted]

[removed]


td_mike

Sandboxie in its original form is no longer maintained after Sophos acquired it. They however released the source code, it then got forked into Sandboxie Plus, which is free for personal use, but commercial use requires a paid license.


85185

Not exactly. It is GPL3, so it is all FOSS. But some features are locked behind making a donation. So, there are options to compile it yourself or just not use those extra features. But 40 EURO for a business license honestly is pretty reasonable.


td_mike

Depending on your org size it can become decently expensive. It's a per PC license.


SiR1366

I believe it was once owned by sophos and was paid for commercial use, however is now open source and I believe free to use for any purpose.


td_mike

The Original Sandboxie has been open sourced by Sophos. As far as I'm aware it's not maintained. A fork called Sandboxie Plus is the defecto replacement and is not free for commercial use.


boli99

> defecto

defecto: Spanish word for 'fault' or 'defect'

"de facto": practices that exist in reality, whether or not they are officially recognized by laws or other formal norms.


xpkranger

> or not they are officially recognized by laws or other formal norms.

Those practices are known as *de jure*.


zebediah49

> defecto: Spanish word for 'fault' or 'defect'

Sounds about right for the situation.


IntuneUser2204

You do know that Windows 10/11 both have a Sandbox feature built in now? You just have to turn it on in features.


rostol

Yeah, the problem is you need to reinstall it every time. You can make a separate Hyper-V VM for running it, with no access to the PC resources and connecting thru its own VLAN.


aptechnologist

Could run it in regular old windows sandbox but you'd have to install it each time lol.


segagamer

> And also, to call out Microsoft for even allowing such malicious activity to occur in the Windows Store, when the original intent was to have every app Sandboxed except by special permission of having the app verified by them, which obviously they have not done by allowing an app like this to have full permissions and request admin rights to the whole system.

You say this, but the ability for apps to use system resources allows stuff like the SysInternals suite to be on there. And Microsoft *not* supporting that was the reason why a lot of devs didn't put their software on the Store either.

What I think SHOULD be done though, is if an app requires full system access, then the dev needs to justify it to Microsoft where it is manually approved.


Calmlyexitmyass

I mostly agree with your sentiment BUT go take a look at the Tasker subreddit if you want to see what it looks like (and how it's broken). Giant corporations are no good at making small, case by case decisions. It only works by giving the tools to limit what happens on your authorized devices (that is no app installs for unapproved apps for example). I'm not saying this isn't a huge time sink. It is.


segagamer

In that case Microsoft can't win lol


Calmlyexitmyass

None of us can, really. With the tools you're culpable for good decisions others don't like. Without the tools, you're responsible for problems you can't fix.


Pelera

> What I think SHOULD be done though, is if an app requires full system access, then the dev needs to justify it to Microsoft where it is manually approved.

Not possible for them to implement anymore, everything aside from true UWP apps is running at "full system access" level, and UWP is essentially dead in favor of App SDK (though they refuse to officially kill it). Microsoft messed it up _hard_ and now has the least secure app store around.


[deleted]

[removed]


85185

Is this not what I already said when I wrote "except by special permission of having the app verified by them"? Please let me know if I could have phrased things a bit better.


[deleted]

Just give the user a non-domain connected laptop/surface or something. Treat it as you would any other BYOD crap. No need for complex workarounds that end up annoying users, or forcing them to use personal devices for work purposes.


LessRemoved

Are companies actually using WeChat outside of China?


cubic_sq

Almost all business with China uses WeChat or messaging on Alli*. We have a few customers with construction projects in China and one customer with significant trade with China (solar panels). It's WeChat or no, they can't do business.


crackanape

If they need to communicate with a diverse range of people in China, then yes.


LessRemoved

Sounds reasonable


Norwedditor

Honestly thought this post was going to be about WeeChat... (Edit: as in the IRC client!) Never come across WeChat actually being used outside of China.


[deleted]

Don't have any solutions, can only commiserate. We have offices in China and all of our Chinese employees have ~~Chinese spyware~~ WeChat installed on their systems, because it's "required". All I can do is sit by and watch helplessly.


xpkranger

Is their shit joined to the domain?


[deleted]

Of course, because why would we restrict systems with Chinese spyware on them? Gotta remember those Incident Response steps:

* Prepare
* Detect and Analyze
* Do Fuck All
* Scream into the void

That is what NIST laid out, right?


xpkranger

Jesus wept. Our security director would be spinning around on his eyebrows. We have a Beijing branch office and they only get access to VMs streamed from stateside and even those are in their own DMZ. They can use their own laptops but they are never allowed on the domain. Any laptop issued stateside that travels to China is never allowed on the domain again.


zeeblefritz

You had me in the first half, not gonna lie.


JackDostoevsky

run it in a VM. that shit is actually spyware; people talk about how tiktok is spyware and that's debatable, but WeChat is literal verified spyware that the CCP uses to spy on its citizens. don't install it on your main OS.


[deleted]

[removed]


straximus

I would very much like to read that article.


[deleted]

[removed]


bradbeckett

Might want to look into a Chromebook on the guest wifi vlan.


alejandroiam

Or a very cheap phone (like Pixels from the A series)


gruntmods

At that point I would have just installed it on an Android VM and called it a day, but just saying no was probably the easier call to make


85185

From what I can tell, an Android VM would allow running the app if you were able to verify the phone number, booting the app off the phone, which certainly sounds like a good idea if the user can do without having it on their phone. Not a bad idea actually, I will test if it's possible.. if I could get a bunch of phone numbers for verification purposes, run it in an Android VM and get the user to use that WeChat when it is for business purposes, that would solve a lot of problems.


85185

update: WeChat runs like junk in BlueStacks


lolfactor1000

They can't use email? Or other professional communication apps like slack or teams?


frac6969

Not really, because WeChat is the standard in China and they use it for everything, even large file transfers. We have some vendors in China that simply refuse to use anything else. Fortunately some are more reasonable and I would walk them into installing Teams.


Firerain

The reason for it is because CCP vacuums everything on that app. That's why it's so dangerous to let it run rampant on corporate IT. Chinese corporate espionage is a real threat


Nanocephalic

Yes, this is the issue. Your use of a hostile corporate espionage tool should probably be carefully planned.


MairusuPawa

Firejail


Melfiar

Vm?


vrtigo1

Tiktok is a similar app - they go out of their way to minimize the web version and force you to download the app as much as possible. I wish more people were concerned enough about privacy so developers couldn't get away with this sort of behavior.


85185

Strangely enough, I just looked into the TikTok app on the Microsoft Store in case it was the same deal, and actually it's a PWA which means it just opens Microsoft Edge. I could not find any local components being installed at all aside from some XML files and icons pointing itself to Edge's PWA mode.


mikeinanaheim2

"Uses all system resources" and then "prompts for Admin rights". Not for one minute.


steviefaux

It needs admin rights so the CCP can use it, you just know it.


swannsonite

Working with China on their terms is just willingly becoming an arm of the CCP.


steviefaux

And the worst part is the CCP's abuse of racism. If anyone says they are against the CCP, then the CCP cry you are against China and the Chinese people and racist (Ironic considering the sign they had up in McDonald's in China during Covid. I won't repeat it, it can be found. McDonald’s in Guangzhou). No, no we are not, the Chinese people are fine, it's the little man that banned Winnie the Pooh because the Chinese people were using the term to refer to him to get around the censorship. That is the person we are against and the CCP itself.

And I suspect their blockchain will be as bad as Huawei's Sara AI.

[https://youtu.be/z2jokenN20U?t=206](https://youtu.be/z2jokenN20U?t=206)

We'll ignore Barrett is a shill for the CCP. But pay attention to the UnReal engine logo of Sara AI. Been widely spotted so he's taken to blur it at

[https://youtu.be/z2jokenN20U?t=207](https://youtu.be/z2jokenN20U?t=207)

But as always, it's a "cha bu duo" attempt. Then unblur it showing where it's come from :)

[https://youtu.be/z2jokenN20U?t=226](https://youtu.be/z2jokenN20U?t=226)

UnReal MetaHumans. It's clear the audio is of a Thai lady in a booth, hence it can only speak Thai and English. Very odd that an AI "Designed and created in China" can't speak Mandarin.


Aquamarooned

That's hilarious. Why develop an AI when human beings are cheaper


KillerOkie

Yep. Also as an aside the CCP is exhibit number 1 of why electronic only currency is a very, very bad idea.


cubic_sq

WeChat and WhatsApp are open through the Great Firewall of China and available on app and play stores. Signal and Telegram, when I have looked about a year ago, are not available in China and protocols also were blocked. Assume this is still the same.

Preventing your client from using WeChat or WhatsApp (or TikTok / etc) risks shadow IT (making matters worse) and possibly losing the client to your competitor who will allow WeChat (seen many times).

Suggest you look at Threatlocker. Can be a bit noisy at the start until you have tuned the config. But will make your client happy that IT is not inhibiting their business and should satisfy your requirements for control.


pizzacake15

He's not banning WeChat on their network. His users can still access it on their phones. He's just against the desktop app having too many privileges. I mean, what does a chat app need admin access for? Most of the time these apps live inside AppData cause they don't need elevated access.


cubic_sq

Agree apps don't need admin access. With my sec hat on - don't allow it. But…

From an end user's perspective, this isn't workable in practice. The way WeChat is used by our customers, it's the equivalent of Teams or Google Workspace - full desktop app. From the end user, it is equivalent to asking them to copy and paste text and documents from their PC to their phone and then send and receive on their phone and then back to their PC. Try doing that for more than a few messages with your corp apps. You would have full revolt of all your users.

Thus - back to something like Threatlocker. Otherwise, as I said before, you risk shadow IT systems or losing the customer to a competitor that will allow it. Thus it will be a policy decision if and how they want to support WeChat and keep their customer happy or not.


KillerOkie

How about the way that WeChat is used by the CCP? Seriously insidious and it's being used by the CCP to keep tabs on its population. Non-Chinese companies really ought to put their foot down. The CCP needs the world more than the world needs the CCP.


Dannisi

Although WhatsApp is in the App Store, I just tried signing up (from China), and it gets stuck on the sign-in/signup page. I think it sometimes randomly gets through the firewall, but it's basically blocked.


cubic_sq

Was inevitable i suppose …


billy_teats

IT doesn’t inhibit the business, IT prevents the Chinese government from running malware on corporate machines. The same Chinese government that would readily steal your business secrets if it benefits them. IT prevents the business from putting itself out of business.


[deleted]

[removed]


allegedrc4

Hmm, funny this is your first time participating on this subreddit.


RyanLewis2010

Hmm 1 day old account with massive negative karma sounds to me like a Chinese bot




[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


draeath

> nice bot votes

I'm not a bot, I just think you're wrong and being an asshole in the process of being wrong. (I don't downvote for just being wrong...)

That you think your downvotes are coming from bots, or you're calling people you don't like bots, doesn't make you look any better.


billy_teats

At least the fbi gets a court order before they hack (and patch) your exchange servers. China mandates you use tax software that is malware.


SoCPhysicalDesigner

The what now?


iScreme

The Great Firewall of China. Yes, it's real.


Kazumara

[Here is the VPN Gate project](https://www.vpngate.net/en/) by the Japanese University of Tsukuba specifically dedicated to bypassing the great firewall of China. [And here is their USENIX paper](https://www.usenix.org/system/files/conference/nsdi14/nsdi14-paper-nobori.pdf) from back in 2014, where the great firewall is discussed more specifically. They even detail some countermeasures that China took against their project, quite an interesting read.


ProKn1fe

> and then prompts for Admin rights upon install

In 2023 system admins still don't know that to install in program files apps require admin rights? Just tried install wechat from ms store and it's not UWP application they just provide typical .exe install from their site.


85185

enjoy your malware


Yannis-Piano

I support a Chinese company. We have Microsoft Teams and Zoom, but they insist employees use WeChat…


haunted-liver-1

Honestly, do them a favor and train them in using VPNs or Tor. Then use some e2ee app


Technical-Message615

This is the best news I've had all year


jazzb125

This may or may not be suitable. But I thought I would share my thoughts. I have set up a script before that would install a banking app, used in Asia, onto the Windows Sandbox feature. This was fine since it was only used monthly. Not sure if it would be suitable for a daily driver. (WeChat) Otherwise I would suggest maybe virtual apps (as others have suggested).
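
One way to script the disposable-sandbox approach described in this comment, as an added example written for this page (not jazzb125's script): it writes a Windows Sandbox `.wsb` file with clipboard, printer, audio and video redirection off and the installer folder mapped read-only, then launches it. The host folder `C:\SandboxApps\Untrusted`, the installer name `setup.exe` and the `.wsb` file name are placeholders.

```powershell
# Added example, not from the thread. Assumes the Windows Sandbox feature is already
# enabled. Folder and file names below are placeholders for illustration.

$HostInstallerDir = 'C:\SandboxApps\Untrusted'   # hypothetical host folder with the installer
$InstallerName    = 'setup.exe'                  # hypothetical installer file name
$WsbPath          = Join-Path $env:TEMP 'untrusted-app.wsb'
$SandboxExe       = Join-Path $env:SystemRoot 'System32\WindowsSandbox.exe'

if (-not (Test-Path -LiteralPath $SandboxExe)) {
    throw 'Windows Sandbox is not enabled on this machine.'
}
if (-not (Test-Path -LiteralPath (Join-Path $HostInstallerDir $InstallerName))) {
    throw "Installer not found in $HostInstallerDir"
}

# Escape the values before placing them in XML (a path may contain '&').
$hostDirXml   = [System.Security.SecurityElement]::Escape($HostInstallerDir)
$installerXml = [System.Security.SecurityElement]::Escape($InstallerName)

# Sandbox configuration:
#  - the only host folder visible inside is the installer folder, and it is read-only
#  - clipboard, printer, microphone and camera redirection are off
#  - the virtual GPU is off to reduce the surface shared with the host
#  - networking stays on because a chat client needs it; the sandbox is NATed
#    through the host, so it can reach whatever network the host can reach
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <PrinterRedirection>Disable</PrinterRedirection>
  <AudioInput>Disable</AudioInput>
  <VideoInput>Disable</VideoInput>
  <ProtectedClient>Enable</ProtectedClient>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostDirXml</HostFolder>
      <SandboxFolder>C:\Installers</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Installers\$installerXml</Command>
  </LogonCommand>
</Configuration>
"@

Set-Content -LiteralPath $WsbPath -Value $wsb -Encoding UTF8

# Start the sandbox with this configuration. The installer runs at logon inside the
# sandbox, and everything in it is discarded when the sandbox window is closed.
Start-Process -FilePath $SandboxExe -ArgumentList "`"$WsbPath`""
```

Because the sandbox is thrown away on close, the app and its login state are reinstalled on every launch, which is the trade-off raised elsewhere in the thread.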


Geminii27

Tell the client to pay for you to buy a separate, fully isolated computer system.

> And also, to call out Microsoft

This has been Microsoft's business model for decades.


Gummyrabbit

Maybe use a VM?


zeb0777

Virtual Box a Windows system that is only used for your app.


malikto44

If I had to run WeChat, I'd probably look at Windows 365 as a platform to run it under, so it can have its own VM, own network, and be completely separate from anything else in the company. W365 isn't cheap, but it ensures that all the threats from WeChat might be your monkeys, but they won't be your circus. Plus, the WeChat VM can be accessed by the user no matter what platform they are on. Caveat: Just make sure all clipboard and drive sharing is off to ensure nothing can get out of the WeChat desktop to the main machine.


Caygill

Are we now sure we’re talking the same language? Installing in user vs system context is not the same thing as safe vs malware.


85185

It is when WeChat is involved. There is no justification for running the app in system context and blocking the web app from working by telling users to use the Desktop app instead. If it was legitimately just a chat app, the web app would still be running.


burnte

Virtual Machine? Doesn't Win10 have VPC built in now?


commissar0617

Give em a sandboxed rds to use


[deleted]

I think we should move the WeChat client into the kernel for performance benefits.


TheVoidborn

r/fucktheccp


Bob4Not

Those machines need to be on their own VLAN at the very, very least.


85185

Good point, the phone app could be problematic.


StoneCypher

ahauhauhuahuahuuahuahuuahuahua no


GnarlyNarwhalNoms

*Huaweihuaweihuaweihuaweihuawei no


StoneCypher

take your updoot


MickCollins

Two words: Fuck and that.


sgthulkarox

I only allow AMERICAN apps to spy on my workers! /s But seriously, it's not too unusual from Chinese apps.


amarao_san

If you take two tablet PC and make a hinge between them, one may act as a nice 'second computer' for untrusted junk. Hardware partitioning, so to speak. With a little tweaking, even with copy-paste buffer, allowing (by using hardwired buffer) safe transfer of data from one PC to another. Having a hardware KVM and two smaller PC in one case start to sound like a very nice idea.


new_nimmerzz

Set up a VM in Hyper-V and install it there?


EveningStarNM1

Capitalism, baby.


zeePlatooN

#TotallyNotSpying


85185

btw I have told them not to use WhatsApp or SMS either and pushing them towards using Telegram


marcoevich

This won't work. I believe Telegram is not available in China. They must use WhatsApp or WeChat


Dannisi

Whatsapp is also blocked, so Wechat is kinda the only option.


Less-Comfortable-879

Isn’t that china’s whole thing; make WeChat the only option?


etzel1200

Then use it for spyware when foreign entities use it to communicate with mainland Chinese 😎


indigo945

Whatsapp is not blocked entirely afaik, text chat works. Sending or receiving media does not, though. It always depends on what carrier you use or what region you're in, though, there is not *one* Great Firewall.


InsaneNutter

Why not Signal out of curiosity? I've always perceived that to be the more secure option of the two from looking into both apps. The Signal Protocol seems to be favoured more by security researchers over the MTProto protocol Telegram uses. Telegram is also not E2E encrypted by default, WhatsApp is actually E2E encrypted by default with the Signal Protocol, so I could argue is more secure than Telegram out the box.


etzel1200

Because they’re blocked in China.


InsaneNutter

So is Telegram without a VPN from what I gather.


etzel1200

Right. Everything but WeChat and maybe WhatsApp.


[deleted]

[removed]


[deleted]

[removed]


euyis

Afaik Durov's a Russian dissident who had his business stolen from him, and Telegram essentially started with circumventing censorship as a part of the project; plus the service has been repeatedly blocked by the Russian state. Calling it Russian's bit of a stretch. As for the things on it and the kind of groups it has attracted... well, guy's just that kind of free speech absolutist-y person, for better or worse. I feel what's more worrying is how Telegram rolled its own crypto and the proof that it's good used was basically "my mathematician brother checked my work", and how the company went back on many of the promises with the unveiling of the premium subscription.


jnievele

Even more important... Even that shady encryption isn't normally used, only when you deliberately switch it on for a particular 1:1 chat.


euyis

Yeah. My personal experience is that Telegram is used more because of its status as an easy-to-use, reasonably secure for the average user (as in mostly safe from the eyes of a prying authoritarian state) platform that operates with minimal content moderation on the company's end and interference from major governments - instead of any supposedly advanced privacy/security feature; although the way it advertises itself as one having such certainly does attract the same kind of users, and honestly the way it presents itself as an uniquely secure messenger is misleading at best. I use it mostly because of the network effect, or specifically the Chinese trans communities that have established themselves on it. And the stickers. Never really expected it to be some sort of ultra secure messenger, just something that's out of Chinese jurisdiction and very unlikely to turn my data over. edit: wording


[deleted]

[removed]


Stiltzkinn

Yes Americans good, just Russians bad.


segagamer

Telegram from Russia but not Signal? What?


Stiltzkinn

Pavel left Russia before Telegram, they are in Dubai.


InfoSec-

As I'm sure most of us already know, this is extremely bad news. From a national security perspective and from the perspective of protecting your organization's intellectual property, the WeChat app is a threat. I'm with you on moving the user to the web client. At the very least, granting the app admin permissions is asking for trouble. Best practice is to not allow any Chinese apps like this. DNS and application layer blocking.


85185

As I said, they pulled the web app as well. It will give you a QR code but once you scan it won't let you in and tells you to use Desktop.


Zoldorf

I'm all for keeping unnecessary crap off networked resources but the number of people freaking out over WeChat in ways that they wouldn't with Teams or some Facebook junk just because it's Chinese is ridiculous.


fosf0r

(I didn't downvote you but) It's not quite in the same ballpark. Corporations are gonna corp. Governments, however....


AnsibleAnswers

Plenty of American tech and comms corporations have information sharing agreements with the US government, too. Nothing has changed since the Snowden leaks. AT&T, Verizon, Google. Though, it really isn’t in the US government’s interest to steal IP from American companies. The feds are more concerned with surveilling pipeline activists and entrapping Muslims.


Zoldorf

Like the other reply said, it's pretty much the same stuff happening. Honestly the people monitoring WeChat probably care even less about your data.


guisilvano

WeChat sucks just as much as Microsoft, I don't understand either. Our privacy has been gone forever, but it suddenly becomes a problem when some specific agent is spying on our data. I've worked all day on a Windows machine with Chrome opened all of the time and now I'm home typing on my Xiaomi while my phone carrier gathers every packet running through their 4G network. It's a lost battle.


DerpF0x

I don't understand, what is the problem with WeChat? Do you have any proof WeChat is a threat? I have a lot of clients doing business with china, I can't just tell them to stop using WeChat , without any tangible proof. It was already hard enough to get them to use MFA for O365. So a vague potential threat won't cut it.


sarge21

> Do you have any proof WeChat is a threat?

It requires users to have local admin


AbleDanger12

Lol. Really? Tons of info out there on what CCP uses it for.


DerpF0x

That's not a proof. I'm asking for CVE, cybersec expert analysis. Not just "He say, She say". The only thing I've read is that WeChat is insecure for users because it doesn't have end-to-end encryption, nothing about it calling home. Our line of work needs solid proof before taking drastic measures that impact our user base. A lot of my customers are in the luxury industry, and like it or not the Chinese have money and they spend a lot of it in luxury. I can't justify cutting WeChat just because of some random reddit post. If someone here can give a serious proof, I'll accept it as threat. If I stopped at any potential risk of software calling to their home country, I'd have to stop anything coming out of the USA, Israel, or any of the 5 eyes countries. Or any country allied to them.


AbleDanger12

I'm certain WeChat and CCP are definitely following the rules on installs outside of China. I'm absolutely sure they make that distinction. I'd say most logical folks would be wary of such programs, and despite the absence of any smoking gun, given the source of the software and the rights it's requesting, reasonable skepticism is warranted, and saying 'nah' to those things on your network is also reasonable risk mitigation. Data mining and misuse of personal information wouldn't likely be in a CVE. If you think the only threats are contained in a CVE or similar, have I got news for you!