China Security

Best Practice: Travel Light To China

Posted by timothy
from the micro-sd-in-dental-work dept.
Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
  • by Anonymous Coward

    Read the subject line.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      I see the Chinese shills are on the job here at /. as usual. You get a cup of tea and a biscuit for being so diligent and getting at FP!
    • by 1s44c (552956) on Monday February 13, 2012 @09:57AM (#39018259)

      pot calling kettle

      My cooking pots are stainless steel. My kettle is likewise stainless steel. Neither can talk and as far as I'm aware neither has racist tendencies.

      It's time that whole pot/kettle thing was just forgotten about.

      • Re: (Score:2, Informative)

        by xaxa (988988)

        My cooking pots are stainless steel. My kettle is likewise stainless steel. Neither can talk and as far as I'm aware neither has racist tendencies.

        Racist? The phrase has nothing to do with racism. A cooking pot or kettle, when used over an open fire, gets sooty (i.e. black).

        (Or, alternatively, the kettle is clean and shiny, as it's not put on an open fire. Then the pot's accusation is based on its own reflection in the kettle.)

  • I wonder... (Score:5, Insightful)

    by Anonymous Coward on Monday February 13, 2012 @09:14AM (#39017965)

    ...if people traveling from Russia or China to here are told the same thing?

    • by Lehk228 (705449)
      if they are smart they are. and between russia and china too.

      these days we are all frienemies
    • Re: (Score:3, Interesting)

      by vlm (69642)

      ...if people traveling from Russia or China to here are told the same thing?

      1) Our security forces focus exclusively on taking people's shoes off, punishing them for traveling by irradiating travelers, and molest traveling women and children. Definitely the laughingstock of the world's security and customs personnel.

      2) Russia occasionally innovates something worth stealing (occasionally...) but China never innovates. Individual Chinese visit the US to go to research colleges etc and innovate, but nothing comes out of China worth stealing. Other than plots to put melamine in baby

      • Re: (Score:2, Interesting)

        by 1s44c (552956)

        1) Our security forces focus exclusively on taking people's shoes off, punishing them for traveling by irradiating travelers, and molest traveling women and children. Definitely the laughingstock of the world's security and customs personnel.

        Committing minor sexual assault as a matter of routine isn't considered a laughing matter in most countries, it's considered sick.

        2) ...China never innovates...

        That's the pro-US point of view is it? Who do you think has been supporting the mighty US empire with loans for the last few decades? Who does the US now owe more to than it could ever hope to pay back?

        Off the top of my head China invented gunpowder and fireworks, paper money, the use of iron, and china ( The stuff cups are made out of ).

        • by vlm (69642)

          Who do you think has been supporting the mighty US empire with loans for the last few decades? Who does the US now owe more to than it could ever hope to pay back?

          First order answer is nothing stops the mint from printing a single $100T bill, and declaring it paid off.

          Second order answer is that messes up oil import costs. Once the M.E. is drained dry, or Iran closes the straits, or "whatever", then there is no further point in maintaining the charade. China gets a couple more years of interest payments, then they get something about as valuable as a box of confederate money.

          Third order answer is we simply tell them "no". They can't even invade Taiwan... what are

      • Re:I wonder... (Score:5, Insightful)

        by mbone (558574) on Monday February 13, 2012 @11:03AM (#39019009)

        I deal with Chinese companies on a regular basis, and can assure you that they are innovating like mad. China is following the same classic development arc, which goes something like copy, steal, make, innovate, that the Japanese did ~ 50 years ago.

    • by Darinbob (1142669)

      This is a patently obvious security thing to do. It has nothing to do with rampant paranoia as the summary suggests. Security on phones is next to non-existent, WiFi is swiftly crackable, and most users do not follow necessary security procedures because security and convenience do not co-exist. Modern office workers have essentially been trained to be lax with security because ignoring security is more productive.

      We get away with it for the most part because the domestic dangers tend to be trivial (viru

  • A good start (Score:5, Insightful)

    by gtvr (1702650) on Monday February 13, 2012 @09:17AM (#39017979)
    Good to see companies waking up to a very obvious threat. Next will be if they can figure out that sharing IP for a little bit of extra market share over there is NOT a good long term investment.
    • "Little bit ?" (Score:4, Informative)

      by unity100 (970058) on Monday February 13, 2012 @09:43AM (#39018165) Homepage Journal

      China is 1.5 billion people. all of anglosphere and europe AND russia combined, cannot match that market. and it's a growing market. not a saturated one.

      • China is 1.5 billion people. all of anglosphere and europe AND russia combined, cannot match that market. and it's a growing market. not a saturated one.

        China as a nation has a big GDP yes, but the per capita GDP is right down there with the Dominican Republic. There are a lot of people in China, but as a market western companies can only target the relatively small subset with relatively large disposable incomes. All of the migrant workers etc need their money to eat and clothe themselves and don't have much left over. Also you need to bear in mind that the rules aren't the same across China, some businesses are only possible in the Special Economic Zon

        • by Cytotoxic (245301) on Monday February 13, 2012 @10:37AM (#39018663)

          The Chinese "middle class" surpassed the population of the entire United States or Europe several years ago. Sure, that still leaves roughly a billion poor people, but with nearly a half-billion doing well, they have some serious internal market power. This also bodes well for political change within China.... a half-billion people with iPhones (or clones) and cars are going to start asking why they don't have more control over their lives at some point.

          Of course, with twice as many people stuck in rural poverty while seeing a growing bourgeoisie, there's another potential road to political change....

  • by stm2 (141831) <sbassi&genesdigitales,com> on Monday February 13, 2012 @09:19AM (#39017993) Homepage Journal

    Since your laptop can be confiscated legally at the border.

    • by eldavojohn (898314) * <eldavojohnNO@SPAMgmail.com> on Monday February 13, 2012 @09:29AM (#39018061) Journal

      Since your laptop can be confiscated legally at the border.

      I'm not saying it's right for them to be able to do that but they do catch individuals engaged with corporate and even economic espionage [slashdot.org] that way. The key difference here is that it's intended to be an open action against you by US Customs whereas in China the intent is for you to never know anything happened and the key logger or stolen information being covertly used without your knowledge of who did it or even what's going on. I think one is much worse than the other but I guess that's just my opinion.

      • Re: (Score:3, Insightful)

        by Moskit (32486)

        How do you know that USA does not do similar "covert" operations?

        Echelon is just one example of a covert industrial espionage mechanism established and run by Americans. I would not think US does not do the same things as China, Russia, France or other countries. China is just so convenient to be a scapegoat. If you believe this is just to "catch criminals", you've been convinced by the dark side ;-)

        In any case this article is a valuable reminder that nothing is "private" these days, that every electronic

      • by Hentes (2461350)

        I'm not saying it's right for them to be able to do that but they do catch individuals engaged with corporate and even economic espionage that way.

        Bullshit. Why would anyone try to smuggle data physically through the border instead of sending it on wire?

      • by jackhererUK (992339) on Monday February 13, 2012 @11:37AM (#39019471)
        They only catch the moronic ones that way. If you want to move data from country x to country y there is this new fangled thing called "the internet" that allows you to move data from one place to another without having to pass through customs. If you are dumb enough to try and smuggle illicit data from one country to another by carrying a laptop across the border containing said illicit data then you deserve to get caught because you are a moron.
    • by N1AK (864906) on Monday February 13, 2012 @09:32AM (#39018083) Homepage
      I have no intention of defending the USA's often excessive intrusions; however, as with many other issues, trying to make out that they are operating on the same level as China is misleading and counter-productive. Unless you actually have, or can provide links to a credible source showing, evidence that the US is routinely compromising the electronic devices of a vast number of foreign visitors then you're just spreading FUD.
    • by jellomizer (103300) on Monday February 13, 2012 @09:35AM (#39018107)
      Or anywhere in the world.
      General rule of thumb when traveling is to always travel light and poor. The more valuable things you bring with you the more liability that you are lugging around, which may be stolen, confiscated, or make you prime bait to be kidnapped.
      Sure you may be street smart enough in your area to see the difference between a criminal and an honest folk, but in a different culture you are green all over again, and prime bait. Even if you are going across the US. In the country and need assistance often you can get help from those guys walking down the street with large rifles in hand (as they are probably just hunting) for those who live in the country these people are not threatening they are just out having a good time. In the City you should avoid the guy walking down the street with a rifle.
      Or up in the Northeast, People usually go straight to business with less pleasantries, down south there is more talk and gentlemen behavior. For a Northern folk if someone comes up to you and starts talking all friendly like, you get warning bells that this guy is trying to distract you. If down south someone gets straight to business this guy is just being rude and hiding information so you shouldn't trust him.
      • by vlm (69642) on Monday February 13, 2012 @10:05AM (#39018319)

        If down south someone gets straight to business this guy is just being rude and hiding information so you shouldn't trust him.

        I spent a year in the south in the 90s and the reason is people see themselves as instruments of tradition. Historically mobility was low in the south, so a simple business transaction will become a lifetime economic marriage, so there's lots of courting going on. Your GGGgrandpa and his GGGgrandpa probably served in the same civil war regiment, and in fact there probably is a distant genealogically tenuous connection between you two assuming you're genuine southern natives. If nothing bad happens, your kids might very well be expected to continue the business transaction. Also there exists a massive gossip network such that you can assume everyone is all into your business, so if they truly don't know you, they will be mystified as to what you're up to simply due to curiosity. I heard some hilarious jokes that probably only make sense in the rural south about old forgetful people simply relying on their gossip hound neighbors to remind them of stuff, like a human peer to peer network. In the go go go north economic transactions are more of a one night stand or fling at most, so no one cares what church if any you attend, or what military unit you or your GGGgreatgrandpa served in. It's an article of faith amongst the southerners I knew that tradition and reputation (both individual and familial) are extremely valuable, they believe in that about as much as their church, more or less.

        Northern business transactions are like a single hand of poker. Southern business transactions are like a multigenerational game of chess or Go. Before you freak out, obviously these stereotypes are only about 75% accurate.

      • In the country and need assistance often you can get help from those guys walking down the street with large rifles in hand (as they are probably just hunting)

        Yep. I'm Canadian - I still remember being lost while driving in rural Colorado (pre-GPS days) so I asked some guys who happened to have a bunch of guns for directions. They were very friendly and helpful

    • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Monday February 13, 2012 @09:37AM (#39018121) Journal

      Yep this is a point on which it is fair to say that America is no better.

      The only safe way to take devices there is to wipe your devices clean (an uncertain and damaging act on flash storage) and carry a hard drive with a deniable hidden encrypted partition (including duress key to unlock a decoy partition) containing backups of the devices. Or store the backup online (connecting with an anti-MITM system and using proper encryption of course, that means ONLY YOU have the key and there is no "recovery" option) if you have a shit-ton of bandwidth and time.

      Even then they may take your hardware and do who-knows-what to it, as happened to Moxie Marlinspike's phone. Or you may just not get it back at all.

      • by ios and web coder (2552484) on Monday February 13, 2012 @09:49AM (#39018201) Journal

        Yep this is a point on which it is fair to say that America is no better.

        I'm not sure I'd agree with that.
        This is a case of them planting trojans on your equipment in China, then exercising that, when you get back to the US.
        In the US, this can be (and I'm sure, is) done by folk like the CIA and NSA. However, folks like me don't do it. Foreigners can come to my office, exchange files and information, use my network, and even use my USB fobs with no worries that I'll plant spyware on their machines (I am quite capable of doing so, as, I'm sure, are a significant number of /. readers).
        To have it so prevalent in a nation is a serious, serious indictment. The NSA does not come to my office and demand that I arbitrarily plant trojans on our partners' and customers' machines. If they did, I would fight them fang, tooth and claw.
        What is happening in China is very dangerous. Not just for us, but also for the Chinese. They may think they have this tiger by the tail, but they will really be shocked when it turns around and bites them.

        • Re: (Score:3, Interesting)

          by GameboyRMH (1153867)

          The NSA does not come to my office and demand that I arbitrarily plant trojans on our partners' and customers' machines. If they did, I would fight them fang, tooth and claw.

          Consider the AT&T interception room, the people working there weren't as upstanding as you. I know it's server-side spying rather than client-side but it's not much better.

          Also consider the laws that allow the US government unfettered access to Gmail, Blackberry comms., cellular data...is that so different from the Chinese government asking Chinese companies to spy for them?

          And if the Chinese citizens think their government isn't a danger to them, they're morons. They were a danger to their own citizens

    • by CohibaVancouver (864662) on Monday February 13, 2012 @10:38AM (#39018671)

      Since your laptop can be confiscated legally at the border.

      Yes, but you know it's happened. They scan your laptop for CP and bomb plans, then hand it back. In China, your privacy is raided without you ever knowing. This is the crucial difference.

  • Travel with a "travel phone" it's a basic phone that does not contain anything important.... EVER.. and yes, wipe it a lot, but a wipe will not help if they flashed a new firmware with spy additions in it.

    I would never even think of bringing my daily phone overseas. Bring a disposable that you don't care about.

  • by msobkow (48369) on Monday February 13, 2012 @09:21AM (#39018005) Homepage Journal

    When there are risks of company devices being hacked and used to spy on corporate data, is it any wonder that many companies still refuse to allow personal devices to be connected to the company networks?

    Still, you have to wonder how much of these issues are due to poor maintenance and management of the corporate infrastructure enabling the penetrations and attacks.

    I've heard of ONE incident where a penetration was actually a zero-day exploit and did not happen because someone didn't upgrade a server or change passwords after employees left the company. 25 years. A quarter century. And only ONE incident that wasn't someone's failure to perform due diligence of maintenance?

    That doesn't say much for North America's corporate security policies, does it?

  • by million_monkeys (2480792) on Monday February 13, 2012 @09:23AM (#39018017)
    This has been standard practice in many places for years. And not just when travelling to China. Even if you're not working with high value information, there's usually not any justification for taking equipment full of company information abroad.
    • This has been standard practice in many places for years. And not just when travelling to China. Even if you're not working with high value information, there's usually not any justification for taking equipment full of company information abroad.

      Wiping your HD after a trip to remove almost all types of malware so you don't bring anything back to the company is new, using a throw away phone so your phone can't be compromised is something new, having a thumb-drive with all your passwords on it so a key logger can't get them is something new. Not taking sensitive data overseas has been a policy for a long time but these new measures are something totally different. This is just the next evolutionary step in the battle to steal IP vs protect IP.

  • Hang on,,. (Score:5, Funny)

    by Anonymous Coward on Monday February 13, 2012 @09:23AM (#39018023)

    My T510 Came from china in the first place...

  • I can see how compromising a printer could be useful if you sent back documents of everything sent to it. But a thermostat? Unless the thermostat was also bugged, I don't see what good infiltrating a thermostat would do. Or why a thermostat would be Internet accessible.

    • Re:A thermostat? (Score:4, Insightful)

      by Captain Hook (923766) on Monday February 13, 2012 @09:30AM (#39018067)
      I read it as... laptop taken to China, infected with something which then wormed its way into all the systems it could when reconnected to the corporate network, which happened to include some network controllable thermostats.

      i.e. the Chinese aren't after the thermostat, it was just part of a system which got compromised.
      • by vlm (69642)

        Not only just another windows box, but a windows box that cannot be upgraded without violating the extremely expensive software support contract.
        Seen this happen with numerically controlled machine tools, PBXs, some internet accessible "software as a service" type of apps, some weird embedded stuff I don't think I can talk about ... the stereotype is if there is an expensive support contract, that machine is gonna get owned.

    • by Lehk228 (705449)
      a fancy thermostat and a printer would both have a web interface panel, if the firewall did not isolate those devices from outside http requests both could have been being accessed from china without compromising anything, for that matter it could have been one of their own people tried to print something while they were in china, and that put the printer's address in memory with the great firewall, and china's security guys were following up (probably automated but sometimes china will do things manually th
    • by andydread (758754)

      Or why a thermostat would be Internet accessible.

      Want to know why a thermostat would be Internet accessible? see here [nest.com]

      Want to know why a garage door opener would be Internet accessible? see here [sears.com]

      More and more things are becoming that way. like it or not.
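
An added illustration for this sub-thread, not part of any poster's comment: a defender-side check that flags embedded devices (the printer and thermostat in the story) sending traffic to destinations outside what each device is expected to contact. The inventory, the egress policy, the flow-record format and every address below are constructed for the example.

```python
import ipaddress

# Constructed inventory: embedded devices and the only destinations each one
# is expected to contact (a hypothetical per-device egress policy).
INVENTORY = {
    "10.20.0.15": {"kind": "printer", "allowed": ["10.20.0.0/24"]},
    "10.20.0.40": {"kind": "thermostat",
                   "allowed": ["10.20.0.0/24", "198.51.100.10/32"]},
}

# Constructed flow records: timestamp src dst dst_port bytes_out
SAMPLE_FLOWS = """\
2012-02-13T09:00:01 10.20.0.15 10.20.0.5 631 48211
2012-02-13T09:00:07 10.20.0.40 198.51.100.10 443 912
2012-02-13T09:02:30 10.20.0.15 203.0.113.77 80 130544
2012-02-13T09:05:12 10.20.0.40 203.0.113.77 80 2210
2012-02-13T09:06:00 10.20.0.99 203.0.113.77 443 5000
2012-02-13T09:09:44 10.20.0.15 203.0.113.77 80 88012
malformed line here
"""


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not parse are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({
                "ts": ts,
                "src": str(ipaddress.ip_address(src)),
                "dst": ipaddress.ip_address(dst),
                "port": int(port),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue
    return flows


def is_allowed(dst, allowed_cidrs):
    """True if dst falls inside any network the device may contact."""
    return any(dst in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)


def find_unexpected_egress(flows, inventory):
    """Aggregate policy-violating flows per (device, destination) pair."""
    hits = {}
    for flow in flows:
        device = inventory.get(flow["src"])
        if device is None:
            continue  # not an inventoried embedded device (e.g. a workstation)
        if is_allowed(flow["dst"], device["allowed"]):
            continue
        key = (flow["src"], str(flow["dst"]))
        hit = hits.setdefault(key, {
            "src": flow["src"], "kind": device["kind"],
            "dst": str(flow["dst"]), "flows": 0, "bytes": 0,
            "first_seen": flow["ts"], "ports": set(),
        })
        hit["flows"] += 1
        hit["bytes"] += flow["bytes"]
        # ISO 8601 timestamps in one timezone sort correctly as strings.
        hit["first_seen"] = min(hit["first_seen"], flow["ts"])
        hit["ports"].add(flow["port"])
    # Largest outbound volume first: likeliest to matter for data loss.
    return sorted(hits.values(), key=lambda h: h["bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_unexpected_egress(parse_flows(SAMPLE_FLOWS), INVENTORY):
        print("{kind} {src} -> {dst}: {flows} flows, {bytes} bytes, "
              "first seen {first_seen}".format(**hit))
```

The workstation at 10.20.0.99 is deliberately not evaluated, since general-purpose machines browse the internet; the point is that a printer or thermostat has a small, knowable set of legitimate peers, so any other destination is worth an alert.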

  • by Anonymous Coward

    This is done in every totalitarian country. For example, when David Smick [amazon.com] was in Singapore, he called home and made a comment about being dissatisfied with the hotel room provided to him. When he was picked up the next day, the person "escorting" him apologized for his hotel room not being good.

    Here in the States, we're monitored under the auspices of the "War on Drugs" or Terrorism or Child Porn or what have you. When folks say we live in a free country, I have to ask, "Is being monitored being Free?" The

    • I could see that going either way. Perhaps his phone was bugged. But think of this scenario. Imagine him never making a phone call mentioning anything about his hotel. Would it have been out of line for that same person to apologize about his room not being properly made? Perhaps one of the maids ratted out her fellow co-worker in order to earn brownie points (backstabbing is notorious in China I've been told). It could also have been SOP at a major star hotel too. As an American, one thing I've learned abo

    • Please tell me how you have been monitored, have your phone conversations been recorded? Has your computer been seized? All these things require a warrant so there must be probable cause. Your only example of your rights being trampled is you have to show identification to get cold medicine, this is your battle cry? There has been a trend with the Supreme Court to rule in favor of individual rights protected in the constitution in the past few years, GPS tracking is the most recent, Justice Sonia Sotomayor
    • by greg1104 (461138)

      If you think needing to show an ID is bad, you still live in one of the lucky states for pseudoephedrine. In Oregon and Mississippi [wikipedia.org], you need a prescription to buy it.

  • Chromium OS (Score:4, Insightful)

    by should_be_linear (779431) on Monday February 13, 2012 @09:28AM (#39018057)
    For this purpose a notebook with ChromeOS (or ChromiumOS) seems like a good solution.
  • this is old news (Score:5, Interesting)

    by mbone (558574) on Monday February 13, 2012 @09:30AM (#39018071)

    If you travel to China, this is old news.

    Yes, some businesses are beginning to require wiped travel laptops for entering the US. I have to say that I do not know anyone personally who has had laptop issues at the US border (although I know that there are some people who are on some sort of list and have them frequently). The assumption is, if you go to China, you will probably be hacked, and it's not going to happen at Customs.

    By the way, in my experience Chinese firms are incredibly paranoid about this, much more so than US firms. I suspect that paranoia has some justification.

  • sign (Score:5, Insightful)

    by CohibaVancouver (864662) on Monday February 13, 2012 @09:31AM (#39018073)
    Sigh.

    Cue all the "BUT THE US IS WORSE THAN CHINA!" posts. You should log off WoW and read a little on Amnesty International about China. Could the USA do much better? Absofreakinglutely - But I can tell you as a Canadian business traveller that the USA is orders of magnitude less intrusive when it comes to visitors to their country. The next time you're in China go try to surf Tibet videos on Youtube and let me know how that goes for you.
    • by X.25 (255792)

      But I can tell you as a Canadian business traveller that the USA is orders of magnitude less intrusive when it comes to visitors to their country. The next time you're in China go try to surf Tibet videos on Youtube and let me know how that goes for you.

      I can tell you that Chinese did not require my fingerprints and were very polite to me. Guess who was exactly the opposite?

      I also don't care about watching Tibet videos on YouTube when visiting China, I don't watch them at home either.

      Have fun watching Al Qaeda videos while killing time in your US hotel.

      • by gmhowell (26755)

        I can tell you that Chinese did not require my fingerprints and were very polite to me. Guess who was exactly the opposite?

        Oh, for shit's sake, America was rude to you?! Is everyone from your home country a little pantywaist, or is your dipshittery unique?

        I like the implications later on:

        I also don't care about watching Tibet videos on YouTube when visiting China, I don't watch them at home either.

        IOW, 'fuck Tibet [freetibet.org], but Americans were rude to me, so let me start my Intarweb jihad against them.'

        Boy, talk about first world problems.

  • by IWantMoreSpamPlease (571972) on Monday February 13, 2012 @09:34AM (#39018099) Homepage Journal

    Stop doing business in and with China, entirely.
    Bring manufacturing and jobs back to your home country/state and improve your own damn economy. /radical concept I know.

    • by siddesu (698447)

      Too bad the captains of the industry already decided it cannot work. To paraphrase the best one of them, workers in your home country/state are no longer flexible enough, smart enough and diligent enough to contribute enough to your shareholders' returns.

      Also, you're not a common radical, you're a delusional and dangerous communist.

      • by Chas (5144)

        Too bad the captains of the industry already decided it cannot work. To paraphrase the best one of them, workers in your home country/state are no longer flexible enough, smart enough and diligent enough to contribute enough to your shareholders' returns.

        Also, you're not a common radical, you're a delusional and dangerous communist.

        Translation: They won't work for something that makes poverty wages look generous and lock themselves into a Company Store setup on top of that...

    • Stop doing business in and with China, entirely. Bring manufacturing and jobs back to your home country/state and improve your own damn economy. /radical concept I know.

      And go out of business because your competitors did not and labor costs here are 20x higher ($0.60/hr vs $12/hr). It is quite radical and the only way it won't be is if US labor costs go down and tariffs/Made in the US tax exemptions are used to make the US manufacturing industry globally competitive at least in the US markets.

    • by couchslug (175151)

      The US exports, among other things, BMWs to China.

      When Americans choose to compete, they can. Automation is the counter to "Asian hordes of cheap labor", which is why companies like Stihl can produce in the US at close to Chinese costs.

      "Buy American and subsidise inefficiency" doesn't help US _GLOBAL_ competitiveness.

    • by CohibaVancouver (864662) on Monday February 13, 2012 @10:46AM (#39018797)

      Stop doing business in and with China, entirely. Bring manufacturing and jobs back to your home country/state and improve your own damn economy. /radical concept I know.

      You do realize many of these business travellers (like the ones from my company) are selling stuff *to* China, right? So we're actually generating jobs here....

  • by Maximum Prophet (716608) on Monday February 13, 2012 @09:34AM (#39018103)
    So take a laptop filled with misinformation, science fiction, and totally bogus stuff. If enough people do this, your adversary will bankrupt himself trying to figure it all out. Extra points for the size of the server farms you can get trying to decrypt output from /dev/random.
    • by MiniMike (234881)

      So take a laptop filled with misinformation, science fiction, and totally bogus stuff. If enough people do this, your adversary will bankrupt himself trying to figure it all out. Extra points for the size of the server farms you can get trying to decrypt output from /dev/random.

      Why encrypt /dev/random, when you can have them working to unencrypt pictures from goatwhatever.com? Or if you don't want to have the goat pictures in the first place, encrypt a bunch of demotivational posters. Or if you want to mess with them, use steganography to embed the goat pictures in the posters.

      • Yes, that works too, but stay away from something that might be illegal in the target country.

        I propose a new form of encryption called Turtles. Under Turtles when you decrypt an encrypted text, you get another text, that may or may not be the "real" text. You can then decrypt that, and get another text, on and on. The "Key", is knowing when to stop. (Implementation details are left to the reader)
      • by greg1104 (461138)

        You should take a look at the pornography laws in China [wikipedia.org] before you do that. That's a good way to land in jail a few years.

  • Let's face it. Most companies are ill equipped to defend against compromise and it stems from people treating business computing resources like their personal equipment. Most places find out they've been compromised by sheer accident. If the Pentagon, NSA, and US military can't keep from being owned* I think there are bigger problems to address.

    * http://www.bibliotecapleyades.net/ciencia/secret_projects2/project396.htm [bibliotecapleyades.net]
    * http://www.codemysafety.com/?p=1143 [codemysafety.com]

  • OK, I understand the point that any equipment that could have been in Mallory's hands unsupervised needs to be considered compromised, and that it will spread the compromise if you give it a chance. I totally agree.

    And I understand that thermostats have IP stacks.

    But what attacker then goes and compromises the thermostat? This is the Chamber of Commerce. You're not going to use the last guy turning the heat off in the evening as the time to start your black ops raid. Thermostats don't have microphones (

    • by vlm (69642)

      It's just a Windows box with PLC control software type stuff. IT might not even know about it. It might not be possible to install security patches while maintaining a valid support contract, or maybe fly-by-night-inc.com went out of business and there is no support of any type at all, at which time you pray it never breaks, and never ever touch it or change anything. IT might want you to upgrade from XP, but they're not offering a multi-million dollar capital budget to replace the entire HVAC system, and

      • From TFA: "... the Chamber recently discovered a thermostat in a Chamber-owned apartment was communicating ..."

        That doesn't sound like a PC-PLC.

  • That said. If you are a CEO of a major corporation, you need to be careful. That is good advice. If I was CEO of Intel, I would be just as careful in the US as in China.

  • by Blahah (1444607) on Monday February 13, 2012 @09:45AM (#39018173)

    The lesson to take from this is: don't store valuable information on your thermostat.

    • by Ihmhi (1206036)

      The scene is a dark room with a solitary light bulb suspended by a cord. Two Chinese thugs hold an American businessman hostage.

      Thug: Give us the information on the chip fabrication process and we'll let you go. Otherwise, we may have to do something... unpleasant.

      Businessman: Do your worst!

      Thug: Very well! Turn his home thermostat up... to 71 degrees!

      Businessman: N-n-no! You bastards! YOU BASTARDS!

  • I'm glad to see a sensible attitude here. As in: don't get angry (as this won't solve anything), just take adequate measures to solve the problem.

    Oh, and about the Slashdot-standard post titled "pot and kettle". Their problems are no concern of ours, OK? We're trying to solve *our* problem here, not theirs.

    I personally trust them to be completely up to the task of concealing whatever useful IP they might have when they come here.

  • Did they wipe their firmware? Personally I would bring a burner phone and laptop. Take devices that are about to be retired and dispose of them upon returning.

    A noodled firmware would allow the bypassing of any level of HD encryption.

    Also assume that the devices are hacked the moment you board the plane. Keep the important bits in your head and don't tell them to the sexy lady who finds you so interesting.
  • Hypothetically, for an entity larger than some smallish business just trying to keep its head down, wouldn't not travelling light provide more useful information?

    Any device you bring, and your good buddies then bug, is now a device that you cannot trust; but also a device that can be analyzed for insight into the state of bugging techniques. Turning unknowns into knowns is generally a Good Thing(tm), and ought easily to cover the cost of a bit of burner hardware.

    Since you are dealing with threats that
  • by unity100 (970058) on Monday February 13, 2012 @10:40AM (#39018719) Homepage Journal

    NATO has been an espionage network that is called Echelon for around 2-3 decades, and it's now publicly acknowledged. I have a hard time believing that the U.S. did not use the non-military information it intercepted through that or other means, for the benefit of its own corporations - the very corporations which back governments into power there, by the way.

    It's naive to think that way. Abusive parties abuse power, public or private. The only difference between the Chinese and what goes on in the West is probably that the Chinese do not care much to put a storefront up.

  • Those who RTTFA (read the third fine article) may have noted the discrepancy between what Mr. Mark Bregman of Symantec does when he travels to China, versus what he sells to the rest of us: he uses a dedicated laptop for China trips, and wipes the device before and after travel. On the other hand, he defends farming out coding to China based on 1) all the big s/w vendors do it, and 2) why worry about malicious code from China, when there have been terrorist attacks on the US committed by US citizens?

    Rebuttals, off the cuff:
    1) Evidently, capitalists don't just sell the rope that hangs them, they'll also teach you how to tie the noose.
    2) Timothy McVeigh and 8 "pro-life" murders over the course of 20 years, vs. opportunity to open back doors into virtually every PC in the United States. I think we need to check whether Mr. Bregman has registered as a lobbyist for the China Central News Agency.
