
The Trouble With Bringing Your Business Laptop To China

Posted by Soulskill
from the laptops-are-the-panda's-favorite-food dept.
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"

  • by dtmos (447842) * on Tuesday December 04, 2012 @08:37PM (#42186713)

    The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.

    • by ZorinLynx (31751) on Tuesday December 04, 2012 @08:44PM (#42186771) Homepage

      Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in any way give China access to any "controlled technology" they don't already have?

      • by DragonWriter (970822) on Tuesday December 04, 2012 @08:47PM (#42186809)

        Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in any way give China access to any "controlled technology" they don't already have?

        Controlled technology includes software as well as hardware.

        • Industrial espionage (Score:4, Interesting)

          by Taco Cowboy (5327) on Tuesday December 04, 2012 @09:02PM (#42186947) Journal

          I travel all the time, for business.

          China is not the only country where industrial cloak-and-dagger stuff happens.

          The other countries where I've personally encountered industrial espionage activities include Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and, you will be surprised, I have had similar encounters in Canada, the UK, Australia, and also the US of A, although not that often.

          • by hendridm (302246) on Tuesday December 04, 2012 @09:18PM (#42187097) Homepage

            I'm surprised by many of the countries on your list.

            Can you give some examples of what you've observed that we non-travelers might find surprising/interesting?

          • by nihaopaul (782885)

            Photos or it didn't happen!

          • Re: (Score:3, Insightful)

            by DNS-and-BIND (461968)
            Industrial espionage is one thing. This is a government employee entering your hotel room to install software on your laptop and image your hard drive. It has been happening for years in China (but has just now made Slashdot). It is practically a signature move of theirs.
          • by AaronW (33736) on Tuesday December 04, 2012 @10:07PM (#42187501) Homepage

            As you said, France is also notorious for this sort of thing which surprises a lot of people.

      • by dtmos (447842) * on Tuesday December 04, 2012 @08:54PM (#42186871)

        how does bringing them back there in any way give China access to any "controlled technology" they don't already have?

        It's the information the technologist has stored on it that is the problem. The export control laws are enforced by the Bureau of Industry and Security [doc.gov], and they are arcane, complex, and woefully out of date. Just to give one example, if you're a microprocessor designer, and have a design that operates at temperatures exceeding 125C, that design is controlled; carrying that design in your laptop when you go to China is a violation of the law -- whether or not it is even accessed while in China. (It's also illegal to show that design to any person of Chinese citizenship, even if you both are in the US at the time; that, too, is considered export under the law.)

  • by ackthpt (218170) on Tuesday December 04, 2012 @08:40PM (#42186733) Homepage Journal

    Take a TRS-80 and watch them try to figure it out.

    • A good old model 100 would do wonders. Do they make powerpoint and outlook for one?
    • by kawabago (551139) on Tuesday December 04, 2012 @09:27PM (#42187183)
      and infect them right back!
  • encryption (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 04, 2012 @08:41PM (#42186741)

    Why doesn't your business mandate HDD encryption?

    China isn't the only place this goes on...

    • Re: (Score:3, Funny)

      by Qzukk (229616)

      Why doesn't your business mandate HDD encryption?

      Not that it would matter, some person would decide it's too much trouble entering the password all the time and just leave the laptop on.

    • Re: (Score:3, Interesting)

      by able1234au (995975)

      Encryption but to be extra paranoid, don't bring a laptop. You need to assume that there will be spies on your own payroll. Someone supplementing their pay and being patriotic at the same time. Paranoia is a good thing. Encryption is critical but don't assume it is a magic bullet. If they video or capture you typing in your password then you will have a false sense of security.

      • by arbiter1 (1204146)
        If it's business you probably need it. Personally, if you are an international traveler for business, I would use TrueCrypt and encrypt the entire drive, maybe throw in like a USB drive/SD card that needs to be inserted with a password to access the laptop.
        • Re:encryption (Score:5, Interesting)

          by lister king of smeg (2481612) on Tuesday December 04, 2012 @09:07PM (#42186967)

          Better yet, a live CD; let them try installing malware on there then. Encrypt the whole drive and only use it for data storage; when the chinless agent tries booting and no OS is found, so he simply images your drive for later analysis, let him stew for a few billion years trying to decrypt it.

          • Re: (Score:3, Interesting)

            by mikeiver1 (1630021)
            The wise money would go a couple of steps further. Install nothing more than a plain jane out of the box live Linux CD image. Boot the thing and store/work out of a fast USB thumb drive on which all data is encrypted with the latest and greatest super kick ass encryption and a key that is very strong. You take the USB key with you around your neck. For extra points you could have the OS start the camera and record upon boot as well as screen capture every few seconds to the HDD unless a special key comb
          • China has a law prohibiting the importation of encrypted devices. They want you to boot up laptops at the airport to verify that TrueCrypt or something similar isn't running.

    • Re:encryption (Score:5, Informative)

      by homer_ca (144738) on Tuesday December 04, 2012 @09:12PM (#42187019)

      A hardware keylogger inline with the keyboard cable takes care of that. It only means they'll have to break in twice instead of once.

      • Keyboard cable... on a LAPTOP? Or do you mean they will take the laptop apart, insert a hardware keylogger INSIDE the laptop and then break in again, take the laptop apart AGAIN, read the password, etc.? That sounds a bit far-fetched, TBH.

        • by homer_ca (144738)

          Sure, not feasible on a glued-together Macbook, but most business-class laptops have easily removed keyboards attached by a ribbon cable. On something like a Dell Latitude, it's easily a 1 minute job. The keylogger hardware isn't exactly off the shelf, but not out of the question for a state-sponsored attack. Still, you have a point. Any target that's worth attacking with such sophisticated equipment is probably paranoid enough not to be traveling around a foreign country with the digital crown jewels

    • by blueg3 (192743)

      If you're really paranoid, you should keep in mind that encryption doesn't really provide data integrity, it only provides confidentiality. That is, if someone steals your laptop and looks at your hard drive, they should get no information, provided your passphrase is sufficiently unguessable. It does not necessarily protect you against someone changing the data on your hard drive, though that might be rather inconvenient. Do not treat an encrypted hard drive as protection against physical attacks!

      You shoul

      • If you're really paranoid, you should keep in mind that encryption doesn't really provide data integrity, it only provides confidentiality. That is, if someone steals your laptop and looks at your hard drive, they should get no information, provided your passphrase is sufficiently unguessable. It does not necessarily protect you against someone changing the data on your hard drive, though that might be rather inconvenient. Do not treat an encrypted hard drive as protection against physical attacks!

        It's protected in the sense that information cannot be stolen.
        Also, it does offer some level of integrity protection - if someone alters encrypted data, it's very likely that I will be able to tell, since it would mean that parts of my disk now contain rubbish.
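
The exchange above is about whether an encrypted disk tells you it has been altered. As an added example (not part of either comment), this sketch shows one way to get a deterministic answer instead of relying on noticing rubbish: a keyed per-sector manifest built before travel and checked afterwards. The sector size, key, and sample image are constructed for illustration, and the manifest and key are assumed to live on media the traveler carries, not on the laptop.

```python
import hashlib
import hmac

SECTOR_SIZE = 512  # bytes; assumption for the constructed image below


def sector_tag(mac_key: bytes, index: int, sector: bytes) -> bytes:
    """HMAC-SHA256 over the sector's position plus its ciphertext bytes.

    Binding the index means a valid sector moved to another offset fails.
    """
    return hmac.new(mac_key, index.to_bytes(8, "big") + sector,
                    hashlib.sha256).digest()


def split_sectors(image: bytes) -> list:
    return [image[i:i + SECTOR_SIZE] for i in range(0, len(image), SECTOR_SIZE)]


def build_manifest(mac_key: bytes, image: bytes) -> list:
    """Run before travel; keep the result and mac_key off the laptop."""
    return [sector_tag(mac_key, i, s) for i, s in enumerate(split_sectors(image))]


def verify_image(mac_key: bytes, image: bytes, manifest: list) -> dict:
    """Run from trusted boot media after the laptop was out of sight."""
    sectors = split_sectors(image)
    changed = [
        i for i, s in enumerate(sectors[:len(manifest)])
        if not hmac.compare_digest(sector_tag(mac_key, i, s), manifest[i])
    ]
    size_mismatch = len(sectors) != len(manifest)
    return {"changed": changed, "size_mismatch": size_mismatch,
            "clean": not changed and not size_mismatch}


def constructed_image(n_sectors: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted volume."""
    out = b""
    for i in range(n_sectors):
        block, counter = b"", 0
        while len(block) < SECTOR_SIZE:
            block += hashlib.sha256(b"constructed-sample" + bytes([i, counter])).digest()
            counter += 1
        out += block[:SECTOR_SIZE]
    return out


def demo() -> dict:
    mac_key = b"constructed-demo-key-not-for-real-use"
    image = constructed_image(8)
    manifest = build_manifest(mac_key, image)

    # One bit altered in sector 5.
    flipped = bytearray(image)
    flipped[5 * SECTOR_SIZE + 17] ^= 0x01

    # Sectors 2 and 3 swapped: each is still original ciphertext, wrong place.
    parts = split_sectors(image)
    parts[2], parts[3] = parts[3], parts[2]

    return {
        "untouched": verify_image(mac_key, image, manifest),
        "one_bit": verify_image(mac_key, bytes(flipped), manifest),
        "swapped": verify_image(mac_key, b"".join(parts), manifest),
        "truncated": verify_image(mac_key, image[:6 * SECTOR_SIZE], manifest),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The check is only as trustworthy as the environment it runs in, so it belongs on boot media that stayed with the owner.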

    • by mjwx (966435)

      Why doesn't your business mandate HDD encryption?

      China isn't the only place this goes on...

      What good is HDD encryption when they have/had physical access to the device? If you get physical access to the HW all you have to do is take a copy of the HDD (erm, DD will do this for you) and crack it at your leisure.

      If you're that worried about corporate/govt espionage, there is only one defence... Don't keep the data on a mobile device. Yep it's a PITA doing everything via VPN, but it's the only secure way.

      Besides this, the article is bollocks made up by people who have had too much pot/coffee an

      • Re: (Score:2, Informative)

        by Anonymous Coward

        What good is HDD encryption when they have/had physical access to the device? If you get physical access to the HW all you have to do is take a copy of the HDD (erm, DD will do this for you) and crack it at your leisure.

        There was a story from a few years back where a fellow had his laptop confiscated. It was encrypted with TrueCrypt and the US govt tried, and failed, to break the encryption for months. So no, it's not an easy thing

        Besides this, the article is bollocks made up by people who have had too much pot/coffee and not enough exposure to the real world. China's govt doesn't give a shit about your crappy company's secrets

        China most certainly does care about your company's secrets if the company is involved in military contracts. Even if you don't travel, they are trying to get at the data that is here. Some of the recent fighter aircraft programs have had problems in particular with data theft.

  • by stevenh2 (1853442) on Tuesday December 04, 2012 @08:43PM (#42186761)
    Who leaves their business secrets in the open? Especially laptops; they get lost, stolen, or, as the article says, examined by people. Really, you can use a TrueCrypt container and hide it somewhere.
    • by marcushnk (90744)

      Because it's a jailable offence.

      If they think you are trading in state secrets (like Stern Hu http://en.wikipedia.org/wiki/Stern_Hu [wikipedia.org] ) they will take and detain you and your equipment.
      At that point they'll ask for your encryption key; if you refuse then you'll be jailed indefinitely and possibly executed.

      Best thing to do is to not take any data with you, or "burn" / wipe / replace your equipment after visiting.

      • by dtmos (447842) *

        It's not just trading in state secrets ("espionage"). In the US it's also the trading in controlled technologies. The difference is, a controlled technology can be transferred to any US citizen with no legal issue at all, but cannot be transferred to (certain) foreign citizens. A state secret, on the other hand, may not be transferred even to another US citizen without authorization.

    • by dslbrian (318993) on Tuesday December 04, 2012 @09:07PM (#42186971)

      This exactly. Encrypt the laptop but don't actually keep anything important on it. Instead use Truecrypt and a USB thumb drive. Have the thumb drive keyed to a different password than the laptop.

      Further, as far as customs, drop a live CD of any variety in the CD drive, and have the laptop default to booting the CD. Now when the customs guy asks to inspect your laptop, say sure, and let it boot the live CD. You can be amused while they laugh at how slow your laptop boots. In the end let em clone the HD, whatever, even if the NSA cracks it there is nothing on it. Everything important is on the thumb drive that you have "hidden" away (usually in plain sight on a keychain).

      As far as the article, carrying your corporate secrets encrypted in your pocket will make any thief's job harder, and having the laptop encrypted will force them to install keylogger hardware, a more time-consuming and harder thing to get away with. If I were such an executive and had real concerns I would just get a throwaway laptop, or better yet have some fun and epoxy all the case screws in. There are possibilities.

    • by jabberwock (10206) on Tuesday December 04, 2012 @10:23PM (#42187625) Homepage
      From The New York Times in February [nytimes.com]:

      Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
  • by rbprbp (2731083) on Tuesday December 04, 2012 @08:43PM (#42186769) Homepage
    If you are travelling anywhere without HDD encryption, then you kinda deserve this. By the way, let's see them trying to put spyware on a PowerPC Linux laptop. :)
  • I see a great market opportunity here; a system whereby if your keychain dongle isn't inserted into the usb port, the laptop battery goes critical on bootup.

    • by cheros (223479) on Tuesday December 04, 2012 @08:55PM (#42186877)

      the laptop battery goes critical on bootup

      Nah. Dell tried that already..

    • by PaulBu (473180)

      Good idea!

      Now, let's try to implement it... I suggest starting with Lenovo laptops, and we only need to outsource USB dongle and exploding battery production somewhere, I suggest China, they have experience mass-producing things!

      Wait! All your matching parts (laptop, dongle, battery) are made where? In... China? ;-)

      Paul B.

  • by DDLKermit007 (911046) on Tuesday December 04, 2012 @08:49PM (#42186825)
    I had this problem when I was doing work with associates in China when I was working to develop some software to use there. After going out one night I noticed the next day my laptop had been gotten into. Sure they poked around, but I didn't care. Not stupid enough to actually bring any data physically there with me. Checked the machine for anything funky, but seemed he was poking around to copy any interesting data. In the end they ended up trying to screw us & do the job we were doing, which they found was really hard without our actual software in their hands. We just ran pointers that always pushed data from China back to the US where we churned through the data because I was a paranoid maniac. Sucks the company went under due to them, but felt a sort of sick satisfaction they ended up looking really dumb when everything ground to a halt suddenly.
  • throw away laptops (Score:5, Interesting)

    by lophophore (4087) on Tuesday December 04, 2012 @08:56PM (#42186887) Homepage

    Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.

    • by Anonymous Coward on Tuesday December 04, 2012 @09:05PM (#42186959)

      Yup, that's how we deal with it. We're frequently in China to do software and hardware testing at our facilities (I work for a large US transportation company), and we have "China laptops". These are encrypted machines that are specifically loaded with the bare minimum stuff we need when we leave and immediately blown away when we get back. Installation of anything beyond the bare minimum (which is pretty much Win7 and VS2005) is strictly disallowed. Source is kept on a separate, encrypted sd card which is not to be kept in the machine, but even then it's just not that interesting. It's all internal source for package sort controllers and such, and we don't even have the ability to check code back in from these machines. It's purely for debugging and sending problem reports back home.

      There's a big sticker on them that even says "China laptop, do not connect to corporate network"

    • by AHuxley (892839)
      Same for entry into the USA or any country. The software needed on brand new storage media, replace when returning home.
      The option to inspect any laptop that enters a country is getting to be a reality rather than having to be a 'suspect'.
      When a state views your laptop as a "container" - you have no legal protection.
      Diplomats and travellers to the Soviet Union knew what they faced at any hotel - why would Communist China be any different?
      • by Minupla (62455) <minupla@gmDEBIANail.com minus distro> on Tuesday December 04, 2012 @10:22PM (#42187613) Homepage Journal

        I have in the past provided the following instructions to an exec:

        1) Go to local computer store
        2) Purchase off the shelf hard drive with this model:xxx-xxxx-xxx - pay with local cash
        3) Purchase Phillips screwdriver
        4) Remove HDD (more details here on how to remove a HDD) and replace with local drive.
        5) Drive over old HDD with rental SUV. Repeat until fragments. Ensure HDD platters are fragments.
        6) Drop into at least 3 random trash bins in tourist areas
        7) If questioned during exit, inform them that the computer crashed and that IT had you take it to a local repair shop but it's not working still.

        Such is life in the odd world we live in.

        Min

    • by swillden (191260)

      Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.

      Nah. Take a $200 Chromebook. Factory reset it when you get back and you don't have to destroy it.

  • solutions: (Score:4, Informative)

    by wierd_w (1375923) on Tuesday December 04, 2012 @08:57PM (#42186893)

    There are several ways around this, with increasing levels of overhead.

    0) don't bring the laptop to begin with. (Hehe.. har.. yeah, who am I kidding?)

    1) yank the HDD completely, boot the laptop using a custom knoppix DVD, with an RDP client. Save your work in the cloud/at the enterprise, behind a strong enterprise password. Malware magically vanishes when the laptop powers down. No local data to collect.

    2) use something like black ice defender.

    3) use whole disk encryption with almost religious zeal.

    Personally, I prefer the live dvd approach. It has fringe benefits of always being a fresh, clean environment, and a complete black hole for forensic data recovery. Only the rubber hose method to get you to reveal the RDP account password remains as a reliable method of intrusion, though this assumes you aren't an idiot, and weren't so stupid as to package a keyring on the live DVD. (The whole idea is to keep sensitive data OFF the system!) If you absolutely NEED a keyring, find some way to use an actual usb keyfob to store it, and always carry your keys.

    Regardless of the method used, remember that allowing unauthorized persons access to the physical system is practically synonymous with being pwned. The live dvd method only gives them physical access to a terminal.

  • by roc97007 (608802) on Tuesday December 04, 2012 @08:58PM (#42186903) Journal

    You take a laptop to China. In your coat pocket is a "live" thumbdrive, which remains on you at all times. You don't care what's on the laptop, because you boot the thumbdrive to do work.

    When you leave China, toss the (presumably compromised) laptop in a dustbin in the airport restroom.

    • why toss it? you could give it to the kids to play flash games and minecraft on.

      • by roc97007 (608802)

        I'm thinking because you don't want to connect it to a network (that you care about) until the disk is scrubbed and the bios is reflashed. (And perhaps, the back is taken off to make sure the box hasn't been physically compromised.) Laptops are, like, $200 apiece. Safer just to dump it.

  • Sources Please? (Score:2, Insightful)

    by Anonymous Coward

    I see a lot of unsubstantiated opinions. How about some credible sources that this is happening?

  • Don't bring a standard laptop. You can easily outsmart them.

    Grab an ARM based laptop (chromebook) and install Linux. The China spooks will not have any clue as to why their spyware is not running.

  • Just encrypt your actual work files then leave one unencrypted on the desktop called "Work Documents". Inside each file contains an endless string of the text "All work and no play makes Jack a dull boy". Hundreds and hundreds of files all with the same repeated text. Not only will they avoid your room but you can tell who was doing the spying, they're the maid that turns and runs when they see you in the hallway.
  • Silly (Score:4, Informative)

    by Charliemopps (1157495) on Tuesday December 04, 2012 @09:45PM (#42187323)

    We don't even have people that travel outside the country and yet your security standards state that:
    A. The laptop is wiped and re-imaged upon return. Every time.
    B. The user simply uses the laptop to VPN into our corporate network which is protected by a random keyfob plus all the usual security.
    C. Corporate laptops never leave the sight of the user. You take it with you everywhere you go. Period.

    Granted, I don't think C gets followed all that much. But A and B are pretty solid. Who the hell keeps a personal laptop for work anymore?

  • Nothing else to say.

  • by Deathlizard (115856) on Tuesday December 04, 2012 @10:10PM (#42187525) Homepage Journal

    1) Buy this: http://www.newegg.com/Product/Product.aspx?Item=N82E16822168002 [newegg.com]
    2) Get a laptop that has a TPM. Preferably a Panasonic Toughbook or Dell Latitude. Put drive from #1 in it. (Or better yet, buy the system with an encrypting hard drive built in.)
    3) Encrypt the hard drive. I don't care how, either with BitLocker or TrueCrypt.
    4) Set your laptop to boot from ONLY the hard drive in the BIOS
    5) Password protect the hard drive at the BIOS level. Also password the BIOS.
    6) Back up your system (preferably, using a drive from #1). Put backup in a safe deposit box. Set a password on that drive or backup file if you can. Do this monthly like clockwork or a hard drive crash will screw you.
    7) If uber paranoid, look into a BIOS-level remote protection system such as Computrace or LoJack to remote wipe the PC, but considering who you're dealing with, most likely it will never see the internet again, but it's good to thwart casual thieves.

  • by NewtonsLaw (409638) on Tuesday December 04, 2012 @10:28PM (#42187653)

    How about just carrying some of those "warranty void" stickers with you and place one so that it bridges the keyboard and screen on the opposite edge to the hinge.

    Now the "maid" can't open your laptop without knowing their intrusion would be very obvious to the owner.

    I wonder if they still would?

  • by fufufang (2603203) on Tuesday December 04, 2012 @10:59PM (#42187813)

    If you use Windows, you can install Truecrypt, and change the bootloader so it shows "Operating System Not Found".

    If you use Linux, set up encrypted LVM, and have your boot partition on a separate USB flash drive, which you attach to your keyring, and carry around with you all the time.

  • troll them (Score:5, Funny)

    by Lehk228 (705449) on Tuesday December 04, 2012 @11:40PM (#42188023) Journal
    Troll like a pro, carry lots and lots of "super sekrit" docs in a poorly truecrypted volume (password on a sticky note under the mouse)

    gigabytes and gigabytes of detailed looking prototype data from your projects that failed due to a fatal and truly unsolvable flaw, but fudge the data and info to mask the unsolvable part

    bonus points for anything that will cost them 100 million to fail to reproduce
    more bonus points at the billion, 10 billions and 100 billion level

    cold fusion, hot fusion, electric vehicle, atomic reactors, there must be trillions of dollars worth of hopelessly flawed design proposals kicking around collecting dust in company archives. -- Put them to good^H^H^H^HLulzy use
  • Yeah (Score:3, Insightful)

    by bytesex (112972) on Wednesday December 05, 2012 @03:45AM (#42189253) Homepage

    We have the same problem. With an obscure little country called the USA.

    Sorry, but the hypocrisy is staggering. We are NOT allowed to even bring an encrypted laptop across US borders.
