The Trouble With Bringing Your Business Laptop To China 402
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
That's only one of the problems (Score:5, Interesting)
The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.
Re:That's only one of the problems (Score:4, Interesting)
Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?
Re:encryption (Score:3, Interesting)
Encryption but to be extra paranoid, don't bring a laptop. You need to assume that there will be spies on your own payroll. Someone supplementing their pay and being patriotic at the same time. Paranoia is a good thing. Encryption is critical but don't assume it is a magic bullet. If they video or capture you typing in your password then you will have a false sense of security.
throw away laptops (Score:5, Interesting)
Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.
Industrial espionage (Score:4, Interesting)
I travel all the time, for business.
China is not the only country where industrial cloak and dagger stuffs happen.
The other countries that I've personally encountered industrial espionage activities includes Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and you will be surprised, I had had similar encounters in Canada, UK, Australia, and also US of A, although not that often.
Re:throw away laptops (Score:5, Interesting)
Yup, that's how we deal with it. We're frequently in China to do software and hardware testing at our facilities (I work for a large US transportation company), and we have "China laptops". These are encrypted machines that are specifically loaded with the bare minimum stuff we need when we leave and immediately blown away when we get back. Installation of anything beyond the bare minimum (which is pretty much Win7 and VS2005) is strictly disallowed. Source is kept on a separate, encrypted sd card which is not to be kept in the machine, but even then it's just not that interesting. It's all internal source for package sort controllers and such, and we don't even have the ability to check code back in from these machines. It's purely for debugging and sending problem reports back home.
There's a big sticker on them that even says "China laptop, do not connect to corporate network"
Re:encryption (Score:5, Interesting)
better yet live cd let them try installing malaware on there then, encrypt the whole drive and only use it for data storage, when chinless agents tries booting and no OS is found so he simply images you drive for later analysis let him stew for a few billion years trying to decrypt it.
Re:That's what encryption is for. (Score:4, Interesting)
If your boot software is encrypted, how does your system boot at all?
Oh, I see, you're thinking of something like Truecrypt. So, when you boot, where does the code that knows how to decrypt your hard drive live? Why can't the attacker put the keylogger there?
Re:Industrial espionage (Score:5, Interesting)
I've surprised by many of the countries on your list.
Can you give some examples of what you've observed that we non-travelers might find surprising/interesting?
Re:encryption (Score:5, Interesting)
And if the laptop has a firewire port, i'm fairly certain RAM can be dumped on ANY operating system [gnome.org].
Re:Industrial espionage (Score:5, Interesting)
As you said, France is also notorious for this sort of thing which surprises a lot of people.
Re:throw away laptops (Score:4, Interesting)
I have in the past provided the following instructions to an exec:
1) Go to local computer store
2) Purchase off the shelf hard drive with this model:xxx-xxxx-xxx - pay with local cash
3) Purchase philips screw driver
4) Remove HDD (more details here on how to remove a HDD) and replace with local drive.
5) Drive over old HDD with rental SUV. Repeat until fragments. Ensure HDD platters are fragments.
6) drop into at least 3 random trash bins in tourist areas
7) If questioned during exit, inform them that the computer crashed and that IT had you take it to a local repair shop but it's not working still.
Such is life in the odd world we live in.
Min
Full hard drive encryption (Score:4, Interesting)
If you use Windows, you can install Truecrypt, and change the bootloader so it shows "Operating System Not Found".
If you use Linux, set up encrypted LVM, and have your boot partition on a separate USB flash drive, which you attach to your keyring, and carry around with you all time.
Re:encryption (Score:3, Interesting)
Full disc encryption (Score:2, Interesting)
I work for a major multi-national corporation with big interests in China. Every transportable computer in the company has strong full-disc encryption installed by default, and NO ONE is allowed to divulge the ID/password required to boot it. If you are going to travel internationally, you back up your system before you leave. If some border agency demands the keys to your kingdom, you give them the laptop, but not the keys. Then the company ($40+B and major presence in every country) will bang on a few heads until the system is returned and some poor schlub is hung out to dry...
Re:That's only one of the problems (Score:5, Interesting)
True !
Fun Fact
encryption*SOFTWARE* was classified as munitions and restricted, meanwhile free speech laws meant that printed words could very seldom be stopped.
I was part of exporting PGP from USA legally, by way of printing the (zipped, uuencoded + checksums) source-code, mailing it physically to norway, scanning it, OCRing it and manually proofreading all lines where the checksum failed.