Best Practice: Travel Light To China
Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
Read the subject line.
...if people traveling from Russia or China to here are told the same thing?
Good to see companies waking up to a very obvious threat. Next will be if they can figure out that sharing IP for a little bit of extra market share over there is NOT a good long term investment.
Since your laptop can be confiscated legally at the border.
DNA in your Linux: DNALinux
Travel with a "travel phone" it's a basic phone that does not contain anything important.... EVER.. and yes, wipe it a lot, but a wipe will not help if they flashed a new firmware with spy additions in it.
I would never even think of bringing my daily phone overseas. Bring a disposable that you don't care about.
Do not look at laser with remaining good eye.
When there are risks of company devices being hacked and used to spy on corporate data, is it any wonder that many companies still refuse to allow personal devices to be connected to the company networks?
Still, you have to wonder how much of these issues are due to poor maintenance and management of the corporate infrastructure enabling the penetrations and attacks.
I've heard of ONE incident where a penetration was actually a zero-day exploit and did not happen because someone didn't upgrade a server or change passwords after employees left the company. 25 years. A quarter century. And only ONE incident that wasn't someone's failure to perform due diligence of maintenance?
That doesn't say much for North America's corporate security policies, does it?
I do not fail; I succeed at finding out what does not work.
This has been standard practice in many places for years. And not just when travelling to China. Even if you're not working with high value information, there's usually not any justification for taking equipment full of company information abroad.
My T510 Came from china in the first place...
I can see how compromising a printer could be useful if you sent back documents of everything sent to it. But a thermostat? Unless the thermostat was also bugged, I don't see what good infiltrating a thermostat would do. Or why a thermostat would be Internet accessible.
Since North American Telecom use Chinese made equipment from the likes of Huawei, does this bode well at all?
This is done in every totalitarian country. For example, when David Smick was in Singapore, he called home and made a comment about being dissatisfied with the hotel room provided to him. When he was picked up the next day, the person "escorting" him apologized for his hotel room not being good.
Here in the States, we're monitored under the auspices of the "War on Drugs" or Terrorism or Child Porn or what have you. When folks say we live in a free country, I have to ask, "Is being monitored being Free?" The fact that I have to show id to buy suphedrine because a couple of addicts burnt their houses down is freedom? (As an aside, I live in white trash America and there has been maybe one meth lab in my area that has been raided in the last decade. One. But yet people and the police act like there's one on every block.)
In this day and age, the tin foil hat brigade are usually right
Bill Clinton's BFF!
For this purpose notebook with ChromeOS (or ChromiumOS) seems like good solution.
839*929
Since your laptop can be confiscated legally at the border.
I'm not saying it's right for them to be able to do that but they do catch individuals engaged with corporate and even economic espionage that way. The key difference here is that it's intended to be an open action against you by US Customs whereas in China the intent is for you to never know anything happened and the key logger or stolen information being covertly used without your knowledge of who did it or even what's going on. I think one is much worse than the other but I guess that's just my opinion.
My work here is dung.
If you travel to China, this is old news.
Yes, some businesses are beginning to require wiped travel laptops for entering the US. I have to say that I do not know anyone personally who has had laptop issues at the US border (although I know that there are some people who are on some sort of list and have them frequently). The assumption is, if you go to China, you will probably be hacked, and it's not going to happen at Customs.
By the way, in my experience Chinese firms are incredibly paranoid about this, much more so than US firms. I suspect that paranoia has some justification.
Sigh.
Cue all the "BUT THE US IS WORSE THAN CHINA!" posts. You should log off WoW and read a little on Amnesty International about China. Could the USA do much better? Absofreakinglutely - But I can tell you as a Canadian business traveller that the USA is orders of magnitude less intrusive when it comes to visitors to their country. The next time you're in China go try to surf Tibet videos on Youtube and let me know how that goes for you.
Stop doing business in and with China, entirely. /radical concept I know.
Bring manufacturing and jobs back to your home country/state and improve your own damn economy.
So rise up, all ye lost ones, as one, we'll claw the clouds.
So take a laptop filled with misinformation, science fiction, and totally bogus stuff. If enough people do this, your adversary will bankrupt himself trying to figure it all out. Extra points for the size of the server farms you can get trying to decrypt output from /dev/random.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Let's face it. Most companies are ill equipped to defend against compromise and it stems from people treating business computing resources like their personal equipment. Most places find out they've been compromised by sheer accident. If the Pentagon, NSA, and US military can't keep from being owned* I think there are bigger problems to address.
* http://www.bibliotecapleyades.net/ciencia/secret_projects2/project396.htm
* http://www.codemysafety.com/?p=1143
Join the Slashcott! Feb 10 thru Feb 17!
OK, I understand the point that any equipment that could have been in Mallory's hands unsupervised needs to be considered compromised, and that it will spread the compromise if you give it a chance. I totally agree.
And I understand that thermostats have IP stacks.
But what attacker then goes and compromises the thermostat? This is the Chamber of Commerce. You're not going to use the last guy turning the heat off in the evening as the time to start your black ops raid. Thermostats don't have microphones (please, please let me be right on this).
What POSSIBLE reason would you do this, with the obvious cost that it increases the chance you'll get caught?
You got to wonder when the next stage in this story will come out; that with all those computers we purchase being made in China, they have hacked the chipsets to allow backdoors for their use. Probably the only reason this hasn't happened so far is that they make too much money with the current situation and breaking into M$ computers is too easy to make such a step necessary. But the Defense department better be thinking about this!
That said. If you are a CEO of a major corporation, you need to be careful. That is good advice. If I was CEO of Intel, I would be just as careful in the US as in China.
China is 1.5 billion people. All of the Anglosphere and Europe AND Russia combined cannot match that market. And it's a growing market, not a saturated one.
The lesson to take from this is: don't store valuable information on your thermostat.
A few years ago a visiting Chinese exchange student was a guest at a party at my home and I caught her sneaking out of my home office where I keep my computer running 24/7. I scanned the computer in my office the next day and found a keylogger. For the past five years my wife has told me that I was crazy to think that the exchange student put it on there.
When my wife read the story in the NY Times, she finally said "You were right."
I am convinced that the woman who brought the exchange student to my home, a first generation Chinese-American, knew exactly what the exchange student was up to and brought her to the party for that purpose.
Oh, and about the Slashdot-standard post titled "pot and kettle". Their problems are no concern of us, Ok? We're trying to solve *our* problem here, not theirs.
I personally trust them to be completely up to the task of concealing whatever useful IP they might have when they come here.
Perhaps one day we'll realize we should have kept manufacturing capability from bottom (raw materials) to top IN COUNTRY. Ah well. Since we now have to work with countries that have governments that may find themselves in opposition to ours, and depend on them for all our various tech products, well... I guess we're screwed, since there's no way I can know if my computer's chips are secretly radioing home to Thailand or China or Taiwan or Waitan, or wherever. Guess that means I daren't use my computer for anything I don't want others to know about.
Or... I keep a second computer that never attaches to a network, and keep all my secret stuff on that, and use my internet connected computer to do stuff involving the outside world. I also should keep the secrets machine in a Faraday cage, complete with a completely isolated power system about which nothing could be inferred from without, i.e., it's powered by batteries which are swapped out for charging so there's no way to tell what I'm doing with it by looking at power consumption over time... etc.
Or... I don't need to do anything like that anyway, so I don't worry about the whole problem myself anymore than I worry about the possibility of getting hit in the head by a meteorite while typing on my com... OWWWW! WTF?!? I think a meteorite just... owwwww....
China, Russia, or the USA: which is the next great superpower?
The EU is sitting this one out.
There can be only one superpower, or we're in a state of global cold war like in the 1980s.
So who will it be?
So...the Chinese can install "key-logging software" (not just hardware) but they can't install software to read screens, capture clipboard data, or traipse through storage devices? (FTA: He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”)
I guess it goes without saying that his laptop is even now trying to steal my chem 201 notes.
China is 1.5 billion people. All of the Anglosphere and Europe AND Russia combined cannot match that market. And it's a growing market, not a saturated one.
China as a nation has a big GDP yes, but the per capita GDP is right down there with the Dominican Republic. There are a lot of people in China, but as a market western companies can only target the relatively small subset with relatively large disposable incomes. All of the migrant workers etc need their money to eat and clothe themselves and don't have much left over. Also you need to bear in mind that the rules aren't the same across China, some businesses are only possible in the Special Economic Zones. The other big problem is it is really hard to judge how big the market is, the only accurate figures are a state secret and that makes a lot of businesses nervous.
Did they wipe their firmware? Personally I would bring a burner phone and laptop. Take devices that are about to be retired and dispose of them upon returning.
A noodled firmware would allow the bypassing of any level of HD encryption.
Also assume that the devices are hacked the moment you board the plane. Keep the important bits in your head and don't tell them to the sexy lady who finds you so interesting.
Now a good question would be -- yet again -- why do people connect everything to the internet? It just opens them up to attack. Have an intermediary between the internet and important systems to protect the more important computers and technology from external control. This is something I'm yet to see in even the most sophisticated systems. The fact is, you need the internet for a few things, not everything, and there are computers containing secure information which can (and should) be isolated rather than connected to the internet. Otherwise, when your toaster starts spitting out toast with angry kanji burnt into it, it's your fault and yours alone for connecting the damn thing to the internet...
Pot Kettle Black
Hypothetically, for an entity larger than some smallish business just trying to keep its head down, wouldn't not travelling light provide more useful information?
Any device you bring, and your good buddies then bug, is now a device that you cannot trust; but also a device that can be analyzed for insight into the state of bugging techniques. Turning unknowns into knowns is generally a Good Thing(tm), and ought easily to cover the cost of a bit of burner hardware.
Since you are dealing with threats that don't necessarily wait for you to get on the plane (they can go over the internet, or even in person, if the reward is large enough), it would seem that gathering samples of the attack techniques, exploit kits, etc. in use would be a good idea...
NATO has been an espionage network that is called Echelon for around 2-3 decades, and it's now publicly acknowledged. I have a hard time believing that the U.S. did not use the non-military information it intercepted through that or other means, for the benefit of its own corporations - the very corporations which back governments into power there by the way.
It's naive to think that way. Abusive parties abuse power, public or private. The only difference between the Chinese and what goes on in the West is probably that the Chinese do not care much to put a storefront up.
In any country, the likelihood of planting software in your phone is less likely than actually bugging your audio line. Wouldn't the smarter course of action be to bring your wiped smart phone, have an encoded chat software on it, and get all the contacts you'll need to make new secured accounts on the same encoding software, and talk that way? It seems to make more sense than bringing a crappy burner phone and having all your conversations monitored and recorded via the central feed.
AFAIK, Skype voice chats are encrypted, but I don't know to what degree because there are no options for encryption.
The same happens in the US - I am not allowed to bring company hardware across the US borders for the same reason. We had Bill Clinton steal for Boeing, and it's not going to happen again.
Religion is what happens when nature strikes and groupthink goes wrong.
When I did time in China, nothing happened. (Sure there was lots of software in the bicycle market, and about half those CDs did what it said on the cover). My lasting impression though was that Chinese people, at all levels, already knew a lot more than I had gone to tell them, and had a more disciplined structure for making the best of it. Can't see them bothering to spy.
So sorry, was I a bit late to this party? This is another reason pro-copy[entitlement] legislation must never pass in Western jurisdiction: it would open the floodgates for ever more penetrative eavesdropping, to the point where peer to peer encryption is outlawed (since the content of such streams cannot be intercepted in any meaningful way without the key). Bye bye, Skype.
Operation Guillotine is in effect.
Isn't this exactly like how foreign business travelers avoid going to the USA, where your laptop is subject to search and theft upon arrival, and even upon departure if a TSA clerk decides they want it?
This also bodes well for political change within China.... a half-billion people with iPhones (or clones) and cars are going to start asking why they don't have more control over their lives at some point.
Like how the people in the U.S. have, isn't it.
As an employee of an EU corp, making business trips in US and China, I can tell that government spying industrials happens much more at the USA border.
So now realities of travel are forcing companies to follow "IT Best Practices".
As always, only the IT staff understands how the real world works.
What about when visiting New York Times? Or is that just an innocent paywall they put up on the linked article?
now we need to go OSS in diesel cars
Have your execs "forget" to wipe their "personal" camera card or "personal" camera's built-in memory or some personal item that is reasonably overlooked before they go in. Make sure the card contains carefully faked information.
Then when the guy gets back, hook the camera up to a fake network that has fake information on it. Keep updating the info as if it were a real network.
Then see how your adversary reacts.
As lulz it's expensive, but as counter-espionage it may be cheap.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
If I'm China and want to spy on a major American company, I might have more success if I tricked his kids into visiting a compromised web site using their home computer.
If I do this to enough employees and the company isn't super-anal about security, one of them will infect a flash drive off of his home computer and eventually take that flash drive to work. I win.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
>> I trust it enough that when I teleconference I insist that Skype is used
Skype ? are you kidding ?
Single point of failure for huge corporate insight.
Proprietary crypto, whatever.
P2P protocol means the attacker can (and will) control the relays
Security by obscurity : shown to always have failed
Must be bugged long ago. By USA agencies, who else.
You know, how they'll confiscate your computer because it might have something illegal on it, so you don't take a computer into the USA AT ALL?
Certainly sounds familiar.
I would imagine there'd be some possibility at least some of the stuff being imported to the US and elsewhere contains hardware backdoors for them to use. IMO it's naive to think they haven't at least tried, and it's stupid for them to not even have tried. And if they've tried, I'd think Apple would be a HUGE target.
Sanity.html - Error 404 not found
If you want old civilizations with long histories, try Ancient Egypt: 5500 BCE (until arguably 30 BCE) according to Wikipedia. Yes I know Sumer and all that are old too, but they didn't last quite as long...
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Bring malware or false information on your electronics and turn the tables on the people getting your information?
Have the malware lie low and just phone home so you can gather information on their information gathering techniques?
How about loads of FAKE credit card identities that trigger "silent" fraud alerts that law enforcement can then trace back to the fraudsters?
Poison the well of exploitable information enough and you will "kill" all the bad guys!
--PM
The easiest way to protect your information while traveling is to use an Ironkey with MokaFive. With these 2 products you have a secure vm which runs everything from the Ironkey. No memory is used other than to open the Ironkey to run your Windows or Linux desktop. I have used this to run Windows Server with Exchange in a class I taught. This combination also blocks keyloggers and other spy tools which may be on the client machine.
The Ironkey is a secure USB memory stick which requires a password and is ras/dod encryption. If you try to guess the password too many times the administrator of the stick can either have the stick kill itself or just lock until returned to an administrator.
If you would like more information on this you can contact me at tivoligardens@yahoo.com.
Isn't this the simplest solution? If they plant bugs, don't continue to do business with them.
If they lose enough business, they will stop the bad behavior.
Yes we say if you go to China "Your device will be penetrated" (middle school giggle) but I wouldn't be surprised if other countries tell their people "Look mate if you're going to America don't take anything, don't say anything, don't look at anybody, no sudden movements, don't tweet, don't email, don't check Facebook, stay offline or else those American fucks will lock you up or throw you out"
Do that everywhere you go, if you're using a plane, crossing a border or otherwise expect to be searched by whoever. Upload the data you will need on your trip to a server. Back up the data you won't need. Wipe your devices. Or better still, copy a 100% legal, innocuous and plausible image (that doesn't look pristine but like a system you're actually using) to them and keep the stuff that matters on that well-hidden encrypted partition.
My son's physics class was visited by 3 Chinese teachers. As they walked into the classroom, his Macbook Air crashed. He tells me he was in gmail at the time. His laptop has never had a kernel crash before or since. Does this story prove anything? No. But it is conceivable that visiting teachers carry laptops that probe and spoof software such as gmail that the government has a keen interest in cracking. The teachers may be completely unaware of why their laptops seem to discharge batteries in a few hours even when the lids are closed.
Nice tin foil hat you have there.
If I were a major stakeholder in a company with valuable IP that had business with China; I would be doing my best to keep that IP completely out of China, and make sure that China was on the consumer side of my business and not the supplier side.
Neither the Chinese nor the American government are going to do anything should your IP get into Chinese hands and they start doing what they want with it.
If someone is passing you on the right, you are an asshole for driving in the wrong lane.
The French openly admit to spying for economic reasons.
Here's me: http://slashdot.org/submission/1939555/it-will-only-get-more-complicated,
Here's timothy: http://it.slashdot.org/submission/1939613/travel-light-to-china/.
I'm giving up seeking fame on Slashdot!
Have you ever noticed that anybody driving slower than you is an idiot, and anyone going faster than you is a maniac?
That makes no sense.
If you're using a piece of technology that may have been compromised, then it makes absolutely no difference whether you type in a password or attach a USB drive, open a text file containing the password, display it on your screen and copy it to the clipboard. There are four simple vectors of attack just in that sentence, none of which require more access than a keylogger: Clone any drive as soon as it is mounted, copy every single file that is opened, record the screen, or store everything copied in the clipboard. (2 and 4 are probably the way to go, since they take the least time and resources while focusing on what is important to the user.)
As the rest of the article makes perfectly clear, hardware is only your hardware while it is not compromised. This policy must be followed rigorously. Regardless of how many layers of VPN, tor or whatever you connect through, you have to be certain that your end of the connection actually belongs to you, in order to be certain that your information is not leaked prior to encryption or after decryption. As for connecting through someone else's computer or a computer in a public location, hah.
Those who RTTFA (read the third fine article) may have noted the discrepancy between what Mr. Mark Bregman of Symantec does when he travels to China, versus what he sells to the rest of us: he uses a dedicated laptop for China trips, and wipes the device before and after travel. On the other hand, he defends farming out coding to China based on 1) all the big s/w vendors do it, and 2) why worry about malicious code from China, when there have been terrorist attacks on the US committed by US citizens?
Rebuttals, off the cuff:
1) Evidently, capitalists don't just sell the rope that hangs them, they'll also teach you how to tie the noose.
2) Timothy McVeigh and 8 "pro-life" murders over the course of 20 years, vs. opportunity to open back doors into virtually every PC in the United States. I think we need to check whether Mr. Bregman has registered as a lobbyist for the China Central News Agency.
Luke, help me take this mask off
We waste billions spying on our own citizens for the RIAA and MPAA, yet we still treat the Chinese like a civilized society while they rob us blind and try to poison us (literally sometimes) at every turn. WHY?
'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you'
Wait, why are we doing any kind of business with these people?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Turn your device over and read where it was made:
a. China
b. Republic of China
It doesn't matter what they do to it while you've got it there, wiping it won't help because it was made there - if they want to own you they already did.