Slashdot Mirror
Best Practice: Travel Light To China
Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
...if people traveling from Russia or China to here are told the same thing?
Good to see companies waking up to a very obvious threat. Next will be if they can figure out that sharing IP for a little bit of extra market share over there is NOT a good long term investment.
Since your laptop can be confiscated legally at the border.
DNA in your Linux: DNALinux
When there are risks of company devices being hacked and used to spy on corporate data, is it any wonder that many companies still refuse to allow personal devices to be connected to the company networks?
Still, you have to wonder how much of these issues are due to poor maintenance and management of the corporate infrastructure enabling the penetrations and attacks.
I've heard of ONE incident where a penetration was actually a zero-day exploit and did not happen because someone didn't upgrade a server or change passwords after employees left the company. 25 years. A quarter century. And only ONE incident that wasn't someone's failure to perform due diligence of maintenance?
That doesn't say much for North America's corporate security policies, does it?
I do not fail; I succeed at finding out what does not work.
This has been standard practice in many places for years. And not just when travelling to China. Even if you're not working with high value information, there's usually not any justification for taking equipment full of company information abroad.
For this purpose notebook with ChromeOS (or ChromiumOS) seems like good solution.
839*929
Since your laptop can be confiscated legally at the border.
I'm not saying it's right for them to be able to do that but they do catch individuals engaged with corporate and even economic espionage that way. The key difference here is that it's intended to be an open action against you by US Customs whereas in China the intent is for you to never know anything happened and the key logger or stolen information being covertly used without your knowledge of who did it or even what's going on. I think one is much worse than the other but I guess that's just my opinion.
My work here is dung.
I read it as... laptop taken to China, infected with something which then wormed it's way into all the systems it could when reconnected to the corporate network, which happened to include some network controllable thermostats.
i.e. the Chinese aren't after the thermostat, it was just part of a system which got compromised.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
Sigh.
Cue all the "BUT THE US IS WORSE THAN CHINA!" posts. You should log off WoW and read a little on Amnesty International about China. Could the USA do much better? Absofreakinglutely - But I can tell you as a Canadian business traveller that the USA is orders of magnitude less intrusive when it comes to visitors to their country. The next time you're in China go try to surf Tibet videos on Youtube and let me know how that goes for you.
Stop doing businees in and with China, entirely. /radical concept I know.
Bring manufacturing and jobs back to your home country/state and improve your own damn economy.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Exactly.
I'm much more worried about how the U.S is allowing drones to be used by police agencies in this country to spy on us, etc., etc., etc.
I'm sure if you were a major stakeholder in a company with valuable IP, that had business with China you would have a different attitude. The reason you don't need to worry about either is because you don't have any IP of worth that the Chinese want and you are not doing anything illegal. I'm not saying either is OK, just that jet fuel is expensive and following your every move is not worth their time, and how exactly can a drone invade your privacy any more then a manned plane?
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
how exactly can a drone invade your privacy any more then a manned plane?
Lower cost. Virtually all of your privacy(especially if you are just Joe Sixpack) isn't protected by some fancy set of 'rights' or a 'judicial system', it's protected by the fact that watching you is too expensive to be worth the likely results.
The cheaper surveillance gets, the further down the food chain you can expect it to go, and the more frequent(and effective, unlike the grainy camera at EZ-mart that has been recording over the same grungy VHS tape since 1997...)
Unless surveillance has some atypically wonky demand curve, which doesn't seem to be the case, lowering the price will increase the amount done.
Because once the cost is driven down so much by the commoditization of the hardware that it becomes ubiquitous, they will not stop at looking for marijuana crops.
The argument is called a slippery slope and perfectly valid. For popular media references see everything from The Simpsons to the Clint Eastwood classic Magnum Force.
The distinction isn't manned or unmanned surveillance, it is the frequency and pervasiveness.
[Note: The Magnum Force reference is to the slippery slope argument in general, not necessarily total surveillance in specific.]
Learning HOW to think is more important than learning WHAT to think.
I apologize if I was insufficiently clear on this aspect of the 'price' argument:
Historical legal norms, governing what is/isn't protected, what does/doesn't require special permission, etc. are crafted in response to the situations that the lawmakers have to confront, either hypothetically, when crafting legislation, or in actuality, when a case comes before a court. In no small part, those actual and hypothetical situations are influenced by technology, what it costs and what it can do. If something is impossible or economically prohibitive in virtually all cases, there isn't any impetus for legal norms or institutional protections to grow up and prevent it.
Consider, for example, the notion that things done in public spaces are fair game without any sort of warrant. Historically, that seems plausible enough: cops are a limited resource, and people have lousy memories, so everybody who is acting normally enough to be forgotten quickly, and isn't interesting enough to justify the expense of having one or more agents tailing them with a notebook is safe. Thus, in practice the historical standard was not'anything is fair game in public', it was 'anything notable enough for Joe Citizen to remember it later, and anyone worth the expense of tailing manually is fair game'. If, through some innovation in cameras and machine vision, say, it becomes technologically and economically viable to track everybody all the time, the formal 'in public, no problem' standard hasn't been violated; but the previous actual 'only stuff of note, and people suspected enough to spend real money on for some reason' standard is overwhelmingly weakened.
Overflights would be a similar thing: as long as aircraft time costs some hundreds of dollars or more an hour(depending somewhat on your chosen craft and method of cost accounting), the de-facto standard for aerial observation is actually fairly high. It doesn't demand a warrant; but it demands some internal explanation good enough to move those resources. If flyovers cost $10/hour or $1/hour, that de-facto standard would vastly weaken.
That's the real core of the argument: outside of specific, dramatic, cases(like getting evidence stricken from a trial because it was illegally obtained, where your protections are essentially purely legal, since the practical side has already happened and gone against you), the real standards that governed relations between people and the state(or one another) have always been governed to a great degree by logistics, with law stepping in in situations where logistics seemed to be providing a bad result. If you merely examine those accumulated legal fixes, without reference to the logistical situation under which they were enacted, you grossly distort the actual protection(or lack thereof, as in the stereotypical gossipy small town where everybody knows everybody) which a given legal standard implied in practice. Technological change tends not to attack specific, legally formulated, protections/nonprotections very much, it just massively changes their operational significance.