Slashdot Mirror
Best Practice: Travel Light To China
Hugh Pickens writes "What may once have sounded like the behavior of a raving paranoid is now considered standard operating procedure for officials at American government agencies, research groups and companies as the NY Times reports how businesses sending representatives to China give them a loaner laptop and cellphone that they wipe clean before they leave and wipe again when they return. 'If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,' says Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence. The scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010 when the chamber learned that servers in China were stealing information from four of its Asia policy experts who frequently visited China. After their trips, even the office printer and a thermostat in one of the chamber's corporate offices were communicating with an internet address in China. The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them 'to certain countries,' notably China. 'Everybody knows that if you are doing business in China, in the 21st century, you don't bring anything with you,' says Jacob Olcott, a cybersecurity expert at Good Harbor Consulting. 'That's "Business 101" — at least it should be.'"
...if people traveling from Russia or China to here are told the same thing?
Good to see companies waking up to a very obvious threat. Next will be if they can figure out that sharing IP for a little bit of extra market share over there is NOT a good long term investment.
Since your laptop can be confiscated legally at the border.
DNA in your Linux: DNALinux
When there are risks of company devices being hacked and used to spy on corporate data, is it any wonder that many companies still refuse to allow personal devices to be connected to the company networks?
Still, you have to wonder how much of these issues are due to poor maintenance and management of the corporate infrastructure enabling the penetrations and attacks.
I've heard of ONE incident where a penetration was actually a zero-day exploit and did not happen because someone didn't upgrade a server or change passwords after employees left the company. 25 years. A quarter century. And only ONE incident that wasn't someone's failure to perform due diligence of maintenance?
That doesn't say much for North America's corporate security policies, does it?
I do not fail; I succeed at finding out what does not work.
This has been standard practice in many places for years. And not just when travelling to China. Even if you're not working with high value information, there's usually not any justification for taking equipment full of company information abroad.
My T510 Came from china in the first place...
For this purpose notebook with ChromeOS (or ChromiumOS) seems like good solution.
839*929
Since your laptop can be confiscated legally at the border.
I'm not saying it's right for them to be able to do that but they do catch individuals engaged with corporate and even economic espionage that way. The key difference here is that it's intended to be an open action against you by US Customs whereas in China the intent is for you to never know anything happened and the key logger or stolen information being covertly used without your knowledge of who did it or even what's going on. I think one is much worse than the other but I guess that's just my opinion.
My work here is dung.
I read it as... laptop taken to China, infected with something which then wormed it's way into all the systems it could when reconnected to the corporate network, which happened to include some network controllable thermostats.
i.e. the Chinese aren't after the thermostat, it was just part of a system which got compromised.
These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
If you travel to China, this is old news.
Yes, some businesses are beginning to require wiped travel laptops for entering the US. I have to say that I do not know anyone personally who has had laptop issues at the US border (although I know that there are some people who are on some sort of list and have them frequently). The assumption is, if you go to China, you will probably be hacked, and it's not going to happen at Customs.
By the way, in my experience Chinese firms are incredibly paranoid about this, much more so than US firms. I suspect that paranoia has some justification.
Sigh.
Cue all the "BUT THE US IS WORSE THAN CHINA!" posts. You should log off WoW and read a little on Amnesty International about China. Could the USA do much better? Absofreakinglutely - But I can tell you as a Canadian business traveller that the USA is orders of magnitude less intrusive when it comes to visitors to their country. The next time you're in China go try to surf Tibet videos on Youtube and let me know how that goes for you.
Stop doing businees in and with China, entirely. /radical concept I know.
Bring manufacturing and jobs back to your home country/state and improve your own damn economy.
So rise up, all ye lost ones, as one, we'll claw the clouds.
So take a laptop filled with misinformation, science fiction, and totally bogus stuff. If enough people do this, your adversary will bankrupt himself trying to figure it all out. Extra points for the size of the server farms you can get trying to decrypt output from /dev/random.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Exactly.
I'm much more worried about how the U.S is allowing drones to be used by police agencies in this country to spy on us, etc., etc., etc.
I'm sure if you were a major stakeholder in a company with valuable IP, that had business with China you would have a different attitude. The reason you don't need to worry about either is because you don't have any IP of worth that the Chinese want and you are not doing anything illegal. I'm not saying either is OK, just that jet fuel is expensive and following your every move is not worth their time, and how exactly can a drone invade your privacy any more then a manned plane?
Knowledge = Power
P= W/t
t=Money
Money = Work/Knowledge so the less you know the more you make
China is 1.5 billion people. all of anglosphere and europe AND russia combined, cannot match that market. and its a growing market. not a saturated one.
Read radical news here
The lesson to take from this is: don't store valuable information on your thermostat.
pot calling kettle
My cooking pots are stainless steel. My kettle is likewise stainless steel. Nether can talk and as far as I'm aware nether has racist tendencies.
It's time that whole pot/kettle thing was just forgotten about.
how exactly can a drone invade your privacy any more then a manned plane?
Lower cost. Virtually all of your privacy(especially if you are just Joe Sixpack) isn't protected by some fancy set of 'rights' or a 'judicial system', it's protected by the fact that watching you is too expensive to be worth the likely results.
The cheaper surveillance gets, the further down the food chain you can expect it to go, and the more frequent(and effective, unlike the grainy camera at EZ-mart that has been recording over the same grungy VHS tape since 1997...)
Unless surveillance has some atypically wonky demand curve, which doesn't seem to be the case, lowering the price will increase the amount done.
The Chinese "middle class" surpassed the population of the entire United States or Europe several years ago. Sure, that still leaves roughly a billion poor people, but with nearly a half-billion doing well, they have some serious internal market power. This also bodes well for political change within China.... a half-billion people with iPhones (or clones) and cars are going to start asking why they don't have more control over their lives at some point.
Of course, with twice as many people stuck in rural poverty while seeing a growing bourgeoisie, there's another potential road to political change....
His phone probably doesn't accept cookies. ;-)
Lost at C:>. Found at C.
Because once the cost is driven down so much by the commoditization of the hardware that it becomes ubiquitous, they will not stop at looking for marijuana crops.
The argument is called a slippery slope and perfectly valid. For popular media references see everything from The Simpsons to the Clint Eastwood classic Magnum Force.
The distinction isn't manned or unmanned surveillance, it is the frequency and pervasiveness.
[Note: The Magnum Force reference is to the slippery slope argument in general, not necessarily total surveillance in specific.]
Learning HOW to think is more important than learning WHAT to think.
Your question has been answered. There is no difference, there's just more of it.
I can't make a solid legal argument because it has not been tested. SCOTUS refused to rule on whether GPS tracking, as ean example of constant monitoring, is an invasion of privacy, solely because trespass was involved on placing it there. So the question of whether it is legal to record someone's movements constantly is an unresolved legal question.
It is not a foregone conclusion, as you seem to believe, that non-stop monitoring is perfectly legal. It will be done until it is challenged. Tracking software on top of automated drones makes it possible to track individuals going about their daily lives in fairly good detail at this point, were it allowed to continue. That level of detail is excessive compared to what law enforcement needs to do its job.
I happen to believe that the Constitution and Bill of Rights make it clear that as long as you're not bothering anyone, you're free to act unimpeded. When you start setting off enough flags that someone thinks you're doing something illegal, law enforcement will put together a warrant request and then are allowed to investigate. Constant monitoring, license plate tracking, internet interception, and all of the modern surveillance techniques are so far removed from what the Founding Fathers even considered that there is no way you can just assert it's fine without a court test.
In other words, the question is to you, to argue that this is not an invasion of privacy. Until it is answered by the courts, who have already trampled on just about everything else using a combination of terrorism and commerce clause to steamroll whatever we have left. One side pushes for more surveillance, the other pushes back, and then it gets resolved in a court. Until then you're going to have to bring more to the table than this as a defense.
I apologize if I was insufficiently clear on this aspect of the 'price' argument:
Historical legal norms, governing what is/isn't protected, what does/doesn't require special permission, etc. are crafted in response to the situations that the lawmakers have to confront, either hypothetically, when crafting legislation, or in actuality, when a case comes before a court. In no small part, those actual and hypothetical situations are influenced by technology, what it costs and what it can do. If something is impossible or economically prohibitive in virtually all cases, there isn't any impetus for legal norms or institutional protections to grow up and prevent it.
Consider, for example, the notion that things done in public spaces are fair game without any sort of warrant. Historically, that seems plausible enough: cops are a limited resource, and people have lousy memories, so everybody who is acting normally enough to be forgotten quickly, and isn't interesting enough to justify the expense of having one or more agents tailing them with a notebook is safe. Thus, in practice the historical standard was not'anything is fair game in public', it was 'anything notable enough for Joe Citizen to remember it later, and anyone worth the expense of tailing manually is fair game'. If, through some innovation in cameras and machine vision, say, it becomes technologically and economically viable to track everybody all the time, the formal 'in public, no problem' standard hasn't been violated; but the previous actual 'only stuff of note, and people suspected enough to spend real money on for some reason' standard is overwhelmingly weakened.
Overflights would be a similar thing: as long as aircraft time costs some hundreds of dollars or more an hour(depending somewhat on your chosen craft and method of cost accounting), the de-facto standard for aerial observation is actually fairly high. It doesn't demand a warrant; but it demands some internal explanation good enough to move those resources. If flyovers cost $10/hour or $1/hour, that de-facto standard would vastly weaken.
That's the real core of the argument: outside of specific, dramatic, cases(like getting evidence stricken from a trial because it was illegally obtained, where your protections are essentially purely legal, since the practical side has already happened and gone against you), the real standards that governed relations between people and the state(or one another) have always been governed to a great degree by logistics, with law stepping in in situations where logistics seemed to be providing a bad result. If you merely examine those accumulated legal fixes, without reference to the logistical situation under which they were enacted, you grossly distort the actual protection(or lack thereof, as in the stereotypical gossipy small town where everybody knows everybody) which a given legal standard implied in practice. Technological change tends not to attack specific, legally formulated, protections/nonprotections very much, it just massively changes their operational significance.