The Trouble With Bringing Your Business Laptop To China
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.
Take a TRS-80 and watch them try to figure it out.
A feeling of having made the same mistake before: Deja Foobar
Why doesn't your business mandate HDD encryption?
China isn't the only place this goes on...
Hardcore gay porn as the only contents of the laptop. not even an OS. just a drive full of pronotron of the rankest variety. compute on an sd card that you keep in your person...or on your person. depends how paranoid you are :)
Who leaves their business secrets in the open? Especially laptops: they get lost, stolen, or, as the article says, examined by people. Really, you can use a TrueCrypt container and hide it somewhere.
If you are travelling anywhere without HDD encryption, then you kinda deserve this. By the way, let's see them trying to put spyware on a PowerPC Linux laptop. :)
They're there in their room. You're on your own.
I'd love to know how! Do you have any idea how difficult it is to reach for a stupid RSA key while one-hand-surfing in my hotel room?
I keep the mounting screws out of my laptop hard drive's carrier, so I can easily swap in multiple drives. If I ever visit China, I'll make sure to carry the drive with me at all times in my coat pocket unless I'm actually using my laptop! (Plus, I encrypt the entire drive with TrueCrypt.)
Find me one case of this happening. The article can't find one and I sure as hell don't think it's as common as they want you to think.
I see a great market opportunity here; a system whereby if your keychain dongle isn't inserted into the usb port, the laptop battery goes critical on bootup.
That scenario is completely the fault of the user and/or the IT infrastructure employed at their company. Do you think this doesn't happen when foreign nationals visit the USA? F-Bait.
http://www.schneier.com/blog/archives/2009/07/laptop_security.html
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
Full disk encryption with BIOS level password? Nah.
Keep it locked in a steel tamper-proof suitcase? Nah.
Physical locks on laptop exterior? Nah.
Log on email notifications and alerts? Nah.
Cover it with hello kitty stickers and used condoms? ***dons shades***...OPPAS GANGNAM STYLE HURR DURR
'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
I had this problem when I was doing work with associates in China when I was working to develop some software to use there. After going out one night I noticed the next day my laptop had been gotten into. Sure they poked around, but I didn't care. Not stupid enough to actually bring any data physically there with me. Checked the machine for anything funky, but seemed he was poking around to copy any interesting data. In the end they ended up trying to screw us & do the job we were doing, which they found really hard without our actual software in their hands. We just ran pointers that always pushed data from China back to the US where we churned through the data because I was a paranoid maniac. Sucks the company went under due to them, but felt a sort of sick satisfaction they ended up looking really dumb when everything ground to a halt suddenly.
She's REAL!
"Flyin' in just a sweet place,
Never been known to fail..."
Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.
there are 3 kinds of people:
* those who can count
* those who can't
There are several ways around this, with increasing levels of overhead.
0) don't bring the laptop to begin with. (Hehe.. har.. yeah, who am I kidding?)
1) yank the HDD completely, boot the laptop using a custom knoppix DVD, with an RDP client. Save your work in the cloud/at the enterprise, behind a strong enterprise password. Malware magically vanishes when the laptop powers down. No local data to collect.
2) use something like black ice defender.
3) use whole disk encryption with almost religious zeal.
Personally, I prefer the live dvd approach. It has fringe benefits of always being a fresh, clean environment, and a complete black hole for forensic data recovery. Only the rubber hose method to get you to reveal the RDP account password remains as a reliable method of intrusion, though this assumes you aren't an idiot, and weren't so stupid as to package a keyring on the live DVD. (The whole idea is to keep sensitive data OFF the system!) If you absolutely NEED a keyring, find some way to use an actual usb keyfob to store it, and always carry your keys.
Regardless of the method used, remember that allowing unauthorized persons access to the physical system is practically synonymous with being pwned. The live dvd method only gives them physical access to a terminal.
I assume this happens principally to people who use Windows and don't use:
a- a BIOS password
b- a password protected user account
c- a (different password) password protected admin account
d- an OS that's secure (meaning obviously nothing from Microsoft!)
e- tamper-evident seals on all access points on the machine
f- a physical lock on the computer preventing or at least decreasing the odds of the computer wandering off.
g- the common sense not to take anything important with you on your computer, or sensitive, data-wise.
My own approach when I travel on business is to use a computer that doesn't have a hard drive. I have mine configured to boot from CD-ROM, have a MintLinux distro on CD that I boot from, and a card-reader, and files I use are stored on the card (MicroSD HC, and on my most recent trip, SDXC and an Extreme Capacity-compatible card reader), so that if the computer is lost or stolen, I still have the disc and removable media with the data on it.
I also have a netbook with a similar setup, except that the distro is on a separate chip, in a very neat little card reader from Elago.
I carry the removable media and the CD (also technically RM) with me, on my person under these circumstances, even if I have to leave the machine at a hotel.
I haven't personally resorted to the tamper-resistant measures I mentioned above, but if I went to China, I think I would. But I'm just paranoid that way.
You take a laptop to China. In your coat pocket is a "live" thumbdrive, which remains on you at all times. You don't care what's on the laptop, because you boot the thumbdrive to do work.
When you leave China, toss the (presumably compromised) laptop in a dustbin in the airport restroom.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I recommend using a hosts file to prevent spyware. I also use this as my wallpaper to prevent people from searching my computer.
I travel all the time, for business.
China is not the only country where industrial cloak and dagger stuff happens.
The other countries where I've personally encountered industrial espionage activities include Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and, you will be surprised, I have had similar encounters in Canada, UK, Australia, and also US of A, although not that often.
Muchas Gracias, Señor Edward Snowden !
So how do they get in and install stuff?
I see a lot of unsubstantiated opinions. How about some credible sources that this is happening?
I work for IBM and it is mandatory for all employees to have BIOS bootup password and PGP encryption no matter what OS your laptop is running and these requirements apply to desktops too.
One is a Sony Vaio piece of junk. Super small, super thin, super light, and super slow. It works great for email and office, though. It has truecrypt full disk encryption, and a BIOS password. (which aren't the same).
My "real" laptop is a Macbook Air. It has file vault turned on and the EFI boot password enabled.
I seriously think anyone would have a problem getting a drop of data off of either of them. Installing Spyware is difficult if they can't decrypt the drive. Even if there are secret back-doors into Truecrypt or FileVault, I would rather suspect they are shared with NSA or MI6, not the Chinese Government.
I think it would be 100x easier to hack my Dropbox Account.
And besides, anything really important is usually saved on OpenOffice format with a separate password (so that I don't mind having in Dropbox for a backup).
Do you have a shred of evidence that anyone who was not engaged in arms trafficking has been indicted for an ITAR violation?
You stand more of a chance of having your laptop data stolen in the U.S. than China, or almost any other country.
Travel 101: don't leave your valuables in the room.
IT 101: secure laptops. You don't need China to lose your laptop or have it stolen, inside or outside the hotel.
The best thing to use is an Ironkey with a virtualized OS using a product like Moka5. Moka5 does not use any memory on the host and ensures that no keyloggers are in place. Ironkey is a DOD level security memory stick which will kill itself if a person violates the rules you set on the web. If you were to lose the stick, the next time it's on the internet it will contact the Ironkey host and lock itself up and/or wipe itself.
and infect them right back!
At minimum, a good Windows logon password, BIOS set to not boot from CD & USB drives, and a BIOS password will stop most entry level snoopers. If you're worried, take your battery and PS with you in a backpack or keep them in a friend's/co-worker's room. Bring a small motion activated spy cam to leave in your room, see if your fears are true. Keep your data encrypted or have someone back in the office email (encrypted files) it to you, or get it off your company's secure servers before your meeting.
Don't bring a standard laptop. You can easily outsmart them.
Grab an ARM based laptop (chromebook) and install Linux. The China spooks will not have any clue as to why their spyware is not running.
Do not look at laser with remaining good eye.
Just encrypt your actual work files then leave one unencrypted on the desktop called "Work Documents". Each file contains an endless string of the text "All work and no play makes Jack a dull boy". Hundreds and hundreds of files all with the same repeated text. Not only will they avoid your room but you can tell who was doing the spying, they're the maid that turns and runs when they see you in the hallway.
Or any other form of encryption for that matter - I see no reason to use PGP in particular.
We don't even have people that travel outside the country and yet your security standards state that:
A. The laptop is wiped and re-imaged upon return. Every time.
B. The user simply uses the laptop to VPN into our corporate network which is protected by a random keyfob plus all the usual security.
C. Corporate laptops never leave the sight of the user. You take it with you everywhere you go. Period.
Granted, I don't think C gets followed all that much. But A and B are pretty solid. Who the hell keeps a personal laptop for work anymore?
Nothing else to say.
* Carthago Delenda Est *
Just bring a laptop that is infected with a USB virus. So when the spy plugs in their USB to download code to your laptop, your PC just infects the USB device.
1) Buy this: http://www.newegg.com/Product/Product.aspx?Item=N82E16822168002
2) Get a laptop that has a TPM. Preferably a Panasonic Toughbook or Dell Latitude. Put the drive from #1 in it. (Or better yet, buy the system with an encrypting hard drive built in.)
3) Encrypt the hard drive. I don't care how, either with BitLocker or TrueCrypt.
4) Set your laptop to boot from ONLY the hard drive in the BIOS.
5) Password protect the hard drive at the BIOS level. Also password the BIOS.
6) Back up your system (preferably using a drive from #1). Put the backup in a safe deposit box. Set a password on that drive or backup file if you can. Do this monthly like clockwork or a hard drive crash will screw you.
7) If uber paranoid, look into a BIOS-level remote protection system such as Computrace or LoJack to remote wipe the PC, but considering who you're dealing with, most likely it will never see the internet again, but it's good to thwart casual thieves.
In Soviet Russia, Trojan exploits YOU!
Of course, the same exact thing happens in the US, France, or Israel because your laptop doesn't magically become insecure when you cross the border into China and magically secure everywhere else.
But the only bad guys are in China,
So fully partition your drives with TrueCrypt and be done with it.
From The New York Times in February:
Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
How about just carrying some of those "warranty void" stickers with you and place one so that it bridges the keyboard and screen on the opposite edge to the hinge.
Now the "maid" can't open your laptop without knowing their intrusion would be very obvious to the owner.
I wonder if they still would?
Just as when Nixon died, I asked, "From whom are the next generation of politicians going to learn?"
I do that with any portable machine I use, all the time. Why would anyone not do so?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
You're welcome
Been in and out of China more often than a maiden's prayer and have always had full disc encryption and never experienced a problem.
With most multi-nationals having offices in China, the local employees are a far bigger security risk than James Bond's foreign cousin rifling through your drawers.
If you use Windows, you can install Truecrypt, and change the bootloader so it shows "Operating System Not Found".
If you use Linux, set up encrypted LVM, and have your boot partition on a separate USB flash drive, which you attach to your keyring, and carry around with you all the time.
More succinctly: "While you were out to dinner that first night, someone examined the contents of your Windows-based laptop and installed Windows-based spyware on the computer — without your having a clue."
See the problem?
(Oh, and given the Windows laptop, the "not having a clue" bit goes without saying.)
There is no actual information in that article. Some dude says: a lot of business people go to China and come back with spyware, but nobody finds the spyware or when they find it they don't report it... So how the fuck does that guy know it actually happens?
That's the paid expert version of Baghdad Bob or Tokyo Rose, only instead of doing propaganda for a country it's just for ads and traffic. Lame.
lucm, indeed.
I'm surprised nobody has video recorded this actually happening and posted it to YouTube. You would think a repeat visitor would have brought along a Nanny-Cam or some such.
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
Just take a Linux on a flash drive, and have your laptop's disk empty, and take the flash drive (encrypted of course) with you when you leave the room.
Duh
Troll like a pro, carry lots and lots of "super sekrit" docs in a poorly truecrypted volume (password on a sticky note under the mouse)
gigabytes and gigabytes of detailed looking prototype data from your projects that failed due to a fatal and truly unsolvable flaw, but fudge the data and info to mask the unsolvable part
bonus points for anything that will cost them 100 million to fail to reproduce
more bonus points at the billion, 10 billions and 100 billion level
cold fusion, hot fusion, electric vehicle, atomic reactors, there must be trillions of dollars worth of hopelessly flawed design proposals kicking around collecting dust in company archives. -- Put them to good^H^H^H^HLulzy use
Snowden and Manning are heroes.
All these people talking about throwing it away, why not donate it? If you're willing to let it go into an airport dustbin where it will likely be scavenged, you should be willing to let it go to a local school or some homeless guy. They'll image the drive anyway.
That was all just a part of my master plan! Now our poor business process and software design will destroy them from the inside! Had they just opted to design their software on their own, they wouldn't have been plagued by our constant bugs, server crashes, database outages or our pathetically slow storage capabilities! I have single-handedly set the Chinese software industry back by two decades! Muahahhahahaha! Plus their operatives should enjoy the two gigabytes of furry, zombie and skeleton porn I loaded onto the system in advance. Because I knew they'd be digging through it. Yeah...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Are you fuckin serious Infoworld?
Let me fix that for you:
When in (insert any country), don't leave your laptop alone.
took me a while but i found it :
http://it.slashdot.org/story/12/02/13/0158207/best-practice-travel-light-to-china
Put your laptop in a metal briefcase. Modify the briefcase to have a dark blue light on it that slowly pulsates.
On the top, put: Chinese text for "Dangerous - deadly voltage". The dark blue light is a color associated with death, mourning and funerals. Red, on the other hand, is considered very lucky. That's a detail that will stick in their minds like a splinter under your nail.
It won't stop them of course, but it might give them a bit of a pause. Of course, if you actually follow through and hook a taser up to the thing, you're gonna have some very frizzy, highly pissed off Chinese security agents wanting to speak with you.
[End Of Line]
Just partition the HD, install MSDOS 3.11 and set it as the default boot. Make your 2nd partition nothing but randomized noise. Setup camera and prepare to send to AFV... Then carry an encrypted Flash drive and let it boot your OS of choice. Don't ever let the flash drive out of your sight. Be sure to scrub your laptop prior to reusing it once you are back home, or just throw it out.
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilated, human computer scientists)
I work for a major multi-national corporation with big interests in China. Every transportable computer in the company has strong full-disc encryption installed by default, and NO ONE is allowed to divulge the ID/password required to boot it. If you are going to travel internationally, you back up your system before you leave. If some border agency demands the keys to your kingdom, you give them the laptop, but not the keys. Then the company ($40+B and major presence in every country) will bang on a few heads until the system is returned and some poor schlub is hung out to dry...
If I were to use a (wiped) laptop, say a Macbook Pro (nothing on the internal drive - maybe no internal drive at all, so the machine can't boot) and a bootable encrypted 256GB USB flash drive (USB 3.0, which the newer MBPs have), could I simply boot from the flash drive, do my stuff, then shut down and remove the flash drive, keeping the flash drive with me at all times? Would that prevent the pwned-in-my-absence attacks TFA talks about? I know it won't eliminate the usual hazards when I'm running my laptop, but won't this eliminate the unattended covert reading of data and installing malware problem?
A legal permanent resident (green card) can be a US person for export control. A US citizen can be a foreign person, if they represent or have certain business relationships with a foreign company.
That said, the required "due diligence" is fairly sketchy.. Ask the person "Are you a US person for purposes of export control?".. they say yes, and you don't have any obvious reasons why not to believe them (holding a Chinese passport in their hand while they talk to you), and you just say " ok, here is this export controlled information, you understand the restrictions?"
From the article:
"While these things happen in the U.S., the difference is that, in addition to normal criminal activity, these countries also have government-sanctioned cyber espionage to back these thieves," Irvine says.
Now that's a surprise to me. This means that the US has NO government-sanctioned cyber espionage? I would take this as a definite proof of the decline of the US.
While working on a big joint venture in China with a state owned company - I had an attempt to get into my PC
Except I was prepared - I was warned by a friend who had done deals in China before
So I removed the hard drive from my laptop and closed everything up again. I just kept my hard drive on me wherever I went - Including on flights, bathroom, everywhere!
Came back one evening after dinner to find that my bag had been neatly opened and the laptop inspected and returned - what they didn't know is that I had marked the joints of the laptop with a couple of tiny bits of dark tape that would be broken if you tried to insert a usb device or opened the lid.
Two of the five were broken - on the laptop lid and on one of the usb drive.
Two days later I was slipped something that made me damn sick that I had to go to a pharmacy and doctor - while out of my hotel room again - I had my laptop tampered with.
Needless to say - this all pissed me off. So we signed a temporary agreement with the view that we would renegotiate - On my Turf this time.
This time I was prepared and we fucked them up in negotiations. The most one sided legal agreement ever. So our Chinese "Partners" are still paying for it and they can't get out of the agreement without losing several million dollars worth of stock and paying us out several million in damages.
Make them bleed through their eyes!
Well, when travelling to the US, I have been asked at customs to unlock my (corporate-owned) laptop. It was then taken away for 20m before being returned to me. I wonder what customs did with it during that time; they would not say.
We have the same problem. With an obscure little country called the USA.
Sorry, but the hypocrisy is staggering. We are NOT allowed to even bring an encrypted laptop across US borders.
Religion is what happens when nature strikes and groupthink goes wrong.
Unless you want them to become Israel's secrets too.
confiscate your laptop like the U.S. does at the border.
Lock your laptop in a hard case while you're out.
Whenever I have to cross international borders (both ways), I make sure I zero my hard disk and reset any other electronic equipment like smartphones to factory state (making sure to zero all personal data, if it allows me). The customs are allowed to take an image of my disk, but all they will get is zeros.
Meanwhile at my destination I'll install some version of linux again, but I don't run anything but some personal stuff on it while I'm there, nothing of any sensitive nature will run on it.
I'm not bothering with full disk encryption in this case, since I assume they will already have access to everything I will access while I'm there.
This might be a bit inconvenient, but this should be the default mode of operation. Laptops should not contain sensitive data, since you cannot control access to them.
Who is the idiot that leaves the laptop with sensible info not password protected and data encrypted?
And how does this differ from sensible documents not being physically secured from 3rd party?
Love many, trust a few, do harm to none.
Allegedly, the US, unlike China, does NOT use government resources to do economic espionage to help American business, which strikes me as bizarre.
If they aren't -- they should be. Certainly if I were in charge, I'd be making the intelligence community earn their keep.
Instead of just a "China laptop" that's a throwaway, I would imagine it would be interesting to have deep-installed monitoring software, stuff that can sit under the OS and record precisely what happens and when, even to the point of taking a surreptitious webcam pic of whoever is messing with your laptop.
-Styopa
Wow, you have slow digestion.
My evening meal reappears the next morning...
Both you and the previous commenter link to articles that simply repeat the *BELIEF* that these precautions should be taken, but what GP asked for was evidence of it *ACTUALLY* happening.
I too encrypt everything, I too assume my PCs are bugged, however I don't believe it's particularly widespread.
Really. Where's the beef, boys? Where's the beef?
Or is it just that it's OK as long as you're *allowed* to complain about it, even though it still happens?
I can think of many reasons not to use PGP in particular
Encrypted drives. Someone will have loads of fun booting up my laptop and not getting anything from it. Go go Truecrypt.
The Chinese are only copying data, not "stealing" anything. At worst it's copyright infringement, and we all know that copyright infringement!=theft.
To have a right to do a thing is not at all the same as to be right in doing it
Just take out the HDD and take it with you, You can then leave the laptop unattended. Problem solved.
This is more of an IT problem. Most people underestimate how vulnerable their machine is... and how vulnerable they are. When you leave the US and enter another country, you are no longer under US law or protection. Physical access to a machine trumps all security measures. I would suggest a new form of secure laptop... one that prevents you from opening or turning it on without fingerprint, retina and iris scans as well as an extremely long and complex passphrase... I highly recommend against security questions because most of this info can be obtained just by meeting you in person or a simple background check. Bring your machine with you everywhere and LOCK IT DOWN!!!
If you were learning English as a second language from documents stored on American laptops.
People think you spoke Chinese too.
Stop doing business in China. Will it hurt your bottom line? Probably, but the world would be a much greener place without cheap Chinese labor.
Exactly same problem in Poland, personal experience
If I were in a position to travel to a place this was likely to happen and with important secrets (business or other) I wouldn't just not leave a laptop lying around... I'd leave a laptop with fake information. It would have bad designs, bad formulas, bad business strategies whatever fit my position. It would all be designed to fail on purpose. Remember all the bad capacitors?
Why just keep your competitors out of your stuff when you can do so much more? It serves them right if they are trying to steal from you in the first place!
If you think that the Chinese government can do this, what makes you think that your government isn't doing the same or worse ?
Seems like news from the Eastern front are all bad these days. what a reputation for a country boding 4000 yrs of "civilization" and the "middle country" pathetic
I see a lot of people here talking about encrypting the laptop using TrueCrypt, live boot CDs, etc., or any number of other 'technical' solutions. Depending on the country you go to that could get you thrown in jail.
Remember, guns and jail time trump policy and technical expertise.
There are some practical considerations to take, such as reviewing whether or not you have anything in terms of software or data that could run foul of export controls. You also need to assume that any data on your laptop will be copied. You also need to assume that your password will be obtained by a key logger or other means.
The easiest way to do things is to have a loaner pool of laptops that /never/ touch the corporate network. To make it easier to differentiate them I would suggest using a different model or make than you use elsewhere in your company. When it comes time to travel you have a laptop pre-configured by your IT department with only the bare minimum software and data that you need and is safe for legal purposes (foreign and domestic).
When you return the laptop is wiped and BIOS reset and it never touches the corporate network. Same thing for flash drives. The same thing /needs/ to happen with any passwords that you have.
If you're extra paranoid you can weigh your laptop before and after the trip to see if a hardware keylogger is installed. Laptop models vary but the components inside are often common and a keylogger for one keyboard ribbon would likely work on a wide range of models from multiple vendors.
You can also configure your VPN to bring you to a sandbox server that is firewalled off from the rest of the network. That way if someone gains your credentials or steals your laptop they can't log in as you and start wholesale downloads of data using your credentials.
Remember as well that all of this advice applies just as much to your cell phone as it does to your laptop!
Take a laptop full of advanced malware. Infect the entire Chinese spook network.
Or fill it with garbage designed to look important and encrypted. Let them waste their efforts trying to decrypt it.
Honestly, people, I'm tired of having to think of everything.
When I travel, I normally remove the hard drive and carry it with me in my pocket. Laptop drives are not exactly large, once you remove them from whatever adapters they use. Most fit into the palm of my hand, and are easily stored in my pocket.
If they ask me to boot at airport security, I typically allow the inspecting officer to clearly see me use a Linux or BSD live DVD to boot the system. They see this, and have never once failed to wave me on through. Not even most airports in the world use body scanners like the paranoid USA and UK.
So they ought to have the right to do whatever they want with their property, don't they? But you are **making business** there.