The Trouble With Bringing Your Business Laptop To China

snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"

Re:That's only one of the problems

[DragonWriter]

Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?

Controlled technology includes software as well as hardware.

Re:encryption

[homer_ca]

A hardware keylogger inline with the keyboard cable takes care of that. It only means they'll have to break in twice instead of once.

Encryption: Not allowed

[jabberwock]

From The New York Times in February:

Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.

Re:throw away laptops

[swillden]

ChromeOS encrypts all user data by default, automatically verifies the integrity of all software during startup, and reverts to a known-good version in the event any compromise is discovered. Boot verification is based on code and data stored in ROM, so subverting it requires modifying the hardware. Run-time compromise must be done by leveraging web-style attacks (cross-site scripting, etc.) and can normally only achieve what web-style attacks can achieve which is access to data from other sites, etc. In the event deeper compromise is achieved, it's lost as soon as the device is restarted, until the user visits the malicious web site again.

Use a Chromebook, connect only to trusted sites and only over SSL, and you become an extremely hard target for compromise. Little if any of your data is actually stored on the device, what is cached on it is encrypted. When you get home, reboot and you're very, very likely to have a trustworthy system again. Do a factory reset and it's guaranteed to be clean (barring hardware hacks), since all data will be gone, and any modified code will be detected by the verified boot process. And, as a last resort, you only paid $200 for the thing, so if you fear hardware hacks, just chuck it and buy a new one. It's unlikely to add more than about 5% to the cost of your trip.

http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

Re:Shred of Evidence

[Man+On+Pink+Corner]

US export law is no joking matter. It is impossible to exaggerate how goofy the rules are, and how much trouble you can get in for violating them. It doesn't matter if you're a hacker in a basement or a Fortune 100 defense contractor -- you do not want to mess around with these people.

Some examples of the evidence you're asking for.

More here. I think my favorite is the veterinary supply wholesaler in Waukee, Iowa who was fined $250,000 for sixteen unlicensed exports of cattle prods to Mexico.