Slashdot Mirror
The Trouble With Bringing Your Business Laptop To China
snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"
The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.
Take a TRS-80 and watch them try to figure it out.
A feeling of having made the same mistake before: Deja Foobar
Why doesn't your business mandate HDD encryption?
China isn't the only place this goes on...
Hardcore gay porn as the only contents of the laptop. not even an OS. just a drive full of pronotron of the rankest variety. compute on an sd card that you keep in your person...or on your person. depends how paranoid you are :)
Who leaves their business secrets in the open. Especially laptops, they get lost stolen, or as the article says people examining it. Really you can use a truecrypt container and hide it somewhere.
If you are travelling anywhere without HDD encryption, then you kinda deserve this. By the way, let's see them trying to put spyware on a PowerPC Linux laptop. :)
They're there in their room. You're on your own.
I keep the mounting screws out of my laptop hard drive's carrier, so I can easily swap in multiple drives. If I ever visit China, I'll make sure to carry the drive with me at all times in my coat pocket unless I'm actually using my laptop! (Plus, I encrypt the entire drive with TrueCrypt.)
Find me one case of this happening. The article can't find one and I sure as hell don't think it's as common as they want you to think.
I see a great market opportunity here; a system whereby if your keychain dongle isn't inserted into the usb port, the laptop battery goes critical on bootup.
http://www.schneier.com/blog/archives/2009/07/laptop_security.html
https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices
I had this problem when I was doing work with associates in China when I was working to develop some software to use there. After going out one night I noticed the next day my laptop had been gotten into. Sure they poked around, but I didn't care. Not stupid enough to actually bring any data physically there with me. Checked the machine for anything funky, but seemed he was poking around to copy any interesting data. In the end they ended up trying to screw us & do the job we were doing which was they found really hard without our actual software in their hands. We just ran pointers that always pushed data from China back to the US where we churned through the data because I was a paranoid maniac. Sucks the company went under due to them, but felt a sort of sick satisfaction they ended up looking really dumb when everything ground to a halt suddenly.
She's REAL!
"Flyin' in just a sweet place,
Never been known to fail..."
Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.
there are 3 kinds of people:
* those who can count
* those who can't
There are several ways around this, with increasing levels of overhead.
0) don't bring the laptop to begin with. (Hehe.. har.. yeah, who am I kidding?)
1) yank the HDD completely, boot the laptop using a custom knoppix DVD, with an RDP client. Save your work in the cloud/at the enterprise, behind a strong enterprise password. Malware magically vanishes when the laptop powers down. No local data to collect.
2) use something like black ice defender.
3) use whole disk encryption with almost reigious zeal.
Personally, I prefer the live dvd approach. It has fringe benefts of always being a fresh, clean environment, and a complete black hole for forensic data recovery. Only the rubber hose method to get you to reveal the RDP account password remains as a reliable method of intrusion, though this assumes you aren't an idiot, and weren't so stupid as to package a keyring on the live DVD. (The whole idea is to keep sensitive data OFF the system!) If you absolutey NEED a keyring, find some way to use an actual usb keyfob to store it, and always carry your keys.
Regardless of the method used, remember that allowing unauthorized persons access to the physical system is practically synonymous with being pwned. The live dvd method only gives them physical access to a terminal.
You take a laptop to China. In your coat pocket is a "live" thumbdrive, which remains on you at all times. You don't care what's on the laptop, because you boot the thumbdrive to do work.
When you leave China, toss the (presumably compromised) laptop in a dustbin in the airport restroom.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I travel all the time, for business.
China is not the only country where industrial cloak and dagger stuffs happen.
The other countries that I've personally encountered industrial espionage activities includes Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and you will be surprised, I had had similar encounters in Canada, UK, Australia, and also US of A, although not that often.
Muchas Gracias, Señor Edward Snowden !
So how do they get in and install stuff?
I see a lot of unsubstantiated opinions. How about some credible sources that this is happening?
The best thing to use is and Ironkey with a virtualized OS using a product like Moka5. Moka5 does not use any memory on the host and ensures that no keyloggers are in place. Ironkey is a DOD level security memorystick which will kill its self if a person violates the rules you set on the web. If you were to loose the stick the next time its on the internet it will contact the ironkey host and lock itself up and or wipe itself.
and infect them right back!
At minimum a good windows log on password, bios set to not boot from cd & usb drives and a bios password will stop most entry level snoopers. If your worried, take your battery and PS with you in a backpack or keep them in a friends/co workers room. Bring a small motion activated spy cam to leave in your room, see if your fears are true. Keep your data encrypted or have someone back in the office email (encrypted files) it to you, or get it off your companies secure servers before your meeting.
Dont bring a standard laptop. You can easily outsmart them.
Grab a ARM based laptop (chromebook) and install linux. The China spooks will not have any clue as to why their spyware is not running.
Do not look at laser with remaining good eye.
Just encrypt your actual work files then leave one unencrypted on the desktop called "Work Documents". Inside each file contains an endless string of the text "All work and no play makes Jack a dull boy"". Hundreds and hundreds of files all with the same repeated text. Not only will they avoid your room but you can tell who was doing the spying, they're the maid that turns and runs when they see you in the hallway.
Or any other form of encryption for that matter - I see no reason to use PGP in particular.
See the sad case of Prof. John Roth, of the University of Tennessee.
We don't even have people that travel outside the country and yet your security standards state that:
A. The laptop is wiped and re-imaged upon return. Every time.
B. The user simply uses the laptop to VPN into our corporate network which is protected by a random keyfob plus all the usual security.
C. Corporate laptops never leave the site of the user. You take it with you everywhere you go. Period.
Granted, I don't think C gets followed all that much. But A and B are pretty solid. Who the hell keeps a personal laptop for work anymore?
Nothing else to say.
* Carthago Delenda Est *
1) Buy this: http://www.newegg.com/Product/Product.aspx?Item=N82E16822168002
2) Get a Laptop that has A TPM. Preferably a Panasonic Toughbook or Dell Latitude. Put Drive from #1 in it. (or better yet. Buy the system with a Encrypting hard drive built in.)
3) Encrypt the hard drive. I don't care how, either with bitlocker or Truecrypt.
4) Set your laptop to boot from ONLY the Hard drive in the BIOS
5) Password protect the hard drive at the BIOS level. also password the bios.
6) Backup your system (Preferably, Using A Drive form #1). put backup in a safe deposit box. set a Password on that drive or backup file if you can. Do this monthly like clockwork or a hard drive crash will screw you.
7) If uber paranoid, look into a BIOS Level remote protection system such as computrace or Lojack to remote wipe the PC, but considering who you're dealing with, most likely it will never see the internet again, but its good to thwart casual theves.
In Soviet Russia, Trojan exploits YOU!
From The New York Times in February:
Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
How about just carrying some of those "warranty void" stickers with you and place one so that it bridges the keyboard and screen on the opposite edge to the hinge.
Now the "maid" can't open your laptop without knowing their intrusion would be very obvious to the owner.
I wonder if they still would?
Just as when Nixon died, I asked, "From whom are the next generation of politician going to learn?"
I do that with any portable machine I use, all the time. Why would anyone not do so?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
You're welcome
If you use Windows, you can install Truecrypt, and change the bootloader so it shows "Operating System Not Found".
If you use Linux, set up encrypted LVM, and have your boot partition on a separate USB flash drive, which you attach to your keyring, and carry around with you all time.
There is no actual information in that article. Some dude says: a lot of business people go to China and come back with spyware, but nobody finds the spyware or when they find it they don't report it... So how the fuck does that guy know it actually happens?
That's the paid expert version of Baghdad Bob or Tokyo Rose, only instead of doing propaganda for a country it's just for ads and traffic. Lame.
lucm, indeed.
I'm surprised nobody has video recorded this actually happening and posted it to YouTube. You would think a repeat visitor would have brought along a Nanny-Cam or some such.
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilatated, human computer scientists)
Troll like a pro, carry lots and lots of "super sekrit" docs in a poorly truecrypted volume (password on a sticky note under the mouse)
gigabytes and gigabytes of detailed looking prototype data from your projects that failed due to a fatal and truly unsolvable flaw, but fudge the data and info to mask the unsolvable part
bonus points for anything that will cost them 100 million to fail to reproduce
more bonus points at the billion, 10 billions and 100 billion level
cold fusion, hot fusion, electric vehicle, atomic reactors, there must be trillions of dollars worth of hopelessly flawed design proposals kicking around collecting dust in company archives. -- Put them to good^H^H^H^HLulzy use
Snowden and Manning are heroes.
That was all just a part of my master plan! Now our poor business process and software design will destroy them from the inside! Had they just opted to design their software on their own, they wouldn't have been plagued by our constant bugs, server crashes, database outages or our pathetically slow storage capabilities! I have single-handedly set the Chinese software industry back by two decades! Muahahhahahaha! Plus their operatives should enjoy the two gigabytes of furry, zombie and skeleton porn I loaded onto the system in advance. Because I knew they'd be digging through it. Yeah...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Put your laptop in a metal briefcase. Modify the briefcase to have a dark blue light on it that slowly pulsates.
On the top, put: Chinese text for "Dangerous - deadly voltage". The dark blue light is a color associated with death, mourning and funerals. Red, on the other hand, is considered very lucky. That's a detail that will stick in their minds like a splinter under your nail.
It won't stop them of course, but it might give them a bit of a pause. Of course, if you actually follow through and hook a taser up to the thing, you're gonna have some very frizzy, highly pissed off Chinese security agents wanting to speak with you.
[End Of Line]
Just partition the HD, install MSDOS 3.11 and set it as the default boot. Make your 2nd partition nothing but randomized noise. Setup camera and prepare to send to AFV... Then carry an encrypted Flash drive and let it boot your OS of choice. Don't ever let the flash drive out of your sight. Be sure to scrub your laptop prior to reusing it once you are back home, or just throw it out.
"Computer Scientists can count to 1024 on their fingers" (non-mutant, non-mutilatated, human computer scientists)
Well it appears that he chose to "employ" spies and then give them controlled technology. It's hardly sad when one is busted for near-treasonous activities.
I work for a major multi-national corporation with big interests in China. Every transportable computer in the company has strong full-disc encryption installed by default, and NO ONE is allowed to divulge the ID/password required to boot it. If you are going to travel internationally, you back up your system before you leave. If some border agency demands the keys to your kingdom, you give them the laptop, but not the keys. Then the company ($40+B and major presence in every country) will bang on a few heads until the system is returned and some poor schlub is hung out to dry...
Yeah this stuff happens everywhere but China is like the world's capital of industrial espionage. It happens by several orders of magnitude more in China than any other place.
US export law is no joking matter. It is impossible to exaggerate how goofy the rules are, and how much trouble you can get in for violating them. It doesn't matter if you're a hacker in a basement or a Fortune 100 defense contractor -- you do not want to mess around with these people.
Some examples of the evidence you're asking for.
More here. I think my favorite is the veterinary supply wholesaler in Waukee, Iowa who was fined $250,000 for sixteen unlicensed exports of cattle prods to Mexico.
Well, when travelling to the US, I have been asked at customs to unlock my (corporate-owned) laptop. It was then taken away for 20m before being returned to me. I wonder what customs did with it during that time; they would not say.
We have the same problem. With an obscure little country called the USA.
Sorry, but the hypocrisy is staggering. We are NOT allowed to even bring an encrypted laptop across US borders.
Religion is what happens when nature strikes and groupthink goes wrong.
confiscate your laptop like the U.S. does at the border.
Lock your laptop in a hard case while you're out.
Who is the idiot that leaves the laptop with sensible info not password protected and data encrypted?
And how this differ from sensible documents not being physically secured from 3rd party?
Love many, trust a few, do harm to none.
Allegedly, the US, unlike China, does NOT use government resources to do economic espionage to help American business, which strikes me as bizarre.
If they aren't -- they should be. Certainly if I were in charge, I'd be making the intelligence community earn their keep.
Instead of just a "China laptop" that's a throwaway, I would imagine it would be interesting to have deep-installed monitoring software, stuff that can sit under the OS and record precisely what happens and when, even to the point of taking a surreptitious webcam pic of whoever is messing with your laptop.
-Styopa
That's a very unfair characterization of Roth's actions. He employed two graduate students, one from China and then one from Iran. He had the Chinese student send him a file while he, Roth, was in China, at a Chinese professor's e-mail address. The material in the file was deemed sensitive, as was the research. I think the professor ended up in prison primarily because he didn't understand that the FBI didn't appreciate him speaking with the professorial authority, like Moses from the mountain, that he was accustomed to use in his lab and within his field of study. but he did not hire spies, at least knowingly, not that anyone knows. And, I'll just drop this in: If I were a professor in the sciences I can imagine that I might want to employ non-American grad. students. I worked with and was friends with grad. students in the STEM fields, and there were a lot of "foreign" ones, and many of those foreign ones were much harder working than the American ones, many of whom seemed to think that grad. school was just more undergrad. school.
Wow, you have slow digestion.
My evening meal reappears the next morning...
The Chinese are only copying data, not "stealing" anything. At worst it's copyright infringement, and we all know that copyright infringement!=theft.
To have a right to do a thing is not at all the same as to be right in doing it
If I were in a position to travel to a place this was likely to happen and with important secrets (business or other) I wouldn't just not leave a laptop lying around... I'd leave a laptop with fake information. It would have bad designs, bad formulas, bad business strategies whatever fit my position. It would all be designed to fail on purpose. Remember all the bad capacitors?
Why just keep your competitors out of your stuff when you can do so much more? It serves them right if they are trying to steal from you in the first place!
I see a lot of people here talking about encrypting the laptop using truecrypt. live boot cd's etc or any number of other 'technical' solutions. Depending on the country you go to that could get you thrown in jail.
Remember, guns and jail time trump policy and technical expertise.
There are some practical consideration to take such as reviewing whether or not you have anything in terms of software or data that could run foul of export controls. You also need to assume that any data on your laptop will be copied. You also need to assume that your password will be obtained by a key logger or other means.
The easiest way to do things is to have a loaner pool of laptops that /never/ touch the corporate network. To make it easier to differentiate them I would suggest using a different model or make than you use elsewhere in your company. When it comes time to travel you have a laptop pre-configured by your IT department with only the bare minimum software and data that you need and is safe for legal purposes (foreign and domestic).
When you return the laptop is wiped and BIOS reset and it never touches the corporate network. Same thing for flash drives. The same thing /needs/ to happen with any passwords that you have.
If your extra paranoid you can weigh your laptop before and after the trip to see if a hardware keylogger is installed. Laptop models vary but the components inside are often common and a keylogger for one keyboard ribbon would likely work on a wide range of models from multiple vendors.
You can also configure your VPN to bring you to a sandbox server that is firewalled off from the rest of the network. That way if someone gains your credentials or steals your laptop they can't log in as you and start wholesale downloads of data using your credentials.
Remember as well that all of this advice applies just as much to your cell phone as it does to your laptop!
Keep in mind that his grad students were the ones that created the controlled technology in the first place, while working in his lab, and there is no evidence (nor any accusations made by the Prosecutor at his trial) that his students ever surreptitiously transferred the controlled technology outside the US. As another commenter notes elsewhere, it's impossible to exaggerate how goofy the rules are, and Prof. Roth ignored the "obviously illogical and irrational" regulations -- to his detriment.
And if you think he "chose" to employ foreign citizens as grad students, you haven't visited a US science, technology, engineering, or math graduate school since, say, 1980 or so. The ratio of foreign citizens to US citizens among the electrical engineering doctoral students at a major US state university with which I am familiar is approximately 20:1.