The Trouble With Bringing Your Business Laptop To China

snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"

That's only one of the problems

[dtmos]

The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.

Re:That's only one of the problems

[ZorinLynx]

Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?

Re:That's only one of the problems

[DragonWriter]

Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?

Controlled technology includes software as well as hardware.

Re:That's only one of the problems

[dtmos]

how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?

It's the information the technologist has stored on it that is the problem. The export control laws are enforced by the Bureau of Industry and Security, and they are arcane, complex, and woefully out of date. Just to give one example, if you're a microprocessor designer, and have a design that operates at temperatures exceeding 125C, that design is controlled; carrying that design in your laptop when you go to China is a violation of the law -- whether or not it is even accessed while in China. (It's also illegal to show that design to any person of Chinese citizenship, even if you both are in the US at the time; that, too, is considered export under the law.)

Re:That's only one of the problems

[neyla]

True !

Fun Fact

encryption*SOFTWARE* was classified as munitions and restricted, meanwhile free speech laws meant that printed words could very seldom be stopped.

I was part of exporting PGP from USA legally, by way of printing the (zipped, uuencoded + checksums) source-code, mailing it physically to norway, scanning it, OCRing it and manually proofreading all lines where the checksum failed.

Re:That's only one of the problems

[chthon]

Even better, heat a samovar with it.

Re:That's only one of the problems

[rioki]

I bow before you for your great achievement! I have heard of that epic tale, but have never the option to thank anybody about it.

Re:That's only one of the problems

[neyla]

I still have the envelope, containing the 50 pages of source-code that I proofread. (it was spread over a few dozen volunteers)

Fix 'em good.

[ackthpt]

Take a TRS-80 and watch them try to figure it out.

Re:Fix 'em good.

[Dr_Barnowl]

Even more vulnerable - your compromised host machine could be screen-scraping the virtual image for all it's worth and sending the snapshots to Uncle Chang (side note - what is the Chinese equivalent of "Uncle Sam"?).

The guest machine also needs an unencrypted bootloader - because it's a virtual computer with the same BIOS implementation, which could be compromised in exactly the same way as the host.

UEFI Secure Boot? Not a defence. If you can get access to the machine, you can swap the BIOS out with one that trusts the signing key of Chinese Intelligence, and will load their signed bootloader. Or they'll just filch the Microsoft signing key and use that.

Boot from a USB that you keep on your person? Doesn't preclude your compromised laptop running some kind of hypervisor that captures all your keystrokes and again, mails them to Uncle Chang.

At the basic level they could just insert a traditional hardwired keylogger between your keyboard and motherboard, and you'd never detect it unless you were around when it decided to phone home (some models will run commands to send their logs out).

The only defence is not to leave your hardware unattended. Maybe this is a good use case for a Raspberry Pi in a physically secure case - powerful enough for basic productivity computing but portable enough to keep on your person. For maximum security you'd also have to carry the display and any input devices, so a visor display (like Google Glass), and a roll-up USB keyboard and mini-mouse would be reasonable.

Re:Fix 'em good.

[Electricity+Likes+Me]

This is also unreasonable.

While it is technically possible to do most of these things, for low-grade espionage it's way too expensive to do and requires a well-defined target (i.e. building up a stock of compromised ROMs, of every laptop you're likely to hit, would be expensive as hell and even then you might end up tripping something or damaging the hardware doing it).

The BIOS swap for example would be particularly troublesome - you'd need to pull apart the laptop, desolder the BIOS chips and solder new ones. No matter how good you are, that's not going to be done in anything less then a few hours, presuming you had all the tools, the chips, and it went flawlessly. And it would require knowing the exact make and model of the target machine.

encryption

Why doesn't your business mandate HDD encryption?

China isn't the only place this goes on...

Re:encryption

[Qzukk]

Why doesn't your business mandate HDD encryption?

Not that it would matter, some person would decide its too much trouble entering the password all the time and just leave the laptop on.

Re:encryption

[able1234au]

Encryption but to be extra paranoid, don't bring a laptop. You need to assume that there will be spies on your own payroll. Someone supplementing their pay and being patriotic at the same time. Paranoia is a good thing. Encryption is critical but don't assume it is a magic bullet. If they video or capture you typing in your password then you will have a false sense of security.

Re:encryption

[dnaumov]

Mandatory and automatic lock-up of a computer after a period of inactivity is neither new nor hard to enforce.

Re:encryption

[lister+king+of+smeg]

better yet live cd let them try installing malaware on there then, encrypt the whole drive and only use it for data storage, when chinless agents tries booting and no OS is found so he simply images you drive for later analysis let him stew for a few billion years trying to decrypt it.

Re:encryption

[homer_ca]

A hardware keylogger inline with the keyboard cable takes care of that. It only means they'll have to break in twice instead of once.

Re:encryption

[besalope]

And USB Switchblade still gets around it with ease depending on the Operating System.

Re:encryption

What good is HDD encryption when they have/had physical access to the device? If you get physical access tot he HW all you have to do is take a copy of the HDD (erm, DD will do this for you) and crack it at your leisure.

There was a story from a few years back where a fellow had his laptop confiscated. It was encrypted with TrueCrypt and the US govt tried, and failed, to break the encryption for months. So no, it's not an easy thing

Besides this, the article is bollocks made up by people who have had too much pot/coffee and not enough exposure to the real world. China's govt doesn't give a shit about your crappy companies secrets

China most certainly does care about your companies secrets if the company is involved in military contracts. Even if you don't travel, they are trying to get at the data that is here. Some of the recent fighter aircraft programs have had problems in particular with data theft.

Re:encryption

[Qzukk]

And if the laptop has a firewire port, i'm fairly certain RAM can be dumped on ANY operating system.

Re:encryption

[war4peace]

Keyboard cable... on a LAPTOP? Or do you mean they will take the laptop apart, insert a hardware keylogger INSIDE the laptop and then break in again, take the laptop apart AGAIN, read the password, etc.? That sounds a bit far-fetched, TBH.

Re:encryption

[homer_ca]

Sure, not feasible on a glued-together Macbook, but most business-class laptops have easily removed keyboards attached by a ribbon cable. On something like a Dell Latitude, it's easily a 1 minute job. The keylogger hardware isn't isn't exactly off the shelf, but not out of the question for a state-sponsored attack. Still, you have a point. Any target that's worth attacking with such sophisticated equipment is probably paranoid enough not to be traveling around a foreign country with the digital crown jewels, encrypted HDD or not.

Re:encryption

[ColdWetDog]

And if the laptop has a firewire port, i'm fairly certain RAM can be dumped on ANY operating system.

Ah, this must be the reason that Apple is dropping Firewire in it's laptops. Always looking out for us. Thanks Steve! (wherever you are)

Re:encryption

[mikeiver1]

The wise money would go a couple of steps further. Install nothing more than a plain jane out of the box live Linux CD image. Boot the thing and store/work out of a fast USB thumb drive on which all data is encrypted with the latest and greatest super kick ass encryption and a key that is very strong. You take the USB key with you around your neck. For extra points you could have the OS start the camera and record upon boot as well as screen capture every few seconds to the HDD unless a special key combo is used to shut it down.

Re:encryption

[Jeremi]

You take the USB key with you around your neck.

Still insecure, someone could grab it and run. For enterprise-level security, swallow the USB key. That will keep the USB key well and truly secure, while still giving you access to your data every 48 hours.

Re:encryption

[ramsun]

when chinless agents tries booting and ...

Oh, I say, don't mix up your countries, old boy. We chinless agents are proud to serve in Her Majesty's Secret Service. The agents of the country you're thinking of have other distinctive facial features.

Re:encryption

[Vegan+Cyclist]

As a vegan it's probably more like every 16hrs. ;)

Re:encryption

[Dr_Barnowl]

They defeat your HDD encryption by attacking the weak spot - the non-encrypted bits on your laptop.

The same physical attack pattern would work for VPN - keylogger, hypervisor, whatever, because it's still a compromised machine with access to the sensitive data.

The only defence is not to be separated from your hardware - which means carrying your laptop on your person at all times. They can still arrange to have it stolen by a "mugger", but it was all encrypted, right? But if the police conveniently "find" the culprit and give it back, you can't use it.

Re:encryption

[phoenix_orb]

China has a law prohibiting the importation of encrypted devices. They want you to boot up latptops at the airport to verify that TrueCrypt or something similar isn't running.

That's what encryption is for.

[stevenh2]

Who leaves their business secrets in the open. Especially laptops, they get lost stolen, or as the article says people examining it. Really you can use a truecrypt container and hide it somewhere.

Re:That's what encryption is for.

[sconeu]

If your boot partition is encrypted, and you can't boot without entering the password, it's harder to put a trojan or a keylogger on the system.

Re:That's what encryption is for.

[dslbrian]

This exactly. Encrypt the laptop but don't actually keep anything important on it. Instead use Truecrypt and a USB thumb drive. Have the thumb drive keyed to a different password than the laptop.

Further, as far as customs, drop a live CD of any variety in the CD drive, and have the laptop default to booting the CD. Now when custom guys asks to inspect your laptop, say sure, and let it boot the live CD. You can be amused while they laugh at how slow your laptop boots. In the end let em clone the HD, whatever, even if the NSA cracks it there is nothing on it. Everything important is on the thumb drive that you have "hidden" away (usually in plain sight on a keychain).

As far as the article, carrying your corporate secrets encrypted in your pocket will make any thieves job harder, and having the laptop encrypted will force them to install keylogger hardware, a more time consuming and harder thing to get away with. If I were such an executive and had real concerns I would just get a throwaway laptop, or better yet have some fun and epoxy all the case screws in. There are possibilities.

Re:That's what encryption is for.

[blueg3]

If your boot software is encrypted, how does your system boot at all?

Oh, I see, you're thinking of something like Truecrypt. So, when you boot, where does the code that knows how to decrypt your hard drive live? Why can't the attacker put the keylogger there?

Re:That's what encryption is for.

[Anubis+IV]

Why does everybody think that crypto has to be done in software?

Better question: why does everyone forget that keyloggers don't need to exist in software? As someone pointed out up above, a hardware keylogger spliced into the keyboard cabling could easily recover your boot password, allowing them to turn around and use that password to access the rest of your "secure" system. It does add an extra inconvenience for them, since they'll need to get access to your computer twice, but if you're there for a business trip, it's likely that they can part you from your laptop during a meal, some socializing, or even if they convince you it's easier to just leave things set up where they are while you go to a different part of the building for another meeting.

Re:That's what encryption is for.

[bWareiWare.co.uk]

Hardware key-loggers can phone-home the next time the user is on-line, negating the need to access the computer twice.

However you can still defeat hardware key-loggers in software. Just ask for the characters in a random order, ideally with a extra characters that are ignored.

The problem always remains how do you know the software presenting the prompt is yours?

Always encryption

[rbprbp]

If you are travelling anywhere without HDD encryption, then you kinda deserve this. By the way, let's see them trying to put spyware on a PowerPC Linux laptop. :)

some reading

[zerro]

http://www.schneier.com/blog/archives/2009/07/laptop_security.html

https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

Hah, I had this problem...

[DDLKermit007]

I had this problem when I was doing work with associates in China when I was working to develop some software to use there. After going out one night I noticed the next day my laptop had been gotten into. Sure they poked around, but I didn't care. Not stupid enough to actually bring any data physically there with me. Checked the machine for anything funky, but seemed he was poking around to copy any interesting data. In the end they ended up trying to screw us & do the job we were doing which was they found really hard without our actual software in their hands. We just ran pointers that always pushed data from China back to the US where we churned through the data because I was a paranoid maniac. Sucks the company went under due to them, but felt a sort of sick satisfaction they ended up looking really dumb when everything ground to a halt suddenly.

Re:Booby trap time

[cheros]

the laptop battery goes critical on bootup

Nah. Dell tried that already..

throw away laptops

[lophophore]

Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.

Re:throw away laptops

Yup, that's how we deal with it. We're frequently in China to do software and hardware testing at our facilities (I work for a large US transportation company), and we have "China laptops". These are encrypted machines that are specifically loaded with the bare minimum stuff we need when we leave and immediately blown away when we get back. Installation of anything beyond the bare minimum (which is pretty much Win7 and VS2005) is strictly disallowed. Source is kept on a separate, encrypted sd card which is not to be kept in the machine, but even then it's just not that interesting. It's all internal source for package sort controllers and such, and we don't even have the ability to check code back in from these machines. It's purely for debugging and sending problem reports back home.

There's a big sticker on them that even says "China laptop, do not connect to corporate network"

Re:throw away laptops

[AHuxley]

Same for entry into the USA or any country. The software needed on brand new storage media, replace when returning home.
The option to inspect any laptop that enters a country is getting to be a reality rather than having to be a 'suspect'.
When a state views your laptop as a "container" - you have no legal protection.
Diplomats and travellers to the Soviet Union knew what they faced at any hotel - why would Communist China be any different?

Re:throw away laptops

[Minupla]

I have in the past provided the following instructions to an exec:

1) Go to local computer store
2) Purchase off the shelf hard drive with this model:xxx-xxxx-xxx - pay with local cash
3) Purchase philips screw driver
4) Remove HDD (more details here on how to remove a HDD) and replace with local drive.
5) Drive over old HDD with rental SUV. Repeat until fragments. Ensure HDD platters are fragments.
6) drop into at least 3 random trash bins in tourist areas
7) If questioned during exit, inform them that the computer crashed and that IT had you take it to a local repair shop but it's not working still.

Such is life in the odd world we live in.

Min

Re:throw away laptops

[swillden]

Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.

Nah. Take a $200 Chromebook. Factory reset it when you get back and you don't have to destroy it.

Re:throw away laptops

[swillden]

ChromeOS encrypts all user data by default, automatically verifies the integrity of all software during startup, and reverts to a known-good version in the event any compromise is discovered. Boot verification is based on code and data stored in ROM, so subverting it requires modifying the hardware. Run-time compromise must be done by leveraging web-style attacks (cross-site scripting, etc.) and can normally only achieve what web-style attacks can achieve which is access to data from other sites, etc. In the event deeper compromise is achieved, it's lost as soon as the device is restarted, until the user visits the malicious web site again.

Use a Chromebook, connect only to trusted sites and only over SSL, and you become an extremely hard target for compromise. Little if any of your data is actually stored on the device, what is cached on it is encrypted. When you get home, reboot and you're very, very likely to have a trustworthy system again. Do a factory reset and it's guaranteed to be clean (barring hardware hacks), since all data will be gone, and any modified code will be detected by the verified boot process. And, as a last resort, you only paid $200 for the thing, so if you fear hardware hacks, just chuck it and buy a new one. It's unlikely to add more than about 5% to the cost of your trip.

http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview

solutions:

[wierd_w]

There are several ways around this, with increasing levels of overhead.

0) don't bring the laptop to begin with. (Hehe.. har.. yeah, who am I kidding?)

1) yank the HDD completely, boot the laptop using a custom knoppix DVD, with an RDP client. Save your work in the cloud/at the enterprise, behind a strong enterprise password. Malware magically vanishes when the laptop powers down. No local data to collect.

2) use something like black ice defender.

3) use whole disk encryption with almost reigious zeal.

Personally, I prefer the live dvd approach. It has fringe benefts of always being a fresh, clean environment, and a complete black hole for forensic data recovery. Only the rubber hose method to get you to reveal the RDP account password remains as a reliable method of intrusion, though this assumes you aren't an idiot, and weren't so stupid as to package a keyring on the live DVD. (The whole idea is to keep sensitive data OFF the system!) If you absolutey NEED a keyring, find some way to use an actual usb keyfob to store it, and always carry your keys.

Regardless of the method used, remember that allowing unauthorized persons access to the physical system is practically synonymous with being pwned. The live dvd method only gives them physical access to a terminal.

Re:solutions:

[Jeremi]

If they can plant an actual keylogger in the keyboard, even this won't help.

The trick is to bring a scale with you. Weigh your laptop before using it; if it's a bit heavier than usual, either you left a DVD in the drive or someone has added "special hardware" to it for you. ;)

I wonder if this will work?

[roc97007]

You take a laptop to China. In your coat pocket is a "live" thumbdrive, which remains on you at all times. You don't care what's on the laptop, because you boot the thumbdrive to do work.

When you leave China, toss the (presumably compromised) laptop in a dustbin in the airport restroom.

Re:I wonder if this will work?

[roc97007]

I'm thinking because you don't want to connect it to a network (that you care about) until the disk is scrubbed and the bios is reflashed. (And perhaps, the back is taken off to make sure the box hasn't been physically compromised.) Laptops are, like, $200 apiece. Safer just to dump it.

Industrial espionage

[Taco+Cowboy]

I travel all the time, for business.

China is not the only country where industrial cloak and dagger stuffs happen.

The other countries that I've personally encountered industrial espionage activities includes Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and you will be surprised, I had had similar encounters in Canada, UK, Australia, and also US of A, although not that often.

Re:Industrial espionage

[hendridm]

I've surprised by many of the countries on your list.

Can you give some examples of what you've observed that we non-travelers might find surprising/interesting?

Re:Industrial espionage

[nihaopaul]

Photos or it didn't happen!

Re:Industrial espionage

[DNS-and-BIND]

Industrial espionage is one thing. This is a government employee entering your hotel room to install software on your laptop and image your hard drive. It has been happening for years in China (but has just now made Slashdot). It is practically a signature move of theirs.

Re:Industrial espionage

[AaronW]

As you said, France is also notorious for this sort of thing which surprises a lot of people.

Re:Industrial espionage

[CoderJoe]

How about just doing a boot-time truecrypt volume? They can't boot the system from the hard drive, and booting from a live CD/USB is also useless, as the data on the hard drive is encrypted. (unless they want to take the time to image the whole hard drive so they can work on cracking it elsewhere)

Re:Industrial espionage

[halofan_sd]

not being able to formulate a sentence without grammatical errors is a strong (actually, perfect) indicator that the speaker is a product of the American educational system.

Re:Industrial espionage

[RocketRabbit]

I'm sure your lack of experience in capital letters and their proper usage increases the public's perceived veracity in your experience with this subject.

Re:Industrial espionage

[Zontar+The+Mindless]

The use of the awkward word "stuffs" has been, in my experience, a strong (actually, perfect) indicator that the speaker is Chinese.

I almost didn't post this for fear that the chicom astroturfers (you?) will adapt, but i think it's important to get the word out regardless.

Protip to westerners: keep your eyes open for awkwardly idiomatic phrases, especially when the speaker is defending China either directly or indirectly.

Protip to the other side: stuff is an uncountable plural word already. "stuffs" is just "stuff." it's like saying "mices."

I've been using "stuffs" from time to time as long as I remember. Native American English speaker here, not a bit of Chinese in my family, other than in-laws.

Now that I think of it, I've NEVER heard anyone but other Americans or Australians even use it.

Protip: My anecdote says your anecdote is full of crap.

Re:Industrial espionage

[Savage-Rabbit]

Makes you want to do something funny like boot up OS/2 or put up a fake boot up sequence resulting in massive crashes unless it is you booting your computer.

Bonus points if you activate the web cam and record the person's reaction.

Why so elaborate? Just show the Goatse picture... It should yield some interesting photographs.

Re:Industrial espionage

[Electricity+Likes+Me]

How does this protect you against anything?

You're still vulnerable if they replace the bootloader with say, a Truecrypt lookalike (the evil maid attack, which is what this refers to).

Re:Industrial espionage

[jonadab]

You can, of course, deduce things about a person's linguistic background by noticing what kinds of mistakes they make. Some examples...

* Consistently confusing certain phonemes with one another even though they in fact sound nothing alike at all is a strong indicator that the native language doesn't contain either of them. Japanese people, for example, have a terrible time with English short vowels, particularly the a in "bad" and the u in "bus". This is because Japanese does not have these sounds. (Technically, the a in "bad" does occasionally occur in spoken Japanese, but it's a minority allophone in free variation for the a in "father". The u in "bus" does not occur at all.) Hence, "Pizza Hat". English speakers have a horrible time with glottal and pharyngeal stops, for the same reason.

* Consistently substituting certain words for certain other words in certain contexts where they don't make sense can mean that the native language has a word that is translated both ways. For example, using the word "teach" in place of "tell" ("Please, don't keep me in suspense. Teach me what happened!") is characteristic of Japanese. Saying "walk" instead of "live" (particularly when referring to living one's life a certain way) is characteristic of Greek (or of spending a lot of time reading old, sub-optimal English translations of things originally written in Greek; notably, the New Testament). English speakers often mix up ser and estar (in Spanish, and the corresponding verbs in other languages) and have trouble remembering which Japanese verbs to use to talk about wearing various kinds of clothing.

* Consistently confusing pairs of otherwise-related phonemes distinguished by the same type of contrast is a very strong indicator that the person's native language doesn't contrast on that feature. Koreans, for instance, have difficulty with the voiced/unvoiced distinction. English speakers have a similarly hard time hearing the distinction between aspirated and unaspirated.

* Having trouble with grammatical gender -- especially if it's inconsistent, not always getting the same words wrong in the same way, but different mistakes each time -- is an indication that the native language probably does not have grammatical gender. This doesn't apply much to English, since English has very little gender left in it.

* Attempting to pluralize adjectives when modifying plural nouns is a very strong indication that the person's native language does that. (This is characteristic of most European languages, with English being a notable exception.)

* If the target language is tonal, a native speaker can usually tell whether another speaker's native language is also tonal or not. This doesn't apply to English, obviously.

I'm sure there are others, but that's enough to illustrate the concept.

Preposition mistakes generally mean nothing, especially selecting the wrong preposition to introduce a prepositional phrase. Everyone makes them, and preposition usage varies so much even among dialects within a language that you can't usually draw firm conclusions. Frequent failure to correctly match up verbs with the complementary prepositions they prefer is a strong indication of a non-native speaker, but even this doesn't usually tell you very much about which other language they're coming from.

Sources Please?

I see a lot of unsubstantiated opinions. How about some credible sources that this is happening?

Re:Sources Please?

[zerro]

FTW: global warming is a hoax!!!

http://www.schneier.com/blog/archives/2012/02/computer_securi_2.html

http://www.homelandsecuritynewswire.com/us-government-recommends-weighing-laptop-and-after-visit-china

Re:Sources Please?

[zerro]

http://www.washingtonpost.com/world/national-security/in-china-business-travelers-take-extreme-precautions-to-avoid-cyber-espionage/2011/09/20/gIQAM6cR0K_story.html

Re:Sources Please?

[sydneyfong]

These links only prove some people are paranoid.

They don't prove anything actually happened aside of what the world already knows (and things that the Chinese government readily admits to) -- GFW, agents monitoring the internet, etc.

Agents physically breaking into your hotel room and installing keyloggers? I don't think they're rich enough to pay all the people to do that for the average travelling businessman.

Re:They don't know your password

[zerro]

Chinese AC troll?

Or Windows '98

[kawabago]

and infect them right back!

Re:Or Windows '98

[RabidReindeer]

How about Windows 95 with Microsoft Bob?

I think that's a violation of the Geneva Convention.

Re:Shred of Evidence

[dtmos]

See the sad case of Prof. John Roth, of the University of Tennessee.

Silly

[Charliemopps]

We don't even have people that travel outside the country and yet your security standards state that:
A. The laptop is wiped and re-imaged upon return. Every time.
B. The user simply uses the laptop to VPN into our corporate network which is protected by a random keyfob plus all the usual security.
C. Corporate laptops never leave the site of the user. You take it with you everywhere you go. Period.

Granted, I don't think C gets followed all that much. But A and B are pretty solid. Who the hell keeps a personal laptop for work anymore?

Re:EVIL MAID!

[FatdogHaiku]

Well... that explains why the HOT HORNY MAID never showed up... she got canned so they could insert their perfidious data thief in her place! Damn. Someone should update the Asian Porn section of the internet so travelers aren't disappointed...

Hardcore Security Fix.

[Deathlizard]

1) Buy this: http://www.newegg.com/Product/Product.aspx?Item=N82E16822168002
2) Get a Laptop that has A TPM. Preferably a Panasonic Toughbook or Dell Latitude. Put Drive from #1 in it. (or better yet. Buy the system with a Encrypting hard drive built in.)
3) Encrypt the hard drive. I don't care how, either with bitlocker or Truecrypt.
4) Set your laptop to boot from ONLY the Hard drive in the BIOS
5) Password protect the hard drive at the BIOS level. also password the bios.
6) Backup your system (Preferably, Using A Drive form #1). put backup in a safe deposit box. set a Password on that drive or backup file if you can. Do this monthly like clockwork or a hard drive crash will screw you.
7) If uber paranoid, look into a BIOS Level remote protection system such as computrace or Lojack to remote wipe the PC, but considering who you're dealing with, most likely it will never see the internet again, but its good to thwart casual theves.

Encryption: Not allowed

[jabberwock]

From The New York Times in February:

Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.

Low-tech solution?

[NewtonsLaw]

How about just carrying some of those "warranty void" stickers with you and place one so that it bridges the keyboard and screen on the opposite edge to the hinge.

Now the "maid" can't open your laptop without knowing their intrusion would be very obvious to the owner.

I wonder if they still would?

Full hard drive encryption

[fufufang]

If you use Windows, you can install Truecrypt, and change the bootloader so it shows "Operating System Not Found".

If you use Linux, set up encrypted LVM, and have your boot partition on a separate USB flash drive, which you attach to your keyring, and carry around with you all time.

troll them

[Lehk228]

Troll like a pro, carry lots and lots of "super sekrit" docs in a poorly truecrypted volume (password on a sticky note under the mouse)

gigabytes and gigabytes of detailed looking prototype data from your projects that failed due to a fatal and truly unsolvable flaw, but fudge the data and info to mask the unsolvable part

bonus points for anything that will cost them 100 million to fail to reproduce
more bonus points at the billion, 10 billions and 100 billion level

cold fusion, hot fusion, electric vehicle, atomic reactors, there must be trillions of dollars worth of hopelessly flawed design proposals kicking around collecting dust in company archives. -- Put them to good^H^H^H^HLulzy use

Full disc encryption

I work for a major multi-national corporation with big interests in China. Every transportable computer in the company has strong full-disc encryption installed by default, and NO ONE is allowed to divulge the ID/password required to boot it. If you are going to travel internationally, you back up your system before you leave. If some border agency demands the keys to your kingdom, you give them the laptop, but not the keys. Then the company ($40+B and major presence in every country) will bang on a few heads until the system is returned and some poor schlub is hung out to dry...

Re:Shred of Evidence

[Man+On+Pink+Corner]

US export law is no joking matter. It is impossible to exaggerate how goofy the rules are, and how much trouble you can get in for violating them. It doesn't matter if you're a hacker in a basement or a Fortune 100 defense contractor -- you do not want to mess around with these people.

Some examples of the evidence you're asking for.

More here. I think my favorite is the veterinary supply wholesaler in Waukee, Iowa who was fined $250,000 for sixteen unlicensed exports of cattle prods to Mexico.

Yeah

[bytesex]

We have the same problem. With an obscure little country called the USA.

Sorry, but the hypocrisy is staggering. We are NOT allowed to even bring an encrypted laptop across US borders.

Re:Shred of Evidence

[supercrisp]

That's a very unfair characterization of Roth's actions. He employed two graduate students, one from China and then one from Iran. He had the Chinese student send him a file while he, Roth, was in China, at a Chinese professor's e-mail address. The material in the file was deemed sensitive, as was the research. I think the professor ended up in prison primarily because he didn't understand that the FBI didn't appreciate him speaking with the professorial authority, like Moses from the mountain, that he was accustomed to use in his lab and within his field of study. but he did not hire spies, at least knowingly, not that anyone knows. And, I'll just drop this in: If I were a professor in the sciences I can imagine that I might want to employ non-American grad. students. I worked with and was friends with grad. students in the STEM fields, and there were a lot of "foreign" ones, and many of those foreign ones were much harder working than the American ones, many of whom seemed to think that grad. school was just more undergrad. school.