The Trouble With Bringing Your Business Laptop To China

← Back to Stories (view on slashdot.org)

The Trouble With Bringing Your Business Laptop To China

Posted by Soulskill on Tuesday December 4, 2012 @12:37PM from the laptops-are-the-panda's-favorite-food dept.

snydeq writes "A growing trend faces business executives traveling to China: government or industry spooks stealing data from their laptops and installing spyware. 'While you were out to dinner that first night, someone entered your room (often a nominal hotel staffer), carefully examined the contents of your laptop, and installed spyware on the computer — without your having a clue. The result? Exposure of information, including customer data, product development documentation, countless emails, and other proprietary information of value to competitors and foreign governments. Perhaps even, thanks to the spyware, there's an ongoing infection in your corporate network that continually phones home key secrets for months or years afterward.'"

27 of 402 comments (clear)

Min score:

Reason:

Sort:

That's only one of the problems by dtmos · 2012-12-04 12:37 · Score: 4, Interesting

The other -- and, I would submit, more important -- reason for not taking your business laptop to China (if you're from the US) is US export control laws. The definitions of "export" and "controlled technology" have been so generalized that it is an even-money bet that the laptop of a given technologist contains information that, were he to travel to China, would result in at least a technical violation of the law -- and the penalties are severe.
1. Re:That's only one of the problems by DragonWriter · 2012-12-04 12:47 · Score: 5, Informative
  
  Considering these laptops are for the most part manufactured in China anyway, how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?
  Controlled technology includes software as well as hardware.
2. Re:That's only one of the problems by dtmos · 2012-12-04 12:54 · Score: 4, Informative
  
  how does bringing them back there in anyway give China access to any "controlled technology" they don't already have?
  It's the information the technologist has stored on it that is the problem. The export control laws are enforced by the Bureau of Industry and Security, and they are arcane, complex, and woefully out of date. Just to give one example, if you're a microprocessor designer, and have a design that operates at temperatures exceeding 125C, that design is controlled; carrying that design in your laptop when you go to China is a violation of the law -- whether or not it is even accessed while in China. (It's also illegal to show that design to any person of Chinese citizenship, even if you both are in the US at the time; that, too, is considered export under the law.)
3. Re:That's only one of the problems by neyla · 2012-12-04 18:25 · Score: 4, Interesting
  
  True !
  Fun Fact
  encryption*SOFTWARE* was classified as munitions and restricted, meanwhile free speech laws meant that printed words could very seldom be stopped.
  I was part of exporting PGP from USA legally, by way of printing the (zipped, uuencoded + checksums) source-code, mailing it physically to norway, scanning it, OCRing it and manually proofreading all lines where the checksum failed.
Fix 'em good. by ackthpt · 2012-12-04 12:40 · Score: 4, Funny

Take a TRS-80 and watch them try to figure it out.

--

A feeling of having made the same mistake before: Deja Foobar
encryption by Anonymous Coward · 2012-12-04 12:41 · Score: 5, Insightful

Why doesn't your business mandate HDD encryption?
China isn't the only place this goes on...
1. Re:encryption by lister+king+of+smeg · 2012-12-04 13:07 · Score: 4, Interesting
  
  better yet live cd let them try installing malaware on there then, encrypt the whole drive and only use it for data storage, when chinless agents tries booting and no OS is found so he simply images you drive for later analysis let him stew for a few billion years trying to decrypt it.
  
  --
  ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
2. Re:encryption by homer_ca · 2012-12-04 13:12 · Score: 5, Informative
  
  A hardware keylogger inline with the keyboard cable takes care of that. It only means they'll have to break in twice instead of once.
3. Re:encryption by Qzukk · 2012-12-04 13:55 · Score: 4, Interesting
  
  And if the laptop has a firewire port, i'm fairly certain RAM can be dumped on ANY operating system.
  
  --
  If I have been able to see further than others, it is because I bought a pair of binoculars.
4. Re:encryption by Jeremi · 2012-12-04 16:38 · Score: 4, Funny
  
  You take the USB key with you around your neck.
  Still insecure, someone could grab it and run. For enterprise-level security, swallow the USB key. That will keep the USB key well and truly secure, while still giving you access to your data every 48 hours.
  
  --
  
  I don't care if it's 90,000 hectares. That lake was not my doing.
5. Re:encryption by Vegan+Cyclist · 2012-12-04 19:38 · Score: 5, Funny
  
  As a vegan it's probably more like every 16hrs. ;)
That's what encryption is for. by stevenh2 · 2012-12-04 12:43 · Score: 4, Insightful

Who leaves their business secrets in the open. Especially laptops, they get lost stolen, or as the article says people examining it. Really you can use a truecrypt container and hide it somewhere.
Hah, I had this problem... by DDLKermit007 · 2012-12-04 12:49 · Score: 4, Funny

I had this problem when I was doing work with associates in China when I was working to develop some software to use there. After going out one night I noticed the next day my laptop had been gotten into. Sure they poked around, but I didn't care. Not stupid enough to actually bring any data physically there with me. Checked the machine for anything funky, but seemed he was poking around to copy any interesting data. In the end they ended up trying to screw us & do the job we were doing which was they found really hard without our actual software in their hands. We just ran pointers that always pushed data from China back to the US where we churned through the data because I was a paranoid maniac. Sucks the company went under due to them, but felt a sort of sick satisfaction they ended up looking really dumb when everything ground to a halt suddenly.
Re:Booby trap time by cheros · 2012-12-04 12:55 · Score: 4, Funny

the laptop battery goes critical on bootup
Nah. Dell tried that already..

--
Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
throw away laptops by lophophore · 2012-12-04 12:56 · Score: 5, Interesting

Any serious exec is going to use a throw-away laptop for travelling to China. A $400 special will keep you online abroad, and then it can be destroyed as a business expense. Cheap insurance against hacking.

--
there are 3 kinds of people:
* those who can count
* those who can't
1. Re:throw away laptops by Anonymous Coward · 2012-12-04 13:05 · Score: 5, Interesting
  
  Yup, that's how we deal with it. We're frequently in China to do software and hardware testing at our facilities (I work for a large US transportation company), and we have "China laptops". These are encrypted machines that are specifically loaded with the bare minimum stuff we need when we leave and immediately blown away when we get back. Installation of anything beyond the bare minimum (which is pretty much Win7 and VS2005) is strictly disallowed. Source is kept on a separate, encrypted sd card which is not to be kept in the machine, but even then it's just not that interesting. It's all internal source for package sort controllers and such, and we don't even have the ability to check code back in from these machines. It's purely for debugging and sending problem reports back home.
  There's a big sticker on them that even says "China laptop, do not connect to corporate network"
2. Re:throw away laptops by swillden · 2012-12-04 17:12 · Score: 5, Informative
  
  ChromeOS encrypts all user data by default, automatically verifies the integrity of all software during startup, and reverts to a known-good version in the event any compromise is discovered. Boot verification is based on code and data stored in ROM, so subverting it requires modifying the hardware. Run-time compromise must be done by leveraging web-style attacks (cross-site scripting, etc.) and can normally only achieve what web-style attacks can achieve which is access to data from other sites, etc. In the event deeper compromise is achieved, it's lost as soon as the device is restarted, until the user visits the malicious web site again.
  Use a Chromebook, connect only to trusted sites and only over SSL, and you become an extremely hard target for compromise. Little if any of your data is actually stored on the device, what is cached on it is encrypted. When you get home, reboot and you're very, very likely to have a trustworthy system again. Do a factory reset and it's guaranteed to be clean (barring hardware hacks), since all data will be gone, and any modified code will be detected by the verified boot process. And, as a last resort, you only paid $200 for the thing, so if you fear hardware hacks, just chuck it and buy a new one. It's unlikely to add more than about 5% to the cost of your trip.
  http://www.chromium.org/chromium-os/chromiumos-design-docs/security-overview
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Industrial espionage by Taco+Cowboy · 2012-12-04 13:02 · Score: 4, Interesting

I travel all the time, for business.
China is not the only country where industrial cloak and dagger stuffs happen.
The other countries that I've personally encountered industrial espionage activities includes Japan, Korea, Vietnam, France, Italy, India, Indonesia, Egypt, Turkey, and you will be surprised, I had had similar encounters in Canada, UK, Australia, and also US of A, although not that often.

--
Muchas Gracias, Señor Edward Snowden !
1. Re:Industrial espionage by hendridm · 2012-12-04 13:18 · Score: 5, Interesting
  
  I've surprised by many of the countries on your list.
  Can you give some examples of what you've observed that we non-travelers might find surprising/interesting?
2. Re:Industrial espionage by AaronW · 2012-12-04 14:07 · Score: 4, Interesting
  
  As you said, France is also notorious for this sort of thing which surprises a lot of people.
  
  --
  This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
3. Re:Industrial espionage by CoderJoe · 2012-12-04 15:37 · Score: 4, Insightful
  
  How about just doing a boot-time truecrypt volume? They can't boot the system from the hard drive, and booting from a live CD/USB is also useless, as the data on the hard drive is encrypted. (unless they want to take the time to image the whole hard drive so they can work on cracking it elsewhere)
4. Re:Industrial espionage by halofan_sd · 2012-12-04 16:17 · Score: 4, Funny
  
  not being able to formulate a sentence without grammatical errors is a strong (actually, perfect) indicator that the speaker is a product of the American educational system.
5. Re:Industrial espionage by RocketRabbit · 2012-12-04 16:46 · Score: 5, Funny
  
  I'm sure your lack of experience in capital letters and their proper usage increases the public's perceived veracity in your experience with this subject.
Re:Or Windows '98 by RabidReindeer · 2012-12-04 14:17 · Score: 5, Funny

How about Windows 95 with Microsoft Bob?
I think that's a violation of the Geneva Convention.
Encryption: Not allowed by jabberwock · 2012-12-04 14:23 · Score: 5, Informative

From The New York Times in February:

Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission.
troll them by Lehk228 · 2012-12-04 15:40 · Score: 5, Funny

Troll like a pro, carry lots and lots of "super sekrit" docs in a poorly truecrypted volume (password on a sticky note under the mouse)

gigabytes and gigabytes of detailed looking prototype data from your projects that failed due to a fatal and truly unsolvable flaw, but fudge the data and info to mask the unsolvable part

bonus points for anything that will cost them 100 million to fail to reproduce
more bonus points at the billion, 10 billions and 100 billion level

cold fusion, hot fusion, electric vehicle, atomic reactors, there must be trillions of dollars worth of hopelessly flawed design proposals kicking around collecting dust in company archives. -- Put them to good^H^H^H^HLulzy use

--
Snowden and Manning are heroes.
Re:Shred of Evidence by Man+On+Pink+Corner · 2012-12-04 19:10 · Score: 5, Informative

US export law is no joking matter. It is impossible to exaggerate how goofy the rules are, and how much trouble you can get in for violating them. It doesn't matter if you're a hacker in a basement or a Fortune 100 defense contractor -- you do not want to mess around with these people.
Some examples of the evidence you're asking for.
More here. I think my favorite is the veterinary supply wholesaler in Waukee, Iowa who was fined $250,000 for sixteen unlicensed exports of cattle prods to Mexico.