
Securing a laptop for travel to China - dankohn1
https://mricon.com/i/travel-laptop-setup.html
======
marco_salvatori
The police state that is China doesn't care about summit attendees, it cares
about social harmony. Summit attendees should have a passport and a visa if
needed. Otherwise they should act in a harmonious manner. If they can do that,
then they will be disappointed to find out that the officials simply don't care
about them. No one is going to ask friendly, personal questions in customs; no
one is going to ask for an inventory of what is being carried in; no one is
going to ask how much money you have with you; no one is interested in seeing
and opening your electronics; no one is going to pay the least attention to
your baggage. Relax, have a good time, and prep a vpn if you are set on
working. Then, on the way back, contrast the experience to the police state
that you are from.

~~~
qubex
As somebody who lived for three and a half years in mainland China (2003-2006)
and regularly crossed the border, I can confirm that this was my experience
too. I was never tampered with, interrogated, or made the object of any undue
attention; my equipment was of the utmost disinterest to authorities and I
even crossed the border with copies of _Nineteen-Eighty-Four_ and _Capitalist
Realism_ once, to the local authorities' utter disinterest.

I still visit semi-regularly (once a year, approximately) and my observations
remain valid now as then (for me at least).

Same goes for my experiences going into and coming out of Russia, for that
matter.

~~~
zcbenz
Books get much less censorship in China, compared to its Internet. Like, there
are new books about culture revolution every year.

However if you brought any book that attacks current government, for example
books about the 64 event, you would be in very big trouble.

~~~
dis-sys
That is not true. The most famous student leader who testified in front of the
US congress 8 times was allowed to go back in China. In fact, she (Chai Lin)
even started her business in China.

You seriously believe that she is less influential than a few books? If Chai
Lin is allowed to enter and stay in China, what is the point stopping a few
books?

~~~
justicezyx
They are allowed because they fully abandoned their belief... Oh, humans...

------
chvid
Sounds like the author is going to China for the first time.

Seriously; going through the Chinese border is much nicer experience than
those two declining and/or former empires: USA and UK.

They do not care about what is on your laptop. The Chinese block Facebook et
al. to prevent Chinese en masse joining Facebook; they don't care that a few
westerners check up on dogs or complain about missing toilet paper using some
VPN/SSH-thingee.

~~~
jldugger
The author is the IT security person for the Linux Foundation, whose
activities include distributing the Linux kernel via kernel.org. They
represent a particularly juicy target for nation-state actors, and have been
targeted with reasonably advanced attacks before. In 2015 the author published
a checklist for laptop security, this is just an extension of that, teaching
people (and LF employees) how to comply with their policies and China's.

Are they likely to be hassled at the border? No. But if there's a way to make
all parties happy, might as well document it.

~~~
alecco
If I were him I would go with a burner laptop and wouldn't take with me any
digital credentials.

~~~
mricon
That's the TL;DR of the article. ;)

------
kasey_junk
The issue with traveling to China is _not_ the border crossing. It's the many
places you can be compromised after you've crossed the border (your hotel, the
internet cafe, etc).

While working for a couple of different financial institutions they had
blanket "hand in your electronic devices" both before you went to China (to
ensure you didn't take them) and after you returned (to ensure you didn't
attempt to continue using the device they gave you for your trip). This had
_nothing_ to do with political dissidents or customs inspections and
everything to do with the assumption that anything on a device in China was
compromised for financial reasons.

It's possible that the US/UK have been put in the same bucket by these
organizations, and maybe with cause, but the threat model is completely
different between the 2 places and comparing border crossing experiences
doesn't invalidate that.

------
dis-sys
What a huge load of cold war thinking. Look at the crap below found in the
article:

"Then, depending on your level of paranoia, give the ChromeBook away to what
is likely to be a very thankful kid/student"

133 million foreigners went through Chinese custom and entered China in 2016 -
that is a lot of paranoid laptops to give away.

~~~
jldugger
dis-sys, throughout this thread you seem a bit upset, and seem to be carrying
luggage on HN in general, given your outsized participation in China-centric
threads. I really don't think the post is as negative as you expect.

The OP is also the author of LinuxFoundation's laptop security guidelines. LF
has been targeted by a number of DDoSes, intrusions and worms. At least one
was successful, and it's not clear if it was a criminal org, or a state actor
disguised as such. So their laptop configuration policy is designed to thwart
all comers. Hard drive / swap encryption, SSH keys on GPG cards, secureboot,
SELinux, encrypted backups, NoScript, HTTPSEverywhere, FireJail, etc.

China's policy appears to be that you must provide them with data should they
request it. Making this happen is pretty much in direct contravention of the
same laptop configuration policies designed to thwart the NSA, Europeans,
Russians, cybercriminals, etc. But let's look at it this way: LF knew the facts
on the ground in China, and proceeded anyways. So their IT manager responsible
for preventing another break-in publishes a guide for adhering to China's laws
while keeping the LF safe.

Throughout this thread I see people suggesting that they're never bothered by
state apparatus, so nobody should worry. I don't know which of that
sentiment's implications is more insulting: that kernel.org isn't worthy of
state infiltration, or that China isn't competent enough to pull it off.

------
RijilV
Feels like given the recent issues people have been facing with US Customs,
this advice is relevant there too.

~~~
darkpoints
Yeah I'm recognising a lot of similarities here.

------
fooker
Seems to have mistaken China for the US.

Chinese immigration does not treat you as a potential criminal aiming to
overstay your visa by default.

~~~
qb45
> Chinese immigration does not treat you as a potential criminal aiming to
> overstay your visa by default.

There are probably reasons for that, apparently an estimated 3% of the US
population is illegal aliens. I wonder what the number is for China.

https://en.wikipedia.org/wiki/Illegal_immigration_to_the_United_States

~~~
fooker
That's what happens when you annex part of a country. People keep moving
across something which is not a natural border.

Also, it's sad that you have to call human beings 'aliens'.

~~~
toomuchtodo
"Non-citizens" works just as well I suppose.

~~~
closeparen
"Non-citizens" includes lawful permanent residents and visa holders.

The term generally preferred by those of us who balk at "illegal" and "alien"
is "undocumented."

~~~
qb45
I said "alien" because it's a legal term and I see it used a lot, including by
US authorities. FWIW, I was once an alien in the US too and saw this term in
my own documents many times. I don't even know any good substitute,
"foreigner" is pretty much the literal translation but "illegal foreigners"
just sounds unusual, "illegal immigrants" would be better but then "immigrant"
isn't really the same thing as "alien".

Now, using "undocumented" for "illegal" is clearly fraudulent. These words
don't mean the same.

~~~
closeparen
Illegal alien frames people as primarily criminals who are not like us (and
should get out).

Undocumented frames people as lacking official documentation for the lives
they lead (so we should document them). That _is_ illegal, yes, but the
terminology puts the emphasis in a different place.

Would you say "person who struggled with narcotics addiction" or "felon"?
People who were addicted to hard drugs at one point possessed them, and are
necessarily criminals in the same way that people who are in the US without
corresponding records in government databases are necessarily criminals. Which
word you choose depends on how you want the audience to feel about them.

Illegal vs. undocumented is just a code word for your view on immigration
policy (with illegal being more neutral, undocumented being specifically
liberal).

------
leemailll
Why does the author worry so much about China customs? I never had a problem
going through China customs with regard to my laptops. And I have never seen
nor read of someone having trouble with it.

~~~
toomanybeersies
Most people going through the USA have no issue with US Customs, but there are
people that do.

~~~
UnoriginalGuy
Most non-Americans have issues with US immigration because they're extremely
rude for absolutely no reason.

US customs is fine. TSA is a mixed bag. But US immigration are unfathomably
rude and disrespectful for no reason at all; they treat you like scum. I've
been through US immigration & customs a lot, been sent to secondary three
times, ironically the people you deal with in secondary are more
polite/reasonable than the people in the little glass booths, but still very
"respect my authority."

Ironically going into the US feels more like entering a police state than
going into Russia. The Russians were just super disinterested and
to-the-point. The US is fine once you're in, but getting in as a non-American is a
bad first impression (the UK has this issue too).

I'd hate to think how much worse they would treat me if I was non-white and
from a country with traditionally bad or mixed ties to the US. From other
people's anecdotes that I've read or spoken to: Bad. Just by what their
official union supports (and who) you can get a sense of their views on other
races.

Last year the US just started a new policy of asking foreigners for our social
media credentials. It is starting out as an option, but like all of these things
it is just a matter of "when" not "if" it will be made mandatory.

~~~
camus2
> Most non-Americans have issues with US immigration because they're extremely
> rude for absolutely no reason.

Never had a single problem with US immigration or customs. Had plenty of
issues with Canadian customs on the other hand. Especially when crossing the
border by bus. From Canada to US, never an issue, from US to Canada, treated
like shit every time.

~~~
tluyben2
I had the reverse happen a lot: car from Canada to US. Hours waiting, very
angry, rude officer barking at you. We like vacation in the US so it would not
stop us but ugh.

------
a3n
Sibling comments here from people who've been there notwithstanding, if you're
afraid your laptop has something "bad" on it when you return, how can you in
good conscience give it to an unsuspecting donee? That's like wondering if
your doggy bag has food poison, so you give it to your neighbor.

~~~
MagnumOpus
Because while he as a Linux kernel developer is a juicy target for the 3PLA's
spying/subversion efforts, the Chinese won't be interested in 99.9% of normal
people's activities.

------
rll
I know it is anecdotal, but I have never seen even the slightest hint of
anyone having their devices closely looked at entering China. At least not in
the 72/144 hour visa-free line that I have been using for the past couple of
years. This visa-free entry is aimed at business travelers so perhaps there is
less scrutiny there.

~~~
Bakary
I've had the same experience as well. Ironically, the only place where I've
ever been scrutinized or directly searched is the US.

Short of being some sort of China-focused activist, you'd have to try real
hard to get Chinese law enforcement to care about what you're doing.

------
paradite
Relax, whoever wrote this, you are not travelling to the US.

As long as you are not bringing a world map with Taiwan as a separate color
from China, you will be just fine.

------
Aargau
People commenting below are probably correct wrt border entry for the common
business traveler, but might be surprised if they checked their wifi logs at
how many things are hitting it maliciously.

For some companies/positions you may be targeted surreptitiously.

Spying exists. The people who granted me my expedited Russian visa inside the
consulate were kicked out as spies.

------
blablablub
If you travel a lot, ask immigration to put the stamp in a corner of your
passport to save space. Don't put food in your luggage, if you are extremely
unlucky a customs dog will smell it. Just walk through customs, no one cares
about you. The GFW will block most social media sites and all of Google. The
GFW detects the ssh protocol and slows it down/blocks it. ssh -D does work for
like 30 seconds or so. Mosh works good. If you really really want to use ssh
-D and firefox, remember to do an about:config and change remote DNS to true.
Do the same if you use shadowsocks. Plain tor is mostly blocked. If you want
to use your own, private VPN connection, use IPSEC, not PPTP. Overseas
connections (Europe/USA) are extremely slow. Set up a private VPN in HK or
Japan to enjoy faster speeds. Change your apt location or equivalent to
something like mirrors.aliyun.com or wait hours for any updates/package
installs.

------
nickrio
Relax, they don't usually care what's inside your laptop.

If they ever check it, it's usually because it looks so new so they want to
make sure you're not smuggling.

------
raggi
Starts out by pointing out that exporting encryption software is illegal, and
then recommends that you export encryption software in unencrypted form.

~~~
pzh
Is it really considered exporting if they already have it?

~~~
CaliforniaKarl
It could be, yes. Similar to how, just because something that is classified has
been published, individuals who "needed to know" still can't talk about it
until it's been declassified.

~~~
TomMarius
I don't think that's similar at all. When you tell someone something secret,
it's still a secret, until you tell them it's no longer a secret. When you
start exporting something for the general public, it's generally known.

------
topmonk
The article states to use a VPN, but China has now cracked down on them:

https://www.theguardian.com/technology/2017/jan/23/china-vpn-cleanup-great-firewall-censorship

Your best bet (if you can survive on web only) is to ssh to a server outside
the country using the "-D" option which creates a socks proxy, then use
firefox to connect. I tried with chrome but it kept trying to make direct DNS
requests (which don't work) and I was unable to fix it.

I was there June, 2016.

~~~
rahimnathwani
I live in China, and have many friends who also live in China. ssh -D is _not_
the best way to access things outside China.

There are many other ways. The best current methods I know of are Shadowsocks
(what I use), or ShadowsocksR, or Shadowsocks over obfsproxy. Although the
Shadowsocks protocol presents as a socks proxy, there are clients for iOS
(e.g. Potatso 2), Android and routers (e.g. those available at koolshare's web
site) which make it transparent to use (and they deal with your DNS issue as
well, by tunneling DNS through the proxy).

~~~
StavrosK
How is shadowsocks better? I looked at the page but nothing immediately jumped
out...

~~~
rahimnathwani
How is it better than ssh -D, you mean? I thought I answered that above:

"Although the Shadowsocks protocol presents as a socks proxy, there are
clients for iOS (e.g. Potatso 2), Android and routers (e.g. those available at
koolshare's web site) which make it transparent to use (and they deal with
your DNS issue as well, by tunneling DNS through the proxy)."

How would you use ssh -D to reroute your iPad traffic? How would you set up
DNS? How would you help your non-technical friends who wanted to set this up?

Put more simply:

- Easy to set up the server

- Easy to set up devices (Windows, OSX, Android, iOS 9+) so that you can
connect in a couple of clicks, and the right traffic goes via the tunnel

- It's reliable (in the past 1+ years I've been using it, I've experienced
none of the slow-downs or blocking I experienced using other protocols,
including ssh, PPTP, L2TP and OpenVPN).

~~~
StavrosK
I see, thank you. I was wondering whether it was just an app, or just a
protocol, or what protocol it used, but I see now that it's an app that uses
its own protocol, so it makes a bit more sense to me, thanks.

------
phkamp
All this advice applies equally to USA (in particular if you are brown),
England and certainly Russia.

~~~
eps
It doesn't apply to Russia actually in the slightest.

The only issue with Russian border crossings are the line-ups due to general
mess and inefficiency. Nobody checks anything, let alone rummaging through
your belongings or asking to see the contents of your devices.

------
zoom6628
Useful notes even for those of us that live here - have been here total of 18
years and only cross border issue was bringing in a used (out of production)
dot matrix printer for my own factory to use! I just paid the tax. I also use
ExpressVPN and find it very good across pc gear, tablets and phones. Just this
past week started using dnscrypt on my work laptop - not because of company
policy but because I know the govt snoops on that as well. After install and
setting a couple of overseas DNS resolvers all of my web pages load more
quickly and getting to onedrive is a world more reliable.

Others have also mentioned that yes the govt doesn't really care about tourists,
conference attendees, or even normal business people for that matter. If you
are a human rights lawyer, an environment activist, or full websites with
anti-China hate material then you may get 'closer personal attention'.

------
digi_owl
Seems to me that if you travel internationally these days, your best bet is to
leave electronics at home and instead buy "burner" devices at your
destination.

------
kutkloon7
Or you just encrypt sensitive files and stash it in a folder somewhere. The
chance is practically zero they will find it.

~~~
jloughry
Just a note: it's possible to identify encrypted information by its entropy
signature. Forensic tools exist that can scan a filesystem (or a raw block
device) and highlight likely locations of encrypted data.
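
The entropy scan described in the comment above, as an added example that is not part of the original thread and not taken from any named forensic tool: it walks a byte buffer in fixed-size blocks and reports runs whose Shannon entropy is close to the 8 bits/byte maximum. The 4096-byte block size, the 7.5 bits/byte threshold, the function names and the sample image are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096   # assumed scan granularity
THRESHOLD = 7.5     # assumed cut-off, bits per byte (8.0 is the maximum)


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_high_entropy_runs(data: bytes, block_size: int = BLOCK_SIZE,
                           threshold: float = THRESHOLD):
    """Return (offset, length) for each run of consecutive high-entropy blocks."""
    runs = []
    start = None
    for off in range(0, len(data), block_size):
        high = shannon_entropy(data[off:off + block_size]) >= threshold
        if high and start is None:
            start = off
        elif not high and start is not None:
            runs.append((start, off - start))
            start = None
    if start is not None:
        runs.append((start, len(data) - start))
    return runs


def build_sample_image() -> bytes:
    """Constructed input: text, a ciphertext stand-in, then zero-filled blocks."""
    text = (b"Meeting notes: agenda, travel dates, hotel booking. " * 400)[:3 * BLOCK_SIZE]
    # SHA-256 over a counter stands in for ciphertext (deterministic, near-uniform bytes).
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(4 * BLOCK_SIZE // 32))
    return text + blob + bytes(2 * BLOCK_SIZE)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, length in find_high_entropy_runs(image):
        print(f"high-entropy region at offset {offset}, {length} bytes")
```

Compressed data scores almost as high as ciphertext on this measure, so a flagged run is a candidate for closer inspection rather than proof of encryption.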

------
jpelecanos
This is probably off-topic, but I'm wondering how aggressive is China's GSD
(General Staff Department) domestic SIGINT ops compared to U.S.'s NSA or
Russia's _Spetssvyaz_ /Special Communications Service?

------
KayL
Does the author unlock all data on his laptop in his hometown? If you're
targeted, it doesn't matter where you are. I think there's no difference. You
will just be another missing person.

------
jwfxpr
"IT security is just like driving on the highway in the sense that anyone
going slower than you is an idiot, and anyone going faster is clearly a
maniac"

Excellent metaphor!

------
DanBC
There are lots of people talking about China, but not many talking about
whether any of this works against well funded government actors.

------
kiwioperator
hmm.. Chinese gov't does not care about normal citizens/foreigners, let alone
a speaker in a tech con. However, some of this advice is universally
applicable when you are going to any foreign countries or even in your home
country.

------
mtgx
Or the US.

------
panzer_wyrm
Is there a chance he is mistaking China with North Korea? China is a very
welcoming place, passing through the border is a smooth experience.

Unless you are an activist they don't care about anything.

