

Traveling Light in a Time of Digital Thievery - joejohnson
http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.htm

======
tsunamifury
It surprises me how many security precautions taken sound more like
superstition to me than an educated understanding of protecting your data.

Cut and paste instead of typing -- really? We all know the clipboard is
equally insecure. This is logic that seems to come from a child-like
understanding of how computers work.

Why don't more organizations have their own secure token system? Then add a
layer of secondary authentication over access to any sensitive data? Security
is more about creating reasonable inefficiencies that ensure the right people
are accessing information than it is about protecting your passwords from key
loggers.

~~~
mahyarm
Copy/paste protects from purely physical key loggers; they can be hard to
detect by visual inspection if you do it right and they won't go away even if
you wipe the laptop. You would have to do something more complicated to capture
clipboard data purely in a physical manner.

But he says software keyloggers, so that's pretty moot.

------
wcoenen
> _He connects to the Internet only through an encrypted, password-protected
> channel, and copies and pastes his password from a USB thumb drive. He never
> types in a password directly, because, he said, “the Chinese are very good
> at installing key-logging software on your laptop.”_

Apparently he didn't realize that it's also trivial for snooping software to
monitor the clipboard content.

~~~
kylemaxwell
Not to mention access everything on the external drive. Relying on one-factor
authentication when the system may be (well, _is_) in the hands of the enemy
is just asking for trouble.

Use a token or smartcard in addition to your password.

~~~
drewda
I've found it surprisingly easy to start using two-factor authentication using
Google Authenticator: <http://code.google.com/p/google-authenticator/>

~~~
bigiain
I wouldn't rely on Google Authenticator to secure my logins from a "government
national security" level attacker.

If they're capable of installing keyloggers at customs inspection, I suspect
they're also capable of imaging my phone at the same time.

While I'm _reasonably_ confident the crypto in the app is probably done right,
the truth is I've got barely 13 bits of entropy in my unlock code for
Authenticator - and I could easily work out how to brute-force it given a
realistic "government security agency" sized IT infrastructure. (Hell - even
spinning up 10,000 EC2 instances for long enough to crank up the Android
simulator and try all possible 4 digit "PINs" one at a time would probably
only cost "nice dinner out" kind of money…)

------
greenyoda
It's not just the Chinese that people are worried about. Travelers also wipe
their cell phones and laptops to avoid giving up sensitive data to the customs
inspectors at the U.S. borders.

~~~
ImprovedSilence
Very true, I would bet that oftentimes a govt such as the US will take
precautions against the very same technological espionage that they themselves
are performing, as they will figure if they built something and are using it,
so is somebody else (China).

------
droithomme
Weren't most of the laptops being discussed originally manufactured in China?

It seems strange to consider the devices to be contaminated if privately
inspected by Chinese officials, when there were plenty of previous
opportunities to root them at the factory.

~~~
gwern
There's a big difference between your negotiating counterpart quietly alerting
Customs to do a special job when you pass through tomorrow, and _rooting every
laptop your country makes and sells to everyone in the world_.

~~~
junto
The better attack vector here is to champion an encryption technology that you
a) have a backdoor to or b) have the computing resources to crack within a
reasonable time, or c) both a) and b). :-)

------
nitrogen
_“The Chinese are very good at covering their tracks,” said Scott Aken, a
former F.B.I. agent who specialized in counterintelligence and computer
intrusion. “In most cases, companies don’t realize they’ve been burned until
years later when a foreign competitor puts out their very same product — only
they’re making it 30 percent cheaper.”_

Isn't cheaper stuff better for consumers in the long run? Besides, how do
companies know that their foreign competitors didn't legitimately reverse
engineer and/or independently reinvent the product in question, especially if
the product comes out years later?

------
laughinghan
I wonder how often these loaners that are known to be clean before entering
China are actually compromised when they're brought back?

~~~
jahmed
Seems like a good opportunity for a honey pot.

