Hacker News
Securing a laptop for travel to China (mricon.com)
225 points by dankohn1 on June 17, 2017 | 145 comments



The police state that is China doesn't care about summit attendees, it cares about social harmony. Summit attendees should have a passport and a visa if needed. Otherwise they should act in a harmonious manner. If they can do that, then they will be disappointed to find out that the officials simply don't care about them. No one is going to ask friendly, personal questions in customs; no one is going to ask for an inventory of what is being carried in; no one is going to ask how much money you have with you; no one is interested in seeing and opening your electronics; no one is going to pay the least attention to your baggage. Relax, have a good time, and prep a VPN if you are set on working. Then, on the way back, contrast the experience to the police state that you are from.


As somebody who lived for three and a half years in mainland China (2003-2006) and regularly crossed the border, I can confirm that this was my experience too. I was never tampered with, interrogated, or made the object of any undue attention; my equipment was of the utmost disinterest to authorities and I even crossed the border with copies of Nineteen-Eighty-Four and Capitalist Realism once, to the local authorities' utter disinterest.

I still visit semi-regularly (once a year, approximately) and my observations remain valid now as then (for me at least).

Same goes for my experiences going into and coming out of Russia, for that matter.


China International Book Trading Cooperation (CIBTC) offers the original version of Capitalist Realism online to Chinese readers for 141RMB delivered. CIBTC is a company started/owned/managed by the Communist Party of China.

https://detail.tmall.com/item.htm?spm=a230r.1.14.1.WxB4yL&id...

Nineteen Eighty-Four is more interesting, apparently, there are hundreds of vendors selling it on taobao.com, including the Xinhua which was started/owned/managed by the Communist Party of China.

https://list.tmall.com/search_product.htm?q=Nineteen+Eighty-...


That's very interesting research I never thought to conduct, thank you.

(In all due deference, Capitalist Realism is a very anti-capitalist argument, so...)


Seconded. I've carried a laptop to China upwards of 20 times by now. The bag has been opened exactly once--by airport security as I was leaving, they wanted to run my assorted electronics through separately.

Only once has customs had the slightest look at our bags and that was when the airline left them behind and we had to pick them up later. I was wheeling out a cart with 4 checked bags, no carryons and that drew the interest of the customs guy. The entry stamp two days earlier also drew his interest. He started running the bags through his x-ray, at that point my wife caught up and explained what had happened (she's a native speaker, I figured it was easier to leave any discussion to her) and that was the end of it. Nothing was ever opened.

Even the day my wife set off a nuke alarm at customs produced no response. (She had set off a previous alarm also, which was resolved with a short discussion. They never checked what the actual radiation source was and the card from the lab that explained why she was hot was sitting at home in the pocket of the jacket she didn't wear.)

Now, if my employer was some big company I would be concerned with espionage but that's all. Since my employer doesn't do anything remotely of interest to the Chinese I don't worry about it. Besides, we stay with relatives, my laptop has never seen a Chinese hotel room.


Books get much less censorship in China, compared to its Internet. Like, there are new books about the Cultural Revolution every year.

However, if you brought any book that attacks the current government, for example books about the 64 event, you would be in very big trouble.



That is not true. The most famous student leader who testified in front of the US Congress 8 times was allowed to go back to China. In fact, she (Chai Lin) even started her business in China.

You seriously believe that she is less influential than a few books? If Chai Lin is allowed to enter and stay in China, what is the point stopping a few books?


They are allowed because they fully abandoned their belief... Oh, humans...


Correcting Russia case.

It's the only state where, during my travels, on the way out of the country (Russia here), in addition to the usual security scan and passport control, you have an additional booth manned with Russian official/military personnel only, judging if they can let you out. Again: this was in addition to passport control due to destination etc.

Source: me at St. Petersburg airport 2016.

P.S. Overall the Russia experience was very good and eye-opening (compared to what you get from the media)


I was able to get away with carrying a knife through the Shanghai metro, and onto the maglev to the airport. At entries to both, they x-rayed my bag and were not enthused by the knife's presence (one guard made vigorous stabbing gestures to communicate his concern). But it did not take much to assure them it was a souvenir not to be used as a weapon.

My point is perhaps you were profiled to your benefit as well.

Edit: I'm from the US.


I lived in both China and the US and the experiences at the border are very different.

I wouldn't say the experience of getting into China is the best, because you still need a Visa to study/work there. But I'd say that it might have been the easiest Visa to get.

On the other hand I've never been through so much aggressiveness and difficulty with the American border. It probably is the worst border in the world (or at least that I've been through).


The US border might be the worst if you have any reason to attract interest, but as a boring tourist with an Australian passport, I've found the US border staff to be perfectly nice, like most other countries I've visited. Slow, boring and drab, but with a smile.

(In my travels to various unremarkable destinations, there's one country that stands out as having far and away the grumpiest, officious, unpleasant and sour people in immigration: the UK.)


To contrast, I'm also an Australian passport holder (though I'm on a working visa) and the US is so far my absolute least favourite country to enter or travel to (out of Australia, Malaysia, Turkey, Germany, The Netherlands, France, Switzerland, Mexico and Russia).

Some of my experiences:

- ~2013 on an Australia -> US (1 month) -> Mexico (1 month) -> Australia via US stopover (~8h) trip, I was detained by customs at the stopover for ~3h and had all my luggage opened and unpacked in front of me for no reason that I can tell other than that I was coming from Mexico and looked tired. About 2h of the 3h were spent waiting in line and nobody told me why I was in line or what to expect.

- Mid 2014 on an Australia -> Malaysia (6h) -> Turkey (2w) -> US (2w) -> Australia trip, I was detained on the way into the US for ~2h by immigration and was asked the question "did you ever step foot in Syria" about 10 times (I wish that was an exaggeration). Again, nobody was friendly, nobody told me what was happening and I spent most of the time waiting and wondering whether I was about to be denied entry for some reason.

- Late 2015 on a US -> France (3d) -> US trip, I was pulled aside prior to boarding the plane because I had an SSSS mark on my boarding pass, which meant I was one of the 10% "randomly" selected for extra screening.

- Early 2016 on a US -> Switzerland (8d) -> US trip, I was pulled aside in Switzerland because once again I had an SSSS mark on my boarding pass. This was the second time in a row.

- Late 2016 on a US -> Germany (3d) -> US trip, I again had an SSSS mark, for the 3rd time in a row.

Aside from my travel history which I don't think is particularly out of the ordinary, I don't believe there's anything else particularly interesting about me. I'm a young white male with a bachelor's degree, my father works for the Australian government, my mother is a nurse and I've never been a member of any major religious or human rights organization.


I'm the definition of boring, being a white male Canadian, and I get no end of hassles at the US border.

YMMV.


Of the ones you've been through.

I've been in most of the Iron Curtain countries--most of which searched us in far more detail than anything I've gotten from the US.

And I've been subject to some fairly thorough searches in Africa looking for anything that carried those forbidden words "Product of South Africa". Never mind all the stuff written in Afrikaans with the forbidden words blacked out.


This was my experience as well, my USA cell phone wasn't even blocked from accessing websites that were normally blocked in China, they make an exception. There could be some cases where you could run into issues, but the paranoia is greatly exaggerated, and being a "socially responsible" techie is not acting like a conspiracy theorist wing nut.


A VPN that can unblock all those websites can be purchased for $15/year.

Ironically, you don't get comparable Internet speed or cost (my 200mbps Internet costs me $180/year, or I can upgrade it to 500mbps for $400/year) in most "free" countries. I'd be protesting really hard if I had to pay some unfair cost, say $50/month or more, to suffer from the so-called uncensored broadband running at tortoise speed such as 50mbps or less.


Nearly all VPNs that you can get now by searching will be blocked when they are becoming popular quickly. But if you have your own server (or a VPS) and set up a VPN or shadowsocks server, there will never be such a problem. It's because China blocks websites via a blacklist, so only some well-known IPs will be blocked. Many friends of mine are using shadowsocks to unblock now (I'm Chinese :).


That is not true. It is a well-known fact that the Great Firewall has done deep packet inspection since the early 2000s, e.g. when Google was still available in China, your connection got stopped for a few minutes every time you searched for some undesirable keywords.


I'm afraid your follow-up is even more inaccurate.

We developed shadowsocks for the exact purpose of battling machine learned DPI head on.

The real challenge is the (poor) quality of the networks and the topology of censorship body all around China. The black-box nature of such a state system made each improvement feel like an experiment at best, simulated annealing at worst.


The claims I was referring to are highly inaccurate:

1. shadowsocks is a good example that certain vpn/proxy can survive after becoming popular.

2. GFW blocks sites/pages/connections based on content; it has been doing this for more than a decade. Whether shadowsocks can fool GFW or not doesn't change the nature of GFW.


I don't know how GFW works exactly, but I think it's not blocking based on content, which means to check every page. What the China gov wants to do is just prevent those naive people from being deceived by some vicious foreigners, and they don't really care about normal college students or programmers (we don't care about politics either). Indeed, en.wikipedia is unblocked at all, and we can get all academic resources (including history, most universities bought them). So if you know English, you can get everything about, e.g., 64 event. Even the gov is more anxious about contemporary politics, clever guys can get some information by just referring to a politician as "big tiger".

So, 1. The Chinese gov doesn't care about those who just want to paste a photo on Twitter; they blocked websites such as Twitter because it's known by even some Chinese farmers or workers. They are supposed to be susceptible, which means danger.

2. It is said that China will block by whitelist instead of blacklist(maybe like North Korea), but they didn't do that.

3. Usually, someone who can buy and set up a server for himself is clever enough to distinguish between lies by terrorists and the truth.


There is blocking based on content now, but not by checking packages by the gov themselves (is it possible?). Search engines in China must follow the instructions of the gov to block some content, which is the reason that Google exited China. What I've learned tells me that if you have encrypted, it's impossible to get what you sent without a key. If it's possible, clearly it's in use in the CIA too, not just GFW.


> vpn that can unblock all those web site can be purchased for $15/year

Have you lived in China? If so, please tell me what VPN service you're talking about. If not, I think you might not be aware how sophisticated and annoying the GFW is.


Search for "god use vpn". Not trolling, that is the actual name of the service I am using. They charge 100 RMB per year, that is $15/year; you get access to ~20-30 of their geographically distributed servers and all of them can help you to bypass vpn.


The name is also a rather clever pun on an existing item of Chinese food, likely chosen precisely to avoid censorship: http://languagelog.ldc.upenn.edu/nll/?p=22954


There's nothing sophisticated about China's attack strategy on VPNs: make them illegal and block their IPs. Sites like greatfire.org maintain lists of working ones, or running one on a VPS would be pretty easy.


Check out the CCC talks for details on what the sibling comments talk about if you want. It's actually very interesting.


This is just false. China has a massive censorship operation, of which their very advanced anti firewall technology is a critical piece.

Start here: http://blog.zorinaq.com/my-experience-with-the-great-firewal...


Maybe 15 years ago, but today it's very sophisticated, incorporating deep packet inspection and machine learning. Under normal circumstances, they allow some VPN traffic. But they ramp up the firewall during big political events, at which times it's almost impossible to gain proper connectivity.


But there's no "deep packet" inspection of encrypted vpn or an ssh tunnel? Sure, you can guess that the connection is encrypted, and block it on general principle - but there's no way (that I know of) you could selectively block ssh based on the content/traffic pattern (you might let through low-throughput ssh only, ie: only allow use that "looks like" shell use, but a) you could run w3m on the other end of that tunnel, and b) it sounds unlikely - as that would also kill many other uses like file transfer for backup etc).

I'm curious if ssh access to eg: digital ocean is allowed?

If so, you can simply use ssh as a socks5 proxy:

  ssh -D 8080 you@example.com
  # Set your browser to use 127.0.0.1:8080
  # as a socks5 proxy for dns lookup and
  # traffic, via eg foxyproxy for firefox

I'm not saying GFW won't block this, but I'm doubtful it'll allow plain ssh, and block this use case?


In my experience ssh works but tunneling over ssh does not. Not sure how they do that. Personally when I am there I only miss Google for programming issues. It is terribly inefficient to use something else imho.


The reason why tunneling over SSH doesn't work very well is because the network is crap. SSH runs on TCP, and TCP doesn't perform well when there's a lot of packet loss. Even for interactive logins it's frustrating without mosh.


One could also distinguish between "normal" SSH and SSH used as a tunnel by used bandwidth.


This has been blocked for ages.


You must be kidding. The Great Firewall of China is arguably one of the most sophisticated systems ever deployed on the Internet.

Try an IPSec or PPTP based VPN, they turn your encrypted communication into plain text. Then think about the scale - they do this on almost 1 billion users.


On a desktop we'd just set up an ssh tunnel to an ec2 instance and use SwitchyOmega in Chrome.


How did that work out performance wise? I was on an adsl connection in Beijing. Inside the country it was really great, could max out the 100mbit. Foreign websites were a pain. I found that ingress traffic constantly had a packet loss of 30%, which made TCP really unhappy, including ssh tunnels. Ended up writing my own tunnel software that was tuned to cope with the network situation.


I found the most success with https://github.com/shadowsocks/shadowsocks/tree/master . It was a while back though.

With ssh, restarting the connection would help for whatever reason. So I had a little script rotating a set of connections behind haproxy.

EDIT: oh and Hong Kong. HK VPSes seemed to work the best.


Does anyone know the story behind:

https://github.com/shadowsocks/shadowsocks

"Removed according to regulations." vs:

https://github.com/shadowsocks/shadowsocks/tree/master

Is it the shadowsocks project dancing around github censorship, or github allowing ss to dance around chinese censorship?


TLDR: Police asked the developer to stop working on it. (and judging by their Twitter activity, no crazy stuff happened)

https://web.archive.org/web/20150822042959/https://github.co...


Right, but the code is still there, still being developed, just on the master branch? That doesn't really square with "stopped working on it" - unless it's just a sham to dodge the police - but that sounds pretty dangerous? (As opposed to, say have someone else host it, host it in a new place etc).


What about connections outside the browser (and SSH)?

BTW, I have noticed a trend to block port 22 in international hotels. It's annoying!


> it cares about social harmony

um... so what's social harmony? The exact same words are used by chinese gov. when trying to be 'vague' about their censoring activities...


I live here and it doesn't seem vague at all. It seems to basically mean no riots, large protests, or attempts to overthrow or weaken the government. We don't have a democracy so there's a risk that if large enough groups of people get too worked up, they might create a massive problem like a revolution or something. Nobody would benefit from that - see the mess it made in Syria, Egypt, Libya, and Tunisia. In a democracy, there's no such risk because of the safety valve of angry mobs being able to vote their opponent out of power. But in a one-party system, it's necessary to limit the spread of dissenting ideas.

So as long as you're not doing political activism, it's fine. I know people who've had private messages apparently censored when they contained anti-government ideas. They don't get arrested. It's not something to fear. The tech companies just monitor and delete politically risky content. If you are a real dissident, then you know you're breaking the law, however vaguely it's worded, and you know you're in danger.


Nobody benefits from a revolution? Tell that to the French and the Germans!


Seriously? German? You mean the 1918/19 revolution that eventually helped to cause WWII? Surely Hitler benefited a lot from the German Revolution of 1918/19!

You tell me how the Nazis could possibly rise to the very top without the help of that very beneficial revolution? Maybe time to read more history books and come back with better trolling skills?


He was probably referring to the 1848 revolution.


Two German revolutions, one probably okay/good, while the other one was a total disaster for the entire humanity. With this in mind, I'd probably argue that revolution is bad in general.

I do agree that it is always good for some political speculators.


You'll have to disregard the wars in between the revolution and the profiting though.


> We don't have a democracy so there's a risk that if large enough groups of people get too worked up, they might create a massive problem like a revolution or something. Nobody would benefit from that - see the mess it made in Syria, Egypt, Libya, and Tunisia.

What about the Cultural Revolution which put the ruling party itself in power? It's a bit hypocritical for the government to categorically condemn revolution when they wouldn't even exist without it.


No, see, the revolution created the one true revolutionary state that's a perfect expression of the People's Will(tm), so any attempt to have another revolution is clearly counterrevolutionary sabotage by lackey capitalist running dogs.

And yeah, while the French Revolution was probably a good thing in the long run, it was pretty terrible in the short run: https://en.wikipedia.org/wiki/Reign_of_Terror


The French Revolution was also kind of a mess, they shortly after elected Napoleon as the emperor, then they became a monarchy again, then an emperor came again? I don't know, it's confusing.


> What about the Cultural Revolution which put the ruling party itself in power?

First of all, the Cultural Revolution didn't put the ruling party in power, and second of all the CCP (and China) of today is very different from the CCP (and China) at the time of the Cultural Revolution.


Yeah, it is. That's the reality.


Peace is obtained through war. There is no exception.


Well, tell that to North Koreans escaping through China. Technically, they are 'dissidents' in the eyes of the Chinese gov. so --- it's ok for the Chinese gov. to torture them & deport them back to N.K. to be tortured.


Anything that "rocks the boat", or try to "change the status quo", so to speak.


There are multiple dimensions of threat. The first is from the police state angle. This is the one where the US Customs officials are demanding social media passwords from people with dark skin coming from certain countries, and is targeted at whatever the law enforcement or "homeland security" personnel are most worked up about. If you don't fall into the targeted categories, you will likely not notice it at all. I'm privileged in the US that I never get that treatment because I don't fall into that bucket. Similarly, if you don't fit whatever risk profile that, say, the Chinese MSS are most concerned about, you won't see any issues either. As another example, if you are coming from a country that gives $8 billion dollars a year to Israel, your treatment will be very different than if you are of Palestinian descent. So a statement that a country has a really pleasant border crossing experience compared to "the police state that you are from" may be an egregious example of sampling error.

Another dimension of threat is the targeted threat model. Examples of this include the French Secret Service leaving audio recording devices in the first class seats, so they could distribute economic espionage to French state-owned companies. Or of some country (NSA, MSS, BND) trying to get a toehold into some company's internal systems as preparation either for cyber defense, cyber attack, defending their country against the pernicious dissident movement, etc. There have been stories about laptops left in Chinese hotel rooms getting outfitted with keyboard bugs or other free hardware "upgrades". It's not clear how true those stories are, but again, since they are targeted attacks, just because you've never seen it happen doesn't mean much.

Perhaps simply you never noticed the free hardware upgrade. Or the country has laws that prohibit using intelligence agencies from giving an advantage to that country's companies; or you are a citizen of that country and that automatically gives you significant protections over anyone else, for which anything is fair game because that country doesn't recognize privacy as a fundamental human right or views non-citizens located outside of the country as not having any constitutionally guaranteed rights.

Or perhaps you simply don't work for a US defense contractor, or a large social media or search company, and so you were deemed too unimportant to bug. (Don't take it personally.)

So the question of deciding what is the right level of paranoia is a tricky one, and I wouldn't be too quick to judge. Is wearing a seat belt in a car being too paranoid? After all, the vast majority of the time you don't need it. Does that mean you are a crackpot for insisting that you and your passengers wear a seat belt?

Finally, note that the person who wrote the article is responsible for providing IT for kernel.org, Linus Torvalds and Greg K-H, and other kernel developers who have their git trees on the kernel.org system. How much security protections do you think we should be providing to make sure no one is trying to introduce a backdoor into the Linux kernel?


> the French Secret Service leaving audio recording devices in the first class seats

somehow, a plane is so noisy that I cannot imagine this working :D


It's easy enough to test, record some video with your cellphone during a flight, see how much voice you can pick up after some simple filtering. Now imagine what an intelligence service could do if they had access to test runs on actual planes, could engineer their own microphones, and could tune filters to the engine noise.

You might as well say that it's unlikely that tapping 60s era cars on the highway will work. I'm fairly certain it did.


> The police state that is China doesnt care about summit attendees, it cares about social harmony.

Well, the Cultural Revolution was a crazy time.


Is there a relationship between democracy and the rudeness of border control officers?


Yea... this ain't the DHS at the USA entry points...


Sounds like the author is going to China for the first time.

Seriously; going through the Chinese border is a much nicer experience than those two declining and/or former empires: USA and UK.

They do not care about what is on your laptop. The Chinese block Facebook et al. to prevent Chinese en masse joining Facebook; they don't care that a few westerners check up on dogs or complain about missing toilet paper using some VPN/SSH-thingee.


The author is the IT security person for the Linux Foundation, whose activities include distributing the Linux kernel via kernel.org. They represent a particularly juicy target for nation-state actors, and have been targeted with reasonably advanced attacks before. In 2015 the author published a checklist for laptop security, this is just an extension of that, teaching people (and LF employees) how to comply with their policies and China's.

Are they likely to be hassled at the border? No. But if there's a way to make all parties happy, might as well document it.


"whose activities include distributing the Linux kernel via kernel.org. They represent a particularly juicy target for nation-state actors"

If they really cared, they wouldn't host it on Linux. It would be OpenBSD or something with every software measure possible on read-only storage that admin physically replaces. That's just to start with. It's good that the author is taking measures but it gets amusing how much risk they keep on distribution side when you bring up nation-states going after them. Most big ones have 0-days for Linux systems anyway. They just use them in a targeted fashion to get more ROI from them. China can probably hit anyone working for Linux Foundation if they wanted to outside some really, paranoid setups that might exist.

They just don't since they don't care about them. They're 100% unimportant to Chinese intelligence. What is important is the source code of the kernel and privileged software which are freely available. If anything, letting Linux development and distribution continue is a good thing for Chinese intelligence since developers add features (and vulnerabilities) more than do code audit on a project whose source is available to the black hats. Makes Chinese spies' jobs so much easier. :)


If I were him I would go with a burner laptop and wouldn't take with me any digital credentials.


That's the TL;DR of the article. ;)


I completely agree, I've entered China about a dozen times in the past year - always a smile, polite, efficient. Never had my bags looked at or questioned.

The US is quite different, far from welcoming, it's scary, so many bad stories of things happening, the immigration people tend to scowl (they must be under so much pressure), they take your photos, your fingerprints (not entering China) ... honestly, as much as I love the US, it's my home, I've spent half my adult life there, I'm not going out of my way to visit these days


I was going to say this: US and UK are far worse. Heathrow is so bad that I'd rather take an Uber from or to another airport. I have been going to all three quite a lot the past 3 years.


I think he knows

> It is important to point out that you are extremely unlikely to be penalized for bringing in an encrypted laptop with you to China, as any kind of widespread zealous application of such practice would quickly shut down any business travel to China -- and this is definitely not in the government's interest.


It seems like a rational argument (about the consequences of adopting such policy) but looking at the US as a live example, is that really happening?

In the US's case, it might mean that the world depends too much on it and has to put up with draconian policies.


It seems to indeed be more that China is up and coming, while the US is declining. Remember how the US used to be friendly to immigrants and prided itself on its diversity? Well, now everyone's already there, everyone speaks English and there hasn't been an internal war in a while. It's like it grew fat and is now hibernating on that.

Just a wild guess, but like many people have said in this discussion: I find it pleasant to go to China, but I have to be paid to go to the US.

Hopefully the US will sort itself out and people can be happy visitors again, and not simply go there because it's normal to do so.


The UK border was OK in comparison to the USA.


The issue with traveling to China is not the border crossing. It's the many places you can be compromised after you've crossed the border (your hotel, the internet cafe, etc).

While working for a couple of different financial institutions they had blanket "hand in your electronic devices" both before you went to China (to ensure you didn't take them) and after you returned (to ensure you didn't attempt to continue using the device they gave you for your trip). This had nothing to do with political dissidents or customs inspections and everything to do with the assumption that anything on a device in China was compromised for financial reasons.

It's possible that the US/UK have been put in the same bucket by these organizations, and maybe with cause, but the threat model is completely different between the 2 places and comparing border crossing experiences doesn't invalidate that.


What a huge load of cold war thinking. Look at the crap below found in the article:

"Then, depending on your level of paranoia, give the ChromeBook away to what is likely to be a very thankful kid/student"

133 million foreigners went through Chinese custom and entered China in 2016 - that is a lot of paranoid laptops to give away.


dis-sys, throughout this thread you seem a bit upset, and seem to be carrying luggage on HN in general, given your outsized participation in China-centric threads. I really don't think the post is as negative as you expect.

The OP is also the author of LinuxFoundation's laptop security guidelines. LF has been targeted by a number of DDoSes, intrusions and worms. At least one was successful, and it's not clear if it was a criminal org, or a state actor disguised as such. So their laptop configuration policy is designed to thwart all comers. Hard drive / swap encryption, SSH keys on GPG cards, secureboot, SELinux, encrypted backups, NoScript, HTTPSEverywhere, FireJail, etc.

China's policy appears to be that you must provide them with data should they request it. Making this happen is pretty much in direct contravention of the same laptop configuration policies designed to thwart the NSA, Europeans, Russians, cybercriminals, etc. But let's look at it this way: LF knew the facts on the ground in China, and proceeded anyways. So their IT manager responsible for preventing another break-in publishes a guide for adhering to China's laws while keeping the LF safe.

Throughout this thread I see people suggesting that they're never bothered by state apparatus, so nobody should worry. I don't know which of that sentiment's implications is more insulting: that kernel.org isn't worthy of state infiltration, or that China isn't competent enough to pull it off.


How many of those 133 million people signed the linux kernel, used by... billions?


The phrase "coal to Newcastle" springs to mind.


>133 million foreigners went through Chinese custom and entered China in 2016 - that is a lot of paranoid laptops to give away.

A lot of laptops that have the wrong keycaps and radio regulatory domain no less.


Feels like given the recent issues people have been facing with US Customs, this advice is relevant there too.


Yeah I'm recognising a lot of similarities here.


Seems to have mistaken China for the US.

Chinese immigration does not treat you as a potential criminal aiming to overstay your visa by default.


> Chinese immigration does not treat you as a potential criminal aiming to overstay your visa by default.

There are probably reasons for that, apparently an estimated 3% of the US population is illegal aliens. I wonder what the number is for China.

https://en.wikipedia.org/wiki/Illegal_immigration_to_the_Uni...


That's what happens when you annex part of a country. People keep moving across something which is not a natural border.

Also, it's sad that you have to call human beings 'aliens'.


"Non-citizens" works just as well I suppose.


"Non-citizens" includes lawful permanent residents and visa holders.

The term generally preferred by those of us who balk at "illegal" and "alien" is "undocumented."


I said "alien" because it's a legal term and I see it used a lot, including by US authorities. FWIW, I was once an alien in the US too and saw this term in my own documents many times. I don't even know any good substitute, "foreigner" is pretty much the literal translation but "illegal foreigners" just sounds unusual, "illegal immigrants" would be better but then "immigrant" isn't really the same thing as "alien".

Now, using "undocumented" for "illegal" is clearly fraudulent. These words don't mean the same.


Illegal alien frames people as primarily criminals who are not like us (and should get out).

Undocumented frames people as lacking official documentation for the lives they lead (so we should document them). That is illegal, yes, but the terminology puts the emphasis in a different place.

Would you say "person who struggled with narcotics addiction" or "felon"? People who were addicted to hard drugs at one point possessed them, and are necessarily criminals in the same way that people who are in the US without corresponding records in government databases are necessarily criminals. Which word you choose depends on how you want the audience to feel about them.

Illegal vs. undocumented is just a code word for your view on immigration policy (with illegal being more neutral, undocumented being specifically liberal).



Why does the author worry so much about China customs? I never had a problem going through China customs with regards to my laptops. And I have never seen nor read about someone having trouble with it.


That's the thing.. A lot of westerners seem to think Chinese state apparatus are super ideological communists bent on catching anything that has a slight smell of democracy.

If I were to sum up my personal experience with Chinese gov. officials, I think "apathetic", or even "lazy" would be a much more apt description.


The author's post is less about smuggling democracy into china and more about avoiding newspaper headlines like 'kernel.org pwned by national actor'.


I understand. The measures described in the article about hardening the laptop as a precaution are good, and I would encourage anyone who has concerns about the security of their device to take similar precautions, regardless of whether or not you have plans to travel.

My response above is more about the paranoia some people tend to have when visiting China because of the reputation of its government, when from my personal experience, the people and the government workers of China are some of the most non-ideological, politically apathetic people I have interacted with.


Most people going through the USA have no issue with US Customs, but there are people that do.


It doesn't matter that most people going through the USA have no issue with US Customs.

What matters is that nerve-wracking bullshit like this[1] happens to people (little old ladies!) from allied bloody countries.

Mem Fox is a celebrated Australian author of children's books.

She later received an apology, but only because she's famous. Tough luck to the average foreigner who gets abused by your border agents.

This is why the US is hell bent on spewing negative propaganda about China and Russia, because it needs to hide the fact that it's a huge embarrassment to itself.

1. http://www.abc.net.au/news/2017-02-25/mem-fox-detained-at-lo...


Australia is even worse than the US when it comes to disgraceful treatment of foreigners by Customs. I was humiliated and interrogated in a similar manner described by Mem Fox in her US trip several times while entering Australia. Several friends from other countries report the same or worse. I've been to the US and China, and without doubt Australia was the worst. China, as others are saying, is actually the easiest one to get in, almost no questions, no intrusion, no laptop/phone raids.

After I became an Australian citizen, I never had problems entering Australia again, interestingly (as everywhere else, they have different Customs areas for citizens).


>Australia is even worse than the US when it comes to disgraceful treatment of foreigners by Customs.

That is a bold claim. As an Australian it would be enlightening if you could provide links to support your assertion.


We should create a service where people can trade laptops when they go to conferences.


No, we should stop organizing conferences in countries where it is not legal to bring encrypted devices for personal use (like China, according to the beginning of the article), or countries where there have been known cases of pressuring travelers to decrypt their devices or of confiscating the devices (like the US).

How is it reasonable or courteous to require your conference attendees to read a long guide, buy a throwaway laptop, set it up, etc., or run the risk of being requested to decrypt sensitive information at the border or have their devices seized?

Just because the US and China get away with this does not mean that all countries do. Just pick any state in this list http://www.wassenaar.org/participating-states/ that doesn't have a history of requesting decryption or taking traveler's property without good cause.


This is already going on in the crypto world, see https://www.iacr.org/misc/us-immigration-ban.html


We've been there, and it looks like we might be going back...

https://wiki.debian.org/non-US (Also: OpenBSD etc)


Well if you think US customs is the model of customs around the world, maybe you should try to behave nicely to those people in a cubicle?


Most non-Americans have issues with US immigration because they're extremely rude for absolutely no reason.

US customs is fine. TSA is a mixed bag. But US immigration are unfathomably rude and disrespectful for no reason at all; they treat you like scum. I've been through US immigration & customs a lot, been sent to secondary three times, ironically the people you deal with in secondary are more polite/reasonable than the people in the little glass booths, but still very "respect my authority."

Ironically going into the US feels more like entering a police state than going into Russia. The Russians were just super disinterested and to-the-point. The US is fine once you're in, but getting in as a non-American is a bad first impression (the UK has this issue too).

I'd hate to think how much worse they would treat me if I was non-white and from a country with traditionally bad or mixed ties to the US. From other people's anecdotes that I've read or spoken to: Bad. Just by what their official union supports (and who) you can get a sense of their views on other races.

Last year the US just started a new policy of asking foreigners for our social media credentials. It is starting out as an option, but like all of these things it is just a matter of "when" not "if" it will be made mandatory.


My twitter account is a throwaway used for spam in f2p games; I love the thought that the only person who will ever read it will be some drone from US immigration.


> Most non-Americans have issues with US immigration because they're extremely rude for absolutely no reason.

Never had a single problem with US immigration or customs. Had plenty of issues with Canadian customs on the other hand. Especially when crossing the border by bus. From Canada to US, never an issue, from US to Canada, treated like shit every time.


I had the reverse happen a lot: car from Canada to US. Hours waiting, very angry, rude officer barking at you. We like vacation in the US so it would not stop us but ugh.


Sibling comments here from people who've been there notwithstanding, if you're afraid your laptop has something "bad" on it when you return, how can you in good conscience give it to an unsuspecting donee? That's like wondering if your doggy bag has food poison, so you give it to your neighbor.


Because while he as a linux kernel developer is a juicy target for the 3PLA's spying/subversion efforts, the Chinese won't be interested in 99.9% of normal people's activities.


I know it is anecdotal, but I have never seen even the slightest hint of anyone having their devices closely looked at entering China. At least not in the 72/144 hour visa-free line that I have been using for the past couple of years. This visa-free entry is aimed at business travelers so perhaps there is less scrutiny there.


I've had the same experience as well. Ironically, the only place where I've ever been scrutinized or directly searched is the US.

Short of being some sort of China-focused activist, you'd have to try real hard to get Chinese law enforcement to care about what you're doing.


Relax, whoever wrote this, you are not travelling to the US.

As long as you are not bringing a world map with Taiwan as a separate color from China, you will be just fine.


People commenting below are probably correct wrt border entry for the common business traveler, but might be surprised if they checked their wifi logs at how many things are hitting it maliciously.

For some companies/positions you may be targeted surreptitiously.

Spying exists. The people who granted me my expedited Russian visa inside the consulate were kicked out as spies.


If you travel a lot, ask immigration to put the stamp in a corner of your passport to save space. Don't put food in your luggage, if you are extremely unlucky a customs dog will smell it. Just walk through customs, no one cares about you. The GFW will block most social media sites and all of Google. The GFW detects the ssh protocol and slows it down/blocks it. ssh -D does work for like 30 seconds or so. Mosh works good. If you really really want to use ssh -D and firefox, remember to do an about:config and change remote DNS to true. Do the same if you use shadowsocks. Plain tor is mostly blocked. If you want to use your own, private VPN connection, use IPSEC, not PPTP. Overseas connections (Europe/USA) are extremely slow. Set up a private VPN in HK or Japan to enjoy faster speeds. Change your apt location or equivalent to something like mirrors.aliyun.com or wait hours for any updates/ package installs.


Relax, they don't usually care what's inside your laptop.

If they ever check it, it's usually because it looks so new so they want to make sure you're not smuggling.


Starts out by pointing out that exporting encryption software is illegal, and then recommends that you export encryption software in unencrypted form.


I missed that bit. I see where he mentions the missing PUE, but that's not the same as outlawing the export of encryption.


Is it really considered exporting if they already have it?


It could be, yes. Similar to how, just because something classified has been published, individuals who "needed to know" still can't talk about it until it's been declassified.


I don't think that's similar at all. When you tell someone something secret, it's still a secret, until you tell them it's no longer a secret. When you start exporting something for the general public, it's generally known.


The article states to use a VPN, but China has now cracked down on them:

https://www.theguardian.com/technology/2017/jan/23/china-vpn...

Your best bet (if you can survive on web only) is to ssh to a server outside the country using the "-D" option which creates a socks proxy, then use firefox to connect.. I tried with chrome but it kept trying to make direct DNS requests (which don't work) and I was unable to fix it.

I was there June, 2016.


I live in China, and have many friends who also live in China. ssh -D is not the best way to access things outside China.

There are many other ways. The best current methods I know of are Shadowsocks (what I use), or ShadowsocksR, or Shadowsocks over obfsproxy. Although the Shadowsocks protocol presents as a socks proxy, there are clients for iOS (e.g. Potatso 2), Android and routers (e.g. those available at koolshare's web site) which make it transparent to use (and they deal with your DNS issue as well, by tunneling DNS through the proxy).


How is shadowsocks better? I looked at the page but nothing immediately jumped out...


How is it better than ssh -D, you mean? I thought I answered that above:

"Although the Shadowsocks protocol presents as a socks proxy, there are clients for iOS (e.g. Potatso 2), Android and routers (e.g. those available at koolshare's web site) which make it transparent to use (and they deal with your DNS issue as well, by tunneling DNS through the proxy)."

How would you use ssh -D to reroute your iPad traffic? How would you set up DNS? How would you help your non-technical friends who wanted to set this up?

Put more simply:

- Easy to set up the server

- Easy to set up devices (Windows, OSX, Android, iOS 9+) so that you can connect in a couple of clicks, and the right traffic goes via the tunnel

- It's reliable (in the past 1+ years I've been using it, I've experienced none of the slow-downs or blocking I experienced using other protocols, including ssh, PPTP, L2TP and OpenVPN).


I see, thank you. I was wondering whether it was just an app, or just a protocol, or what protocol it used, but I see now that it's an app that uses its own protocol, so it makes a bit more sense to me, thanks.


The crackdown only applies to local VPN providers, that is, providers located within the mainland. The majority of VPN providers, which are usually based in Western countries, are not affected, unless added to that blacklist of GFW.

And ssh is not the best way. shadowsocks is.


The "crackdown" had precisely zero effect on vpn usage for anyone I know.


Odd, because when I tried using OpenVPN on my own server in Japan, it kept timing out. I thought it was due to this: https://www.vpnanswers.com/bypass-great-firewall-hide-openvp...


Yes, OpenVPN or really any of the standard VPN protocols are blocked. But this has been the case for a long time before the "new" regulation was introduced.

My point was more that everyone was already using a VPN that wasn't blocked, and that didn't change. (I guess they bribe the government or have an agreement to monitor traffic, or else they are not big enough to care about.)


All this advice applies equally to USA (in particular if you are brown), England and certainly Russia.


It doesn't apply to Russia actually in the slightest.

The only issue with Russian border crossings are the line-ups due to general mess and inefficiency. Nobody checks anything, let alone rummaging through your belongings or asking to see the contents of your devices.


“In particular if you are brown..” [citation needed] – as in actual data and statistics on the alleged difficulties of brown people at the US border. Tens of millions of “brown” people enter the US each year without incident.


Useful notes even for those of us that live here - have been here a total of 18 years and my only cross border issue was bringing in a used (out of production) dot matrix printer for my own factory to use! I just paid the tax. I also use ExpressVPN and find it very good across pc gear, tablets and phones. Just this past week started using dnscrypt on my work laptop - not because of company policy but because I know the govt snoops on that as well. After install and setting a couple of overseas DNS resolvers, all of my web pages load more quickly and getting to onedrive is a world more reliable.

Others have also mentioned that yes the govt doesn't really care about tourists, conference attendees, or even normal business people for that matter. If you are a human rights lawyer, an environment activist, or fill websites with anti-china hate material then you may get 'closer personal attention'.


Seems to me that if you travel internationally these days, your best bet is to leave electronics at home and instead buy "burner" devices at your destination.


Or you just encrypt sensitive files and stash them in a folder somewhere. The chance is practically zero they will find it.


Just a note: it's possible to identify encrypted information by its entropy signature. Forensic tools exist that can scan a filesystem (or a raw block device) and highlight likely locations of encrypted data.
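
The entropy scan described in the comment above, sketched as an added example (not code from the thread or from any forensic tool it alludes to). The block size, the 7.9 bits/byte threshold and the sample image are assumptions constructed for illustration; compressed files score just as high, so a flagged region is a hint to look closer, not proof of encryption.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096   # assumption: scan granularity, a common filesystem block size
THRESHOLD = 7.9     # assumption: bits/byte at or above which a block is flagged


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return sum((c / n) * math.log2(n / c) for c in Counter(block).values())


def high_entropy_runs(data: bytes, block_size: int = BLOCK_SIZE,
                      threshold: float = THRESHOLD):
    """Return [(start, end)] byte offsets of contiguous runs of flagged blocks."""
    runs = []
    run_start = None
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        # A short tail block has too few samples to score reliably; never flag it.
        flagged = len(block) == block_size and shannon_entropy(block) >= threshold
        if flagged and run_start is None:
            run_start = off
        elif not flagged and run_start is not None:
            runs.append((run_start, off))
            run_start = None
    if run_start is not None:
        # Only reachable when the final block was full-sized and flagged.
        runs.append((run_start, len(data)))
    return runs


def constructed_image() -> bytes:
    """Constructed sample 'disk image': plain text, ciphertext-like bytes, zeros."""
    line = b"Meeting notes: travel laptop checklist, nothing sensitive here.\n"
    text = (line * 512)[:4 * BLOCK_SIZE]
    # SHA-256 in counter mode stands in for encrypted data: its output is
    # statistically uniform, which is exactly what the scan keys on.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                     for i in range(3 * BLOCK_SIZE // 32))
    zeros = bytes(2 * BLOCK_SIZE)
    return text + noise + zeros


if __name__ == "__main__":
    image = constructed_image()
    for start, end in high_entropy_runs(image):
        print(f"high-entropy region: offsets {start}-{end} ({end - start} bytes)")
```

The same function works on a raw device or file read in chunks; the only state it needs across blocks is where the current run started.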


This is probably off-topic, but I'm wondering how aggressive is China's GSD (General Staff Department) domestic SIGINT ops compared to U.S.'s NSA or Russia's Spetssvyaz/Special Communications Service?


Does the author unlock all data on his laptop in his hometown? If you're targeted, it doesn't matter where you are. I think there's no difference. You will just be another missing person.


"IT security is just like driving on the highway in the sense that anyone going slower than you is an idiot, and anyone going faster is clearly a maniac"

Excellent metaphor!


There are lots of people talking about China, but not many talking about whether any of this works against well funded government actors.


hmm.. Chinese gov't does not care about normal citizens/foreigners, let alone a speaker in a tech con. However, some of this advice is universally applicable when you are going to any foreign country or even in your home country.


Or the US.


Is there a chance he is mistaking China with North Korea? China is a very welcoming place, passing through the border is a smooth experience.

Unless you are an activist they don't care about anything.



