Should I worry about being targeted in China as a small hardware startup owner?
12 points by brazed_blotch 8 days ago | 7 comments
I'm going to China tomorrow and have already prepared a laptop and phone which I plan to keep just for work trips abroad. I'm the owner of a small hardware startup (less than $1m revenue per year but not an insignificant amount, no employees on the books so it looks like a one man band to anyone looking, and we are not in the security sector so it's nothing sensitive) and am going to China on a business visa in order to carry out assembly operations as well as find a logistics partner, which the government is aware of as it's written in my visa application.

A lot of manufacturing I'm doing already takes place in China, so they have a lot of the designs for products I make. However they don't have access to my financial records for example, emails, etc. and I am anonymous to a lot of my suppliers, some of whom are my direct competitors, to prevent them knowing what the component they are making actually is/what it's being used in.

At the moment, I am making do with a burner email account that has all my emails redirected to it for the trip, which will only be accessed through a phone with GrapheneOS. I have a Linux machine which will be used just for hardware and software development. All important files are stored on an encrypted USB (could change this to cloud storage but not sure what's better; also I have passport scans on the USB which I don't really want to upload to the cloud ideally).

However, ideally I want to access my Shopify account and I need to submit my invoices to my accountant every month. I also want access to my email archive, and also access to the company VPN (we have our ticket system and management software on it). I will be in China for longer than a month for sure. I can forgo the above but it will make my life way harder and I will be relying on employees for one-time codes, showing me the Shopify, etc. Also the servers on the VPN are self hosted, and it's all through Tailscale; I set the VPSes up myself so they are not hardened at all and I wouldn't trust myself to do it properly either.

My question is, given my profile, what threats should I be worried about? Suppliers/government actors trying to get physical access to my machine, or am I being paranoid? Is my current set up overkill? What risks do I face in terms of hacking over the network, what data is potentially at risk? I am also traveling the majority of the year, so if I can make concessions, I would be grateful, as this will be my set up for a lot of it.

Thanks for reading if you got this far!

You're not big enough or important enough to attract attention from the Gov. Depending on your suppliers, you might not be that significant to them either.

I never had a problem with my factories. Good business people that understood my success was their success.


Also consider the little guy, the less ethical hardware supplier and their associates. I'd place more preparation on the horde of less ethical Chinese companies taking advantage of a foreigner than any Chinese Gov. intervention.

Tailscale may not work if you funnel traffic to a VPS as that's a common firewall avoidance tactic. A roaming SIM will have full access to the external internet without needing a VPN; if your carrier roaming is expensive, an eSIM from 3HK or any other Asia roaming SIM may be worth it for 20-50 USD depending on how much data and how long for. If you have any conceivable access to data that someone really wants, always remember xkcd and the wrench. Enjoy China, it's a fantastic place; don't talk about politics and enjoy.

Nothing to worry about as long as you don't get into politics. Enjoy your stay.

In my opinion, your setup is likely to be insufficient for the purposes you want, and in some minor or not so minor ways may be more likely to draw additional scrutiny (i.e. GrapheneOS (minor)/Tailscale (?)).

Physical access is almost never needed with current consumer hardware, especially if they control the infrastructure, which they do.

Any services you access through their network can potentially be impersonated later or denied while you are there. Cookie capture for auth access tokens is real and very simple to do, and there are many other security threats in the IT space.

You should follow good security hygiene when starting and ending engagements.

You may want to limit your personal access through an intermediary, and almost surely should do a full account reset for all related services/systems you access while abroad upon your return, if you do not choose to create stubbed accounts.

It may be better to use limited stub accounts while traveling, which may also be used later as a tripwire indicator/honeypot of interest related to a particular trip.

From what you've written, it seems that you neglect the fact that physical coercion negates all your current security measures.

You should familiarize yourself with the laws there regarding VPNs, and the related requirements, as well as the customs of business in that country (i.e. gift giving on first meeting, who pays for lunch, that sort of thing).

Not that it will come to physical coercion, or that it is even likely given your profile, but still, you should be aware and prepare accordingly. It is all about risk management.

As for what threats you should be worried about, it's generally nothing you wouldn't already consider in any other country where your personal security is not guaranteed.

If you are particularly concerned about your safety or security, or are entering a high-risk area, K&R insurance, its related planning and preparation for travel abroad often covers the most critical important aspects. This is their jam. Cyber-related losses may potentially be covered under the extortion part of these policies.

Generally speaking, the sooner your stateside counterpart knows there is an actionable issue, the quicker they can react, and this will largely be decided by your level of acceptable risk and prior preparation. Regular check-ins are good practice.

Subtle challenge-response phrase check-ins may allow you to indicate duress, or that you are missing (and not the one responding) in some extreme circumstances.

I'd like to emphasize, none of this is likely to be needed, but these things do happen, and still it is prudent to plan for the worst to give you the best chances if something does go wrong.

You should consider that whatever you access directly while you are there will not be private.

Also, the night before is hardly the right time to be asking these questions.

There is a lot of business process that generally needs to be implemented for proper risk management in an international business setting.

You may find this article helpful as a starting point, and may consider reaching out to one of the companies that specialize in these services, if further more detailed knowledge is needed.

https://us.milliman.com/en/insight/pirates-kidnappings-and-r...
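The "stub accounts as a tripwire" idea from this comment, as an added example that is not part of the thread: each throwaway account created for a trip has a known window of legitimate use, and a decoy account has none. Any login or credential change that falls outside that plan is the indicator of interest. The account names, trip dates, IPs and log format below are all constructed; the script assumes the identity provider or application exports login and credential events as one JSON object per line.

```python
"""Tripwire check over login/credential events for trip-specific stub accounts.

Added example (not code from the thread). Assumes one JSON event per line with
at least the keys "ts" (UTC ISO-8601), "account" and "event". Everything in
TRIP_ACCOUNTS and SAMPLE_LOG is constructed for illustration.
"""
import json
from datetime import datetime

# Constructed: stub accounts created for one trip and the UTC window in which
# the traveller may legitimately use them. None marks a pure decoy that should
# never see any activity at all.
TRIP_ACCOUNTS = {
    "shop-travel-2024q3": ("2024-09-01T00:00:00Z", "2024-10-12T00:00:00Z"),
    "mail-travel-2024q3": ("2024-09-01T00:00:00Z", "2024-10-12T00:00:00Z"),
    "vpn-decoy-2024q3": None,
}

# Events that change who controls the account; worth a look even inside the window.
TAKEOVER_EVENTS = {"password_reset", "mfa_enrolled", "api_key_created"}


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_events(lines, accounts=TRIP_ACCOUNTS):
    """Return a list of alert dicts for events that contradict the trip plan."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"severity": "low", "reason": "unparseable log line", "line": raw})
            continue
        acct = ev.get("account")
        if acct not in accounts:
            continue  # not a trip account; outside this tripwire's scope
        window = accounts[acct]
        ts = _parse_ts(ev["ts"])
        kind = ev.get("event")
        severity = reason = None
        if window is None:
            severity, reason = "high", "activity on a decoy account that is never used legitimately"
        else:
            start, end = _parse_ts(window[0]), _parse_ts(window[1])
            if not (start <= ts <= end):
                severity, reason = "high", "activity on a stub account outside its trip window"
            elif kind in TAKEOVER_EVENTS:
                severity, reason = "medium", "credential change on a stub account during the trip"
        if reason:
            alerts.append({
                "severity": severity, "account": acct, "event": kind,
                "ts": ev["ts"], "src_ip": ev.get("src_ip"), "reason": reason,
            })
    return alerts


# Constructed sample log: two normal in-trip logins, one legitimate owner login
# on a non-trip account, then post-trip activity that should trip the wire.
SAMPLE_LOG = """
{"ts": "2024-09-05T08:12:00Z", "account": "shop-travel-2024q3", "event": "login_success", "src_ip": "203.0.113.7"}
{"ts": "2024-09-20T02:40:00Z", "account": "mail-travel-2024q3", "event": "login_success", "src_ip": "203.0.113.9"}
{"ts": "2024-09-10T09:00:00Z", "account": "owner-real-account", "event": "login_success", "src_ip": "192.0.2.4"}
{"ts": "2024-10-30T03:15:00Z", "account": "shop-travel-2024q3", "event": "login_success", "src_ip": "198.51.100.23"}
{"ts": "2024-11-02T11:00:00Z", "account": "vpn-decoy-2024q3", "event": "login_failure", "src_ip": "198.51.100.23"}
{"ts": "2024-11-02T11:01:00Z", "account": "mail-travel-2024q3", "event": "password_reset", "src_ip": "198.51.100.23"}
"""

if __name__ == "__main__":
    for alert in check_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run this against the real event export after the trip, and keep the decoy account alive for a while: a login attempt against an account that was only ever written down on the travel laptop tells you something about where that laptop's contents went.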


> Cookie capture for auth access tokens is real and very simple to do,

If HTTPS, how?


Chain of Trust is the low-hanging fruit; there are many other potential avenues that compromise TLS.

If you want to see a full discussion of this exact topic by cybersecurity professionals, a Reddit post covered it a few years ago. I'll include the link below; it covered all the salient points with regards to what a business person should do while in China and what to expect. My response reiterates it, but lacks as much detail.

Attacks have only gotten better since then. You are up against a country that spends trillions on its ability to see and know everything you do digitally within their borders, and they deny service to companies that prevent or limit this mandatory access requirement.

VPN access is illegal in the country without prior government approval from the PRC's MIIT. Your company has to be approved to run a VPN, and that approval often implicitly includes mandatory requirements for decryption at the service provider level. It's largely speculated that Russia does the same through their network of "Red Boxes" that are co-located at ISPs and data exchanges within its respective country.

When decryption is forced, auth token theft is quite simple and bypasses 2FA in many cases.

Link: https://www.reddit.com/r/cybersecurity/comments/121ftg6/can_...
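One way to notice the chain-of-trust substitution this reply describes, added here as an example and not code from the thread: record the SPKI pin (the SHA-256 of the server's DER-encoded SubjectPublicKeyInfo, as HPKP defined it) of each service you rely on while still on a trusted network, then compare what the network abroad presents. A proxy that re-signs the server certificate with its own CA has to present a different public key, so the pin changes even when hostname and padlock look normal. The script uses only the standard library, with a minimal DER walker to pull the SPKI out of the certificate; `fetch_leaf_der` is a hypothetical helper for live use, and `build_fake_cert` produces a constructed, certificate-shaped DER blob (not a valid certificate) so the parser can be exercised offline.

```python
"""SPKI pinning check to detect a substituted TLS certificate chain.

Added example, not from the thread. Uses only the standard library. The
expected pin is assumed to have been recorded on a trusted network before travel.
"""
import base64
import hashlib
import socket
import ssl


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, whole_tlv_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_vs, _ = _tlv(cert_der, 0)                    # Certificate SEQUENCE
    _, tbs_vs, tbs_ve = _tlv(cert_der, cert_vs)          # tbsCertificate SEQUENCE
    # Drop the optional [0] EXPLICIT version so field positions are stable (v1 or v3):
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    fields = [tlv for tag, tlv in _children(cert_der, tbs_vs, tbs_ve) if tag != 0xA0]
    return fields[5]


def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der, expected_pins):
    """True if the certificate's SPKI pin is one of the pins recorded beforehand."""
    return spki_pin(cert_der) in expected_pins


def fetch_leaf_der(host, port=443):
    """Hypothetical live helper: fetch the leaf certificate this network presents for host.
    Normal validation is left on; an injected CA that the OS trusts would pass it,
    which is exactly the case the pin comparison is for."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# ---- constructed test fixture: a certificate-shaped DER blob, not a real cert ----
def _der(tag, content):
    """Minimal DER encoder for one TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


RSA_OID = bytes.fromhex("06092a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption


def build_fake_cert(key_bytes):
    """Constructed: wrap key_bytes in the X.509 layout so the parser sees a real SPKI position."""
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))            # [0] version = v3
               + _der(0x02, b"\x01")                      # serialNumber
               + _der(0x30, SHA256_RSA_OID + b"\x05\x00")  # signature algorithm
               + _der(0x30, b"")                          # issuer (empty, constructed)
               + _der(0x30, b"")                          # validity (empty, constructed)
               + _der(0x30, b"")                          # subject (empty, constructed)
               + spki)
    return _der(0x30, tbs + _der(0x30, SHA256_RSA_OID + b"\x05\x00") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    trusted = build_fake_cert(b"\x01" * 32)    # what you saw at home
    presented = build_fake_cert(b"\x02" * 32)  # what the hotel network shows you
    known_pins = {spki_pin(trusted)}
    print("pin at home:", spki_pin(trusted))
    print("matches here:", pin_matches(presented, known_pins))
```

Pins change when the service legitimately rotates its key, so record a pin for the current key and any announced backup, and treat a mismatch as "stop and verify out of band", not as proof of interception on its own. Where a service fronted by a CDN serves different leaf keys from different edges, pin the intermediate instead of the leaf.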

