Hi all,
American traveling to China for IETF, and making my tech prep plans (bringing a laptop, phone, tablet, kindle, and steam deck). I won’t bias with my current plans too much, but I do already run Linux+LUKS and GrapheneOS.
For those with experience, what tech prep would you do?
Thanks!
Since google is blocked, google maps is also blocked. Hence, make sure to have a good alternative available. Bing maps, Apple maps, or OSM.
Yea, I heard aMaps? is the official choice but Organic Maps works good. I also have OsmAnd.
Completely depends on what your threat model is, but personally:
I’d make an encrypted image of my drives, upload that to remote storage, zero out the drives for border crossing, then restore over the wire on the other side.
Don’t zero, install windows. Use company laptop or loaner, might catch hardware backdoor on the border. Don’t use for critical stuff or to access critical stuff. Discard or return afteru the fact.
might catch hardware backdoor on the border
Say whatever you will about the CCP: there’s nobody on earth burning the level of resources needed to do that undetectably and reliably on some tourist pleb’s arbitrary hardware.
More power to you if that’s what you wanna spend energy on, though.
Half a dollar for the hardware and they already have the manpower there. Certainly not bugging any random device, but there is always the chance and its certainly not unheard of. I’m a security researcher, that might be a red flag. But somebody posting on Lemmy might also be considered an activist and certainly somebody trying to enter the country with a heap of encrypted devices.
Genuine curiosity: What kind of hardware bug would you go for if you wanted to spy on a relatively easy target like a Thinkpad from ten years ago, and had 1-2 hours to install it?
My naive guess would be intercepting the monitor cable to pull occasional screencaps, but then you’d need a wireless modem to transmit out and you’d have pretty serious limitations on power draw (assuming you’re running off a cell battery and not splicing in somewhere).
Hardware bugs are put on the storage. Allows injecting data into ram or backdooring the OS.
I can absolutely see that making sense for a targeted attack.
Are there bootkits in the wild that can reliably bootstrap to a rootkit on most non-Windows hosts these days? The hard part of that approach would be having a bootkit payload sophisticated enough to escalate to a meaningful form of exfiltration, I imagine.
Backdooring initrd is standard stuff. This allows Luks key extraction and upload via staging through the root fs.
Linux+LUKS and GrapheneOS
Reminder that you’d be going to another legal jurisdiction, don’t be an arrogant Westerner and assume your “Constitutional Rights” apply there. If they ask to search your devices, and you refuse to unlock it, they can do anything from deportation to potentially jailing you. Just keep this in mind. You may not have a “right to silence” there.¹
(¹I am not a lawyer)
You can’t fix legal issues with technological solutions.
Very good point. I think I’m going to go with my old laptop, my debate on the phone continues. Full wipe, or just set up a new profile? Hmm…
Multi level encryption ftw
I’ve been a few times and crossed that border once, only with a phone and maybe kindle but never had a device searched or even looked at. Also on my latest trip last September I got an esim through airalo which didn’t block access to any websites.
Yea esim is something I need to figure out. I’ll look at airalo, thanks!
When traveling for work to new locations I always made sure to have multiple connectivity and VPN options (including commercial VPNs with in-country PoPs). It’s amazing what will work and won’t because of a hotel or conference venue setting.
Also, always good to get a local SIM with a roaming data plan and hotspot support. You can get the SIM in U.S. (pricey) or when you land. Hotels can help with that. Forgot to do it once and got reamed by the home carrier and their ‘international travel’ plan, especially with SMS/MMS messaging.
Push notifications go over internet so that needs a data plan. I would also go through all unnecessary apps and disable pointless notifications before travel (I don’t need realtime baseball scores while traveling). For local activity, nice to download larger files like maps, music, ebooks, audiobooks, and hiking guides.
As others have said, be careful not to violate local data sovereignty rules. Also, some folks have had issues with electronics seizure when returning at U.S. ports-of-entry. May want to slim down what you take with you.
Some non-tech thing. Make sure you talk to your healthcare plan about international travel. Best to make sure you have coverage while traveling. Also, may want to install and set up WeChat and AliPay mobile apps and configure payment before heading over. Many places won’t take cash or ATM cards. Before bringing back souvenirs, make sure they’re OK. Liquor, agricultural products, and unlicensed electronics usually have restrictions.
Lastly, sure hope you all update rfc2549 to support Meshtastic 😬
Hah yes, must have the mesh.
Yea, VPN to homelab is a pretty important one to me. I run all my services as *.lan behind Wireguard with ntfy for push notifications. I’ve got Alipay already but will be adding Wechat to that list, too. Great recco on healthcare, almost forgot that one!
i would just carry a mostly empty (wiped) laptop and a recent-ish iphone. i do hate iphones but they’re reasonably secure, and many chinese apps are notorious for crazy background usage and shits. those apps’ ios versions tend to be much better/less intrusive. you’ll probably have to use a few to find places or make payments…
Never been, sounds like an adventure! (Also a grapheneOS user, that’s awesome) How long is your trip?
I’d be thinking about a dual sim burner phone and a laptop I don’t care about for the trip myself. Possibly unnecessary but I always err on the side of caution, often to a fault. I’ve never been and can’t speak from experience.
Yea since my phone will be on me, I’m less concerned on the need of a burner, especially as I can use a second profile.
But for laptop, I am considering a fresh build/take down on my old one, thanks for reaffirming that. The big catch is tablet, SD, and kindle, which would likely be left in a room and don’t have the same security features.
