Should I worry about being targeted in China as a small hardware startup owner?
12 points · brazed_blotch
A lot of manufacturing I'm doing already takes place in China, so they have a lot of the designs for products I make. However, they don't have access to my financial records, for example, emails, etc., and I am anonymous to a lot of my suppliers, some of whom are my direct competitors, to prevent them from knowing what the component they are making actually is/what it's being used in.
At the moment, I am making do with a burner email account that has all my emails redirected to it for the trip, which will only be accessed through a phone with GrapheneOS. I have a Linux machine which will be used just for hardware and software development. All important files are stored on an encrypted USB (could change this to cloud storage but not sure what's better; also I have passport scans on the USB which I don't really want to upload to the cloud ideally).
However, ideally I want to access my Shopify account, and I need to submit my invoices to my accountant every month. I also want access to my email archive, and also access to the company VPN (we have our ticket system and management software on it). I will be in China for longer than a month for sure. I can forgo the above, but it will make my life way harder and I will be relying on employees for one-time codes, showing me the Shopify, etc. Also the servers on the VPN are self-hosted, and it's all through Tailscale; I set the VPSes up myself, so they are not hardened at all, and I wouldn't trust myself to do it properly either.
My question is, given my profile, what threats should I be worried about? Suppliers/government actors trying to get physical access to my machine, or am I being paranoid? Is my current setup overkill? What risks do I face in terms of hacking over the network, and what data is potentially at risk? I am also traveling the majority of the year, so if I can make concessions, I would be grateful, as this will be my setup for a lot of it.
Thanks for reading if you got this far!
bsenftner ·7 days ago
ChumpGPT ·7 days ago
I never had a problem with my factories. Good business people that understood my success was their success.
bing5643 ·7 days ago
markus_zhang ·7 days ago
trod1234 ·7 days ago
Physical access is almost never needed with current consumer hardware, especially if they control the infrastructure, which they do.
Any services you access through their network can potentially be impersonated later or denied while you are there. Cookie capture for auth access tokens is real and very simple to do, and there are many other security threats in the IT space.
You should follow good security hygiene when starting and ending engagements.
You may want to limit your personal access through an intermediary, and almost surely should do a full account reset for all related services/systems you access while abroad upon your return, if you do not choose to create stubbed accounts.
It may be better to use limited stub accounts while traveling, which may also be used later as a tripwire indicator/honeypot of interest related to a particular trip.
From what you've written, it seems that you neglect the fact that physical coercion negates all your current security measures.
You should familiarize yourself with the laws there regarding VPNs, and the related requirements, as well as the customs of business in that country (i.e., gift giving on first meeting, who pays for lunch, that sort of thing).
Not that it will come to physical coercion, or that it is even likely given your profile, but still, you should be aware and prepare accordingly. It is all about risk management.
As for what threats you should be worried about, it's generally nothing you wouldn't already consider in any other country where your personal security is not guaranteed.
If you are particularly concerned about your safety or security, or are entering a high-risk area, K&R insurance, its related planning and preparation for travel abroad often covers the most critical important aspects. This is their jam. Cyber-related losses may potentially be covered under the extortion part of these policies.
Generally speaking, the sooner your state-side counterpart knows there is an actionable issue, the quicker they can react, and this will largely be decided by your level of acceptable risk and prior preparation. Regular check-ins are good practice.
Subtle challenge-response phrase check-ins may allow you to indicate duress, or that you are missing (and not the one responding), in some extreme circumstances.
I'd like to emphasize, none of this is likely to be needed, but these things do happen, and still it is prudent to plan for the worst to give you the best chances if something does go wrong.
You should consider that whatever you access directly while you are there will not be private.
Also, the night before is hardly the right time to be asking these questions.
There is a lot of business process that generally needs to be implemented for proper risk management in an international business setting.
You may find this article helpful as a starting point, and may consider reaching out to one of the companies that specialize in these services, if further more detailed knowledge is needed.
https://us.milliman.com/en/insight/pirates-kidnappings-and-r...
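One way to turn the stub-account idea above into a concrete tripwire, as an added example that is not from the thread: after the trip, the travel-only accounts are retired, so any authentication attempt against them outside the trip window is a high-fidelity alert. The log format, account names, IPs and dates are all constructed for the example.

```python
"""Tripwire check for travel-only ("stub") accounts.

Added example, not from the thread. Assumes a simple constructed auth log
where each line is: ISO timestamp, account, source IP, outcome. Any
authentication attempt against a stub account outside the trip window is
flagged, because nobody legitimate should be using it then.
"""
from datetime import datetime, timezone

# Constructed sample log lines (not real data). Documentation-range IPs.
SAMPLE_LOG = """\
2024-03-02T08:15:00Z travel-shopify 203.0.113.7 success
2024-03-20T22:40:00Z travel-shopify 203.0.113.9 success
2024-04-11T03:02:00Z travel-shopify 198.51.100.23 failure
2024-04-15T11:30:00Z travel-shopify 198.51.100.23 success
2024-04-15T11:31:00Z alice 192.0.2.5 success
"""

STUB_ACCOUNTS = {"travel-shopify", "travel-mail"}  # assumed account names
TRIP_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
TRIP_END = datetime(2024, 3, 31, tzinfo=timezone.utc)


def parse_line(line):
    """Split one constructed log line into (timestamp, account, ip, outcome)."""
    ts, account, ip, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), account, ip, outcome


def tripwire_events(log_text, stub_accounts, trip_start, trip_end):
    """Return (timestamp, account, ip, outcome) for every stub-account
    authentication attempt outside the trip window. Failures count too:
    a failed login against a retired account is still someone probing it."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, account, ip, outcome = parse_line(raw)
        if account in stub_accounts and not (trip_start <= ts <= trip_end):
            alerts.append((ts.isoformat(), account, ip, outcome))
    return alerts


if __name__ == "__main__":
    for event in tripwire_events(SAMPLE_LOG, STUB_ACCOUNTS, TRIP_START, TRIP_END):
        print("TRIPWIRE:", *event)
```

The same check can be applied to the logs of whichever service the stub accounts lived on (Shopify, mail, Tailscale); the point is that the stub account name alone makes the alert unambiguous.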