Readit News
Posted by u/tsenkov 3 years ago
Ask HN: How to safely collaborate with team member (temp) in China?
A person goes to China for a month, visiting family, and they want to continue to collaborate with the team while there.

A VPN seems to be a no-brainer, but even in that scenario, VPNs allowed to operate in China most likely collaborate with the Chinese government?

Is there a secure way to get access to company data and systems of a western company while traveling in China?

hayst4ck · 3 years ago
You could set up your own VPN, and if it works, great; if it doesn't, that's life.

I think the question that's more important is how big of a target are you? If you/your company/your co-worker are all ultimately nobodies, then it probably doesn't matter.

If you have highly desirable state secrets or advanced tech, then from a technical perspective you're probably out of luck.

Your problem might not even be the connection, but the device connecting.

Chinese (PRC) people will almost all have WeChat on their phone. It's not hard to imagine keeping a list of all Chinese citizens in the US who come back to China, catching messages that say "I have to work for several hours" and launching a targeted attack with Pegasus-like software.

A border agent could say "your data or else."

If you buy an iPhone in China, that data, like complete backups, is probably open to the Chinese government, probably unencrypted. I am not sure what happens when a person who bought an iPhone outside of China brings it to China, or sets their locality to PRC.

A password vault could be compelled to be opened.

So to answer your question, first we have to understand what you have of value and what your threat model is.

From an ultra-paranoid perspective, no physical device with privileges should enter China, and even the employee's personal devices shouldn't have anything company-related like 2FA codes.

From a completely practical perspective, connecting to a VPN on a laptop while tethering through a "state approved" VPN is probably fine.

I think most valley companies would give completely new devices for e-mail and meetings and maybe local development, but completely restrict prod access, then destroy those devices when the employee comes back, but maybe I misremember.

tsenkov · 3 years ago
Thanks for the reply, I appreciate you taking the time to write it - there is a lot of useful info in here and def food for thought.

comprev · 3 years ago
Serious question - is the staff member _that vital_ to the company that they cannot be unavailable for one month?

The first thing I'd do is involve a lawyer familiar with working for a western company in "hostile" environments and involve InfoSec for a risk assessment.

Coincidentally, I know of a Chinese citizen, living & working in the EU (western employer), who needs to be in China for 1-2 months for medical reasons. He casually (well, naively) believes it will be no different to working remotely in the EU, and therefore not a problem for his employers.

hnthrowaway0328 · 3 years ago
From my understanding, companies in China can apply for non-blocking Internet so people can visit Google/YouTube/etc. freely. However, if your concern is that the general Internet in China is not safe enough (monitored), I'm not sure what solutions can solve that. Maybe there is some end-to-end encryption software that you can use?

tsenkov · 3 years ago
Thanks for the reply. We are not keeping a continuous presence in the country, just have a teammate who lives in Canada, but is from China and would like to visit family for a month or so.

markus_zhang · 3 years ago
NP. Worst case maybe just ask him to take the time away :D

tsenkov · 3 years ago
Does anyone know if an Amazon Workspace hosted in Tokyo could be accessed from China? Latency to AWS Japan would likely be one of, or the, lowest from China to an AWS datacenter?