Open Source and information security mailing list archives
 
Message-Id: <CE11EE8D-4DE7-490D-BFBB-172FA42BC939@gmail.com>
Date: Thu, 1 Nov 2012 10:41:11 -0700
From: bk <chort0@...il.com>
To: Dan Ballance <tzewang.dorje@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Security risks of doing business with China?


On Nov 1, 2012, at 1:43 AM, Dan Ballance wrote:

> Hi guys,
> 
> I greatly respect the collective knowledge about security matters on this list. What do you make of this BBC report? Here in the UK we are seemingly happy to do business with China, but other countries are blocking over alleged security concerns. Do you think these concerns are legitimate or is this purely political protectionism?
> 
> http://www.bbc.co.uk/news/business-20163907
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


There are two main ways businesses are at risk when dealing with China:

a) Trying to do business _in_ China, the authorities won't let you set up shop directly, but instead force you into a "joint venture" with an established (and state-supported) Chinese company. In order to make and sell your products, you have to transfer a lot of intellectual property to the joint venture. Guess what happens to that intellectual property? Pretty soon there are multiple Chinese companies making exactly the same thing you make, but selling for a lot cheaper, and maybe not only in their domestic market.

b) Deploying Chinese-built infrastructure components in critical areas of your country. There's a lot of hype about backdoors, but IMO the biggest practical risk is the technical experts they send to do the support. Do people do background checks on the support experts they send in who will have privileged access and debugging capabilities? I doubt it. Maybe they don't even steal any information directly, but simply file reports on how the infrastructure is designed and connected. That information alone has strategic value.

Related to the original article, simply selling a stake as an investment doesn't appear to be all that risky. It's a question of what access is granted as a part of that investment. Do they get access to board members, to sensitive financial data? If there's no access to non-public data or trade secrets, then there wouldn't appear to be much risk.

Are politicians exploiting China-bashing for votes? Absolutely. Just like any major issue, people are trying to hitch their wagon to it in improbable ways. That doesn't mean there isn't any truth to it.

If you're a business going into China, know that their goal will be to replace you with domestic companies within several years. Don't get bullied into stretching past your risk tolerance. They're really good at making it seem like you have a huge opportunity, if only you give in just a little bit more...

--
chort