Ask HN: Should we allow one of our devs to work remotely from China?

2 points by citeright ↗ HN
One of our devs will be going back home to China for a few weeks. Is it an unacceptable security risk for him to work remotely while he’s away?

There are two parts to my question: (1) is this even possible? (2) Is this a good idea?

(1) Is this possible?

We use google suite, and many key pieces of our infrastructure (Jira, bitbucket) use Google for SSO authentication and login. My understanding is that these services will be blocked by the Great Wall. Does anyone have any direct experience with this kind of situation?

(2) Is this a good idea?

I understand the Chinese government has something of a reputation for snarfing down content from laptops brought into the country. Our dev’s laptop has source code, private keys, and (likely) personally identifiable information from our customers. I’m not worried about the Chinese government stealing our source code (we’re so early and our code changes so rapidly that, meh, whatever). Credentials (especially to access our AWS services) seems like a bigger deal.

Am I being too paranoid? Is there any official guidance or best practices about this? Has anyone been in a similar scenario who can share insights?

4 comments

[ 3.2 ms ] story [ 18.9 ms ] thread
Presume the worst case scenario so you can own the decision. If you make the presumption that anything you have your dev[s] do or may or may not have access to will soon be public domain in China, would you have a problem with that? If the answer is no, move forward.
It depends very much on what you work on. If you are in the security business, write software for networking gear or anything like that I'd say no, really do not do that. If you make software for ovens that bake cookies I see no problem.
How much of your IP do you consider expendable?
> Am I being too paranoid?

> I’m not worried about the Chinese government stealing our source code

You're contradicting yourself.

Take security seriously, it's not a game. It is ABSOLUTELY an unacceptable risk. Doesn't matter what your software is, you need to cultivate a security mindset.

That said though, you're already compromised. Your developer has family back in China, the Government there won't hesitate to use them as leverage to get him to hand over everything.