by yerich 2741 days ago
> The agent said Tan handed the flash drive over to the US company, and the firm found that the deleted files would have allowed his new employers to recreate the product in question. The files had been deleted from the flash drive the day before Tan resigned, the affidavit said.

Call me confused, but I don't really see a crime here? The defendant turned over the data before his resignation and is not accused of actually making an attempt to transfer or sell the data to another party, or conspiring to do so. The only accusation is that he had some files that weren't part of his job to have, apparently. But presumably the internal corporate system allowed him access to it and thus he obtained it without breaching any computer system. Perhaps his workplace policy barred him from downloading files onto a USB drive. But is that considered theft?

7 comments

As dguido posted below, the details are a bit different than the tiny pair of sentences you're basing your analysis on.

> On 12/12/2018 at approximately 10:30 a.m., Tan contacted his supervisor, advised he was resigning from Company A, and gave his two weeks' notice. Tan told his supervisor that he was returning to China to be with his family as he is the only child to aging parents. Tan told his supervisor that he did not currently have a job offer, but was negotiating with a few battery companies in China.

> Tan's resignation prompted Company A to revoke his access to company systems, and conduct a Systems Access review of Tan's computer activity.

> That review confirmed that Tan had accessed hundreds of files, including research reports. The reports included not only how to make Product A, which, according to Company A, is a complicated and technically difficult process, but also Company A's plans for marketing Product A in China and in cell phone and lithium-based battery systems. These files included information that Company A considers to be trade secrets and outside the scope of Tan's employment with Company A. The review revealed Tan downloaded restricted files to a personal thumb drive. In the course of his regular duties and responsibilities, Tan should have used his company issued laptop. Tan did not have authorization to use a thumb drive to download Company A files. Tan's supervisor confirmed that nothing in the downloaded files was within Tan's area of responsibility. Further Company A confirmed, through Tan's supervisor, Tan did not have a work related need to access or download the restricted files.

How does this actually work? Does Windows keep a log of files accessed or copied? Or does the company install additional security software that audits this?
Windows has some of this. But if you want crazy levels of granularity there are plenty of software vendors to choose from.

My company knows every file every person accesses, where it came from, and where it went. They lock down computers down to the individual USB port. If you put a thumb drive in the wrong port Windows machine, a guy from IT Security shows up within 30 minutes.

That was the day I found out that if I try to charge my hotspot at work, it shows up as a USB drive.

> 15. Later that day, on 12/12/2018 at approximately 4:00 p.m., Tan sent the following text message to his supervisor:

    ... [Another Company A supervisor] was asking if there is anything I have with me associated with company IP. I have a memory disk that contains lab data that I plan to write report on, and papers/reports I plan to read at home. Now that I have been exited from (COMPANY A), can you check what is the best way of handling the information and how sensitive they are? Can I still read the papers/reports from the memory disk?
> 16. After receiving the above text from Tan, Tan's supervisor asked him to return the flash drive (which Tan's text message referred to as a "memory disk") to Company A.

> 17. At approximately 5:15 pm on 12/12/18, Tan returned to the Research Technology Center at Company A where he provided a USB flash drive to his supervisor. The USB flash drive was Tan's personal property, which he was not authorized to utilize within Company A's space. There is no record of Company A having issued a USB flash drive to Tan.

You just turn on auditing features in Windows on your file servers. There are many third party tools that can help you sift through and retain logs, but the basics can all be done with vanilla Windows OS.
- SharePoint access logs (the server side)
- Corp IT has access to your machine, and can activate keyloggers to see what you are doing with the downloaded files. (the client side)
There's lots of things in play, system logging, storage/file share logging, network traffic logging, authentication logs etc.
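As an added illustration of the Windows auditing the comments above describe (this is not part of the thread and not any commenter's code): with object-access auditing enabled, the Security log records event 4663 for file reads on the server and, under the Removable Storage subcategory, for writes to removable media. The sketch correlates the two per user; the user names, paths, folder and simplified event XML are constructed for the example.

```python
import ntpath
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Task values of the audit subcategories that emit 4663 in the Security log.
TASK_FILE_SYSTEM, TASK_REMOVABLE = 12800, 12812
READ_DATA, WRITE_DATA = 0x1, 0x2            # bits in the 4663 AccessMask field
RESTRICTED = "D:\\Shares\\Research\\"        # hypothetical audited folder


def make_event(task, user, path, mask):
    """Build one constructed 4663 record, reduced to the fields used below."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4663</EventID>'
        f"<Task>{task}</Task></System><EventData>"
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="ObjectName">{path}</Data>'
        f'<Data Name="AccessMask">{mask:#x}</Data></EventData></Event>'
    )


# Constructed sample: file-server reads plus workstation removable-media writes.
SAMPLE_EVENTS = [
    make_event(TASK_FILE_SYSTEM, "jdoe", RESTRICTED + "process.docx", READ_DATA),
    make_event(TASK_FILE_SYSTEM, "jdoe", RESTRICTED + "marketing.pptx", READ_DATA),
    make_event(TASK_REMOVABLE, "jdoe", "\\Device\\HarddiskVolume7\\process.docx", WRITE_DATA),
    make_event(TASK_REMOVABLE, "jdoe", "\\Device\\HarddiskVolume7\\marketing.pptx", WRITE_DATA),
    make_event(TASK_FILE_SYSTEM, "asmith", "D:\\Shares\\Public\\menu.pdf", READ_DATA),
    make_event(TASK_REMOVABLE, "asmith", "\\Device\\HarddiskVolume5\\holiday.jpg", WRITE_DATA),
]


def parse_event(xml_text):
    """Return task, user, path and access mask of a 4663 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "task": int(root.findtext("e:System/e:Task", namespaces=NS)),
        "user": data["SubjectUserName"],
        "path": data["ObjectName"],
        "mask": int(data["AccessMask"], 16),
    }


def copied_to_removable(events, restricted=RESTRICTED):
    """Map each user to restricted file names they read and also wrote to
    removable media. Matching on file name is a heuristic, not proof."""
    reads, writes = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse_event, events)):
        name = ntpath.basename(ev["path"]).lower()
        if ev["task"] == TASK_FILE_SYSTEM and ev["mask"] & READ_DATA:
            if ev["path"].lower().startswith(restricted.lower()):
                reads[ev["user"]].add(name)
        elif ev["task"] == TASK_REMOVABLE and ev["mask"] & WRITE_DATA:
            writes[ev["user"]].add(name)
    return {u: sorted(reads[u] & writes[u]) for u in reads if reads[u] & writes[u]}


if __name__ == "__main__":
    print(copied_to_removable(SAMPLE_EVENTS))
```
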
Thanks for the additional details. It was not present in the article, which is why I am glad I asked the question. It seems that the extent of the copying is greater than I had assumed from the original article's text.
I sometimes feel that people who comment here on the Chinese spying stories are the Chinese agents. First comment is always dismissing the story. Is anyone at HN looking where the comments originate?
You're not imagining it. China is executing a full-on "covert" culture/soft-power war. From the Confucius Institutes in US universities to propaganda "news" papers in New Zealand. They have teams of people trying to control the narrative on the internet anywhere China is mentioned. Quora is the worst in my personal experience.

A lot of this is widely reported on by credible news sources. Many current and ex intelligence and defense officials have called out China as the biggest threat to the US over the past year. I can't believe our government is shut down right now over a "wall" separating us from countries who, in comparison, are our BFFs.

I hope you have your tinfoil hat ready:

https://www.npr.org/2018/10/02/627249909/australia-and-new-z...

https://www.washingtonpost.com/news/josh-rogin/wp/2018/05/22...

https://www.theguardian.com/news/2018/dec/07/china-plan-for-...

raise your hand if your un-advertised Linux server is attacked daily from China
(ノಠ益ಠ)ノ彡┻━┻

Every. Damn. Day.

Particularly at the university, I was setting up a GitLab box that wasn’t supposed to be externalized (didn’t realize at the time that LAN utilizes the public addresses instead of NAT). 90K ssh attacks in 3 days, vast majority from the east Asia area. Luckily none made it through. Learned my lesson (and firewalld) from that experience. Nearly had a panic attack from that (first time setting something up like that).

The above was from my naive days before I started getting more deeply involved in sysadmin and networking work. It’s still incredibly annoying to log in to systems with “There have been 173 failed login attempts since the last successful login.”

When I set up my first gateway/router server for the first time, I was truly shocked to see how much traffic comes in searching for vulnerabilities. I knew it happened, but the frequency was wholly unexpected. SSH requests for root, SMB traffic, etc. every second or so.
If you want to see something, install MySQL on an AWS EC2 (or any host for that matter), turn on verbose logging and open it to the public internet. I saw thousands of Chinese bots trying every way to get root access.
Check out the coordinated campaign against Serpentza and Laowhy86 on youtube.
No, I am not a Chinese agent. I don't know how to prove this to you definitively. However, I'd like to ask you if you consider my query legitimate, given that I did not have access to the full affidavit when I asked it, only the original article which was skimpy on the details around the extent of the copying. Mostly, I was more worried that my company could have me arrested either for accessing or copying a file arbitrarily deemed outside of my duties, or for violating their IT policy.
How much did that company recover of the files?

Is it possible that Tan deliberately deleted them in such a way that they could be recovered forensically? That might save him from getting caught, and his "handler" overseas could even have recommended it.

But who knows... This article doesn't provide enough information to make a good guess at what was going on.

1. He surrendered USB sticks he used inside the company upon resignation.

2. They found confidential files there, but nothing he had no right to access to

3. They found out that he deleted "weird" files the day before he quit the company.

He could not have ever exfiltrated that data to begin with as he gave the drive back to Philips.

Tangent: somehow every single one of your comments was downvoted, even this non-inflammatory, informational one where you replied to someone and they ended up agreeing with you: https://news.ycombinator.com/item?id=18740217

I upvoted a few of your comments that were clearly non-inflammatory and useful. But I'd like to tell everyone who's blindly downvoting you, please read comments before downvoting them, instead of just downvoting everything you can that's tied to the person you disagree with.

Well, unvote them, because this makes no sense: "He could not have ever exfiltrated that data to begin with as he gave the drive back"

Think about it. The USB device was for transferring data to something else. That might have been a personal device with a cellular data plan.

Sure, he gave back the USB drive. He didn't physically take that to China, or intend to do so. Those files were on it for a reason though, and that reason is transferring them to something that gets the data to China.

In the post you're replying to, I included a link that does not contain the sentence you quoted. In fact, that link shows the person making a valid correction. If you read it, you'll see why I upvoted it.

The entire point of the comment I made (which you replied to) is not that baybal2 is correct (in fact, I have no idea/opinion of whether they are correct about the defendant being innocent). The point is that ad hominem attacks through downvotes are a bad thing.

PG has maintained from the beginning that HN comments need not be upvoted for civility alone. “I disagree therefore I downvote” is valid etiquette on HN. I’m not going to stop doing that.
I imagine his comments have been downvoted because he's cherrypicking information from the article to defend the man across multiple comments. See the parent comment to your comment where he ignores that he did access and download files he had no right to access and instead states exactly the opposite according to the facts (in point 2).
> They found confidential files there, but nothing he had no right to access to

You may have missed this part of the criminal complaint:

“Tan's supervisor confirmed that nothing in the downloaded files was within Tan's area of responsibility. Further Company A confirmed, through Tan's supervisor, Tan did not have a work related need to access or download the restricted files.”

I'm not saying he stole data or even did anything wrong.

But he could certainly have copied data off the USB before deleting it.

WELL, the main question: WHY THE HECK did he report on himself??? The charge pretty much says that he voluntarily contacted his supervisor and asked what to do with that USB stick.

And there, the parallel with Micron case gets more startling: the alleged "spy" was the very man who said that his cellphone was missing. Then the police found the cellphone in his coworker's locker. The coworker accidentally put his phone into her bag along with papers on the table. Then the police searched his phone, and found out that "he happened to be a spy" on very similar circumstances.

> WHY THE HECK did he report on himself???

I mean, he deleted the files first. It's reasonable that he thought that was sufficient; given the code I've seen from some scientists, scientist != computer expert.

The innocent explanation is that he was cleaning up company property before returning it, but I expect that will play out in court.

I have done the same thing before. Before returning the work laptop to my employer on the last day, I cleaned out all the company stuff to leave my personal things (this is my only laptop with my personal stuff in it), then moved them out and cleaned them finally.

Is this common?

> It's reasonable that he thought that was sufficient;

But isn't it? He surrendered his flash drive. You can't do anything with it if it is not in your possession... What do you think he was supposed to do with it???

And he had an option not to do so, or moreover, just fly to China without a notice (remember the case of a hedge fund boy who allegedly "stole keys to the kingdom" and then warned his employer that he is leaving the company on a short notice...)

Oh well, a suspect did something illogical, we can't prosecute. The case must be dismissed, because it wasn't a perfect crime.
Yeah, that line of thinking is absurd. He probably got nervous right before he left the company and gave them the USB after hastily trying to delete the files. In which case, the parent commenter would seem to imply that he should be let go because he got nervous after stealing things he shouldn't have access to.
The article is from SCMP, a newspaper in Hong Kong. It's unclear what the source of the information is and it's very unlikely that the SCMP has the same information that the FBI has (as stated in the affidavit [1], the evidence in the affidavit "is intended to show merely that there is sufficient probable cause for the requested warrant").

As the Department of Justice statement [2] says:

> A criminal complaint is merely an allegation, and the defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

There will be a court case where the FBI will lay out all the evidence they have and the jury will decide whether or not the evidence is sufficient to demonstrate that he is guilty.

The court case has not happened yet so it doesn't make sense to jump to conclusions without hearing the evidence first.

[1] https://www.justice.gov/opa/press-release/file/1122851/downl...

[2] https://www.justice.gov/opa/pr/chinese-national-charged-comm...

Sure it makes sense to jump to conclusions, that's why we go on HN! ;)

Seriously though, it's interesting to discuss this case. Clearly we don't have all the information. Some of us may change our minds later. Right now, the evidence that is out there isn't convincing on its own. It's okay to point that out!

Yeah, I agree that it's good to point that out. But I felt that some people might've been losing sight that more evidence would likely be presented in court.
He could easily have exfiltrated the data without ever leaving the premises. All he would have to do is walk into a lab room with an unsecured terminal to upload the files, or used his phone to upload the drive, there aren't hundreds of ways to pass the data off once it's on a thumb drive.
You do realize that there is this crazy new thing now: copying files to a different drive
There's an FBI affidavit linked in another comment that mentions a search warrant found additional copies of the data at his home, and that he'd been in regular contact with a Chinese competitor, who offered him a job and ~$60k US signing bonus based on vaguely phrased information already provided.
Well, if the documents contain trade secrets... You may see them on your boss’s desk and read them and memorize them. That does not make your making a copy of them (even from memory) right or lawful.
I think that's the second Micron case.

An exec reports "phone stolen," phone found in his "collaborator's" locker who accidentally shoved it into her bag along with other papers on the table. Both the exec who reported theft and his "accomplice" are sent to jail, and a "national security" case just sprung up from two completely unrelated cases thanks to prosecutor's creativity.

Same thing here:

1. Apparently they found that he simply had "weird files" on his flash drive.

2. He had full right to access them.

3. He deleted "weird" files he had rightful access to, and voluntarily surrendered the physical medium upon his resignation.

On the sole premise of him deleting "weird" files, he was accused of espionage, with the charge constructed from nothing but tangents, but no "corpus" to "habeas."

When you work somewhere, you end up having access to all sorts of stuff. E.g. through the issue tracker, you might be able to see things about projects that are supposed to be secret (as in company-secret, not government-secret). If you resign and your usb drive has a bunch of deleted files about that stuff, that has nothing to do with your job, that’s a reasonable basis for serious suspicion.

You don’t need a smoking gun of a crime to be suspicious that a crime may have been committed. Suspicious facts are plenty to start investigating, and a mountain of “circumstantial” evidence can even be enough for a conviction.

I don’t know anything about this case, and I’m not accusing this guy of anything, but your line of argument is wrong.

That's not how criminal investigation works, that's how a witch hunt works. In order to be a legitimate criminal investigation, the first part needs to be that an actual crime was committed, then suspicious activities are used to justify an investigation and possible conviction based on evidence. Otherwise, police could just run around arresting people because "that guy looks suspicious", search all their stuff and activities for something possibly illegal, and then say "look, we were right all along".
I agree, but keep in mind that Hongjin has merely been charged and not convicted yet. The evidence has not been presented in court yet, and it's quite likely that the evidence is going to be much much more comprehensive than the small set of facts that appeared in the SCMP article. If this is really all the evidence the FBI has, though, Hongjin will almost certainly not be convicted.
Hasn’t stopped the FBI lately!
It is your line of argument that is wrong, patently wrong.

That's all about accusing a man of murder without proving that the person being murdered is dead. That's unjust, and is a joke of justice, and most fundamental legal standards of criminal law jurisprudence.

Man, who taught you all that?

In the U.S., the defendant can only be convicted if the evidence proves guilt beyond a reasonable doubt.

Hongjin has not been convicted yet, so I don't follow the logic in your comment. The criminal case process has only just started and we have not seen the full evidence yet, and there has been no determination by the court system on whether or not he is guilty.

I think there is some confusion because of the differences in the judicial process between the U.S. and other countries like China.

I'm not saying the U.S. judicial process is perfect, but I think it's unreasonable to attack it before a verdict has even been issued.

Why were they on the USB drive is what I’d like to know.
> ... The defendant turned over the data before his resignation ...

The FBI affidavit contends Tan deleted the confidential data before leaving the U.S. company, not that he turned the thumb drive over to them. The charges suggest Tan kept the drive after leaving the company, though the article doesn't say so explicitly.

Correction: The affidavit does say Tan turned the drive over to them, and of his own initiative, after he was escorted from the company's premises. See paragraph 17 of the affidavit that user baybal2 links to below.

No, he gave up the drive and everything he had from company's IT for review. They are very purposefully avoiding mentioning that, but logically you can't conceive of how they can review the thumb drive without him willingly giving it to them first, nor that he had authorised access to such data in the first place. The charge says nothing about his accessing the data unlawfully, other than saying that he had "no reason" to access it, and it being outside of his immediate responsibility.

https://www.justice.gov/opa/press-release/file/1122851/downl...

I think you're misunderstanding the process in a criminal case.

The affidavit that you linked to explicitly states:

> This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

The full evidence will come out in a court case, and a decision on whether or not he is guilty will be made based on that full evidence. He has only just been charged and the court case has not started yet.

Fair enough. I assumed the parent's source was OP's article.