‘123456’ Is 2018’s Worst Password, Study Says. But This Year, ‘donald’ Joined the List

“Donald” has joined a new list. Not of world leaders, but of “worst passwords.” The password-management firm SplashData released its annual list of the 100 worst character combinations it found among leaks of about five million passwords.

“Donald” entered the list at position 23. You’ll also find “qwerty” (#9), “password” (#2), and “baseball” (#32). The worst of the worst passwords? “123456,” which has been sitting on top of the worst password chart for five years running.

Bad passwords are short, easily guessed, often contain words or common abbreviations, and are used by many other people. If one of yours is on the list, the right time to change it is right now.

What’s a strong password? It’s uniquely created for each site, it’s relatively long, and it’s not a common phrase or sequence. Many experts now recommend a password made up of a few words that are picked at random, a technique popularized by Diceware. While this may seem counter-intuitive—couldn’t automated software just try all those words?—the large number of combinations and the length of the password in total make it as hard to break as a shorter sequence that is impossible to type or remember.

Password-management software can generate strong passwords according to any desired recipe, and it’s one reason SplashData promotes its list. Competitors abound, including built-in support across Apple’s and Google’s hardware, software, and browsers—iOS, Safari, and iCloud for Apple and Android, Chrome, and other apps for Google—as well as 1Password, Dashlane, and LastPass.

With over 5.6 billion accounts leaked over the last several years, according to the password-breach notification site Have I Been Pwned, researchers have been able to take a good look at the problem.

Security experts recommend that Web sites not allow users to create easily cracked passwords, but some sites prefer not to deter account creation by requiring something strong.

However, other sites have complex password-formulating requirements—like a mix of upper and lower case, one number, and one symbol—that can lead people to pick “Password1!”, which is only slightly harder for intruders to decipher than “password”.
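The two points above (random-word passphrases and the “Password1!” problem) can be checked in code. The following is an added example, not part of the original article or any vendor's code: it shows a composition-only policy accepting “Password1!”, a normalizing blocklist check rejecting it, and the arithmetic behind passphrase strength. The blocklist holds only the entries the article names, the substitution table is an assumed mapping, and the 7,776-word list size is that of the standard Diceware list.

```python
import math
import re
import secrets

# Constructed sample: only the entries this article names from the "worst" list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "donald", "baseball"}

# Assumed table of common character substitutions, undone before lookup.
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def passes_composition_rules(pw: str) -> bool:
    """The 'upper, lower, one number, one symbol' style of policy."""
    return (
        len(pw) >= 8
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def base_word(pw: str) -> str:
    """Reduce a password to the dictionary word it was built from."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/symbols
    return stripped.translate(SUBSTITUTIONS)


def is_blocklisted(pw: str) -> bool:
    """Reject the listed passwords and trivial decorations of them."""
    return pw.lower() in COMMON_PASSWORDS or base_word(pw) in COMMON_PASSWORDS


def uniform_entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy when each of `picks` items is drawn uniformly
    at random from `choices` options. Only valid for random selection."""
    return picks * math.log2(choices)


def passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """Build a passphrase with a cryptographically secure random source."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd!", "Donald2018", "123456"]:
        print(
            f"{candidate!r}: composition rules pass={passes_composition_rules(candidate)}, "
            f"blocklisted={is_blocklisted(candidate)}"
        )

    # Six random words from a 7,776-word list versus 12 random characters
    # drawn from the 94 printable ASCII symbols.
    print(f"6 random words:  {uniform_entropy_bits(7776, 6):.1f} bits")
    print(f"12 random chars: {uniform_entropy_bits(94, 12):.1f} bits")

    # Constructed toy word list, for demonstration only; a real list is far larger.
    toy_words = ["anvil", "breeze", "cactus", "dune", "ember", "fjord", "gravel", "harbor"]
    print("sample passphrase:", passphrase(toy_words, 6))
```

The entropy figures apply only when the words or characters are chosen at random by software or dice; a phrase a person makes up does not get the same guarantee.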

In many databases, about 50% of users rely on one of a handful of passwords. Hackers can crack those simple passwords and easily gain access to millions or tens of millions of accounts. With many users sharing the same weak password across multiple services, a single breach can jeopardize their accounts at many different sites and services.

2019 will be the year of the cloud system maker

There’s a culture in the US called the maker culture, a hipster phenomenon. Related to the hacker culture, it represents a technology-based extension of the DIY culture that revels in the creation of new devices or systems.

I’ve been a maker for years. For me to feel like I’m accomplishing anything, I need to build physical things such as racing drones, motorcycles, books, on-demand video courses, and, yes, cloud-based software systems. If I don’t make things, I feel a bit empty and unfulfilled. I know there are many people out there who share this condition.

Being a maker involves taking some sort of risk. The risk of failure is the reason many nonmakers use to avoid building things or systems. Dare I say that nonmakers are typically holding leadership positions, typically supervising the makers? This has been the way it’s been for hundreds of years.

However, those who make stuff are moving up in status and pay these days, and that’s especially true in the cloud. Look at any recent job board: The top cloud and IT gigs are for those who build things—architects, engineers, developers, database developers, data scientists, and AI specialists.

While you could certainly say this has always been the focus in IT, the better-paying gigs with more status have been in IT planning positions, where nothing actually gets made. In the past, there was a clear separation between those who plan and direct and those who built. Now we’re removing that separation through the use of cloud computing and devops, as well as other technologies.

Today, those who make also plan while they make. We’ve done this to optimize the value that we get out of technology by removing the separations among planning, developing, and operating. Today, these are often carried out by a single person. The culture is less formal, as are the processes, and nothing stands between the maker’s ability to make things to solve business problems or meet a need of the market.

This is why I’m stating that 2019 will be the year of the cloud system maker. Those will be the hottest positions that will pay the most money. I also think those positions have the job satisfaction potential to make up the happiest group of staff or workers. I’m already one of them.

Truly Proud of Where You Work? Apply for the 2019 Inc. Best Workplaces List Today

In partnership with Quantum Workplace, a leading software platform for employee engagement and performance, Inc. is on the lookout for remarkable companies to feature in the fourth annual Best Workplaces issue. 

While company-sponsored trips to Jamaica are certainly enticing, great perks aren’t the sole–or most important–criteria. Is the culture egalitarian and supportive? Do you feel like your ideas matter and that there’s a clear path for career advancement? We want to hear about those less-tangible benefits too. 

Upon nominating your company, you’ll need to survey all employees using Quantum’s methodology, which includes topics such as trust in senior leadership, career development, change management, and benefits and perks. Quantum also takes into account financial elements of corporate culture. 

In May, winners will be notified via email and in June, Inc. will publish the list of the best places to work online and in print. If your company made the cut, you’ll be able to see how it lines up in comparison to similarly-sized businesses in your industry. How’s that for competitive intelligence?

To access the early rate of $195, applications are due by January 10. The rate goes up to $245 for applications received after that date and until February 14, which is the deadline to apply.

Published on: Dec 12, 2018

Japan rules out asking private firms to avoid telecoms gear that could be malicious

TOKYO (Reuters) – Japan’s government has no plan to ask private companies to avoid buying telecommunications equipment that could have malicious functions, such as information leakage, its top spokesman, Yoshihide Suga, said on Thursday.

The comment suggests Japan does not intend, for the moment, to extend to private firms a policy of not buying such equipment for the government, after it issued a policy document on Monday on the need to maintain cybersecurity during procurement.

While China’s telecoms equipment suppliers Huawei Technologies and ZTE (0763.HK) are not explicitly named, sources said last week the change was aimed at preventing government procurement from the two Chinese makers.

Reporting by Chang-Ran Kim and Sam Nussey; Editing by Clarence Fernandez

Google studies steps to open representative office in Vietnam, government says

HANOI (Reuters) – Alphabet Inc’s Google is studying steps toward opening a representative office in Vietnam, the government of the Southeast Asian nation said on its website, citing Google’s Senior Vice President Kent Walker.

Despite economic reforms and increasing openness to social change, Vietnam’s Communist Party retains tight media censorship and does not tolerate dissent.

The news comes as a controversial cybersecurity law is set to take effect next month, requiring global technology firms to open local offices and store data in the country.

“Google is studying steps to open a representative office in Vietnam,” the website quoted Kent as saying on Tuesday, and adding it would follow a principle of ensuring that host country regulations do not contradict international commitments.

Vietnam appreciated an opinion Google contributed to a draft decree on guidelines to implement the law and ensure cyber safety and security, the website added.

Google did not immediately respond to a request for comment.

Vietnam’s new law has provoked objections from tech companies, rights groups and Western governments, including the United States.

Facebook and Google, which are widely used in Vietnam and serve as the main platforms for dissidents, do not have offices or data storage facilities there and have pushed back on the localization requirements.

The security ministry said the law would protect Vietnam from tens of thousands of large-scale cyber attacks that directly cause serious economic losses and threaten security and social order.

This year, Vietnam, which has been drafting a code of conduct for the internet, asked Facebook to open a local office.

Its information ministry also wants half of social media customers to use domestic social networks by 2020, and plans to stamp out “toxic information” on Facebook and Google.

The draft decree, released last month, requires providers of services such as email and social media to set up offices if they collect or analyze data, allow anti-state actions or cyber attack by users, and fail to remove objectionable content.

Reporting by Mai Nguyen; Editing by Clarence Fernandez

Elon Musk Abuses Tesla Autopilot on *60 Minutes*

“Do you feel safe?” Lesley Stahl asked Elon Musk on Sunday’s episode of 60 Minutes, as the scene showed her riding on the freeway with Musk in a red Tesla Model 3. “Yeah,” the CEO answered, settling back into the driver’s seat, his hands clasped together over his stomach, after turning on the car’s semiautonomous driving system. “Now you’re not driving at all,” Stahl said, incredulously, looking over at his feet.

Musk went on to demonstrate the car’s new Navigate on Autopilot feature, which lets it change lanes by itself. Stahl’s wowed reaction—“Oh my goodness”—matches that of many people when they first see the Tesla take control of its steering and speed. But her questioning, trying to gauge Musk’s involvement in the driving process, highlights a significant issue Tesla faces as it rolls out ever more advanced Autopilot features.

A growing body of evidence makes clear that many drivers are confused about what the car can and can’t do. Tesla has repeatedly insisted—with spokesperson statements, driver manuals, and on-screen warnings in the car—that Autopilot is not an autonomous system. It doesn’t even see stopped firetrucks. The human is always responsible, and should keep their hands on the wheel. Yet, on one of the country’s most popular news programs, Musk risked compounding the confusion by clearly not even touching the steering wheel, and agreeing that he wasn’t driving. As he put it: “I’m not doing anything.”

Meanwhile, Musk continues to talk up Tesla’s goal of making its cars drive themselves in situations far beyond the highway, with no human oversight or involvement. And so he risks widening the gap between what the car seems to do and what it actually does.

Outfits like Waymo and GM’s Cruise are going straight for a fully autonomous system, testing their tech with trained safety drivers in carefully prescribed situations. Tesla has been adding abilities steadily via over-the-air software updates, telling its customers these features are in beta, and letting them have at it. The approach has its merits—they’re clever assistance features that could make driving safer if they’re used properly—but also relies on a driving public that understands the system’s limitations. That’s what makes Musk’s on-camera willingness to let go of the wheel look so unfortunate. (Tesla did not reply to a series of questions about the 60 Minutes interview.)

“His board of directors needs to slap him upside the head,” says Missy Cummings, who researches human and autonomous vehicle interaction at Duke University. “One of the biggest problems with Tesla is something called mode confusion—people don’t realize when a car is in one automated mode versus not.”

Ironically, part of the problem is the high quality of Tesla’s software. Over the weekend, I drove about 60 miles on the freeway in a Model 3, using Navigate on Autopilot. The new feature lets the car change lanes to pass slower vehicles and merge into the correct lane to take an exit. The car’s central display shows other cars around the Tesla in a cartoonish graphical representation. (Once, on surface streets, the car spotted a man on an electric scooter moving into a blind spot, noting him as a stick figure pedestrian.) The car requires the driver’s approval before changing lanes, indicating where it wants to go with a gray line on the screen. Once I signaled my approval with a tap of the gear or indicator stalk, the computer put on the blinker, waited for a gap in the traffic, moved over, and canceled the signal. It felt particularly futuristic when I reached my freeway exit (per the destination I entered in the navigation system). The car signaled, moved into the exit lane, slowed down, and made three “bong” sounds to tell me Navigate on Autopilot was turning off, all without my involvement.

Because it was a new feature, I stayed hyper alert, keeping at least one hand on the wheel and watching the mirrors to make sure the car stayed safe—just like you’re supposed to. But I know from experience with previous versions of Autopilot that such vigilance wears off quickly. When the car drives so capably, it’s easy to be lulled into a sense that the computer doesn’t need any help or supervision. It’s fine. It’s OK to glance away from the road for a moment, or a minute, or a few minutes.

“This is why it’s so dangerous,” says Cummings. “One of the things we know for sure is humans will immediately start not paying attention as soon as the car is doing a good enough job.”

This sort of overconfidence in the automation has been cited by the National Transportation Safety Board in the first Autopilot fatality that killed Josh Brown in Florida in May 2016. It has been implicated in more recent deaths and the three times (at least) Tesla drivers have slammed into stopped fire trucks in 2018 alone. And with the booming sales of the Model 3, more and more regular drivers, with little experience of automated systems and no training, will be acting as Tesla’s safety drivers. “The public doesn’t understand issues surrounding the technical limitations,” Cummings says.

That’s not holding Tesla back. Also on Sunday, Musk tweeted that the company is testing more Autopilot features in development software, including the ability to handle traffic lights and roundabouts.

For the foreseeable future, though, Tesla’s cars will require driver oversight, if not input. But despite Tesla’s recent efforts to make it harder for drivers to zone out, the man leading the charge doesn’t seem to have gotten the message.

Australian watchdog calls for more scrutiny of Google, Facebook

SYDNEY (Reuters) – Australia’s competition watchdog on Monday recommended a new regulatory body be set up to monitor tech giants Facebook Inc and Alphabet Inc’s Google and their dominance of the online advertising and news markets.

The Australian Competition and Consumer Commission (ACCC) said in a preliminary report on the U.S. firms’ market power that extra oversight was justified to ensure advertisers were treated fairly and the public access to news was unfettered.

The report, ordered by the government a year ago, is being closely watched as lawmakers around the world wrestle with the powerful tech firms’ role in public life and their influence on everything from privacy to disinformation and traditional media.

It follows moves by Australia last week to compel tech firms to help security agencies access private user data.

Facebook and Google’s algorithms governing the display of advertisements lacked transparency, the ACCC said in its report, giving the firms “both the ability and incentive to favor their own related businesses” ahead of advertisers’.

Similarly, the companies have usurped traditional publishers as news distributors, which has both hurt incumbent media companies and made it harder for readers to find accurate reports, the regulator found.

“Consumers face a potential risk of filter bubbles, or echo chambers, and less reliable news on digital platforms,” ACCC Chairman Rod Sims said in a statement.

The ACCC has suggested that a new regulator be given investigative powers to examine how the companies rank advertisements and news articles.

Facebook and Google had no immediate response, although both firms say they are committed to tackling the spread of fake news.

Australia’s government ordered the probe into the firms’ influence as part of wider media reforms, amid growing concern for the future of journalism and the quality of news following years of declining profits and newsroom job cuts.

Like their rivals globally, Australia’s traditional media companies have been squeezed by online rivals, as advertising dollars have followed eyeballs to digital distributors.

Reporting by Tom Westbrook in SYDNEY and Devika Syamnath in Bengaluru; Editing by Peter Cooney and Stephen Coates

Cyber Saturday—Marriott’s Data Breach Baloney, Quora Hack, Aussie Encryption Law

Happy weekend, Cyber Saturday readers.

I’m back stateside after a week-and-a-half stay in China, where I helped host Fortune’s 2018 Global Tech Forum. I hope you understand the absence of last weekend’s dispatch; following the event, I took an impromptu vacation in Hong Kong. Thankfully, I did not stay at a Marriott hotel. Speaking of which.

As you have no doubt heard by now, Marriott disclosed a massive data breach that exposed up to 500 million customer records. Hackers accessed information in the company’s Starwood reservation system, which affected brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and other properties in the Starwood portfolio, the company said. The intrusion apparently began in 2014, two years before Marriott acquired Starwood. This oversight in the M&A process calls to mind another recent, post-acquisition hacker-surprise: Yahoo, whose two mega-breaches remained undetected when the company sold to Verizon last year. Coincidentally, Marriott’s hack is the biggest suffered by a corporation, second only to those at Yahoo.

After news of the Marriott breach came out, Sen. Charles E. Schumer (D-N.Y.) called on the hotel chain to foot the bill and replace people’s passports which were potentially compromised as part of the breach. Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization. A devastating payout.

Here’s the thing though: While seemingly noble, Marriott’s promise is a bunch of baloney. The company said it will follow through on reimbursement only in instances where it “determine[s] that fraud has taken place.” What this caveat conveniently excludes is that Marriott’s hack likely had little to do with fraud and everything to do with espionage. In other words, if you’re a victim, don’t expect remuneration.

As Reuters reported, investigators believe the perpetrators of this attack were Chinese spies. The breach used tools, tactics, and procedures that matched Beijing’s style. The intrusion is said to have begun shortly after a breach of the government’s Office of Personnel Management, which government officials have attributed to China. The Starwood database represents a massive trove of potential intelligence: information on who is staying where, when—a bonanza for building up profiles of targets and tracking people of interest.

Geng Shuang, China’s Ministry of Foreign Affairs spokesperson, issued a statement saying the country “opposes all forms of cyber attack,” per Reuters. He said the country would investigate the claims, if offered evidence. Meanwhile, Connie Kim, a Marriott spokesperson, said “we’ve got nothing to share” about the Chinese attribution claim.

The Marriott breach—which took place quietly over years, as spies prefer—does not appear to have been a cybercriminal score. The passport payment pledge is probably bunk; nevertheless, if you think you might have been affected, it won’t hurt to follow these steps to refresh your cybersecurity hygiene and better protect yourself.

Have a great weekend.

Robert Hackett

@rhhackett

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

U.S. accuses Huawei CFO of Iran sanctions cover-up

VANCOUVER/LONDON (Reuters) – Huawei Technologies Co Ltd’s chief financial officer faces U.S. accusations that she covered up her company’s links to a firm that tried to sell equipment to Iran despite sanctions, a Canadian prosecutor said on Friday, arguing against giving her bail while she awaits extradition.

The case against Meng Wanzhou, who is also the daughter of the founder of Huawei, stems from a 2013 Reuters report about the company’s close ties to Hong Kong-based Skycom Tech Co Ltd, which attempted to sell U.S. equipment to Iran despite U.S. and European Union bans, the prosecutor told a Vancouver court.

U.S. prosecutors argue that Meng was not truthful to banks who asked her about links between the two firms, the court heard on Friday. If extradited to the United States, Meng would face charges of conspiracy to defraud multiple financial institutions, the court heard, with a maximum sentence of 30 years for each charge.

Meng, 46, was arrested in Canada on Dec. 1 at the request of the United States. The arrest was on the same day that U.S. President Donald Trump met in Argentina with China’s Xi Jinping to look for ways to resolve an escalating trade war between the world’s two largest economies.

The news of her arrest has roiled stock markets and drawn condemnation from Chinese authorities, although Trump and his top economic advisers have downplayed its importance to trade talks after the two leaders agreed to a truce.

A spokesman for Huawei had no immediate comment on the case against Meng on Friday. The company has said it complies with all applicable export control and sanctions laws and other regulations.

Friday’s court hearing is intended to decide on whether Meng can post bail or if she is a flight risk and should be kept in detention.

The prosecutor opposed bail, arguing that Meng was a high flight risk with few ties to Vancouver and that her family’s wealth would mean that even a multi-million-dollar surety would not weigh heavily should she breach conditions.

Meng’s lawyer, David Martin, said her prominence made it unlikely she would breach any court orders.

“You can trust her,” he said. Fleeing “would humiliate and embarrass her father, whom she loves,” he argued.

The United States has 60 days to make a formal extradition request, which a Canadian judge will weigh to determine whether the case against Meng is strong enough. Then it is up to Canada’s justice minister to decide whether to extradite her.

Chinese Foreign ministry spokesman Geng Shuang said on Friday that neither Canada nor the United States had provided China any evidence that Meng had broken any law in those two countries, and reiterated Beijing’s demand that she be released.

Chinese state media accused the United States of trying to “stifle” Huawei and curb its global expansion.

IRAN BUSINESS

The U.S. case against Meng involves Skycom, which had an office in Tehran and which Huawei has described as one of its “major local partners” in Iran.

In January 2013, Reuters reported that Skycom, which tried to sell embargoed Hewlett-Packard computer equipment to Iran’s largest mobile-phone operator, had much closer ties to Huawei and Meng than previously known.

In 2007, a management company controlled by Huawei’s parent company held all of Skycom’s shares. At the time, Meng served as the management firm’s company secretary. Meng also served on Skycom’s board between February 2008 and April 2009, according to Skycom records filed with Hong Kong’s Companies Registry.

Huawei used Skycom’s Tehran office to provide mobile network equipment to several major telecommunications companies in Iran, people familiar with the company’s operations have said. Two of the sources said that technically Skycom was controlled by Iranians to comply with local law but that it effectively was run by Huawei.

Huawei and Skycom were “the same,” a former Huawei employee who worked in Iran said on Friday.

A Huawei spokesman told Reuters in 2013: “Huawei has established a trade compliance system which is in line with industry best practices and our business in Iran is in full compliance with all applicable laws and regulations including those of the U.N. We also require our partners, such as Skycom, to make the same commitments.”

U.S. CASE

The United States has been looking since at least 2016 into whether Huawei violated U.S. sanctions against Iran, Reuters reported in April.

The case against Meng revolves around her response to banks, who asked her about Huawei’s links to Skycom in the wake of the 2013 Reuters report. U.S. prosecutors argue that Meng fraudulently said there was no link, the court heard on Friday.

U.S. investigators believe the misrepresentations induced the banks to provide services to Huawei despite the fact they were operating in sanctioned countries, Canadian court documents released on Friday showed.

The hearing did not name any banks, but sources told Reuters this week that the probe centered on whether Huawei had used HSBC Holdings (HSBA.L) to conduct illegal transactions. HSBC is not under investigation.

U.S. intelligence agencies have also alleged that Huawei is linked to China’s government and its equipment could contain “backdoors” for use by government spies. No evidence has been produced publicly and the firm has repeatedly denied the claims.

The probe of Huawei is similar to one that threatened the survival of China’s ZTE Corp (0763.HK) (000063.SZ), which pleaded guilty in 2017 to violating U.S. laws that restrict the sale of American-made technology to Iran. ZTE paid a $892 million penalty.

Reporting by Julie Gordon in Vancouver and Steve Stecklow in London; Additional reporting by Anna Mehler Paperny in Toronto, David Ljunggren in Ottawa, Karen Freifeld in New York, Ben Blanchard and Yilei Sun in Beijing, and Sijia Jiang in Hong Kong; Writing by Denny Thomas and Rosalba O’Brien; Editing by Muralikumar Anantharaman, Susan Thomas and Sonya Hepinstall