Domain: bluecoat.com
Stories and comments across the archive that link to bluecoat.com.
Comments · 27
-
Bluecoat does this for their customers
You're that concerned about security yet you use public wifi?
In practice, can anybody but a state break HTTPS and SSH?
A Bluecoat device will seamlessly MITM any HTTPS for a corporate network. From their website (my emphasis added):
"From simple web-based threats to advanced network threats, you get complete visibility into your encrypted traffic and get to enjoy the peace of mind that comes with working with the best in the business of network security."
-
Re:Exploited sites?
This is true. Their website is https://sitereview.bluecoat.co....
Sometimes automated systems make mistakes, and when they do, they are corrected. Get over it and stop whining.
And by the way, all of the sites mentioned have been fixed.
The New Braunfels Republican Women (www.nbrw.com) > Political/Social Advocacy
Weston Community Children's Association (www.wccakids.org) > Charitable Organizations
Rotary Club of Midland, Ontario (www.clubrunner.ca) > Charitable Organizations -
Misunderstanding what trust is
Take the view of the Pentagon and assume that you are at all times compromised. You probably are. Any given entity can be broken into by a determined hacker. Talk to a pen tester sometime and ask them how many places they have failed to break into. The entire concept of trust is that you can send data privately over the Internet; you can't unless you encrypt your data offline ahead of time.
On the Internet trust is all about identity and encryption. For most people that translates into a certificate that is used to supply SSL. People then assume that because they are using SSL that they can now trust a given connection. There is no justification for trust and there never has been, the entire concept of trust is a misunderstanding of the concept of how a Certificate Authority works.
All a Certificate Authority does is say that there is an unbroken chain of identity from a given point to a given point. Even then a Certificate can be forged or stolen or issued improperly, and even if controls detect a bad certificate in use most people will click the button to use the bad certificate anyways.
All of this assumes that a given government entity hasn't used a court order to force a Certificate Authority to replicate a Certificate so that your data can be seized. Certificate Authorities cooperate with things like court orders, they don't self destruct like Lavabit. That whole backstory with Lavabit self destructing - it was a fight over getting the key that was used because he wouldn't hand over his private key.
People also forget that SSL is wholly dependent on Certificate Authorities. SSL is used to encrypt data with a key when data is in transit. The problem is that anyone who owns the network can conduct an MITM attack against your key. SSL is fundamentally broken because it presents a perception of trust when it is incapable of providing that level of trust.
-
Re:Jupiter Tape?
And Dell, who was the subject of today's slashdot story about Syria that mentioned Blue Coat in the summary, is listed as a strategic partner on Blue Coat's Web site and Narus's Web site.
Narus
For more than 26 years, Dell has empowered countries, communities, customers, and people everywhere with the right technologies to realize their dreams.
Blue Coat
Dell is a strategic reseller & global systems integrator for Blue Coat’s products. Blue Coat’s products are available through the Dell Software & Peripherals catalog for a variety of Secure Web Gateway, WAN Optimization & Visibility solutions.
Dell's Sunnyvale offices are at 909 Hermosa Ct Sunnyvale, CA... not on the same street, but physically adjacent to Blue Coat's campus. Its building is about 40 feet from Blue Coat's... for Dell employees, it's a shorter walk to Blue Coat than it is to some of their own cars in the parking lot.
Spelled out: Blue Coat and Dell work together to sell governments equipment to monitor their citizens' communications. And so do Narus and Dell. -
Re:to be fair
You can use a Blue Coat ProxySG to:
* Prevent malware by using a tie to ProxyAV.
* Manually block sites (no Blue Coat involvement).
* Automatically block sites, by classification. You subscribe to the data provided by Blue Coat. The list of classifications is quite long: http://sitereview.bluecoat.com/catdesc.jsp
* Review who went where, and how.
Unless Syria set up a man-in-the-middle decryption system or went so far as to block protocol anomalies, I'm sure there are lots of ways to get past it. -
SSL Man In The Middle
Blue Coat's ProxySG product offers an ominous feature, "inspection and validation of SSL traffic," that creates a man-in-the-middle capable of opening up and reading SSL encrypted sessions. The reason, they claim, is that malware can leak in via SSL, and therefore enterprises are wise to inspect this data, damn all the legal arguments. This works by injecting the proxy's certificate into your browser's certificates store; afterward, the proxy issues on-the-fly certificates for your popular sites signed by that proxy cert causing your browser to trust it unconditionally and without popup.
-
Re:to be fair
That would depend, in part, on a couple of things:
1. How "3rd party" are the 3rd parties? Shit does get smuggled sometimes; but people have been known to wink at their Dubai-based VARs so long as the money is there...
2. How independent of the mothership are Blue Coat's censorship appliances. Some enterprise gear is relatively independent. Buy it, plug it in, the only remaining contact with the vendor is a warranty call if needed. Some enterprise gear is virtually a rented extension of the vendor's own network: You plug it in, it phones home more or less constantly for updates, with status reports, to go into cripple-mode if the service contract isn't paid up, to initiate service calls for shot FRUs, etc. If Blue Coat's devices are the former, smuggling should be pretty trivial. If the latter, I'd want to hear a very convincing account of how the re-allocation of equipment was hidden from them. It certainly wouldn't be impossible to keep a device from phoning home (software pirates do that sort of thing routinely, and there are other proxying and such tricks that could theoretically be used); but if Blue Coat knew that serial #s X,Y,Z were routinely phoning in for updates from IPs in Syria, and just sort of whistled a happy tune, they aren't exactly blameless.
According to the whitepaper for their "Webpulse" 'cloud-based infrastructure', which appears to be integrated into their various perimeter security appliances, their devices are in more or less constant contact with them, and data including unclassified URLs and binaries may be sent back to them from the security appliances for analysis and the release of detection rulesets to the customerbase.
Unless Syria was running some sneaky scheme for cloaking the location of their Blue Coat devices, or was turning off their most marketed features and running them dumb, Blue Coat should have been well aware of what was going on, and roughly where... -
url lookups
I could care less who is doing the categorization. There are going to be mistakes. The important thing is being able to challenge the rating. Most of these content filtering products have URL category lookup and you can report sites that need further review.
McAfee http://www.trustedsource.org/en/feedback/url
BlueCoat http://sitereview.bluecoat.com/sitereview.jsp
The rest are easily found via google or from their respective support sites. -
Re:I'm going to complain.
>> Because allowing the Skype PtP client on to office computers makes them insecure, and probably uncontrollably violates the Congress firewalls in the process.
Can you provide a link that discusses this in detail? I'd like to know what about Skype is inherently insecure.
Assuming he meant insecure in the workplace, not insecure in general, then the link is here: http://www.bluecoat.com/doc/644/
-
tit for tat
A friend of mine works at Bluecoat ( http://www.bluecoat.com/ if you care...) (they do internet security and filtering services). He says they regularly send reports to Google when they find that Google is compromised with malicious code... so it's good to know Google's taking part in helping fix a problem they certainly deal with.
-
Re:Bad Guys
And don't forget that just because you think it's safe doesn't mean that it actually IS safe. Check out the BlueCoat proxy, which is a corporate web proxy/filter that also works on SSL connections (via man-in-the-middle attack.) All your company has to do is drop their own root certificate on your machine, and unless you're in the habit of checking the sites providing your signature, you may never spot it. (Fortunately Firefox displays the certificate's site name next to the padlock icon.) There's also nothing stopping a corporation from installing a key sniffer or remote observation software on their equipment, which includes your desktop.
Just in case you were thinking that you were "safe" blowing whistles on a darknet at work.
I guess the "Post Anonymously" box isn't going to help me now anyway.
-
Re:Probably intentional
Let's not forget that the Google cache would provide a way around the filtering for every single website in its index
Not so, at least where I work. Sites blocked through the Web Appliance Thingy our crack IT team uses (http://bluecoat.com/) also blocks the Google Cache for those sites.
-
Re:Deep inspection up your authorities
Check out Bluecoat Systems, http://www.bluecoat.com/. In any sufficiently important organization (state, government, ISP, HUGE company), they can mandate hidden proxies from Bluecoat systems. Unless you are extremely diligent and verify the cert **every time**, your company may proxy SSL connections and your browser will still show an encrypted connection, just not directly from the site the user thinks. BTW, the product is NOT listed on the website.
A large US-based telecom/ISP deployed DPI in 2006. I don't recall there being any headlines about it.
-
"Leaked blacklists"
Interesting topic. First, there is no loss of security in publicising blacklists. It is a bit silly (or nasty) to claim this is some security breach when it simply isn't.
The problem with web filtering is that there is a market for it. People want to buy it. People are making money on it. It is not going away.
Now, what the Aussie govt is doing is plain wrong. But, at least, they are not doing it in secret like in the UK... On balance, UK's filter is not mandated by the government, rather it is chosen by ISPs.
Either way, the technology simply isn't there yet.
-
Re:Content still blocked by Blue Coat at my employ
Normally, I wouldn't reply to myself, but Blue Coat's site to report pages that are mis-categorized claims that the Wikipedia page for "Virgin Killer" is now only classified as "Reference." So either the IWF filtered category doesn't get set by users (likely, since it's not selectable in their drop-down menus), and thus the user-accessible site review page doesn't show that category, or else there's a substantial delay in Blue Coat getting the latest blacklist from the IWF.
-
Re:Simple recipe
Don't put too much faith in SSL. Read Bluecoat SSL visibility. It works and decodes the SSL in the middle to inspect traffic. This is the good use of the technique. It is however more sophisticated than plain text protocols to pull off.
-
Re:WARNING: GNAA
Dirt Bag!
WARNING: ProxyAV has detected a virus in this
file!
File has been dropped.
ProxyAV Administrator: unknown
2008-02-14 15:55:56-05:00EST
Hardware serial number: N/A
ProxyAV (Version 3.1.1.7(31501)) - http://www.bluecoat.com/
Antivirus Vendor: Kaspersky Labs
Scan Engine Version: 5.0.0.37
Pattern File Version: 080214.185824.567002 (Timestamp: 2008.02.14 18:58:24)
Machine name: ProxyAV
Machine IP address: xxx.xxx.xxx.xxx
Server: xxx.xxx.xxx.xxx
Client: xxx.xxx.xxx.xxx
Protocol: ICAP
Virus: "Exploit.HTML.DialogArg" found!
URL: http://safesite.on.nimp.org/ -
Re:What Pirate Bay got right
Don't be confused. Look up a little company called BlueCoat http://www.bluecoat.com/. I think IBM just bought them. They help really big companies and governments of all sizes to monitor **all** internet traffic. Don't be confused. There is zero privacy on the internet, just methods to make it a little harder to track your connections.
-
Re:thawte offers free x.509 certificates . . .
I believe thawte offers a viable and professional alternative to PGP.
Open up your IE browser, Internet Options->Content->Certificates and then click on the intermediate and root trusted authorities. Each of these you must trust. Further, another weak point, someone else has the keys that can generate other keys to spoof domains.
Remember, there are devices that can do SSL in the middle. Don't believe me, see http://www.bluecoat.com/downloads/support/BCS_tb_reverse_proxy_with_SSL.pdf Your best defence against a product like this is sign your own certs and don't give the CA to the proxy owners. This way you will get a warning when SSL in the middle hits you. The theory is simple enough. PGP is far superior this way as you don't give out keys to a third party. A third party has no involvement so they don't need to be trusted. PGP for secure point to point is superior to SSL by a billion miles.
-
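The interception mechanism described in the "SSL Man In The Middle" comment above (proxy root in the trust store, leaf certificates minted on the fly) and the "sign your own certs and don't give the CA to the proxy owners" defence from the thawte comment, as an added example. This is not code from the page, from Blue Coat or from any commenter; it builds a throw-away PKI with the openssl command line in a temp directory: a stand-in public CA that signs the genuine leaf, a corporate proxy root that mints a forged leaf for the same hostname, a trust store with the proxy root dropped in, and a pinned SPKI hash recorded from the genuine leaf. The CA names, the hostname mail.example.test and the file layout are assumptions for the demo. Run it with the single argument demo to see each check.

```shell
#!/bin/sh
# Added example (not from the page, Blue Coat or any commenter): a throw-away
# PKI that shows why an interception proxy needs its root in your trust store,
# what the padlock dialog can reveal, and how an SPKI pin catches the forged
# leaf anyway. CA names, hostname and paths are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
HOST="mail.example.test"     # assumed hostname the client thinks it is talking to

# Self-signed root CA: $1 = output prefix, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# Leaf certificate for hostname $3, signed by CA prefix $1, written to prefix $2
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$2.csr" \
    -CA "$1.pem" -CAkey "$1.key" -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# Chain check the way a browser does it: trust store $1, presented leaf $2
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issuer CN of a presented leaf: the "who signed this" line in the padlock dialog
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
}

# SHA-256 over the DER SubjectPublicKeyInfo, base64 (HPKP-style pin)
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# Pin check: expected pin $1 against presented leaf $2 (ignores the trust store)
pin_ok() {
  [ "$(spki_pin "$2")" = "$1" ]
}

# 1. The genuine site: a stand-in public CA and the leaf it issued.
make_ca    "$WORK/public_ca" "Public Root CA"
issue_leaf "$WORK/public_ca" "$WORK/genuine" "$HOST"

# 2. The corporate proxy: its own private root, and the leaf it mints on the
#    fly for the same hostname when it sees the client's connection.
make_ca    "$WORK/proxy_ca" "Corp Proxy Root"
issue_leaf "$WORK/proxy_ca" "$WORK/forged" "$HOST"

# 3. A trust store that has had the proxy root "dropped in" by the desktop team.
cat "$WORK/public_ca.pem" "$WORK/proxy_ca.pem" > "$WORK/store_with_proxy.pem"

# 4. The pin a client would have recorded from a connection made off-network.
PIN=$(spki_pin "$WORK/genuine.pem")

if [ "${1:-}" = "demo" ]; then
  echo "genuine leaf, public store:      $(chain_ok "$WORK/public_ca.pem"        "$WORK/genuine.pem" && echo ok || echo FAIL)"
  echo "forged leaf, public store:       $(chain_ok "$WORK/public_ca.pem"        "$WORK/forged.pem"  && echo ok || echo FAIL)"
  echo "forged leaf, store + proxy root: $(chain_ok "$WORK/store_with_proxy.pem" "$WORK/forged.pem"  && echo ok || echo FAIL)"
  echo "forged leaf issuer:              $(issuer_cn "$WORK/forged.pem")"
  echo "forged leaf matches pin:         $(pin_ok "$PIN" "$WORK/forged.pem" && echo yes || echo NO)"
fi
```

Chain verification of the forged leaf flips from FAIL to ok the moment the proxy root is in the store, which is the entire trick; nothing about the forged certificate itself changes. The issuer CN is the one field a user can eyeball in the padlock dialog, and the pin comparison fails whatever the store contains, which is the commenter's "keep the CA away from the proxy owners" idea made mechanical.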
Internet Parenting Observations and Guidelines
A few fundamental points:
1) The entire range of human behavior, from the most inspired to the most depraved, is available on the Internet.
2) Two fundamentals of your job as a parent are to:
- Teach your children well, to be responsible and accountable for their actions and make good judgments
- Provide a safe environment in which they can learn.
I offer some simple questions:
- Are there elements from the entire range of human behavior that you feel that you would like to keep your children from experiencing at this time?
- Do you feel that you have a responsibility to supervise your children when they engage in activities "at the edge of their judgment"?
The previous responses have already talked about the many analogies and comparables. The bottom line is, in choosing to be a parent, you elect to embrace the responsibility to protect your kids from things they are not ready for, and to supervise them appropriately.
One more fundamental point:
3) Internet behavior is public behavior.
The Internet is a public place. And the Internet is a place where every and any kind of behavior is exhibited, including that which is cruel, nasty, addictive, corrupting, seductive, and damaging. To your kid. The vivid imagery and compelling interactivity of the Internet is not to be underestimated. I submit that you have an interest in keeping your kids away from this kind of experience.
Kids (and parents) need to understand that when they are on the Internet, they are "behaving in public". And that such behavior has consequences, and that there are influences out there that are not benign, not even neutral, but decidedly, aggressively negative.
Teaching kids is great -- a fundamental part of the job. But even if you do it perfectly, and they learn perfectly, they're still kids, and will still be susceptible to well-crafted influences that seek to draw them into destructive or dangerous behavior.
As parents, most of us know in our gut when something is "not good for my kid". Trust your gut. Porn is "not good for my kid". It distorts sexuality and can easily become a compulsion/addiction for many.
Lord-of-the-flies environments where kids run amok unsupervised are "not good for my kid". MySpace is where "good kids" get drawn into "bad behavior" as they experiment with new identities and get stroked for their most provocative acts and attitudes. Stroked by predatory adults as well as their inexperienced and experimental peers.
So, Supervise, Coach, and Protect.
1) Keep the computer in a visible room of the house. Make the behavior seem as public as it really is.
2) Listen to your kids - what are they doing on the net, and what experience do they get? How does it make them feel?
3) Remind your kids that Internet behavior is public behavior, and that you are responsible for their behavior in public.
4) Use tools to supervise, guide, and coach your kids. Yes, that means filtering and monitoring software. (Full disclosure: K9 Web Protection - free - is provided by my company, Blue Coat Systems.)
5) Talk to the parents of your kid's friends, and suggest they do the same. It takes a village to raise a child. The easiest way to beat a filter is to go next door where they don't have one. Demand more from yourself and your peers in protecting your kids.
I invite you to visit TheInternetParent.blogspot.com for more discussion and analysis of these and related issues. -
Re:ports
We can view any SSL traffic leaving or entering our network... been doing it for over a year: http://bluecoat.com/
We just tell the filter which traffic to allow, and which to prevent (based on our Corporate security policy). -
Re:Encryption?
Several:
Any SSL accelerator can do it , given the private key.
An example is the Radware CT100/Appaccel, but most load balancing companies have this capability.
SSLDump is an OSS app that does the same thing.
If you have an in-line device, you can break any session, and proxy the connection both ways. Some Examples:
SCIP
Finjan
Blue Coat
Breach Security also provides an SSL Inspection plugin and appliance that is OEMed by various IDS vendors.
A Google search for SSL Proxy traffic Monitor returns a number of interesting responses. If you can proxy the service, you can do transparent man in the middle attacks on it.
Full Disclosure: I have worked for both Radware and Breach security on these products, and did a SANS tooltalk on the topic (login required). -
Re:I'm putting on my hat...
Sometimes I wonder if this is exactly what companies *want*. They don't want people to use outside e-mail (especially ones running over https) because then they can't easily monitor what their staff is doing.
Yes you can. Bluecoat Systems can intercept SSL communications and output it to "Data Leakage Prevention" devices in plain text, then only pass it along if it's fine. Nobody else can really do this right now, but it's something that's hugely important in the Financial and Health industries. You can't have Joe Schmo emailing a spreadsheet of 100,000 credit card numbers or SSN's through gmail, can you?
http://www.bluecoat.com/solutions/security/ssl.html -
Re:About time
Sounds like this bank doesn't have shareholder value in mind. Which bank is it so I can be sure not to invest in them?
One $40k mistake is not a reason to not invest in a bank. Seriously. Banks have million dollar rounding errors and that's ok; the year after I joined (and I stayed 5 years), the bank had like a $1.4 billion dollar profit, then proceeded to trim 10,000 jobs because they weren't making enough money.
:) As important as the proxy debate was to me, it didn't have any material effect on the bank's financials one way or the other.
OMG, someone who can admit that their job doesn't rule a $507 billion, 94,000-employee organization!
Anyways, the decisionmaker involved has since left the bank. We went with something from CacheFlow (now BlueCoat), something similar to this, because they were appliances, not subject to the OS limitation.
Not bad equipment, but guess what those things actually run inside? Linux and squid. LOL..
-
What about this?
I just read the bluecoat.com offers proxy servers that claim to do exactly what you want.
-
Re:Use a proxy
that's exactly what BlueCoat does. In fact they announced a solution for blocking spyware today http://www.bluecoat.com/news/index.html.
This seems to be a better approach than trying to deal with the problem at the client PCs. -
Prefetching
I'm extremely wary about the new prefetching feature in Mozilla. The Web caching community has tried this from about every angle, but the general consensus of professionals (with one notable exception) is that prefetching is a bad approach.
For one thing, it assumes free bandwidth; not such a hot idea in a lot of places (e.g., Australia, where you pay per Mb).
I've also had network and server administrators calling me in a panic because they're being flooded with requests from a single machine - whoops.
Prefetching is generally pretty antisocial; it says "my browsing experience is so important, damn your network, damn your servers, I'm getting it all!"
This doesn't mean that it isn't of great interest to the research community, of course; go to any caching-related conference and you'll see earnest proposals for prefetching (along with yet more hyper-optimised replacement algorithms... *sigh*).
Specifically, I'm concerned that the Mozilla implementation won't fare any better; in one way, it's better that it uses explicit prefetching hints (rather than some "optimized" algorithm... I hate heuristics), but OTOH it's horrible; this is ripe for abuse by over-zealous webmasters. I wonder how long it'll be before we see a demo of a DOS attack based on this...
Also, not providing a preference UI to control this isn't so bright; Mozilla has matured past the "world is my debugger" stage, at least in this respect. There are legitimate reasons for turning this off; in fact, I think there's a strong argument for turning this off by default.