Blue Coat Concedes Its Devices Operating in Syria
A few weeks ago, in reaction to claims that Blue Coat systems were being used to track internet use in Syria, a company spokesman denied the charges here, saying "To our knowledge, we do not have any customers in Syria," and that the company followed the web of regulations that would prohibit sale to certain countries, Syria among them. In response to the logs on which the claims were based, he said "it appears that these logs came from an appliance in a country where there are no trade restrictions." A report at the Wall Street Journal says that the company has now acknowledged that Blue Coat devices are being used in Syria after all; the paper reports that at least 13 of the censorware boxes are in use there, and cites an unnamed source who says "as many as 25 appliances have made their way into Syria since the mid-2000s, with most sold through Dubai-based middlemen."
Third parties smuggling hardware into a banned country isn't quite the same as adding to your customer base. Unless of course you are a superpower.
I don't care about this AC.
Who here is surprised by this?
I'm sure a nice premium was paid to the Dubai distributor, who also most likely set up proxies for Syria so the update requests to BlueCoat look like they originate in the UAE.
I'd be stunned to learn there wasn't more than a few dedicated suppliers in the Middle East who do nothing BUT funnel high-tech equipment into Syria and Iran, along with anyone else who pays in cash. They probably have plenty of competition from Russian distributors.
Learning HOW to think is more important than learning WHAT to think.
Ho Hum, Corps lying, then they admit it, and no one has any energy left to care.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Some people seem to have got the idea that tweeting and joining facebook groups is the way to change a regime. Which is the only reason this is News, like the only thing between Syrian hell and Syrian utopia is internet access. More or less that's not the case and the only reason Mubarak went was he thought he could trust guys he'd known for decades not to throw him in jail, probably now he regrets not repeating the shooting sprees he carried out in the 80s.
Point being thousands of people have now been shot in Syria and it really has nothing to do with the internet. At this stage nobody wants to get involved because although that dictatorship could be overthrown very fast the next guys might be worse (Libyan NTC repealed the secular Gaddafi bans on polygamy as their first official act) and according to Assad on his way out him and his Hezbollah pals will fire thousands of rockets at Israel.
So some Arabs making some profits by reshipping some internet censorship stuff is the least of *anyone's* concerns. Half the problem is that western leaders seem to believe the inner goodness of everyone on earth, news flash: not everyone is Booker T Washington just waiting for some education so they can build schools and liberate themselves, history proves quite the opposite. That's why things are hopeless, if you tried to do what Booker did in Damascus you'd be shot before you got started by some martyrs brigade who thinks arithmetic is a western conspiracy.
I don't like to have many sites blocked by the Bluecoat box in our network, but they do a necessary service, using Facebook and Youtube belongs to the home and your personal devices. The use or abuse of this equipment is a decision of the customers, not the company making products. Linux and a lot of GNU software can and surely have been used to enable the killing of thousands, but we will not be blaming Stallman and Torvalds for that.
Mexico: 100% conservative's America now!
A Bluecoat box, without updates, eventually ceases to operate properly if at all. So, Bluecoat can just chase down the offending machines and therefore the money stream, and stop updating them. Eventually they won't be able to run a report (to figure out who went where), block proxy avoidance sites, or do anything useful with it. How do I know this? I have a large customer that stopped paying the maintenance, and that is what happened.
Blue Coat's ProxySG product offers an ominous feature, "inspection and validation of SSL traffic," that creates a man-in-the-middle capable of opening up and reading SSL encrypted sessions. The reason, they claim, is that malware can leak in via SSL, and therefore enterprises are wise to inspect this data, damn all the legal arguments. This works by injecting the proxy's certificate into your browser's certificate store; afterward, the proxy issues on-the-fly certificates for your popular sites signed by that proxy cert, causing your browser to trust it unconditionally and without popup.
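A defender-side check for the interception described in the comment above, added here as an example and not part of the original thread: it compares the issuer seen for each site with a baseline recorded from a clean network and reports any unexpected issuer that signs for several unrelated hosts. Host names, CA names, the baseline and the function names are constructed for illustration.

```python
from collections import defaultdict


def issuer_name(cert):
    """Flatten the issuer field of an ssl.SSLSocket.getpeercert()-style dict."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("commonName") or fields.get("organizationName", "<unknown>")


def find_interception(observed, baseline, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that differ from the baseline
    and sign certificates for at least min_hosts unrelated hosts."""
    by_issuer = defaultdict(list)
    for host, cert in observed.items():
        seen = issuer_name(cert)
        if seen != baseline.get(host):
            by_issuer[seen].append(host)
    # One CA change is routine; one CA suddenly vouching for many
    # unrelated sites is the signature of an on-the-fly signing proxy.
    return {ca: sorted(hosts) for ca, hosts in by_issuer.items()
            if len(hosts) >= min_hosts}


def _cert(host, org, cn):
    # Constructed sample in the shape getpeercert() returns.
    return {"subject": ((("commonName", host),),),
            "issuer": ((("organizationName", org),), (("commonName", cn),))}


# Constructed baseline: issuer recorded per host from a network known to be clean.
BASELINE = {
    "mail.example": "Public CA One",
    "bank.example": "Public CA Two",
    "news.example": "Public CA One",
}

# Constructed observation from behind a hypothetical intercepting proxy
# that re-signs two sites and passes the third through untouched.
OBSERVED = {
    "mail.example": _cert("mail.example", "Corp IT", "Corp Proxy CA"),
    "bank.example": _cert("bank.example", "Corp IT", "Corp Proxy CA"),
    "news.example": _cert("news.example", "Public CA One Org", "Public CA One"),
}

if __name__ == "__main__":
    for ca, hosts in find_interception(OBSERVED, BASELINE).items():
        print(f"issuer {ca!r} unexpectedly signs: {', '.join(hosts)}")
```

Because the proxy's certificate sits in the local trust store, normal validation succeeds on the intercepted connections, so the comparison has to be made against a baseline recorded elsewhere rather than against the local store.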
quoting:
Blue Coat told The Wall Street Journal the appliances were transmitting automatic status messages back to the company as the devices censored the Syrian Web. Blue Coat says it doesn't monitor where such "heartbeat" messages originate from.
I call BS.
who, here, believes the company goes to the trouble of having the appliances phone home and yet does not scrutinize every bit of info that comes back, *especially* what subnets and routes it's connected to?
shit, man, if I was the company, *I* would do such things and I'm one of the good guys. there's no way a vendor would not want to see data and look for things that are not registered or show up all of a sudden, etc. the license fees are not insignificant (I'm guessing, but it's a fair guess) and so any new box would cause an alarm. again, I would do this and I'm not even in this business.
--
"It is now safe to switch off your computer."
find oppression in the world and you will always hear an American accent, no wonder the middle east hate your guts and will fuck you up again as soon as they get the chance.
As the supreme court is fond of pointing out, it is up to the legislature [or in this case, the State Department] to pass laws which are clear and specific.
We've had posts before about ISPs being told to "ban PirateBay.com" but not PirateBay.org, or to ban a specific IP address in an effort to take a website offline. Both of these are ineffective for the stated goal.
The overall opinion is that companies should implement the court instructions to the letter. Anything else might provoke the wrath of the court. Even doing something *effective* in lieu of a court's ineffective instructions is a bad move and likely to provoke a contempt of court ruling.
So Blue Coat's software is used in Syria, so what? They have followed the law and that's that. We may find their actions less than ethical, but the dividing line between ethics seems to waver depending on who and where you are. The Syrian government probably views the software as a stabilizing influence, and something that protects the population.
Put your blame where it truly lies. Write your congresscritter if you feel strongly about it.
The International Traffic in Arms Regulations are a Waste Of Fucking Time And Money.
There's this crazy notion that we can keep technology from folks by not selling it to them. Yet there are a thousand ways for folks to get the same technology, from paying a middle man, to sending people here to use it and recreate it. The absolute best case is delaying, by a small amount of time, how long before they get the technology.
It's also quite hypocritical that this technology is A-Ok for US companies to use on US citizens working for them....but somehow if Syria uses it to determine what Syrians see it's evil. That really doesn't make any sense.
And it's all perfectly legal.
Not necessarily. The terms of the initial contract may require that it not be sold/exported to nations on a certain list, and that any party you sell it to also agree to these terms. In other words the terms of the contract may be required to transfer with the goods.
I used to work for a reseller in the Middle East that sold many tech firm appliances, including BlueCoat proxy filters. I can tell you that an order of 14 BlueCoat devices would not go unnoticed without members of BlueCoat sales/pre-sales team being aware of it. This includes knowing the end customer, the proposed design and deployment setup, and the intended use of these devices.
I would have to say that BlueCoat was more interested in the ca$h they were getting paid and the quotas they were retiring, and decided to overlook all the other facts about the end customer (which they knew all along).
You can't tell me you have a $700k deal and 14 of your devices and you still don't know the end customer very well. Pretty disgusting.
BlueCoat should come clean. They should fire all their regional staff who made this mess and publicly admit their mistake.
BlueCoat offers services to their customers of the ProxySG line that can be centralized, but in no way does the device have to contact the mother ship in order to work. With a device as large as a SG9100 (by the way the 9000's listed in the article are 3+ couple years old and no longer sold from a product model standpoint), you definitely don't want to have a single point of failure with it and with as many connections as I've seen customers pass through it. They offer their own content filtering service (BlueCoat Web Filter) which can do dynamic site categorization etc. which by the way was a really nice one and blocked damn near most sites to the categories you wanted to block as an organization (ProxySGs have multiple and separate vendor content filter solutions built in on them and you license them separately and they integrate right into the devices - making them pretty flexible on if you want to use a content filtering solution where you DON'T have to put lists of URLs etc. to block - I can say in the device to block porn, gambling etc. and the devices go off of each vendor's content filtering solution you licensed. But you can also make your own, or even import the free URL lists out on the internet, so you have tons of options). But in no way is central contact needed (we've run them in ultra secure DMZ zones where the devices have firewall policies blocking any internet outbound connections originating from them, i.e. updates had to be handled manually and on site), you can make policies down to the per-HTML page or even content in the page using CPL (cache programming language iirc - their own scripting code to give you REALLY low level access to the traffic passing through the devices) you are loading, for Christ's sake.
I've also had to work on projects where we had to have VARs (I worked for a distributor of BlueCoat's) and we had to get devices out to Bahrain and other countries and it was a complete pain in the ass. We had to delay projects on a couple cases due to the hoops we and the VARs had to jump through to get them shipped from BlueCoat. I would not say it was for a lack of BlueCoat's own attempt to conform to the laws. They do not have a need to try to sell these devices to one off scam places as they make plenty of dough on them in the states much less in the countries we are allies with. Have you not seen the price of ProxySG 9100 with 10k plus licenses? They are not cheap by any means, and they do their function quite well.
It's a bummer to hear that those devices got out, but even myself I didn't realize there was any sort of heartbeats back beyond trying to use their BlueCoat Web Filter service and things like that. At least they put their own stamp in, otherwise you could have been none the wiser if BlueCoat opted not to. At that point either way when you try to download the content filter list you're going to have a source IP from somewhere. But just like say a plane flying in the air, do you want it to just stop what it is doing if it can't contact back to the server in the airplane manufacturer's datacenter? Even if they could figure out that these devices are operating in an illegal country, what can they do about it? If you have VARs that are front end shops and questionably sell the actual equipment to shady places, BlueCoat doesn't have an ounce of control over that. All they can do is just say hey, we won't sell these devices to this VAR, but what's there to stop another VAR that seemingly meets all the standard business requirements to establish a sales relationship with? You're trying to grab smoke at that point.
People need to get off their high chair, you mean to tell me the US government doesn't happen to have ordnance in the wrong people's hands much less BlueCoat devices that just content filter? It's a bummer to hear that this happens to them, I've had a lot of successful projects with their ProxySG devices from the small 210's to the 9100's. They can try to just stop the devices from being able to grab updates for the SGOS and so forth, but beyond that, the devices are already out there and doing what they were designed to do. In the end what happened here could happen to their competitors such as River Bed etc.
The manufacturer should have a list of what serial numbers were sold to whom.
So it should just be a matter of matching the serial numbers to buyers who should have agreed to the export limitations.
In fact, Blue Coat should be ACTIVELY pursuing this avenue of investigation in order to demonstrate that they themselves followed the legal restrictions.
A company like this should introduce Windows Product Activation functionality. Any license that isn't valid (e.g. pirate copies or those in countries where it isn't allowed to sell the software), they can blacklist it and make it so that it does not actually censor anything. (or update its censor list)
Why is "Syria," as shown in the title, displayed in a more narrow font than the rest of that title?
(Or am I really the only person to notice this?)
Kid-proof tablet..
You sir, just earned a tinfoil hat. While I have no particular love for Bluecoat (they're competitors in another field), you're assuming things based on what you think to be the case. Claiming that others are misinformed simply because it doesn't fit your mental image is rather silly.
There's only so and so much time in a workday. Spending it on going over phone-home in detail and sending across sensitive information in the first place? Not so useful.
(We also do phone home. Aggregates only, nothing sensitive. It usually makes very little sense to go fucking with your customers or risking their sensitive data, so there's no reason to send anything else.)
Bluecoat is not the only thing used in Syrian ISPs to monitor users' activities. Recently a European company (maybe Italian) was contracted after the uprising in Syria, and it seems they started to do Deep Packet Inspection. They are trying to intercept any kind of voice communication over the internet, they also collect HTTP traffic which contains a payload that matches a list of words, and IM service is also monitored. They use active monitoring sometimes as they try to steal Facebook accounts and spy on activists.
Tor service and OpenVPN were blocked a few months ago, and YouTube traffic is throttled to make it very hard to upload content.
A special secret service or intelligence agency department is dedicated for internet monitoring called ( 225).
This is just a very little of what is going on with the internet service in Syria.
Why help repress people? Why is this not a crime?
Blue Coat works directly by the direction of President Barack Obama.
President Barack Obama is rightfully concerned regarding his personal rendition cells at Syrian prisons and the hundreds of billions of US dollars he has authorized the US Treasury Dept. to send to Syria.
Rightfully so, Blue Coat is pissing blood right about now.