Slashdot Mirror


Symantec Will Acquire Controversial Surveillance Firm Blue Coat Systems For $4.65 Billion (helpnetsecurity.com)

Reader LichtSpektren writes: Symantec will acquire Blue Coat for approximately $4.65 billion in cash, the security firm announced on Monday. The transaction has been approved by the boards of directors of both companies and is expected to close in the third calendar quarter of 2016. Greg Clark, CEO of Blue Coat, will be appointed CEO of Symantec and join the Symantec Board upon closing of the transaction. If the Blue Coat name sounds familiar to you, it is because this controversial surveillance firm was recently in the news for receiving a grant for a powerful encryption certificate by its now-parent company Symantec.

44 comments

  1. Must have also gotten naked pictures... by xxxJonBoyxxx · · Score: 2

    >> Blue Coat (got) a powerful encryption certificate by its now-parent company Symantec...Symantec will acquire Blue Coat for approximately $4.65 billion in cash

    It sounds like Blue Coat also got naked pictures of Symantec's board of directors' spouses and/or mistresses.

  2. I'd Double Check that Chain by Anonymous Coward · · Score: 0

    Wow, Greg Clark just used Symantec's cash to make himself CEO of Symantec.

    I'd double-check the trust chain on all those negotiation emails from Symantec's board. Something tells me Blue Coat's shiny, new CA cert will be in there. ;)

  3. Go ahead! Install our Virus Scanner! It's safe! by Anonymous Coward · · Score: 0

    As if Symantec were not shitty enough already, now it's going to be a tool of the surveillance state. Nice.

  4. Re:/. EDITORS HATE GAY PEOPLE by Luthair · · Score: 1, Insightful

    Precisely what was the technology angle? This isn't a general news site, GTFO

  5. How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 2, Informative
    1. Re:How To Untrust the Blue Coat CA Cert by fuzzyfuzzyfungus · · Score: 5, Informative

      Symantec's PR bullshit is not reassuring: "“What the certificate does not give them the ability to do is issue public certificates to other organizations," Gideon said. "That's the big misunderstanding.” “This intermediate CA is for their private servers only,” she wrote."

      That's cute and all; except that the actual certificate contains no such restrictions whatsoever, and can be used to sign basically anything if the target trusts Verisign; and it's an 'internal testing' certificate that somehow needs to be valid until 2025...
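
An added example, not part of the original thread or of any vendor's tooling: the "private servers only" restriction would appear in a certificate as a `nameConstraints` extension, and this script builds a constructed lab PKI with the `openssl` CLI to show how a relying party treats an intermediate with and without it. The names `lab.example`, `www.bank.example`, `open-ica` and `constrained-ica` are assumptions made up for the demonstration.

```bash
#!/bin/sh
# Constructed lab PKI; every name, host and serial below is made up.
# Requires the openssl command-line tool.
set -eu
LAB_DIR=$(mktemp -d)
trap 'rm -rf "$LAB_DIR"' EXIT

# One file acts as both the req config and the extension source.
cat > "$LAB_DIR/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca_open]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_constrained]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:lab.example
[leaf_bank]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.bank.example
[leaf_lab]
basicConstraints = CA:FALSE
subjectAltName = DNS:intranet.lab.example
EOF

# issue NAME ISSUER EXT_SECTION SERIAL: new key and CSR for NAME, signed by ISSUER.
issue() {
  openssl req -new -config "$LAB_DIR/lab.cnf" -newkey rsa:2048 -nodes \
    -keyout "$LAB_DIR/$1.key" -out "$LAB_DIR/$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$LAB_DIR/$1.csr" -sha256 -days 30 -set_serial "$4" \
    -CA "$LAB_DIR/$2.pem" -CAkey "$LAB_DIR/$2.key" -extfile "$LAB_DIR/lab.cnf" \
    -extensions "$3" -out "$LAB_DIR/$1.pem" 2>/dev/null
}

# Root, two intermediates (one unconstrained, one limited to lab.example), three leaves.
build_lab() {
  openssl req -x509 -config "$LAB_DIR/lab.cnf" -extensions ca_open -sha256 \
    -newkey rsa:2048 -nodes -keyout "$LAB_DIR/root.key" -out "$LAB_DIR/root.pem" \
    -days 30 -subj "/CN=lab-root" 2>/dev/null
  issue open-ica             root            ca_open        2
  issue constrained-ica      root            ca_constrained 3
  issue bank-via-open        open-ica        leaf_bank      4
  issue bank-via-constrained constrained-ica leaf_bank      5
  issue lab-via-constrained  constrained-ica leaf_lab       6
}

# chain_verdict LEAF ICA: what a client that trusts only the lab root decides.
chain_verdict() {
  if openssl verify -CAfile "$LAB_DIR/root.pem" -untrusted "$LAB_DIR/$2.pem" \
       "$LAB_DIR/$1.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# constraint_summary CERT: does this CA certificate limit the names it may sign for?
constraint_summary() {
  if openssl x509 -in "$LAB_DIR/$1.pem" -noout -text | grep -q 'X509v3 Name Constraints'
  then echo name-constrained; else echo unconstrained; fi
}

build_lab
for ica in open-ica constrained-ica; do
  printf '%-16s %s\n' "$ica" "$(constraint_summary "$ica")"
done
printf 'bank name via open-ica:        %s\n' "$(chain_verdict bank-via-open open-ica)"
printf 'bank name via constrained-ica: %s\n' "$(chain_verdict bank-via-constrained constrained-ica)"
printf 'lab name via constrained-ica:  %s\n' "$(chain_verdict lab-via-constrained constrained-ica)"
```

The same `openssl x509 -noout -text` inspection used in `constraint_summary` can be pointed at any intermediate certificate file to see whether it carries name or path-length limits.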

    2. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      MI6 is behind the certificate, in coordination with the American CIA.

      I am a trusted source. Good post.

    3. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      For all OS's, unless you have accepted the Certificate it should not be in your browser certificates.

      Before adding and removing or adding and distrusting, check that it exists.

      eg. on Firefox look in Edit/Preferences/Advanced/Certificates/View Certificates

      If it is there it will be under Authorities and scroll down to Verisign. You can either distrust it if
      it is there, or remove it and it will not be accepted unless you accept it while surfing.

      I wouldn't add it to anything and then distrust it. First check if it is even there. If it is not
      just remember to never accept it if your browser prompts you. This is true for any SSL Certificates
      really. Just never accept them unless you basically are visiting your favorite cousin's website.

    4. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      Specifically distrusting it is something you need only do once.

      Specifically remembering not to accept it is something you can do over and over again.

      I would say, you should even go so far as to distrust all new CA or Intermediate CA certs by default, and change that only if completely necessary. Why take Apple's, Microsoft's, Firefox's or Google's word for it?

    5. Re:How To Untrust the Blue Coat CA Cert by The Last Gunslinger · · Score: 2

      This is spot-on.

      As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

      From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the details of the certificate to even notice anything unusual.

      So all the scruples reside with the device owner, not the manufacturer. As delivered, the devices can impersonate ANY server certificate. It's up to the implementer to construct policies that exclude traffic to certain servers or of certain categories from this ability.

    6. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      This is spot-on.

      As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

      From the viewpoint of the user's browser, the remote server (Google or CNN or BankofAmerica) appears to be sending you a trusted certificate. You would have to open the security dialog and examine the details of the certificate to even notice anything unusual.

        This kind of shit is what a good VPN is for. Some forms of VPN are resistant to things like deep packet inspection and look like regular web traffic.

    7. Re:How To Untrust the Blue Coat CA Cert by fuzzyfuzzyfungus · · Score: 3, Insightful

      In theory the legitimate users of these sorts of MiTM boxes aren't supposed to need an actual intermediate CA cert because they are only MiTMing devices that they administer, so they simply use their own internal trusted cert and configure their devices to trust it.

      That's why Bluecoat being handed a fully loaded Verisign intermediate CA cert is so disturbing; and Symantec's unwillingness to do anything but bullshit about it so disturbing.

      MiTM-ing SSL traffic is one thing if it is from devices you have legitimate administrative access to; but when you have legitimate administrative access it's trivial to configure the clients to trust your certificate so you don't need anything special. The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.

    8. Re: How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 1

      +1 what parent said.

      It negates TLS because the cert could be real or could be Bluecoat fake. Every bank, government, financial, health, EVERY cert is worthless from that deal. Symantec have been caught faking Google certificates before, this was obviously a workaround to hide the faking.

      But, here's the most disturbing thing of all.... 70% of ALL certs are from Symantec or Symantec's child companies. They cannot be removed from the cert chain because they ARE the cert chain.

      So TLS certs have to be removed because the whole certification process is broken. You can be at an internet cafe, and the cafe owner can be intercepting your bank and email details, his ISP can be intercepting them too, the government you're in can be intercepting, the NSA can be intercepting, there could be 100 man in the middle attacks, all running Bluecoat hardware and you wouldn't know it.

      Making the TLS certificate worthless.

    9. Re: How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      That's misleading.

      Symantec are a root cert, BY DEFAULT Bluecoat's cert will be trusted without you ever accepting it. You need to follow the correct instructions to obtain the certificate, then add it to the 'always reject' pile. Your claim of 'reject it when asked to accept it' is false.

      With Bluecoat CEO taking over Symantec, we need to look at rejecting all Symantec (Thawte etc. lots of certs are from Symantec's companies) certs.

    10. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 1

      As a one-time employee of Blue Coat who holds a technical certification on their ProxySG line of products, I can confirm absolutely that these devices use these intermediate CA certs to generate on-demand certs for any destination that the device's owner allows on their network by policy.

      Also a former BlueCoat employee here.

      While you are correct, that this cert can be used to create valid MitM certificates, this certificate will never be pushed out to customer boxes. They would never run the risk of a customer being able to get the private key, and then use it for whatever evil uses they have.

      They could use their CA to sign other intermediate CAs that they push out onto customer boxes, but that is just as dangerous as giving them their CA.

      What they are probably testing, is using this on their cloud-based secure gateway product. In that case, all of the customer traffic is routed via VPN to the BlueCoat cloud, and then run through BlueCoat owned proxies before going out to the Internet. This way, they have total control of the CA, and their customers do not need to install any private root CA onto their users' computers in order to do SSL interception.

    11. Re:How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      I would say, you should even go so far as to distrust all new CA or Intermediate CA certs by default, and change that only if completely necessary. Why take Apple's, Microsoft's, Firefox's or Google's word for it?

      Apple/Microsoft/Mozilla/Google can add new CAs to their trusted list any time they want, and the user never gets any notification that there are new CAs being trusted. If you want to make sure that, even though the browsers may not currently trust the cert, your browser will NEVER trust the cert, then you should specifically tell the browsers to not trust it now.

    12. Re: How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      All I can say is... holy fucking shit. This is huge and the masses *need* to pay attention to this.

    13. Re: How To Untrust the Blue Coat CA Cert by Anonymous Coward · · Score: 0

      Anybody can right now look in their browser certificate store. It is demonstrated how to do so above in newer Firefox. In older Firefox it isn't Edit/Preferences it's Tools/Options.

      Look under Authorities/Verisign, do you see one listed for Blue Coat? It's likely not there. You don't need to install 5000 certificates and untrust them nor do you need to add 1 and untrust it. If it is there you can remove it and it won't be used unless it asks to install it and you say yes... instead of "Get me out of here" as Firefox prompts you. Any time your browser asks you to accept a new CA Cert you should skip it unless it is a site you absolutely trust. Maybe you have never seen a spy other than Ed Snowden? Do you think he is the only one? Guess where they are. On your networks looking at all your stuff. Doesn't that ring a bell? A spy. A hacker. A liar. On the Internet. Looking at your shit. Have you ever read this before?

      If you are very curious and wish to see how it works, install the actual Blue Coat spy certificate from https://crt.sh/?d=19538258 , then look at what options you have in Firefox. You can distrust it aka delete it, or you can stare at the three check boxes in the Edit Trust dialog that give it permissions to permit 3 types of actions with each certificate.

      It is simpler than this whole long story.

      Big corporations are networked with us/eu spy agencies in no small way. They also cooperate with each other but one spy never trusts another because no spy is trustworthy. All is tracked ask Ed Snowden. When you come to a page to install a certificate, never install it.

      It is that simple. It is not hey let's get that certificate ON YOUR PC ASAP and untrusted. You want nothing to do with it. Not any future browser code that affects it, nothing. This is akin to social engineering to get a CA Cert you DON'T WANT onto your computer.

      Facts.

      It is inconsequential if Symantec merges with Microsoft/Google/Apple/Facebook/Twitter and all of their US spy tracking/profiling if you NEVER INSTALL CA CERTS ON THE FLY.

    14. Re:How To Untrust the Blue Coat CA Cert by Phreakiture · · Score: 1

      If that's the case, then there is no reason not to untrust the cert, since it doesn't serve any purpose in the wild.

    15. Re:How To Untrust the Blue Coat CA Cert by The Last Gunslinger · · Score: 1

      The only reason you'd need a Verisign intermediate CA is if you want to be able to hit the vast majority of clients as configured out-of-the-box, without your certs pushed by group policy or whatever. Nobody involved seems to have a remotely good explanation of why Bluecoat has one; or what legitimate purposes it could possibly serve that couldn't be served by a vastly less dangerous toy.

      The reason is simple: most customers of these devices prefer to implement them in transparent proxy mode, which requires no endpoint device (browser, etc.) configuration, no pushing of internal certs, etc. Browsers are talking on 80/443 happily unaware that their traffic is being proxied, and the SSL server certs being presented by Google or Facebook or their bank are not actually certs from those servers...they're Blue Coat's imposter certificates, generated on-demand.

  6. The only upside... by fuzzyfuzzyfungus · · Score: 1

    The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time.

    Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.

    1. Re:The only upside... by LichtSpektren · · Score: 1

      The only upside to all this is that Symantec has an astonishingly powerful ability to turn everything they acquire into utter shit. This doesn't make one of the world's major SSL CAs owning a sleazy SSL MiTM appliance vendor any less disturbing; but it at least means that the various malefactors using Bluecoat products to exploit us will have an incrementally more miserable time. Just more fuel on the "trusting 'trusted' CAs just doesn't cut it" fire.

      Agreed. It would be nice if Google, Apple, Microsoft, and Mozilla agreed to blacklist Symantec-signed certificates from their browsers. Unfortunately they have billions of dollars to throw at legislators and judges, so it wouldn't make a difference in the long run.

    2. Re:The only upside... by Anonymous Coward · · Score: 0

      Blue Coat is already utter shit (my employer is a big time user of their "security" appliances).

    3. Re:The only upside... by retchdog · · Score: 1

      that was my first thought too, but while it may be Symantec's money going into the deal, Symantec is getting Blue Coat's CEO as part of the deal.

  7. Re: /. EDITORS HATE GAY PEOPLE by Anonymous Coward · · Score: 0

    You obviously don't know how it works. When you post AC, you're automatically at 0 dumbass. So don't post AC unless you have something the masses will think pertinent enough to upvote you or they'll down vote you especially when you spam as you've done. I doubt it's a "team". You've already lied.

  8. Why are security companies compromising themselves by QuietLagoon · · Score: 1

    Symantec is buying Blue Coat Systems. Avira Anti-Virus installs the MixPanel data harvester. What's going on with security companies nowadays?

  9. Re: /. EDITORS HATE GAY PEOPLE by Anonymous Coward · · Score: 0

    Well it is "stuff that matters". Took them long enough.

  10. Re:/. EDITORS HATE GAY PEOPLE by Anonymous Coward · · Score: 0

    Does that mean that Obama hates gays too? He also refuses to call it radical Islam.

  11. Symantec = NSA by Anonymous Coward · · Score: 0

    Hmm. The geographic proximity of Symantec and the "Utah Data Center" would tend to raise the eyebrows of those paying attention.

  12. Re: /. EDITORS HATE GAY PEOPLE by Anonymous Coward · · Score: 0

    You obviously don't know how it works. When you post AC, you're automatically at 0 dumbass. So don't post AC unless you have something the masses will think pertinent enough to upvote you or they'll down vote you

    So many great posts get modded down to -1 that I and many others browse at -1. Slashdot isn't the bastion of evidence-based objective truth that its users want to believe it is. It's often an echo chamber. There are shills or rabid fanboys, hard to tell sometimes. But the worst is the people who think, "I use X, therefore if you criticize X, you're attacking MY TEAM and I just MUST retaliate!" morons everywhere. A lot of people cannot seem to use something without becoming personally identified with it, just like you see with sports fans. Just watch for the next Apple or Google story and it will be obvious.

    Until some serious metamoderation is brought back or mods grow up and learn to tolerate views they disagree with, -1 is the way to do things. If you're a big boy/girl and can handle "offensive" words then it's really not bad at all.

  13. Re: /. EDITORS HATE GAY PEOPLE by wardrich86 · · Score: 1

    The line is "news for nerds, stuff that matters" as in "the news for nerds is the stuff that matters." I think you mistook it for "News for nerds; stuff that matters" which would imply it covered nerdy news as well as other important topics. The difference some punctuation can make...

  14. This story squeezed UNDER the Microsoft story, how by Anonymous Coward · · Score: 0

    Slashdot is acting funny lately. Has somebody said hey editor, have a seat?

  15. Re: /. EDITORS HATE GAY PEOPLE by Anonymous Coward · · Score: 0

    The line is "news for nerds, stuff that matters" as in "the news for nerds is the stuff that matters." I think you mistook it for "News for nerds; stuff that matters" which would imply it covered nerdy news as well as other important topics. The difference some punctuation can make...

    More like, the difference it makes when one has mastered basic literacy.

  16. Re:Why are security companies compromising themsel by Anonymous Coward · · Score: 0

    Capitalism demands ever increasing ROI for shorter time horizons. With these changes, the CEO gets a nice bonus yacht, the insiders sell after the next quarterly report with great numbers and all the smart people jump ship leaving the suckers to lose their shirts and pick up the pieces.

    Worst system ever, except for all the other ones we've tried.

  17. inspection or surveillance? by omgwtfroflbbqwasd · · Score: 1

    Corporate use is inspection of traffic to detect security breaches, but Service Provider use is surveillance?

    Use of wildcard certs is one thing, but BlueCoat technology isn't designed for surveillance any more than network analysis tools are.

    1. Re: inspection or surveillance? by fuzzyfuzzyfungus · · Score: 1

      Yes, applying network surveillance tools to systems you own and administer and applying them to every hapless bastard who relies on your ISP are different things. It's not news that 'admin tools' and 'malice' have broad technical overlap; both are designed for easy and powerful control over a whole bunch of systems; but whether or not you are the legitimate admin is an obvious distinction between surveillance and security and 'remote administration' vs. remote access Trojan. Bluecoat's products certainly can be used for internal security applications; but it's a matter of record that they can and have been used for widespread surveillance by deeply unsavory state actors with nothing but the thinnest excuses from the vendor.

  18. Sigh. Sensationalism. by Anonymous Coward · · Score: 0

    "Symantec acquires Blue Coat." Journalism.

    "Symantec acquires controversial surveillance firm Blue Coat." Sensationalism.

    I know this is Slashdot, but the world runs on standards that only a small percentage of the population understands let alone creates or manages. Simply living in this world requires a huge amount of trust. For the rest of us, there's medication.

    1. Re: Sigh. Sensationalism. by Anonymous Coward · · Score: 0

      It means that bob's internet cafe can fake a Google certificate, if he uses Bluecoat software. Symantec should lose their root status across the board for essentially voiding the certificate system.

    2. Re: Sigh. Sensationalism. by Anonymous Coward · · Score: 0

      Bob's Internet cafe can already do that, particularly if they require more than a layer 2 connection to get "online." The issue is whether or not the browser trusts the certificate.

      Given the number of perfectly valid certificates that generate security warnings in Chrome and other browsers because of hash algorithms, key length, or other reasons, the average user is likely to ignore any other warnings.

  19. Racketeering by sjbe · · Score: 1

    Symantec is buying Blue Coat Systems. Avira Anti-Virus installs the MixPanel data harvester. What's going on with security companies nowadays?

    They're having the problem that they can't grow fast enough to please their shareholders/investors. The market for security products is finite, competitive and customers aren't willing to pay ever increasing amounts of cash for their products. So their management is pushed inexorably towards sources of revenue that might not be in the best interests of their customers. Of course Symantec has produced crap software for a long time now so them making bad decisions is nothing new. Removing their crapware is usually among the first things I do with any new PC that is burdened with it.

    Of course there is also the old problem that security companies make money by "protecting" against malware but if malware ceased to exist so would their business. So they have a built in conflict of interest in that they want to protect but not actually get rid of malware completely. In theory they could even be the ones creating the malware to ensure there is a threat to protect against. A form of racketeering really.

  20. Re:Why are security companies compromising themsel by Anonymous Coward · · Score: 0

    Neither Symantec nor Blue Coat are security companies. They are signals intelligence operations, and their leadership ranks have rather more "flexible" views on intelligence acquisition and sharing than the narratives offered by their tireless PR/legal/accounting wings. Simply do as I did and spend a decade-plus with root access to the core networks and cryptographic facilities of a few dozen Fortune 500 corps, plus similar access to a bunch of network backbone/transit/telco/satcom infrastructure spread across several continents, with generous dollops of "golly gee that's interesting" discussions in nice conference rooms full of corporate/federal/uniformed/spooky/indie/depends-who's-asking types with Bright Ideas (TM), and you can see for yourself. It's a trip, man. -PCP

  21. Couldn't have planned to ditch my blue coat better by Anonymous Coward · · Score: 0

    This year my Blue Coat product was just replaced. Guess I couldn't have planned that one any better.
    The minute Symantec gets ahold of anything - it becomes more expensive, more bloated, slower than any other product out there.
    Was never impressed by that company.