Blue Coat Concedes Its Devices Operating in Syria 90
A few weeks ago, in reaction to claims that Blue Coat systems were being used to track internet use in Syria, a company spokesman denied the charges here, saying "To our knowledge, we do not have any customers in Syria," and that the company followed the web of regulations that would prohibit sale to certain countries, Syria among them. In response to the logs on which the claims were based, he said "it appears that these logs came from an appliance in a country where there are no trade restrictions." A report at the Wall Street Journal says that the company has now acknowledged that Blue Coat devices are being used in Syria after all; the paper reports that at least 13 of the censorware boxes are in use there, and cites an unnamed source who says "as many as 25 appliances have made their way into Syria since the mid-2000s, with most sold through Dubai-based middlemen."
to be fair (Score:1)
Re:to be fair (Score:5, Interesting)
1. How "3rd party" are the 3rd parties? Shit does get smuggled sometimes; but people have been known to wink that their Dubai based VARs so long as the money is there...
2. How independent of the mothership are Blue Coat's censorship appliances. Some enterprise gear is relatively independent. Buy it, plug it in, the only remaining contact with the vendor is a warranty call if needed. Some enterprise gear is virtually a rented extension of the vendor's own network: You plug it in, it phones home more or less constantly for updates, with status reports, to go into cripple-mode if the service contract isn't paid up, to initiate service calls for shot FRUs, etc. If Blue Coat's devices are the former, smuggling should be pretty trivial. If the latter, I'd want to hear a very convincing account of how the re-allocation of equipment was hidden from them. It certainly wouldn't be impossible to keep a device from phoning home(software pirates do that sort of thing routinely, and there are other proxying and such tricks that could theoretically be used); but if Blue Coat knew that serial #s X,Y,Z were routinely phoning in for updates from IPs in Syria, and just sort of whistled a happy tune, they are't exactly blameless.
According to the whitepaper [bluecoat.com] for their "Webpulse" 'cloud-based infrastructure', which appears to be integrated into their various perimeter security appliances, their devices are in more or less constant contact with them, and data including unclassifed URLs and binaries may be sent back to them from the security appliances for analysis and the release of detection rulesets to the customerbase.
Unless Syria was running some sneaky scheme for cloaking the location of their Blue Coat devices, or was turning off their most marketed features and running them dumb, Blue Coat should have been well aware of what was going on, and roughly where...
Re: (Score:3, Interesting)
1. How "3rd party" are the 3rd parties? Shit does get smuggled sometimes; but people have been known to wink that their Dubai based VARs so long as the money is there...Blue Coat should have been well aware of what was going on, and roughly where...
Hey, that rhymes. What you stated also happens all the time. When shadowy new laws designed to enrich US arms dealers are knee-jerkedly signed in times of war, the arms components suppliers wink at their middlemen in South America or the Middle East, who wink back at them saying "no, these ITAR-controlled components will most certainly not be resold to Cuba, Iran, North Korea, Sudan or Syria! Wink wink."
Then the US gubmint finds out and fines the hell out of, say, Lockheed Martin. Lockheed Martin, in t
Re: (Score:2)
its my understanding that you subscribe to the filter list from the mothership. that is kind of the whole point of this kind of box.
Re: (Score:1)
From what I understand of their boxes, they are able to operate without communicating at all with Blue Coat. Syria doesn't have to sneakily do anything. And I doubt a country's ISP cares about cloud-based ANYTHING. They just want to configure a box to block traffic. What Syria is doing may be more advanced, but would you blame Cisco if someone set up a router not to route to select IPs?
Re: (Score:2)
If they sold it to someone they should have known would use it for illegal purposes, yes.
It's legal to sell your car. It's not legal to provide the vehicle for someone who's told you they're going to drive over someone - even if the sale would otherwise be legal.
It's obvious that doing anything with a dictator only legitimizes and enables the dictatorship. So yeah, if Cisco sold equipment to Syria, even if that equipment wasn't for censoring, they would be at least partly to blame for censoring in Syria.
Re: (Score:2)
I manage a few Bluecoat proies and Webpulse is an add-on feature. The boxes themselves offer a wide variety of lists you can subscribe to from all big filter list providers including Websense, SmartFilter, SurfControl, ALSI Intersafe and ISS/Proventia. You can also provide your own list.
Filtering is just one of the functions of the Bluecoat proxies however. For logging and reporting you don't need any contact with external services. The proxies also support intercepting and inspecting SSL traffic. The certi
Re: (Score:3)
smuggling hardware into a banned country
What? Person A purchase from the US and ships to a a friendly non-US country. Person B buys it there and ships it to a neutral country. Person C sells it to a Syrian who then imports it from the neutral country. And it's all perfectly legal. Wait, you presume that US laws should apply to everyone in the whole world? You can't even get your own TSA to listen to your laws.
Re: (Score:2)
Re: (Score:3, Interesting)
Shortly after a close friend *cough, cough* was hired at a company I don't work for *cough cough* The HR manager gave a brief powerpoint summary of ITAR, then went on to say^W tell him with an evil grin, "But we have ways of getting around that." According to those rules, there are 5 countries on our government's shit-list that we never sell to: Cuba, Iran, North Korea, Sudan, and Syria. For many others, requests have to be filed and delays of months are not unhe
Sale may require full transfer of terms (Score:2)
And it's all perfectly legal.
Not necessarily. The terms of the initial contract may require that it not be sold/exported to nations on a certain list, and that any party you sell it to also agree to these terms. In other words the terms of the contract may be required to transfer with the goods.
Mod parent up. (Score:2)
The manufacturer should have a list of what serial numbers were sold to whom.
So it should just be a matter of matching the serial numbers to buyers who should have agreed to the export limitations.
In fact, Blue Coat should be ACTIVELY pursuing this avenue of investigation in order to demonstrate that they themselves followed the legal restrictions.
Re: (Score:2)
Re: (Score:2)
and that any party you sell it to also agree to these terms.
And such countries that recognize the right of first sale render said contract null and void. You cannot bind third parties (or fourth or fifth parties) to your contract, especially when they reside/operate in a country far away from where the contract was signed.
Re: (Score:3)
and that any party you sell it to also agree to these terms.
And such countries that recognize the right of first sale render said contract null and void. You cannot bind third parties (or fourth or fifth parties) to your contract, especially when they reside/operate in a country far away from where the contract was signed.
It is the seller that is restricted, if the other party can not be bound then the seller can not sell.
Re: (Score:1)
And yet I find the lack of outrage very disturbing.
Companies don't even BOTHER pretending to comply. This was a case of them lying through their teeth and nobody having the guts to call them on it and demand blood.
Re: (Score:2)
I think it was Premium support contract they sold Syria that gave it away.
Here in the US, those "third parties" are called "distributors" or "independent sales agents".
Or maybe building censorware is just a shitty business and it's appropriate in any circumstances to shun Blue Coat. If a company can't trust its employees to responsibly use their internet connec
Re: (Score:2)
Third parties smuggling hardware into a banned country isn't quite the same as adding to your customer base. Unless of course your are a superpower.
BlueCoat: I am shocked, shocked to find that our censorware is being used in Syria!
al-Assad: Your yearly license fee, sir.
BlueCoat: Oh, thank you very much.
Duh! (Score:5, Insightful)
Who here is surprised by this?
I'm sure a nice premium was paid to the Dubai distributor, who also most likely set up proxies for Syria so the update requests to BlueCoat look like they originate in the UAE.
I'd be stunned to learn there wasn't more than a few dedicated suppliers in the Middle East who do nothing BUT funnel high-tech equipment into Syria and Iran, along with anyone else who pays in cash. They probably have plenty of competition from Russian distributors.
Re: (Score:1)
Re: (Score:1)
Usual Lies (Score:1)
Ho Hum, Corps lying, then they admit it, and no one has any energy left to care.
Re: (Score:2)
Ho Hum, Corps lying, then they admit it, and no one has any energy left to care.
Oh ye of little faith. Get thee to Wall Street and start Occupying.
Re: (Score:2)
Re: (Score:2)
Libyan NTC repealed the secular gaddafi bans on polygamy as their first official act
Maybe they should first ban incestuous relationships with first cousins, but that would be against their muslim tradition.
Re: (Score:2)
Very few countries have that rule, actually. Discussing the same topic with some friends I ended up googling the subject. Do it, and you'll be surprised
Re: (Score:3)
Actually 18 US states allow first cousin marriages which has nothing to do with islamic law. In fact cousin marriage was legal in all US states prior to the civil war.
http://en.wikipedia.org/wiki/Cousin_marriage [wikipedia.org]
Censorware boxes? (Score:2)
I don't like to have many sites blocked by the Bluecoat box in our network, but they do a necessary service, using Facebook and Youtube belongs to the home and your personal devices. The use or abuse of this equipment is a decision of the customers, not the company making products. Linux and a lot of GNU software can an surely have been used to enable the killing of thousands, but we will not be blaming Stallman and Torvalds for that.
Re: (Score:2)
I've run a network in a basement. I wasn't ready at the time, but boy did i learn a lot i never parsed until i snapped, spent half a year in psych wards and learned the hard way I guess. except i am back here.
I learned how good admins survive the trenches in colleges. i learned by proxy examples of how things are done, without doing them personally.
but i am not an expert. just a hobbyist and tinkerer.
Re: (Score:2)
Try keeping youtube with open access to 70 k employees and see how your internet connections crawls, moron. Maybe you missed this:
I don't like to have many sites blocked by the Bluecoat box in our network, but they do a necessary service
I work in a state owned company, and we have already a big problem trying to get inside the hard skulls of my coworkers that we must give a good service to our customers because the government wants to sell the company as low as possible to party friendly plutocrats, and treating citizens like shit is a sure way to make this act of corruption appear like a move in the best intere
Re: (Score:2)
Yes, but how much money have oppressive regimes put directly into the pockets of Stallman and Torvalds?
Re: (Score:2)
Of course not a single cent that we or they would know, but really, is not in the best interest of BlueCoat to be on the wrong side of law, for not saying of history. Risking jail only for selling a few boxes, that are not even a half of what is installed in my company is insane.
Re: (Score:1)
Actually that's not what these devices "are for". They're tools for enforcing company policy. That's it. They are not evil in and of themselves. Do clueless organizations try to use them for "nannying" their employees to death? Every day. And they're so busy making sure Joan in Accounting doesn't spend 15 extra minutes on Facebook that they miss all the PII and company IP going out one of the other many other open transports out of the company network. Any company that is serious about security either doesn
Re: (Score:1)
Sorry. I missed that first "not" in your post. As for apps with their own certs, you would let those stay encrypted, but limit where they can go. These kinds of apps (ones that use client certs if I'm reading you right) usually perform specific business functions and are not for general surfing. In fact, if it was me, I'd bypass the proxy entirely for these apps to keeps the number of moving parts to a minimum.
They will eventually go dead (Score:2)
Re: (Score:2)
Call me a devil's advocate here:
With my IT pro hat on, this active MITM is a good thing. It will substitute its SSL cert for the other one and actively inspect traffic. Of course, you have to add the Blue Coat cert into the domain root, as well as other web browsers.
The benefit of this is that confidential info can't just be kicked to an exploit site via SSL, or someone isn't going to be trying to make a proxy via SSL (since traffic that isn't decrypted gets blocked.) This is important because an intrude
BS alert (Score:3)
quoting:
Blue Coat told The Wall Street Journal the appliances were transmitting automatic status messages back to the company as the devices censored the Syrian Web. Blue Coat says it doesn't monitor where such "heartbeat" messages originate from.
I call BS.
who, here, believes the company goes to the trouble of having the appliances phone home and yet does not scrutinize every bit of info that comes back, *especially* what subnets and routes its connected to?
shit, man, if I was the company, *I* would do such things and I'm one of the good guys. there's no way a vendor would not want to see data and look for things that are not registered or show up all of a sudden, etc. the license fees are not insignificant (I'm guessing, but its a fair guess) and so any new box would cause an alarm. again, I would do this and I'm not even in this business.
Re: (Score:2)
either you don't know the full story (not an insult; it limits their liabilithy if only so many people know the real story) or they are pretty dumb to not make the maximal use from uploaded hello messages.
as someone who has been in the comms field for a few decades now, I am slightly aware of the disconnect between upper mgmt and the guy writing the code. the code guys don't always know everything that goes on in the box. nuff said?
sorry if that was world-shaking to you.
Here, have a tinfoil piece of headgear (Score:2)
You sir, just earned a tinfoil hat. While I have no particular love for Bluecoat (they're competitors in another field), you're assuming things based on what you think to be the case. Claiming that others are misinformed simply because it doesn't fit your mental image is rather silly.
There's only so and so much time in a workday. Spending it on going over phone-home in detail and sending across sensitive information in the first place? Not so useful.
(We also do phone home. Aggregates only, nothing sensitive
Re: (Score:1)
You'd be amazed how lazy corporate entities can be. Even "security companies"...
Re: (Score:1)
You'd be amazed how lazy corporate entities can be. Even "security companies"...
Having worked at a security company, this is oh so true and I'd mod you up if I could.
Not Blue Coat's problem (Score:2)
As the supreme court is fond of pointing out, it is up to the legislature [or in this case, the State Department] to pass laws which are clear and specific.
We've had posts before about ISPs being told to "ban PirateBay.com" [slashdot.org] but not PirateBay.org, or to ban a specific IP address in an effort to take a website offline. Both of these are ineffective for the stated goal.
The overall opinion is that companies should implement the court instructions to the letter. Anything else might provoke the wrath of the court
Re: (Score:2)
The ITAR regulations are a WOFTAM. (Score:2)
The International Traffic in Arms Regulation are a Waste Of Fucking Time And Money.
There's this crazy notion that we can keep technology from folks by not selling it to them. Yet there is a thousand ways for folks to get the same technology, from paying a middle man, to sending people here to use it and recreate it. The absolute best case is delaying, by a small amount of time, how long before they get the technology.
It's also quite hypocritical that this technology is A-Ok for US companies to use on US c
They should take action (Score:2)
A company like this should introduce Windows Product Activation functionality. Any license that isn't valid (e.g. pirate copies or those in countries where it isn't allowed to sell the software), they can blacklist it and make it so that it does not actually censor anything. (or update its censor list)
Re: (Score:2)
I mean "windows product activation like functionality"
So basically if the program isn't a valid license, it stops working. But in a way that isn't instantly visible to the operator of the software/appliance.
Re: (Score:2)
But then, when the activation fails for a legitimate customer (because it WILL fail at some point), that customer doesn't know that he's paid full rate for a non-functional appliance.
There's not much harm in a "your device appears to be operating in a country on a list of Bad Places. Please call 0800 UNCLE SAM to resolve the problem."
It's not like they're likely to route all their traffic through a proxy in another country to avoid it. That's plausible, but so unwieldy it probably wouldn't be worth the effo
[condense]Syria[/condense] (Score:2)
Why is "Syria," as shown in the title, displayed a more narrow font than the rest of that title?
(Or am I really the only person to notice this?)
Re: (Score:1)
Re: (Score:2)
Syriasly?