Blue Coat Concedes Its Devices Operating in Syria

timothy posted about 2 years ago | from the hat-tip-to-jake dept.

Censorship 90

A few weeks ago, in reaction to claims that Blue Coat systems were being used to track internet use in Syria, a company spokesman denied the charges here, saying "To our knowledge, we do not have any customers in Syria," and that the company followed the web of regulations that would prohibit sale to certain countries, Syria among them. In response to the logs on which the claims were based, he said "it appears that these logs came from an appliance in a country where there are no trade restrictions." A report at the Wall Street Journal says that the company has now acknowledged that Blue Coat devices are being used in Syria after all; the paper reports that at least 13 of the censorware boxes are in use there, and cites an unnamed source who says "as many as 25 appliances have made their way into Syria since the mid-2000s, with most sold through Dubai-based middlemen."


90 comments


FIRST POST (-1)

Anonymous Coward | about 2 years ago | (#37875450)

I don't care about this topic.

SECOND POST (0)

Anonymous Coward | about 2 years ago | (#37875490)

I don't care about this AC.

Re:FIRST POST (-1, Troll)

Frosty Piss (770223) | more than 2 years ago | (#37876044)

Thanks for your input, your views are valued. But not very much. In fact very little indeed. Although, that's relative. But the point is it's a really really small number. Unless you're a flea, in which case you don't care even less.

Would you mind if I fucked your sister? Is that a topic you care a little more about? No? Good. Can I use your couch? Thanks, bro...

to be fair (1)

pinfall (2430412) | about 2 years ago | (#37875484)

Third parties smuggling hardware into a banned country isn't quite the same as adding to your customer base. Unless of course you are a superpower.

Re:to be fair (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37875602)

That would depend, in part, on a couple of things:

1. How "3rd party" are the 3rd parties? Shit does get smuggled sometimes; but people have been known to wink at their Dubai based VARs so long as the money is there...

2. How independent of the mothership are Blue Coat's censorship appliances? Some enterprise gear is relatively independent. Buy it, plug it in, the only remaining contact with the vendor is a warranty call if needed. Some enterprise gear is virtually a rented extension of the vendor's own network: You plug it in, it phones home more or less constantly for updates, with status reports, to go into cripple-mode if the service contract isn't paid up, to initiate service calls for shot FRUs, etc. If Blue Coat's devices are the former, smuggling should be pretty trivial. If the latter, I'd want to hear a very convincing account of how the re-allocation of equipment was hidden from them. It certainly wouldn't be impossible to keep a device from phoning home (software pirates do that sort of thing routinely, and there are other proxying and such tricks that could theoretically be used); but if Blue Coat knew that serial #s X,Y,Z were routinely phoning in for updates from IPs in Syria, and just sort of whistled a happy tune, they aren't exactly blameless.

According to the whitepaper [bluecoat.com] for their "Webpulse" 'cloud-based infrastructure', which appears to be integrated into their various perimeter security appliances, their devices are in more or less constant contact with them, and data including unclassified URLs and binaries may be sent back to them from the security appliances for analysis and the release of detection rulesets to the customer base.

Unless Syria was running some sneaky scheme for cloaking the location of their Blue Coat devices, or was turning off their most marketed features and running them dumb, Blue Coat should have been well aware of what was going on, and roughly where...

Re:to be fair (3, Interesting)

Ethanol-fueled (1125189) | more than 2 years ago | (#37875716)

1. How "3rd party" are the 3rd parties? Shit does get smuggled sometimes; but people have been known to wink at their Dubai based VARs so long as the money is there... Blue Coat should have been well aware of what was going on, and roughly where...

Hey, that rhymes. What you stated also happens all the time. When shadowy new laws designed to enrich US arms dealers are knee-jerkedly signed in times of war, the arms components suppliers wink at their middlemen in South America or the Middle East, who wink back at them saying "no, these ITAR-controlled components will most certainly not be resold to Cuba, Iran, North Korea, Sudan or Syria! Wink wink."

Then the US gubmint finds out and fines the hell out of, say, Lockheed Martin. Lockheed Martin, in turn, says that they had no idea that the components were to be sold to Syria and cites a twisted interpretation of said shadowy US war law.

Re:to be fair (1)

TheGratefulNet (143330) | more than 2 years ago | (#37875920)

It's my understanding that you subscribe to the filter list from the mothership. That is kind of the whole point of this kind of box.

Re:to be fair (0)

Anonymous Coward | more than 2 years ago | (#37876216)

Well, yes. If you want the category updates (this new URL that popped up last week is a "gaming" site, etc.). If you just want to monitor what sites (not categories) people go to, or you want to block anything going to facebook.com, then you don't need to subscribe to the category update service at all.

Re:to be fair (1)

absurdhero (614828) | more than 2 years ago | (#37876224)

From what I understand of their boxes, they are able to operate without communicating at all with Blue Coat. Syria doesn't have to sneakily do anything. And I doubt a country's ISP cares about cloud-based ANYTHING. They just want to configure a box to block traffic. What Syria is doing may be more advanced, but would you blame Cisco if someone set up a router not to route to select IPs?

Re:to be fair (1)

WNight (23683) | more than 2 years ago | (#37883446)

If they sold it to someone they should have known would use it for illegal purposes, yes.

It's legal to sell your car. It's not legal to provide the vehicle for someone who's told you they're going to drive over someone - even if the sale would otherwise be legal.

It's obvious that doing anything with a dictator only legitimizes and enables the dictatorship. So yeah, if Cisco sold equipment to Syria, even if that equipment wasn't for censoring, they would be at least partly to blame for censoring in Syria.

Chill out people (0)

Anonymous Coward | more than 2 years ago | (#37876606)

BlueCoat offers services to their customers of the ProxySG line that can be centralized, but in no way does the device have to contact the mother ship in order to work. With a device as large as a SG9100 (by the way the 9000's listed in the article are 3+ couple years old and no longer sold from a product model standpoint), you definitely don't want to have a single point of failure with it and with as many connections as I've seen customers pass through it. They offer their own content filtering service (BlueCoat Web Filter) which can do dynamic site categorization etc., which by the way was a really nice one and blocked damn near most sites to the categories you wanted to block as an organization (ProxySGs have multiple and separate vendor content filter solutions built in on them and you license them separately and they integrate right into the devices - making them pretty flexible on if you want to use a content filtering solution where you DON'T have to put lists of URLs etc. to block - I can say in the device to block porn, gambling etc. and the devices go off of each vendor's content filtering solution you licensed. But you can also make your own, or even import the free URL lists out on the internet, so you have tons of options). But in no way is central contact needed (we've run them in ultra secure DMZ zones where the devices have firewall policies blocking any internet outbound connections originating from them, i.e. updates had to be handled manually and on site), you can make policies down to the per-HTML page or even content in the page using CPL (cache programming language iirc - their own scripting code to give you REALLY low level access to the traffic passing through the devices) you are loading for Christ's sake.

I've also had to work on projects where we had to have VARs (I worked for a distributor of BlueCoat's) and we had to get devices out to Bahrain and other countries and it was a complete pain in the ass. We had to delay projects in a couple of cases due to the hoops we and the VARs had to jump through to get them shipped from BlueCoat. I would not say it was for a lack of BlueCoat's own attempt to conform to the laws. They do not have a need to try to sell these devices to one off scam places as they make plenty of dough on them in the states much less in the countries we are allies with. Have you not seen the price of ProxySG 9100 with 10k plus licenses? They are not cheap by any means, and they do their function quite well.

It's a bummer to hear that those devices got out, but even myself I didn't realize there was any sort of heartbeats back beyond trying to use their BlueCoat Web Filter service and things like that. At least they put their own stamp in, otherwise you could have been none the wiser if BlueCoat opted not to. At that point either way when you try to download the content filter list you're going to have a source IP from somewhere. But just like say a plane flying in the air, do you want it to just stop what it is doing if it can't contact back to the server in the airplane manufacturer's datacenter? Even if they could figure out that these devices are operating in an illegal country, what can they do about it? If you have VARs that are front end shops and questionably sell the actual equipment to shady places, BlueCoat doesn't have an ounce of control over that. All they can do is just say hey, we won't sell these devices to this VAR, but what's there to stop another VAR that seemingly meets all the standard business requirements to establish a sales relationship with? You're trying to grab smoke at that point.

People need to get off their high chair, you mean to tell me the US government doesn't happen to have ordnance in the wrong people's hands much less BlueCoat devices that just content filter? It's a bummer to hear that this happens to them, I've had a lot of successful projects with their ProxySG devices from the small 210's to the 9100's. They can try to just stop the devices from being able to grab updates for the SGOS and so forth, but beyond that, the devices are already out there and doing what they were designed to do. In the end what happened here could happen to their competitors such as River Bed etc.

Re:to be fair (1)

Melkman (82959) | more than 2 years ago | (#37877486)

I manage a few Bluecoat proxies and Webpulse is an add-on feature. The boxes themselves offer a wide variety of lists you can subscribe to from all big filter list providers including Websense, SmartFilter, SurfControl, ALSI Intersafe and ISS/Proventia. You can also provide your own list.

Filtering is just one of the functions of the Bluecoat proxies however. For logging and reporting you don't need any contact with external services. The proxies also support intercepting and inspecting SSL traffic. The certificates stolen from Diginotar combined with these things make a perfect "I read your GMail" system.

Licences and software updates for the proxies can be downloaded from the Bluecoat website from any PC and then transferred to the box. It is however much easier to just let the box itself get the licence. But with a bit of hassle you can use Bluecoat proxies without letting them phone home. We still have two Bluecoats laying around which are end of life. But if I start them they still work and don't contact Bluecoat in any way.

Re:to be fair (0)

Anonymous Coward | more than 2 years ago | (#37878052)

You can use a Blue Coat ProxySG to:
* Prevent malware by using a tie to ProxyAV.
* Manually block sites (no Blue Coat involvement).
* Automatically block sites, by classification. You subscribe to the data provided by Blue Coat. The list of classifications is quite long: http://sitereview.bluecoat.com/catdesc.jsp [bluecoat.com]
* Review who went where, and how.

Unless Syria set up a man-in-the-middle decryption system or went so far as to block protocol anomalies, I'm sure there are lots of ways to get past it.

Re:to be fair (0)

Anonymous Coward | more than 2 years ago | (#37880984)

I thought that BC devices occasionally contacted HQ to get software upgrades. If that's the case then couldn't they be forced to download a poison software that makes them unusable?

Re:to be fair (2)

Dunbal (464142) | more than 2 years ago | (#37875858)

smuggling hardware into a banned country

What? Person A purchases from the US and ships to a friendly non-US country. Person B buys it there and ships it to a neutral country. Person C sells it to a Syrian who then imports it from the neutral country. And it's all perfectly legal. Wait, you presume that US laws should apply to everyone in the whole world? You can't even get your own TSA to listen to your laws.

Re:to be fair (1)

aztracker1 (702135) | more than 2 years ago | (#37876136)

That's about how I feel about it.. it could just as easily be done with x86 systems as routers, though probably not as efficiently. I'm pretty sure they have Intel, and AMD parts over there too, that they are doing EVIL(tm) things with.

Re:to be fair (3, Interesting)

Ethanol-fueled (1125189) | more than 2 years ago | (#37876328)

That's what ITAR [state.gov] is supposed to address.

Shortly after a close friend *cough, cough* was hired at a company I don't work for *cough cough* The HR manager gave a brief powerpoint summary of ITAR, then went on to say^W tell him with an evil grin, "But we have ways of getting around that." According to those rules, there are 5 countries on our government's shit-list that we never sell to: Cuba, Iran, North Korea, Sudan, and Syria. For many others, requests have to be filed and delays of months are not unheard of. It's how the State Department plays favorites.

Besides using third-party "export firms" for the deals, simpler tricks may be played - playing games with serial numbers, for example. The subject of any serious ITAR-compliant transaction also may include Customs opening up the gadget in question, to ensure nobody's smuggling coke or setting them up the bomb.

Sale may require full transfer of terms (1)

perpenso (1613749) | more than 2 years ago | (#37876330)

And it's all perfectly legal.

Not necessarily. The terms of the initial contract may require that it not be sold/exported to nations on a certain list, and that any party you sell it to also agree to these terms. In other words the terms of the contract may be required to transfer with the goods.

Mod parent up. (1)

khasim (1285) | more than 2 years ago | (#37876616)

The manufacturer should have a list of what serial numbers were sold to whom.

So it should just be a matter of matching the serial numbers to buyers who should have agreed to the export limitations.

In fact, Blue Coat should be ACTIVELY pursuing this avenue of investigation in order to demonstrate that they themselves followed the legal restrictions.

Re:Mod parent up. (1)

Dunbal (464142) | more than 2 years ago | (#37878034)

Yeah, ok, these goods are allowed to be exported to Panama - a friendly nation. And they are sold to someone in Panama. Now what are you going to do? Panamanian law places no such restrictions on exports. So they are sold in Panama to someone in Costa Rica - another friendly nation. And from Costa Rica they are sold to Venezuela. And from Venezuela to Iran. And from Iran to Syria. What exactly are you going to do?

Re:Sale may require full transfer of terms (0)

Anonymous Coward | more than 2 years ago | (#37878012)

Breaking a contract is not illegal.

And in any case, local law where the contract is being broken may render the contract terms void anyway. For example, as an American, I could sign a contract that says I will suck your cock for money. If I sign that while traveling in some countries, it's a legal and valid contract. But if I leave those countries, and bring that contract to the US, you can neither force me to suck your cock, or refund the money; the contract is illegal, null, and void.

In the case of US export laws, even in a country where such a contract is theoretically valid, the local courts may not have much interest in enforcing something that is essentially seen as a way for the US to maintain other countries as tech have-nots.

Re:Sale may require full transfer of terms (1)

Dunbal (464142) | more than 2 years ago | (#37878020)

and that any party you sell it to also agree to these terms.

And such countries that recognize the right of first sale render said contract null and void. You cannot bind third parties (or fourth or fifth parties) to your contract, especially when they reside/operate in a country far away from where the contract was signed.

Re:Sale may require full transfer of terms (2)

perpenso (1613749) | more than 2 years ago | (#37880642)

and that any party you sell it to also agree to these terms.

And such countries that recognize the right of first sale render said contract null and void. You cannot bind third parties (or fourth or fifth parties) to your contract, especially when they reside/operate in a country far away from where the contract was signed.

It is the seller that is restricted, if the other party can not be bound then the seller can not sell.

Re:to be fair (0)

shentino (1139071) | more than 2 years ago | (#37875950)

And yet I find the lack of outrage very disturbing.

Companies don't even BOTHER pretending to comply. This was a case of them lying through their teeth and nobody having the guts to call them on it and demand blood.

Re:to be fair (1)

PopeRatzo (965947) | more than 2 years ago | (#37876086)

Third parties smuggling hardware into a banned country isn't quite the same as adding to your customer base. Unless of course you are a superpower.

I think it was the Premium support contract they sold Syria that gave it away.

Here in the US, those "third parties" are called "distributors" or "independent sales agents".

Or maybe building censorware is just a shitty business and it's appropriate in any circumstances to shun Blue Coat. If a company can't trust its employees to responsibly use their internet connections, then maybe they should spend a few bucks and hire better people instead of hoping to get by with minimum wage, "right-to-work" dreck just because hiring good people would reduce their quarterly profits from 18.7% to 18.5% and maybe the new CEO would have to scrape by with a $4million "relocation bonus" instead of a $6million "relocation bonus", and the golden parachute he gets after 11 months on the job and he's driven the company into the ground will only be $18million instead of $20million.

Fuck Blue Coat. Their HR Department, R&D, and most of the sales force is based out of Bangalore and they have a special presence in Dubai and Saudi Arabia. I have no trouble believing that providing security services to repressive regimes is a favored profit center for them. I can only hope that when "Spring" comes to those countries, the freedom fighters remember who helped keep them under the thumb of the dictator. Then we'll find out just how good those "Critical Situation Managers" they've got on staff really are.

Re:to be fair (1)

arglebargle_xiv (2212710) | more than 2 years ago | (#37880754)

Third parties smuggling hardware into a banned country isn't quite the same as adding to your customer base. Unless of course you are a superpower.

BlueCoat: I am shocked, shocked to find that our censorware is being used in Syria!
al-Assad: Your yearly license fee, sir.
BlueCoat: Oh, thank you very much.

Duh! (4, Insightful)

chill (34294) | more than 2 years ago | (#37875540)

Who here is surprised by this?

I'm sure a nice premium was paid to the Dubai distributor, who also most likely set up proxies for Syria so the update requests to BlueCoat look like they originate in the UAE.

I'd be stunned to learn there wasn't more than a few dedicated suppliers in the Middle East who do nothing BUT funnel high-tech equipment into Syria and Iran, along with anyone else who pays in cash. They probably have plenty of competition from Russian distributors.

Re:Duh! (1)

davecason (598777) | more than 2 years ago | (#37876368)

OMG! They might use CISCO FIREWALLS, TOO! CISCO is the DEVIL!

Re:Duh! (0)

Anonymous Coward | more than 2 years ago | (#37877588)

If Cisco said they didn't deal with oppressive country X, and then evidence turned up that they did, then it wouldn't make them the devil, but it would be a nasty lie. This would be particularly nasty if it was illegal to sell or support products to country X, and doubly so if the tools being sold were used specifically for the oppression.

Re:Duh! (1)

davecason (598777) | more than 2 years ago | (#37877964)

I made this very same point the last time this was "news": we seem to be upset that they are using a product to do exactly what it was designed for. This is like being upset that guns can be used to shoot things or poison being used to kill things.

Usual Lies (0)

TaoPhoenix (980487) | more than 2 years ago | (#37875542)

Ho Hum, Corps lying, then they admit it, and no one has any energy left to care.

Re:Usual Lies (1)

grcumb (781340) | more than 2 years ago | (#37876788)

Ho Hum, Corps lying, then they admit it, and no one has any energy left to care.

Oh ye of little faith. Get thee to Wall Street and start Occupying.

Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875586)

Some people seem to have got the idea that tweeting and joining facebook groups is the way to change a regime. Which is the only reason this is News, like the only thing between Syrian hell and Syrian utopia is internet access. More or less that's not the case and the only reason Mubarak went was he thought he could trust guys he'd known for decades not to throw him in jail, probably now he regrets not repeating the shooting sprees he carried out in the 80s.

Point being thousands of people have now been shot in Syria and it really has nothing to do with the internet. At this stage nobody wants to get involved because although that dictatorship could be overthrown very fast the next guys might be worse (Libyan NTC repealed the secular Gaddafi bans on polygamy as their first official act) and according to Assad on his way out him and his Hezbollah pals will fire thousands of rockets at Israel.

So some Arabs making some profits by reshipping some internet censorship stuff is the least of *anyone's* concerns. Half the problem is that western leaders seem to believe the inner goodness of everyone on earth, news flash: not everyone is Booker T Washington just waiting for some education so they can build schools and liberate themselves, history proves quite the opposite. That's why things are hopeless, if you tried to do what Booker did in Damascus you'd be shot before you got started by some martyrs' brigade who thinks arithmetic is a western conspiracy.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875670)

Libyan NTC repealed the secular Gaddafi bans on polygamy as their first official act

Got a reliable source on that? I.e. not 1001 hilarious Indian "news" websites, which is the only thing I can find via Google.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875738)

NTC leader Jalil: http://edition.cnn.com/2011/10/26/world/africa/libya-sharia/index.html - according to CNN. I read somewhere else about a week ago that it had already been done but can't find the link (was BBC or something but who knows, maybe the legislation itself hasn't been inked), that article also mentioned aside from generic sharia new Islamic banking laws and modifications to loans people have taken out under the Gaddafi regime when the amount was 7.5k USD or less.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875824)

http://edition.cnn.com/2011/10/26/world/africa/libya-sharia/index.html And if you read that article the new leader Jalil says

""The law of marriage and divorce, which deals with polygamy -- this law is against Islamic Sharia, and is now halted," he said."

The only thing that unites Arabs now is Israel and very few care enough about democracy and the rights of the individual to fight about it which is a great shame because if you go back far enough their ancestors had some really great scientists. Egypt has been shooting minorities (Sudanese blacks, Coptic Christians) before and after Mubarak and the majority of the population couldn't care less. Which shows what nonsense this democracy was because (and the reason why the Egyptian army has been stalling the elections since this lovely spring) if you give people democracy when they're not ready for it they're just going to elect the Muslim Brotherhood and it's *very* unlikely after something like that happens that people will have US style freedoms.

I'm atheist but people should be able to build a Church or a Synagogue or a Buddhist Temple or whatever and generally do what they like without being slaughtered.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37877542)

This really isn't a big deal. You're not going to see the NTC cutting off hands, etc. Sharia has multiple meanings and interpretations; to many Libyans it means the abolition of high-interest rates and the sale of alcohol. (Gaddafi's family claimed to be religious but his sons were drunk in public etc) Regardless of what any official says, they're going to have elections and public participation in creating the new Libyan Constitution.

Re:Misplaced Priorities? (1)

Toonol (1057698) | more than 2 years ago | (#37879606)

I don't doubt they'll have an election. I'm not sure they'll have a second one, though.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875768)

That's why things are hopeless, if you tried to do what Booker did in Damascus you'd be shot before you got started by some martyrs' brigade who thinks arithmetic is a western conspiracy.

Never mind that we use Arabic numbers because they invented our arithmetic, or anything historical like that.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37875984)

Exactly you durak, Arabs made fantastic advancements in all fields of science but if you look at scientific output the last few centuries it's some sort of dark age. Just selfish sheiks too paying German architects to build the world's tallest and most useless buildings. It'd be better for everyone's futures if they were spending the oil money on real education.

Re:Misplaced Priorities? (0)

Anonymous Coward | more than 2 years ago | (#37877444)

Never mind that we use Arabic numbers because they invented our arithmetic, or anything historical like that.

You mean the numbering system developed in India?

Re:Misplaced Priorities? (1)

NynexNinja (379583) | more than 2 years ago | (#37876522)

Libyan NTC repealed the secular Gaddafi bans on polygamy as their first official act

Maybe they should first ban incestuous relationships with first cousins, but that would be against their Muslim tradition.

Re:Misplaced Priorities? (1)

sam0vi (985269) | more than 2 years ago | (#37877074)

Very few countries have that rule, actually. Discussing the same topic with some friends I ended up googling the subject. Do it, and you'll be surprised.

Re:Misplaced Priorities? (2)

voss (52565) | more than 2 years ago | (#37877148)

Actually 18 US states allow first cousin marriages which has nothing to do with Islamic law. In fact cousin marriage was legal in all US states prior to the Civil War.

http://en.wikipedia.org/wiki/Cousin_marriage [wikipedia.org]

Censorware boxes? (1)

Kyusaku Natsume (1098) | more than 2 years ago | (#37875634)

I don't like to have many sites blocked by the Bluecoat box in our network, but they do a necessary service, using Facebook and YouTube belongs to the home and your personal devices. The use or abuse of this equipment is a decision of the customers, not the company making products. Linux and a lot of GNU software can and surely have been used to enable the killing of thousands, but we will not be blaming Stallman and Torvalds for that.

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37875838)

I'm sorry, but if only censorship can keep your employees from avoiding work, then they are not really working for you at all. Instead they work for the money only, don't give a fuck if the company dies, provided they keep getting money, and you have got to have a pretty shitty company. *Maybe* you should think about actually giving some decision power (includes responsibility too, obviously) to your employees, so that they have their thing that is *theirs*, that they are the boss of, and that they can be proud of.
That way, you don't have to force them like a n00b, but they *want* to work instead of going to Facebook because it's *more important to /them/*.
Yes, sometimes they will still go to Facebook and YouTube and the coffee machine, and have a chat/flirt with a coworker and go to the toilet. Because they are freakin' *humans*!

Man, I wonder how such douche companies stay alive...

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37875942)

I take it you've never run a network, outside maybe the one in your parent's basement....

Re:Censorware boxes? (1)

kesuki (321456) | more than 2 years ago | (#37876404)

I've run a network in a basement. I wasn't ready at the time, but boy did I learn a lot I never parsed until I snapped, spent half a year in psych wards and learned the hard way I guess. Except I am back here.

I learned how good admins survive the trenches in colleges. I learned by proxy examples of how things are done, without doing them personally.

But I am not an expert. Just a hobbyist and tinkerer.

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37876152)

Appliances for filtering are an unfortunate fact of life once a company gets to a certain size.

The web filters are just like antivirus utilities on the Solaris or AIX boxes -- legal CYA. On the lowest level keep the sexual harassment suits from happening, allegations of people viewing child pr0n from appearing (especially with automatic updates blocking domains and IPs).

On another security level, they keep confidential information from getting out the door. Not everything company confidential is bad -- keeping employee PII secure is a good thing.

So, these appliances are not a bad thing. In fact, they can actively thwart attacks, especially if exploit web sites are blocked quickly.

Re:Censorware boxes? (1)

Kyusaku Natsume (1098) | more than 2 years ago | (#37876472)

Try keeping YouTube with open access to 70 k employees and see how your internet connection crawls, moron. Maybe you missed this:

I don't like to have many sites blocked by the Bluecoat box in our network, but they do a necessary service

I work in a state owned company, and we have already a big problem trying to get inside the hard skulls of my coworkers that we must give a good service to our customers because the government wants to sell the company as low as possible to party friendly plutocrats, and treating citizens like shit is a sure way to make this act of corruption appear like a move in the best interest of everyone and lose our jobs in the process. I like to have a job, I feel proud to be a member of the company that gives the most widely available public service in Mexico and I really hate when my coworkers are not nice with customers. Our job is to provide a public service and if it is necessary to have a filtered network to keep people focused on the job, so be it.

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37903162)

Well, that’s self-regulating, "moron". If the connection crawls, your employees will themselves tell YouTube users to stop it, so they can do their work. Peer pressure solves this pretty quickly. I know because I have seen it!

But I guess everything suffices as an excuse to keep holding the ideals of Stalin and China high.
It's the same thing they always do to creep in such evil shit: "Oh, *I* hate it, sure, just as much as you... But it is 'necessary' because of $anyUnjustifiedVagueBlahBlahShit"
Stalin used literally *everything* in place of that variable. It didn't matter if it made no sense or had no justification. As everyone was "Just doing his job, and hey, it was 'necessary'. That's what $authority said.". And otherwise, they would end up being the next ones going to the Gulags and becoming an "unperson" (that's where that word in 1984 comes from).

You, just like them, didn't even *think* about *thinking* about if it's *actually* justifiable at all or if there is a better solution.

You should be ashamed of yourself!

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37877242)

Instead they work for the money only, don't give a fuck if the company dies, provided they keep getting money, and you have got to have a pretty shitty company.

Do you expect a different attitude from employees who are treated like worthless assets and matters of expense that have to be cut as radically as possible? Corporations and politicians treat people like crap. No wonder employees don't care about them in return.

Re:Censorware boxes? (1)

XorNand (517466) | more than 2 years ago | (#37875962)

Linux and a lot of GNU software can and surely have been used to enable the killing of thousands, but we will not be blaming Stallman and Torvalds for that.

Yes, but how much money have oppressive regimes put directly into the pockets of Stallman and Torvalds?

Re:Censorware boxes? (1)

Kyusaku Natsume (1098) | more than 2 years ago | (#37876314)

Of course not a single cent that we or they would know of, but really, it is not in the best interest of BlueCoat to be on the wrong side of the law, not to mention of history. Risking jail only for selling a few boxes, which are not even half of what is installed in my company, is insane.

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37876146)

Uhm, that's not what these devices are for. They are used to perform MITM attacks to monitor the content of SSL traffic. Of course, they need valid certificates issued from a trusted CA in order to do this. Now where have I heard about hacked CAs recently?...

Re:Censorware boxes? (1)

trashcanman (30020) | more than 2 years ago | (#37876266)

Actually that's not what these devices "are for". They're tools for enforcing company policy. That's it. They are not evil in and of themselves. Do clueless organizations try to use them for "nannying" their employees to death? Every day. And they're so busy making sure Joan in Accounting doesn't spend 15 extra minutes on Facebook that they miss all the PII and company IP going out one of the many other open transports out of the company network. Any company that is serious about security either doesn't allow this information on the untrusted network (where the users live) in the first place or they lock down internet access to the point that most employees don't even know the company has a connection to the internet. Everyone else is a breach in progress.

And no, you don't need a certificate from a trusted CA to do SSL MITM on a Bluecoat (but it would come in handy for a government entity spying on its citizens). All you need is a trusted wildcard cert. The Active Directory CA cert would work just as well in a corporate environment.

Re:Censorware boxes? (0)

Anonymous Coward | more than 2 years ago | (#37876386)

And nowhere did I say they were evil. Active Directory CA certs work for apps that use the system certificate store, but apps that maintain their own certificates will typically alert the user without a trusted CA cert.

Re:Censorware boxes? (1)

trashcanman (30020) | more than 2 years ago | (#37878598)

Sorry. I missed that first "not" in your post. As for apps with their own certs, you would let those stay encrypted, but limit where they can go. These kinds of apps (ones that use client certs if I'm reading you right) usually perform specific business functions and are not for general surfing. In fact, if it was me, I'd bypass the proxy entirely for these apps to keep the number of moving parts to a minimum.

They will eventually go dead (1)

OnlineAlias (828288) | more than 2 years ago | (#37875760)

A Bluecoat box, without updates, eventually ceases to operate properly if at all. So, Bluecoat can just chase down the offending machines and therefore the money stream, and stop updating them. Eventually they won't be able to run a report (to figure out who went where), block proxy avoidance sites, or do anything useful with it. How do I know this? I have a large customer that stopped paying the maintenance, and that is what happened.

SSL Man In The Middle (0)

Anonymous Coward | more than 2 years ago | (#37875800)

Blue Coat's ProxySG product offers an ominous feature, "inspection and validation of SSL traffic," that creates a man-in-the-middle capable of opening up and reading SSL encrypted sessions. The reason, they claim, is that malware can leak in via SSL [bluecoat.com], and therefore enterprises are wise to inspect this data, damn all the legal arguments. This works by injecting the proxy's certificate into your browser's certificate store; afterward, the proxy issues on-the-fly certificates for your popular sites signed by that proxy cert, causing your browser to trust it unconditionally and without popup.

Re:SSL Man In The Middle (1)

mlts (1038732) | more than 2 years ago | (#37876180)

Call me a devil's advocate here:

With my IT pro hat on, this active MITM is a good thing. It will substitute its SSL cert for the other one and actively inspect traffic. Of course, you have to add the Blue Coat cert into the domain root, as well as other web browsers.

The benefit of this is that confidential info can't just be kicked to an exploit site via SSL, or someone isn't going to be trying to make a proxy via SSL (since traffic that isn't decrypted gets blocked.) This is important because an intruder can create an SSL connection and use that as a proxy.

Of course, wearing the concerned individual hat, the same technology that keeps confidential data from leaking could be used by ISPs for nefarious reasons, such as Phorm over SSL. At least people will start complaining if an SSL cert gets replaced, but if the ISP's CA makes it into the root stash of Web browsers, this would be a field day for them.
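The trust behaviour described in the comments above (an inspecting proxy's CA added to the client trust store, while software that keeps its own certificate expectations still notices the substitution), as an added example that is not from the thread or from Blue Coat. It uses the openssl CLI; every CA, key and host name is constructed, and the public-key pin comparison is an assumed stand-in for an app that does not rely on the system store.

```shell
#!/bin/sh
# Added example. Every CA, key, host name and certificate here is constructed
# for the demo; nothing is taken from a real proxy or site.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="www.example.test"

# make_ca NAME CN: self-signed CA certificate and key under $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf NAME CA: certificate for $HOST with a fresh key, signed by CA
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 2 -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# chain_trusted LEAF STORE: does LEAF chain to a CA in this trust store?
chain_trusted() {
  if openssl verify -CAfile "$WORK/$2" "$WORK/$1.crt" 2>/dev/null |
       grep -q ': OK$'; then echo trusted; else echo untrusted; fi
}

# spki_pin LEAF: base64 SHA-256 of the certificate's public key
spki_pin() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey |
    openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -binary | openssl base64
}

# pin_check LEAF PIN: what a client that remembers the origin's key concludes
pin_check() {
  if [ "$(spki_pin "$1")" = "$2" ]; then echo pin-match; else echo pin-mismatch; fi
}

# issuer_of LEAF: issuer line, the quickest manual tell for interception
issuer_of() { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }

make_ca public-root "Public Root CA (constructed)"
make_ca proxy-ca    "Corp Proxy CA (constructed)"
issue_leaf origin  public-root   # what the real site would present
issue_leaf proxied proxy-ca      # what the client sees behind the proxy

# Stock trust store vs. a managed one that also trusts the proxy CA
cat "$WORK/public-root.crt" > "$WORK/store-default.pem"
cat "$WORK/public-root.crt" "$WORK/proxy-ca.crt" > "$WORK/store-managed.pem"

ORIGIN_PIN=$(spki_pin origin)

for leaf in origin proxied; do
  printf '%-8s default=%s managed=%s %s | %s\n' "$leaf" \
    "$(chain_trusted "$leaf" store-default.pem)" \
    "$(chain_trusted "$leaf" store-managed.pem)" \
    "$(pin_check "$leaf" "$ORIGIN_PIN")" "$(issuer_of "$leaf")"
done
```

On a managed machine the substituted certificate validates silently, so the issuer name and the changed public key are the signals left to check.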

Re:SSL Man In The Middle (0)

Anonymous Coward | more than 2 years ago | (#37877530)

But an intruder can use steganography to achieve the same ends if they thought SSL were being inspected. Therefore, inspecting SSL only really hurts user privacy.

Re:SSL Man In The Middle (0)

Anonymous Coward | more than 2 years ago | (#37880384)

We've seen social engineering lately on our network. Someone sends out an email directing the user to go to spreadsheets.google.com and reset their password since it's expired. With 100k employees, some are bound to bite on it.

BS alert (2)

TheGratefulNet (143330) | more than 2 years ago | (#37875938)

quoting:

Blue Coat told The Wall Street Journal the appliances were transmitting automatic status messages back to the company as the devices censored the Syrian Web. Blue Coat says it doesn't monitor where such "heartbeat" messages originate from.

I call BS.

who, here, believes the company goes to the trouble of having the appliances phone home and yet does not scrutinize every bit of info that comes back, *especially* what subnets and routes it's connected to?

shit, man, if I was the company, *I* would do such things and I'm one of the good guys. there's no way a vendor would not want to see data and look for things that are not registered or show up all of a sudden, etc. the license fees are not insignificant (I'm guessing, but it's a fair guess) and so any new box would cause an alarm. again, I would do this and I'm not even in this business.

Re:BS alert (0)

Anonymous Coward | more than 2 years ago | (#37876222)

who, here, believes the company goes to the trouble of having the appliances phone home and yet does not scrutinize every bit of info that comes back, *especially* what subnets and routes it's connected to?

As a Blue Coat employee, I can assure you that this sort of information is not mined from the heartbeats. In general, no one looks at the heartbeats from a particular box unless there is a reason to do so.

Re:BS alert (1)

TheGratefulNet (143330) | more than 2 years ago | (#37876282)

either you don't know the full story (not an insult; it limits their liability if only so many people know the real story) or they are pretty dumb to not make the maximal use from uploaded hello messages.

as someone who has been in the comms field for a few decades now, I am slightly aware of the disconnect between upper mgmt and the guy writing the code. the code guys don't always know everything that goes on in the box. nuff said?

sorry if that was world-shaking to you.

Here, have a tinfoil piece of headgear (1)

kriss (4837) | more than 2 years ago | (#37877466)

You sir, just earned a tinfoil hat. While I have no particular love for Bluecoat (they're competitors in another field), you're assuming things based on what you think to be the case. Claiming that others are misinformed simply because it doesn't fit your mental image is rather silly.

There's only so and so much time in a workday. Spending it on going over phone-home in detail and sending across sensitive information in the first place? Not so useful.

(We also do phone home. Aggregates only, nothing sensitive. It usually makes very little sense to go fucking with your customers or risking their sensitive data, so there's no reason to send anything else.)

Re:BS alert (0)

Anonymous Coward | more than 2 years ago | (#37876232)

You don't check on things that you don't want to know.

Re:BS alert (1)

trashcanman (30020) | more than 2 years ago | (#37876290)

You'd be amazed how lazy corporate entities can be. Even "security companies"...

Re:BS alert (1)

CadentOrange (2429626) | more than 2 years ago | (#37877194)

You'd be amazed how lazy corporate entities can be. Even "security companies"...

Having worked at a security company, this is oh so true and I'd mod you up if I could.

Re:BS alert (0)

Anonymous Coward | more than 2 years ago | (#37926678)

I don't agree, there are license reasons also.

since licenses = money, I do not doubt they would check/log where the heartbeat messages originate from.

Re:BS alert (0)

Anonymous Coward | more than 2 years ago | (#37877340)

Ok... so I develop a product, and part of it is info that has to be downloaded from my servers.

Why is it important to me where you're from? As long as your contract is paid up, and you purchased the equipment, I would want to provide the service as cheaply as possible. (And they did buy the equipment -- through Dubai...)

Please tell me how knowing what country you are in would help me do it cheaper? If anything it would make it more expensive (develop software to do it, reporting, additional load on the servers, etc).

I think you're thinking way too much about the computers involved here to realize businesses (and consumers) don't give a shit. COMPUTERS ARE TOOLS. And if you're selling a service, it's the service people are paying for... not some elaborate computer setup.

Re:BS alert (0)

Anonymous Coward | more than 2 years ago | (#37880948)

Find some companies that actually do that and get back to me.

of course (0)

Anonymous Coward | more than 2 years ago | (#37876098)

find oppression in the world and you will always hear an American accent, no wonder the middle east hate your guts and will fuck you up again as soon as they get the chance.

Not Blue Coat's problem (1)

Okian Warrior (537106) | more than 2 years ago | (#37876254)

As the supreme court is fond of pointing out, it is up to the legislature [or in this case, the State Department] to pass laws which are clear and specific.

We've had posts before about ISPs being told to "ban PirateBay.com" [slashdot.org] but not PirateBay.org, or to ban a specific IP address in an effort to take a website offline. Both of these are ineffective for the stated goal.

The overall opinion is that companies should implement the court instructions to the letter. Anything else might provoke the wrath of the court. Even doing something *effective* in lieu of a court's ineffective instructions is a bad move and likely to provoke a contempt of court ruling.

So Blue Coat's software is used in Syria, so what? They have followed the law and that's that. We may find their actions less than ethical, but the dividing line between ethics seems to waver depending on who and where you are. The Syrian government probably views the software as a stabilizing influence, and something that protects the population.

Put your blame where it truly lies. Write your congresscritter if you feel strongly about it.

Re:Not Blue Coat's problem (1)

kanto (1851816) | more than 2 years ago | (#37876592)

I don't think anyone is surprised about embargoes being broken, so the ethics part is it. But don't write your congresscritters, since the US does this globally they'll probably just pass laws to make censorship free speech and eavesdropping protected speech; ethics fixed for ya.

Re:Not Blue Coat's problem (0)

Anonymous Coward | more than 2 years ago | (#37884754)

AT&T was doing horrible things directly and that was fine but xyz company's systems are found in a country [we are preparing to attack one way or another] then all hell breaks loose. Something doesn't compute, there is some background thread whose only evidence is this increasing drum beat about insignificant findings.

The ITAR regulations are a WOFTAM. (1)

Above (100351) | more than 2 years ago | (#37876262)

The International Traffic in Arms Regulation are a Waste Of Fucking Time And Money.

There's this crazy notion that we can keep technology from folks by not selling it to them. Yet there are a thousand ways for folks to get the same technology, from paying a middle man, to sending people here to use it and recreate it. The absolute best case is delaying, by a small amount of time, how long before they get the technology.

It's also quite hypocritical that this technology is A-Ok for US companies to use on US citizens working for them....but somehow if Syria uses it to determine what Syrians see it's evil. That really doesn't make any sense.

Re:The ITAR regulations are a WOFTAM. (0)

Anonymous Coward | more than 2 years ago | (#37876894)

ITAR is actually very good for high tech companies in other countries, such as India, Brazil, South Africa, Canada... So, I'm all for it.

Of course BlueCoat knew about it (0)

Anonymous Coward | more than 2 years ago | (#37876342)

I used to work for a reseller in the Middle East that sold many tech firm appliances, including BlueCoat proxy filters. I can tell you that an order of 14 BlueCoat devices would not go unnoticed without members of BlueCoat sales/pre-sales team being aware of it. This includes knowing the end customer, the proposed design and deployment setup, and the intended use of these devices.

I would have to say that BlueCoat was more interested in the ca$h they were getting paid and the quotas they were retiring, and decided to overlook all the other facts about the end customer (which they knew all along).

You can't tell me you have a $700k deal and 14 of your devices and you still don't know the end customer very well. Pretty disgusting.

BlueCoat should come clean. They should fire all their regional staff who made this mess and publicly admit their mistake.

They should take action (1)

jonwil (467024) | more than 2 years ago | (#37876722)

A company like this should introduce Windows Product Activation functionality. Any license that isn't valid (e.g. pirate copies or those in countries where it isn't allowed to sell the software), they can blacklist it and make it so that it does not actually censor anything. (or update its censor list)

Re:They should take action (1)

jonwil (467024) | more than 2 years ago | (#37876862)

I mean "windows product activation like functionality"
So basically if the program isn't a valid license, it stops working. But in a way that isn't instantly visible to the operator of the software/appliance.

Re:They should take action (1)

Clovert Agent (87154) | more than 2 years ago | (#37877080)

But then, when the activation fails for a legitimate customer (because it WILL fail at some point), that customer doesn't know that he's paid full rate for a non-functional appliance.

There's not much harm in a "your device appears to be operating in a country on a list of Bad Places. Please call 0800 UNCLE SAM to resolve the problem."

It's not like they're likely to route all their traffic through a proxy in another country to avoid it. That's plausible, but so unwieldy it probably wouldn't be worth the effort. Esp not for a national government.

[condense]Syria[/condense] (1)

adolf (21054) | more than 2 years ago | (#37876956)

Why is "Syria," as shown in the title, displayed in a more narrow font than the rest of that title?

(Or am I really the only person to notice this?)

Re:[condense]Syria[/condense] (0)

Anonymous Coward | more than 2 years ago | (#37876984)

Vowel movement.

Re:[condense]Syria[/condense] (1)

fibonacci8 (260615) | more than 2 years ago | (#37882022)

Syria's business

Re:[condense]Syria[/condense] (1)

adolf (21054) | more than 2 years ago | (#37883212)

Syriasly?

Insider - Syria (0)

Anonymous Coward | more than 2 years ago | (#37879170)

Bluecoat is not the only thing used by Syrian ISPs to monitor users' activities. Recently a European company (maybe Italian) was contracted after the uprising in Syria, and it seems they started to do Deep Packet Inspection. They are trying to intercept any kind of voice communication over the internet; they also collect HTTP traffic which contains a payload that matches a list of words, and IM service is also monitored. They use active monitoring sometimes, as they try to steal Facebook accounts and spy on activists.
Tor service and OpenVPN were blocked a few months ago, and YouTube traffic is throttled to make it very hard to upload content.

A special secret service or intelligence agency department is dedicated for internet monitoring called ( 225).

This is just a very little of what is going on with the internet service in Syria.

Why (0)

Anonymous Coward | more than 2 years ago | (#37879630)

Why help repress people? Why is this not a crime?

A blue of a coat (0)

Anonymous Coward | more than 2 years ago | (#37883428)

Blue Coat works directly by the direction of President Barack Obama.

President Barack Obama is rightfully concerned regarding his personal rendition cells at Syrian prisons and the hundreds of billions of US dollars he has authorized the US Treasury Dept. to send to Syria.

Rightfully so, Blue Coat is pissing blood right about now.
