#OpSyria : Telecomix vs. Assad
October 12, 2011 9:47 AM
BlueCoat Systems (Sunnyvale, CA) has been exposed selling surveillance equipment to the Syrian government in violation of U.S. trade embargoes. The Telecomix hacktivist 'cluster' anonymized and released 54 gigabytes of Syrian censorship log data, collected from seven of the fifteen Bluecoat SG-9000 proxies used by Syrian government telco and ISP STE. Telecomix has also been providing Syrians with Tor and VPNs, offering support via IRC (#telecomix, #opsyria), and providing DNS service for The Pirate Bay. (see also : reflets.info tags opsyria and telecomix)
Last March, Gamma International (Germany and Britain) was exposed for selling surveillance technologies when Egyptian protesters raided the SSIS headquarters. More recently, the Chaos Computer Club (CCC) analyzed a piece of malware the Bavarian government uses in criminal investigations, in violation of several German laws and a court verdict.
And the cryptography drive needs more condom jokes. (Thanks Wrinkled Stumpskin!)
posted by jeffburdges at 10:29 AM on October 12, 2011
sooo...BlueCoat has turned RedCoat?
srsly, tho...breaking federal law in order to destroy democracy? treason, right?
posted by sexyrobot at 10:34 AM on October 12, 2011
breaking federal law in order to destroy democracy? treason, right?
why do you insist on looking backward, not forward?
posted by T.D. Strange at 10:45 AM on October 12, 2011 [1 favorite]
srsly, tho...breaking federal law in order to destroy democracy? treason, right?
Uh, it's not treason if it's not against the U.S.
Also 'telecomix'? Are they french or something? Seems like a totally lame name for a 'hacker cluster' to me.
posted by delmoi at 10:50 AM on October 12, 2011
Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.
It's only treason if you buy into the insanely flexible and arbitrary definition of the word "Enemy" that's been used by the last two administrations.
posted by Grimgrin at 10:51 AM on October 12, 2011
It's only treason if you buy into the insanely flexible and arbitrary definition of the word "Enemy" that's been used by the last two administrations.
So...it's treason, right? Or are these guys rich & white? Their management team looks pretty white. Maybe there's nothing to see here after all.
posted by spacewrench at 11:00 AM on October 12, 2011
So...it's treason, right?
No, it's not Treason because we are not at war with Syria. This is not a complicated thing to understand. They may have broken the law, but this is not an example of actual Treason. People need to stop using the word for "Shit I don't like".
posted by delmoi at 11:40 AM on October 12, 2011 [5 favorites]
i wonder how that bet involving the Koch brothers and Iran is going...
posted by Shit Parade at 12:07 PM on October 12, 2011
So far, what I get from the article is that BlueCoat tech has shown up on Syria's networks, and in a shoddy, ad hoc setup (which is why, in a way, they could find out it was there).
They don't have evidence that BlueCoat sold it directly to Syria, or that they have any business relationships with them at all. There is some handwaving about "this tech always comes with support agreements", but if you've ever walked into an IT closet of a cheaply run company, chances are you will find various under-warrantied / under-supported pieces of Cisco and other high-end equipment picked up in fire sales and shoehorned into service.
I mean, what is stopping someone from buying a BlueCoat proxy from CDW and then shipping it to Syria? I'm sure if you lean on the sales guy at the end of the phone desperate to make his margin for the month, he'll wave you through any red tape about it being sold with a maintenance contract or support agreement.
posted by mrzarquon at 12:19 PM on October 12, 2011
Could someone explain what this means?
From a more technical perspective, we firstly observed that the traffic routing from ADSL clients was performed depending on the requested TCP port. If the port differs from 80 and is not concerned by a blocking policy, the request goes directly to the server. If port 80 is requested, it is redirected to a BlueCoat proxy without letting the client know it.
I've looked up all the terms, but I still don't quite grasp the idea.
posted by Cwell at 2:39 PM on October 12, 2011
cwell-
if a user tries to connect to a server through its front door (port 80, default for the web), the bluecoat proxy intercepts all the traffic and checks to see first if it's a server that the user is trying to go through. If they aren't, it blocks them. If they are, it lets them through and records everything they are doing.
However, the devices really aren't set up properly, so if you can get the server to leave a window open for you (a different port) you can connect to it that way, since the bluecoat device is only monitoring people going through doors.
posted by mrzarquon at 2:48 PM on October 12, 2011
> if it's a server that the user is trying to go through
if it's a server that the user is allowed to go to
posted by mrzarquon at 2:48 PM on October 12, 2011
As for why devices like this exist: A lot of businesses use it to filter internet for objectionable content (questionable), provide realtime virus detection (scans the files as they go to the user's computer, prevents popups that install viruses from actually working, etc), and in some cases, compliance reasons (being able to monitor and track all user communications to ensure sensitive information isn't leaked).
Or at least, those are the stated purposes of the BlueCoat and similar systems. I don't really have a problem with them being in place at an office environment for office computers, if the users are informed about it and know that yes, we know what you are doing (as a sysadmin: I can already read your email if I want). It's when ISPs, government entities, and similar larger organizations implement them as a whole against a public internet service that is the sketchy part of it.
It's like offices with RFID badges and security clearance areas and video cameras. I want that in my office for a server room. I don't want it in a public park or on every street or shop.
posted by mrzarquon at 2:54 PM on October 12, 2011
Oh wow. I thought that name sounded familiar. I interviewed for a programming job with them four years ago. A recruiter had approached me; I didn't know anything about them. Everything was going fine until they asked for my references. They came back and said I was described as "abrasive" and that they would have no further contact with me. I asked my references what had happened (I was on very good terms with them, and we spoke regularly), and they both said the Blue Coat rep had left one voicemail and never answered the callback number. It was all very weird.
I continue to be very glad I didn't get the job.
posted by Sibrax at 2:55 PM on October 12, 2011
I've looked up all the terms, but I'm still don't quite grasp the idea.
Let's see if I can explain it from the ground up.
Basically the internet works by routing packets around. You can think of a packet as a long string of data with two important chunks followed by whatever you want. The two chunks are the 'source' and 'destination' of the packet. You can see a chart here; the source starts at bit 96 and the destination starts at 128.
Routers on the internet use the destination address to figure out where to send the packet as far as their physical network connections are concerned. The packet might pass through several machines before it gets to its destination.
But here's a problem: what if you have multiple computer programs running on the same machine? When the computer gets the packet, it won't know which program to send it to. TCP solves that problem, as well as other problems dealing with the ordering of packets and what to do if a packet gets lost.
The important bits are the source and destination ports. Those are 16-bit numbers (you can see them in the chart at bit zero and 16). That tells the recipient computer what program to send the packet to.
By default, most web servers use port 80, but you can use a different port if you want; however, you need to use URLs like this: "http://www.metafilter.com:99", which will try to download a web page on port 99 rather than port 80. It's pretty uncommon, because of the unwieldy URLs. (However, https uses a different port number.)
So basically, these proxies were just looking at the destination ports of the packets that were outgoing, and then capturing web traffic going through port 80. They were ignoring all the packets that didn't have an 80 in the destination port of the TCP packet. Fairly lazy.
Everything was going fine until they asked for my references. They came back and said I was described as "abrasive" and that they would have no further contact with me. I asked my references what had happened (I was on very good terms with them, and we spoke regularly), and they both said the Blue Coat rep had left one voicemail and never answered the callback number. It was all very weird.
Or your references stabbed you in the back! (dunt dunt dunnnnn)
posted by delmoi at 3:12 PM on October 12, 2011
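Added example (not from the thread, and not code from Telecomix or the reflets.info report): a small Python model of the port-based routing that the quoted report, mrzarquon and delmoi describe. The packet layout follows the bit offsets cited above (IPv4 source at bit 96, destination at bit 128; TCP ports at bits 0 and 16); the addresses, ports and the blocked-port set are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Constructed sample builder: a minimal 20-byte IPv4 header followed by a
# 20-byte TCP header with no payload. Checksums are left at zero on purpose;
# this is a model of the routing decision, not a packet generator.
def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                          # version 4, IHL 5 (20-byte header)
        0,                             # DSCP / ECN
        40,                            # total length: IP + TCP header
        0, 0,                          # identification, flags/fragment offset
        64,                            # TTL
        6,                             # protocol 6 = TCP
        0,                             # header checksum (not validated here)
        IPv4Address(src_ip).packed,    # source address, bit 96 .. 127
        IPv4Address(dst_ip).packed,    # destination address, bit 128 .. 159
    )
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        src_port, dst_port,            # 16-bit ports at bit 0 and bit 16
        0, 0,                          # sequence / acknowledgement numbers
        0x50,                          # data offset 5 (20-byte header)
        0x02,                          # flags: SYN
        65535, 0, 0,                   # window, checksum, urgent pointer
    )
    return ip_hdr + tcp_hdr


def parse_packet(pkt: bytes) -> dict:
    """Pull the two address chunks and the two port fields out of a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4                  # IP header length in bytes
    src_ip = IPv4Address(pkt[12:16])           # byte 12 == bit 96
    dst_ip = IPv4Address(pkt[16:20])           # byte 16 == bit 128
    # TCP header starts right after the IP header; ports are its first 4 bytes.
    src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src_ip": str(src_ip), "dst_ip": str(dst_ip),
            "src_port": src_port, "dst_port": dst_port}


# Hypothetical blocking policy for ports other than 80 (constructed value).
BLOCKED_PORTS = frozenset({6881})
PROXY_ADDR = "192.0.2.80"   # placeholder address for the interception proxy


def route(pkt: bytes, blocked_ports=BLOCKED_PORTS) -> Tuple[str, Optional[str]]:
    """Apply the decision the report describes: port 80 is silently diverted
    to the proxy (which logs it), policy-blocked ports are dropped, and
    everything else goes straight to the server. Returns (action, log line)."""
    hdr = parse_packet(pkt)
    if hdr["dst_port"] == 80:
        log = (f"proxy={PROXY_ADDR} client={hdr['src_ip']}:{hdr['src_port']} "
               f"server={hdr['dst_ip']}:80")
        return "proxy", log              # client sees nothing; proxy records it
    if hdr["dst_port"] in blocked_ports:
        return "blocked", None
    return "direct", None                # unmonitored path mrzarquon calls a "window"


if __name__ == "__main__":
    for port in (80, 443, 6881):
        print(port, route(build_packet("192.0.2.10", "198.51.100.7", 40000, port)))
```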
There was clearly an intention to violate the embargo, mrzarquon, given they've fifteen identical models. Did that intention originate within BlueCoat itself? An aggressive salesman perhaps? I donno.
These guys aren't exactly somebody who everyone learns about configuring though, à la Cisco. Ergo, there is probably evidence in their server configuration, i.e. good configuration suggests an unofficial support contract.
Is only monitoring port 80 a bad decision like delmoi claims? Not necessarily. You have a whole country to filter and spy upon, but only a limited IT budget, and your superiors care most about port 80.
posted by jeffburdges at 3:31 PM on October 12, 2011
Yeah, I am not saying that BlueCoat should be let off scot-free on any basis of wrongdoing, and there is enough evidence to suggest that they should be investigated to see how good the auditing capabilities of their own devices are. Just at this point, I don't think there is enough to say that because their equipment is in Syria, they (BlueCoat) had anything to do with the sale of the equipment.
But they also work with partners and vendors, who can get certified on the product and install it for them, so it could possibly be that a yet unknown third party has found it. Now if they can track the serial numbers of the units and find out who bought them from BlueCoat, then you start having a clearer case on the matter.
posted by mrzarquon at 3:59 PM on October 12, 2011
Could it be that someone in the US bought them then resold them? I mean, don't get me wrong, odds are that somebody got greedy and figured they would never get caught, but you know, that seems like a pretty easy sale to make.
Next question; Is this an actual physical device? Where was it made? Could someone along the line have sold a few units to line their own pockets?
posted by Canageek at 4:13 PM on October 12, 2011
No one would sell directly to Syria just to make a couple bucks. It's way too dangerous. There are tons and tons of forms and checklists you have to fill out for every international sale and it's not worth betting the entire company on lying. On the other hand, selling your stuff to someone in "Turkey" who happens to call you from Syrian numbers and use bank routing numbers that end up in Syria, and not investigating particularly carefully, sounds absolutely typical.
posted by miyabo at 5:37 PM on October 12, 2011
Is only monitoring port 80 a bad decision like delmoi claims? Not necessarily. You have a whole country to filter and spy upon, but only a limited IT budget, and your superiors care most about port 80.
Sure, but the vast majority of traffic is going to be port 80, and the traffic off port 80 would be much more interesting in general.
posted by delmoi at 6:14 PM on October 12, 2011
I suggested the Syrian IT guys' careers depend more upon "protecting public morals" than upon implementing tools the spooks aren't familiar with anyways, not what traffic was interesting.
posted by jeffburdges at 6:23 PM on October 12, 2011
Blue Coat Concedes Its Devices Operating in Syria
Anyone think "hey, dictators deploy our technology" will become a selling point?
posted by jeffburdges at 7:32 PM on October 28, 2011
Yeah, and they were sold through a Dubai-based middleman apparently, which I believe does not have any such restrictions or legal issues saying you can't sell to them. There is really nothing stopping someone with strong financial ties in the UAE from setting up a business and ordering a bunch of BlueCoat tech and training, and then transporting them to Syria.
Everything right now sounds like they are saying "yeah, looks like someone lied to us on all the forms we had them fill out saying they weren't criminals."
posted by mrzarquon at 7:19 PM on October 29, 2011
Iranian police tracking dissidents aided by western companies
posted by jeffburdges at 10:04 AM on November 4, 2011
Syria Undercover: Reporter Ramita Navai goes undercover for a rare look at the uprising from inside Syria.
posted by homunculus at 9:52 PM on November 8, 2011 [1 favorite]
posted by anarch at 10:12 AM on October 12, 2011 [1 favorite]