BlueCoat and Syria: Indicators and Culpability.


On October 5, the technology collective Telecomix released a set of logs that document the web traffic of users of the Syrian Telecommunications Establishment (Syria Telecom). The logs had been deposited on a poorly secured filesystem by a set of network monitoring appliances built by the American company BlueCoat; compressed, they total about 54 GB. Leila Nachawati, of Global Voices, has expounded on the immediate censorship ramifications; however, there is much more to be documented in this rich data source.

As a point of reference, the logs follow the format:

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" - 200 TCP_HIT GET text/html http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - "ClientLibs Session" 82.137.200.42 275 151 -

Amongst a deluge of attempts to reach Facebook and pornography, a multitude of angles for research on the infrastructure of Syrian censorship and on the behavior of Internet users stands out. Considering the origin of the logs and the pressing issues they raise, one potential avenue is the documentation of BlueCoat-related accesses. Here one finds hundreds of iterations of the following line (in the entries quoted here the client address, c-ip, is 0.0.0.0, while s-ip is the address of the appliance that handled the request):

2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" - 200 TCP_HIT GET text/html http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - "ClientLibs Session" 82.137.200.42 275 151 -

According to an address lookup, the registrant of the domain ‘cwfservice.net’ is:
Registrant:
Blue Coat Systems
Bluecoat Hostmaster
420 N Mary Ave
Sunnyvale, CA 94085
US
Email: hostmaster@bluecoat.com
Accessing this URL (http://sp.cwfservice.net/1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80//) returns a simple XML document containing:
<Result>
<Code>04008000</Code>
<DomC>26</DomC>
</Result>
According to a posting on BlueCoat's forums, the line above describes the BlueCoat system connecting to the company's 'DRTR' intelligent rating service, which a sales document for BlueCoat WebFilter describes as follows:

Blue Coat WebFilter includes as a standard feature – our Dynamic Real-Time Rating (DRTR™) service; when users encounter a new Web page, DRTR can use extremely accurate artificial intelligence to confidently rate the page (typically in about 200 milliseconds) so that appropriate use and security policy can be enforced the first time the Webpage is encountered. DRTR is particularly accurate at rating potentially objectionable sites (rating up to 98% automatically).

Furthermore, requests to the same host from other device components, such as 'PacketShaper', indicate that the DRTR service is not the only mechanism that contacts the BlueCoat-controlled 'sp.cwfservice.net'.

It would appear that all of Syria's BlueCoat hardware calls home to update its ability to filter and monitor new objects that it has not encountered before. Equally importantly, the Syrian logs are filled with queries related to BlueCoat systems, such as 'bluecoat data collector', something in which a general home user would have little interest.

From personal experience with Iran, hardware will eventually find its way into sanctioned countries: restrictions increase price, but do not necessarily decrease availability. No company can reasonably be held accountable for second-hand sales, and many have increased their control of distributors as a result of leakages to embargoed countries. Furthermore, Telecomix's exploration has found evidence of hardware from other manufacturers, namely Cisco and Barracuda, the former of which I have more faith in to abide by US trade restrictions.

As we have seen elsewhere, the common interpretation of OFAC sanctions against embargoed countries is the denial of electronic services to known national IP address ranges. It would appear that, at least after August 14, the same level of restriction applies to Syria as well. Unfortunately, logs for that date range were not available to Telecomix. However, many technology providers appear to have interpreted the sanctions as applying well before the Arab Spring-related pressures.

Syria has by all means built for itself the foundations of a mature system for monitoring and censoring Internet traffic, and at that foundation are at least two dozen BlueCoat ProxySG appliances accounted for so far. By current count, there are more than a thousand queries to BlueCoat's client services documented in a few days of traffic logs. Considering the extent of this traffic and the peculiarity of its origin, it appears implausible that BlueCoat was not aware of the existence of these devices. Syria Telecom's relationship with the Assad regime exposes the company to the legal restrictions on services imposed by American embargoes on doing business with the country. Regardless of who sold Syria these devices, BlueCoat has both the moral and the legal responsibility to end these services now.

Clarification (11.3.2011): It has been noted that the specific entry cited may have been generated by Blue Coat's free 'K9' desktop software. However, this was solely a matter of poor luck in my choice of examples to include. More functions appear to reach cwfservice.net, most of which are less likely to originate from a client application.

2011-08-03 09:01:05 277 0.0.0.0 - - - OBSERVED "none" - 200 TCP_MISS GET text/html http sp.cwfservice.net 80 /2/N/0477d7b851ad026ebf20ea158cf5164f/BLUSHPR1/0/GET/https/updates.bluecoat.com/443/ - - "PacketShaper" 82.137.200.48 270 305 -
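Both the K9 entry quoted earlier and the PacketShaper entry above can be separated from ordinary user traffic mechanically, which is what a figure such as "more than a thousand queries to BlueCoat's client services" rests on. The following Python script is an added example written for this post; it is not Telecomix's tooling or Blue Coat's code. It parses lines in the field order quoted at the top of the post (double-quoted fields such as "ClientLibs Session" contain spaces, so a naive split on whitespace mis-assigns columns), flags requests to hosts under cwfservice.net and bluecoat.com, and decodes the DRTR request path into the product code and the URL being rated. The layout of that path (version, 'N', token, product code, '0', then method, scheme, host, port and path of the rated URL) is an inference from the two entries on this page, not documented Blue Coat format; the facebook.com entry in the sample is constructed and does not come from the Telecomix logs.

```python
"""Parse Blue Coat ProxySG access-log lines and pick out appliance call-home traffic.

Added example for this post; not Telecomix's tooling or Blue Coat's code.
FIELDS is the header quoted in the post. The two vendor entries in SAMPLE_LOG are
the ones quoted on the page (quotes/dashes normalised to ASCII); the facebook.com
entry is constructed. decode_drtr_path() is inferred from those two entries only.
"""
from collections import Counter

FIELDS = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path "
    "cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id"
).split()

# Domains registered to Blue Coat Systems (sp.cwfservice.net per the whois in the post).
VENDOR_HOST_SUFFIXES = ("cwfservice.net", "bluecoat.com")

SAMPLE_LOG = [
    # K9 / DRTR entry quoted in the post
    '2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" -  200 TCP_HIT GET text/html '
    'http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - '
    '"ClientLibs Session" 82.137.200.42 275 151 -',
    # PacketShaper entry quoted in the clarification
    '2011-08-03 09:01:05 277 0.0.0.0 - - - OBSERVED "none" -  200 TCP_MISS GET text/html '
    'http sp.cwfservice.net 80 /2/N/0477d7b851ad026ebf20ea158cf5164f/BLUSHPR1/0/GET/https/'
    'updates.bluecoat.com/443/ - - "PacketShaper" 82.137.200.48 270 305 -',
    # Constructed: an ordinary blocked user request, not taken from the page
    '2011-08-05 16:28:03 12 0.0.0.0 - - policy_denied DENIED "Social Networking" - 403 '
    'TCP_DENIED GET text/html http www.facebook.com 80 / - - "Mozilla/5.0" '
    '82.137.200.42 1203 410 -',
]


def tokenize(line):
    """Split on spaces but keep a double-quoted field (e.g. "ClientLibs Session")
    as one token; runs of spaces, as in the quoted lines, are tolerated."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        if line[i] == " ":
            i += 1
        elif line[i] == '"':
            end = line.index('"', i + 1)  # ValueError on an unterminated quote
            tokens.append(line[i + 1:end])
            i = end + 1
        else:
            end = line.find(" ", i)
            end = n if end == -1 else end
            tokens.append(line[i:end])
            i = end
    return tokens


def parse_line(line):
    """Map one line onto FIELDS; reject a wrong field count rather than mis-assign columns."""
    tokens = tokenize(line.strip())
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}: {line!r}")
    return dict(zip(FIELDS, tokens))


def is_vendor_callhome(rec):
    """True when the requested host is a Blue Coat domain or a subdomain of one."""
    host = rec["cs-host"].lower()
    return any(host == s or host.endswith("." + s) for s in VENDOR_HOST_SUFFIXES)


def decode_drtr_path(path):
    """Decode /<ver>/N/<token>/<product>/0/<method>/<scheme>/<host>/<port>/<path>.
    Layout inferred from the two page entries (assumption). None if it does not fit."""
    parts = path.split("/")
    if len(parts) < 10 or parts[0] != "" or parts[2] != "N":
        return None
    rated_path = "/" + "/".join(parts[10:]).lstrip("/")
    return {"version": parts[1], "token": parts[3], "product": parts[4],
            "method": parts[6],
            "rated_url": f"{parts[7].lower()}://{parts[8]}:{parts[9]}{rated_path}"}


def summarize(lines):
    """Tally call-home entries by product code, user agent and appliance (s-ip)."""
    s = {"total": 0, "callhome": 0, "by_product": Counter(),
         "by_agent": Counter(), "by_appliance": Counter()}
    for line in lines:
        rec = parse_line(line)
        s["total"] += 1
        if not is_vendor_callhome(rec):
            continue
        s["callhome"] += 1
        s["by_agent"][rec["cs(User-Agent)"]] += 1
        s["by_appliance"][rec["s-ip"]] += 1
        drtr = decode_drtr_path(rec["cs-uri-path"])
        s["by_product"][drtr["product"] if drtr else "(not DRTR)"] += 1
    return s


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['callhome']} of {s['total']} entries are Blue Coat call-home traffic")
    for product, n in s["by_product"].items():
        print(f"  product {product}: {n}")
    for ip, n in s["by_appliance"].items():
        print(f"  appliance {ip}: {n}")
```

Run against the full Telecomix dump, the by_appliance tally is what gives a count of distinct ProxySG addresses, and by_product separates desktop K9 installs (product codes beginning with K9-) from appliance components such as PacketShaper, which is the distinction the clarification above turns on.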