a very small bird: the shifting interests of Collin David Anderson (http://b.averysmallbird.com)

Hayden on the Conflict Between Online Freedom and Security
http://b.averysmallbird.com/entries/hayden-comments
Mon, 12 Aug 2013 17:54:37 +0000

“We need to pull the rest of American thinking into this in a relevant way.  Secretary Clinton gave two speeches on cyber stuff while she was secretary.  And if you’re you know you think of the world as security and liberty she broke left literally both times in both of her speeches she came down on on cyber freedom.  Society at the same time cyber communities out there are trying to crack the nut on anonymity on the net because you realize that’s the root of many many dangers out there as cyber communities just chugging away at that. The secretary of state is laundering money through NGOs to populate software throughout the Arab world to prevent the people in the Arab street from being tracked by their government.  Alright so on the one hand we’re fighting anonymity on the other hand we’re chucking products out there to protect anonymity on the net.”

Another Blue Coat Device in Iran (Respina, Infotech International)
http://b.averysmallbird.com/entries/another-blue-coat-device-in-iran-respina-infotech-international
Fri, 09 Aug 2013 15:47:10 +0000

In “Some Devices Wander by Mistake: Planet Blue Coat Redux,” Citizen Lab located nearly a dozen footprints of Blue Coat proxy devices on Iranian networks. Blue Coat Systems’ response and liabilities since then have been minimal, so here is another one, in the Broadband Pool for the Iranshahr PoP on Respina Networks in Iran, which appears to be associated with Infotech International.


nmap -p- -A 92.242.223.221

Starting Nmap 5.21 ( http://nmap.org ) at 2013-08-09 03:15 IRDT
Stats: 0:04:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 73.39% done; ETC: 03:21 (0:01:40 remaining)
Nmap scan report for 92.242.223.221
Host is up (0.0038s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Blue Coat ftpd
22/tcp open ssh OpenSSH 5.6 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 1024 95:33:1a:03:41:3b:10:ba:0b:d9:fe:a9:da:0e:cf:f3 (RSA1)
|_1024 f8:89:0f:d2:ac:ab:4a:4c:bb:25:2d:65:f2:63:2b:f2 (RSA)
8082/tcp open ssl/http Blue Coat SG210 http proxy config
|_sslv2: server still supports SSLv2
|_html-title: Site doesn’t have a title (text/plain; charset=utf-8).
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = 92.242.223.221
Device type: proxy server|general purpose|storage-misc|specialized
Running (JUST GUESSING) : Blue Coat SGOS 5.X (96%), FreeBSD 5.X|6.X|5.x|7.X (92%), Apple Mac OS X 10.3.X|10.4.X (90%), VMware ESX Server 3.X|4.X (89%)
Aggressive OS guesses: Blue Coat SG510 proxy server (SGOS 5.2.2.5) (96%), Blue Coat SG810 web proxy (SGOS 5.3.1.9) (96%), Blue Coat SG510-series proxy server (SGOS 5.1.3.7) (95%), Blue Coat SG210 proxy server (SGOS 5.2.3.3 - 5.2.3.9) (95%), FreeBSD 5.4-RELEASE (92%), FreeNAS 0.69RC2 (FreeBSD 6.4-RELEASE-p3) (92%), FreeBSD 6.0-RELEASE (92%), FreeBSD 6.0-RELEASE - 6.2-RELEASE (92%), FreeBSD 6.1-RELEASE - 6.2 (92%), FreeBSD 6.0-STABLE - 6.2-RELEASE (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 11 hops
Service Info: OS: SGOS; Device: proxy server

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 0.60 ms 87.107.121.113
2 1.90 ms 81.12.48.89
3 1.69 ms 62.220.97.124
4 2.86 ms p2p.huawei-rtr.aryasat.dist-sw.aryasat.ir (78.154.32.177)
5 2.08 ms 78.38.255.100
6 1.66 ms 10.201.22.115
7 1.55 ms 10.10.53.94
8 2.58 ms 192.168.119.25
9 3.12 ms 192.168.119.76
10 3.25 ms 192.168.91.19
11 3.68 ms 92.242.223.221

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 415.32 seconds

openssl s_client -connect 92.242.223.221:8082

CONNECTED(00000003)
depth=0 C = " ", ST = Some-State, O = Blue Coat SG900 Series, OU = 4412240214, CN = 192.168.60.90
verify error:num=18:self signed certificate
verify return:1
depth=0 C = " ", ST = Some-State, O = Blue Coat SG900 Series, OU = 4412240214, CN = 192.168.60.90
verify return:1

Certificate chain
0 s:/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90
i:/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90

Server certificate
-----BEGIN CERTIFICATE-----
[PEM body not preserved in the archived copy]
-----END CERTIFICATE-----
subject=/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90
issuer=/C= /ST=Some-State/O=Blue Coat SG900 Series/OU=4412240214/CN=192.168.60.90

No client certificate CA names sent

SSL handshake has read 986 bytes and written 423 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 3332DFE4AEEB29A1DE473ADF924AE256A5280CEC5C55FBF7B77D5DEA3FAE0E01
Session-ID-ctx:
Master-Key: B775A5DE8A557ABBB69FC51EB25CF1B1E74CF522E40C4A2048D361B5EC2F4BA8003DB3858755266F19332A68B61600E9
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1376003731
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)

read:errno=0

whois 92.242.223.221

#

# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 92.242.223.221"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=92.242.223.221?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 92.0.0.0 - 92.255.255.255
CIDR: 92.0.0.0/8
OriginAS:
NetName: 92-RIPE
NetHandle: NET-92-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2007-03-27
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-92-0-0-0-1

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: RNO29-ARIN
OrgAbuseName: RIPE NCC Operations
OrgAbusePhone: +31 20 535 4444
OrgAbuseEmail: hostmaster@ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/RNO29-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '92.242.216.0 - 92.242.223.255'

% Abuse contact for '92.242.216.0 - 92.242.223.255' is 'abuse@respina.net'

inetnum: 92.242.216.0 - 92.242.223.255
netname: RESPINA
descr: Broadband Pool for Iranshahr PoP
country: IR
admin-c: PN2434-RIPE
tech-c: MS19636-RIPE
status: ASSIGNED PA
mnt-by: MNT-RSPN
source: RIPE # Filtered

person: Mehdi Sabour
address: No. 19, Arak St., Gharani Ave., Tehran, Iran, Zip Code: 15989
phone: +98 21 8892 4363
fax-no: +98 21 8890 4866
abuse-mailbox: abuse@respina.net
nic-hdl: MS19636-RIPE
mnt-by: MNT-RSPN
source: RIPE # Filtered

person: Pouya Nasirabadi
address: No. 19, Arak St., Gharani Ave., Tehran, Iran, Zip Code: 15989
phone: +98 21 8892 4363
fax-no: +98 21 8890 4866
abuse-mailbox: abuse@respina.net
nic-hdl: PN2434-RIPE
mnt-by: MNT-RSPN
source: RIPE # Filtered

% Information related to '92.242.216.0/21AS42337'

route: 92.242.216.0/21
descr: Respina-Route
origin: AS42337
mnt-by: MNT-RSPN
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.67.4 (WHOIS2)


An Eventful Few Weeks in Iran: DNS Tampering, Content-Type Filtering and SSL Blocking on Google
http://b.averysmallbird.com/entries/an-eventful-month-in-iran
Fri, 12 Oct 2012 01:39:24 +0000

As is the historical trend, an eventful month of political and economic instability, reflected not least in the return of Mehdi Hashemi, the dive of the Toman, Ahmadinejad at the U.N. General Assembly, and the arrest of Ali Akbar Javanfekr, has led to an increase in the aggressiveness of Internet censorship by the state. This was most evident in the filtering of SSL access to Google and Gmail; what has received less attention, however, are two further developments: the filtering of foreign-hosted media files and the full-time implementation of DNS tampering. Since such moments are when the government tips its hand on what it can do, I offer some brief notes.

Google Blocking

Google services were filtered starting Sep 24 2012 through the targeted blocking of HTTPS connections to IP addresses within the round-robin DNS records for encrypted.google.com, google.com, accounts.google.com, youtube.com, mail.google.com, and gmail.com. Representatives of the telecommunications sector were quoted attributing the blocking to an inability to differentiate YouTube from other Google services. This, however, was only one of a multitude of reasons given, and it is contradicted by Iran having successfully blocked the site since at least Summer 2009. My belief in this case was that the blocking was accomplished through simple port restrictions, rather than a more sophisticated approach such as deep packet inspection of traffic; the tcptraceroute runs below reach the same Google address on port 80 but go silent from hop 7 onward on port 443. It is also worth noting that Iran was not completely thorough in blocking all active Gmail addresses.

[root@nami results]# tcptraceroute 173.194.69.19 -p 80
traceroute to 173.194.69.19 (173.194.69.19), 30 hops max, 40 byte packets
 1  [hop-1]  0.721 ms  0.862 ms  1.024 ms
 2  [hop-2]  0.740 ms  0.900 ms  1.010 ms
 3   (62.220.96.114)  1.089 ms  1.319 ms  1.258 ms
 4  217.218.190.173 (217.218.190.173)  0.909 ms  1.063 ms  1.066 ms
 5  78.38.119.237 (78.38.119.237)  0.875 ms  0.992 ms  0.918 ms
 6  78.38.119.222 (78.38.119.222)  1.082 ms  1.056 ms  1.209 ms
 7  10.10.36.221 (10.10.36.221)  1.092 ms 10.10.36.253 (10.10.36.253)  1.368 ms 10.10.36.117 (10.10.36.117)  1.273 ms
 8  92.50.192.145 (92.50.192.145)  80.031 ms  79.992 ms  79.821 ms
... [international]
13  bk-in-f19.1e100.net (173.194.69.19)  440.813 ms  440.784 ms  440.574 ms
[root@nami results]# tcptraceroute 173.194.69.19 -p 443
traceroute to 173.194.69.19 (173.194.69.19), 30 hops max, 40 byte packets
 1  [hop-1]  0.944 ms  1.106 ms  1.310 ms
 2  [hop-2]  0.954 ms  1.181 ms  1.433 ms
 3   (62.220.96.114)  1.245 ms  1.312 ms  1.523 ms
 4  217.218.190.173 (217.218.190.173)  0.937 ms  1.130 ms  1.487 ms
 5  78.38.119.237 (78.38.119.237)  0.688 ms  0.955 ms  0.701 ms
 6  78.38.119.222 (78.38.119.222)  0.790 ms  1.191 ms  0.895 ms
 7  * * *
... * * *
30  * * *
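The two traces above only show the port-specific drop if you line them up hop by hop. The following script, an added example that is not part of the original post, parses tcptraceroute output in the format shown and reports the hop at which the port-443 path diverges from the port-80 path, plus the last router that still answered on the blocked port. The sample traces are constructed from the post's output: the first two hops use RFC 5737 addresses in place of the `[hop-1]`/`[hop-2]` placeholders, and the elided international hops are left out, so hop numbers beyond 8 differ from the post.

```python
import re

# Constructed sample in the tcptraceroute format quoted in the post. Hops 1-2
# are RFC 5737 documentation addresses standing in for "[hop-1]"/"[hop-2]".
TRACE_PORT_80 = """\
traceroute to 173.194.69.19 (173.194.69.19), 30 hops max, 40 byte packets
 1  198.51.100.1 (198.51.100.1)  0.721 ms  0.862 ms  1.024 ms
 2  198.51.100.2 (198.51.100.2)  0.740 ms  0.900 ms  1.010 ms
 3   (62.220.96.114)  1.089 ms  1.319 ms  1.258 ms
 4  217.218.190.173 (217.218.190.173)  0.909 ms  1.063 ms  1.066 ms
 5  78.38.119.237 (78.38.119.237)  0.875 ms  0.992 ms  0.918 ms
 6  78.38.119.222 (78.38.119.222)  1.082 ms  1.056 ms  1.209 ms
 7  10.10.36.221 (10.10.36.221)  1.092 ms 10.10.36.253 (10.10.36.253)  1.368 ms
 8  92.50.192.145 (92.50.192.145)  80.031 ms  79.992 ms  79.821 ms
 9  bk-in-f19.1e100.net (173.194.69.19)  440.813 ms  440.784 ms  440.574 ms
"""

TRACE_PORT_443 = """\
traceroute to 173.194.69.19 (173.194.69.19), 30 hops max, 40 byte packets
 1  198.51.100.1 (198.51.100.1)  0.944 ms  1.106 ms  1.310 ms
 2  198.51.100.2 (198.51.100.2)  0.954 ms  1.181 ms  1.433 ms
 3   (62.220.96.114)  1.245 ms  1.312 ms  1.523 ms
 4  217.218.190.173 (217.218.190.173)  0.937 ms  1.130 ms  1.487 ms
 5  78.38.119.237 (78.38.119.237)  0.688 ms  0.955 ms  0.701 ms
 6  78.38.119.222 (78.38.119.222)  0.790 ms  1.191 ms  0.895 ms
 7  * * *
 8  * * *
 9  * * *
"""

HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rest>.*)$")
IP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\)")


def parse_trace(text):
    """Map hop number -> list of responding addresses ([] for a '* * *' hop)."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:  # header line or noise
            continue
        rest = m["rest"].strip()
        hops[int(m["hop"])] = [] if set(rest.split()) == {"*"} else IP_RE.findall(rest)
    return hops


def compare_paths(open_trace, blocked_trace, destination):
    """Compare a trace on an open port with one on a suspected blocked port.

    Reports whether each trace reached the destination, the first hop that
    answers on the open port but is silent on the other, and the last router
    that still answered on the blocked port (the filter sits at or just past it).
    """
    a, b = parse_trace(open_trace), parse_trace(blocked_trace)
    result = {
        "open_reaches": any(destination in ips for ips in a.values()),
        "blocked_reaches": any(destination in ips for ips in b.values()),
        "divergence_hop": None,
        "last_answering_ip": None,
    }
    last_ip = None
    for hop in sorted(a):
        if a[hop] and not b.get(hop):
            result["divergence_hop"] = hop
            result["last_answering_ip"] = last_ip
            break
        if b.get(hop):
            last_ip = b[hop][0]
    return result


if __name__ == "__main__":
    r = compare_paths(TRACE_PORT_80, TRACE_PORT_443, "173.194.69.19")
    print(f"port 80 reaches destination: {r['open_reaches']}")
    print(f"port 443 reaches destination: {r['blocked_reaches']}")
    print(f"paths diverge at hop {r['divergence_hop']}, last router answering on 443: {r['last_answering_ip']}")
```

A divergence hop that sits inside the domestic network (here, right after the 78.38.119.222 router) while port 80 passes through the same hops is what distinguishes a per-port block from a route-level or destination-side outage.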

Lastly, comments on social media and our own testing showed that the implementation of this filtering was not uniform; Gmail became blocked in some locations earlier than in others. As the fate of Google was announced a few hours before implementation, this would seem to indicate that some ISPs jumped the gun before the TCI acted to prevent access for nearly the entire country.

DNS Tampering

While one would assume that the Telecommunication Company of Iran (TCI) had figured out DNS tampering in preparation for its August 2011 attempt to man-in-the-middle Gmail, specific instances and data have not been readily available. On or shortly before October 2 2012, DNS requests for ‘youtube.com’ began to return the incorrect address 10.10.34.34, otherwise known as the domestic filtered-site page.

22:37:08.987441 IP (tos 0x0, ttl  64, id 33216, offset 0, flags [none], proto: UDP (17), length: 57) [host].35934 > 8.8.8.8.53: [udp sum ok]  25198+ A? youtube.com. (29)
22:37:08.989841 IP (tos 0x0, ttl  57, id 0, offset 0, flags [none], proto: UDP (17), length: 73) 8.8.8.8.53 > [host].35934: [udp sum ok]  25198 q: A? youtube.com. 1/0/0 youtube.com. A 10.10.34.34 (45)
22:37:12.659425 IP (tos 0x0, ttl  64, id 33222, offset 0, flags [none], proto: UDP (17), length: 56) [host].47877 > 8.8.8.8.53: [udp sum ok]  55700+ A? google.com. (28)
22:37:12.805491 IP (tos 0x0, ttl  43, id 10830, offset 0, flags [none], proto: UDP (17), length: 152) 8.8.8.8.53 > [host].47877:  55700 q: A? google.com. 6/0/0 google.com. A 173.194.70.102, google.com.[|domain]

Watching the data in transit, specifically the TTL of the returned packets (57 on the false answer versus 43 on the legitimate answer for google.com), it would appear that the false answer is being returned from seven hops away from our host, so we can determine the probable location of the device on a traceroute.

 1  [hop-1] 0.851 ms  1.444 ms  1.391 ms
 2  [hop-2]  1.323 ms  1.267 ms  1.205 ms
 3   (62.220.97.124)  1.144 ms  1.090 ms  1.031 ms
 4  p2p.huawei-rtr.aryasat.dist-sw.aryasat.ir (78.154.32.177)  3.787 ms  2.546 ms  4.669 ms
 5  78.38.255.100 (78.38.255.100)  1.425 ms  1.304 ms  1.435 ms
 6  10.10.53.197 (10.10.53.197)  1.812 ms  1.947 ms  1.989 ms
 7  10.10.53.34 (10.10.53.34)  1.557 ms  2.015 ms nyk-b7-link.telia.net (213.248.99.177)  209.877 ms
 8  ldn-b4-link.telia.net (213.155.129.33)  146.864 ms ldn-bb1-link.telia.net (80.91.248.90)  172.420 ms  172.289 ms
... [international]
15  google-public-dns-a.google.com (8.8.8.8)  1294.457 ms  454.992 ms *

It would appear then that the false answers originate from the private network that acts as Iran’s international gateway, around 10.10.53.34, most likely operated by the Data Communication Affairs within the TCI. Additionally, setting the +tcp flag on dig returned the legitimate result: eleven records in the 173.194.43.0/24 IP space. While it appears that all international DNS requests are subject to inspection, only UDP traffic triggers false answers.
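The TTL reasoning above can be automated. The script below is an added example, not code from the original post: it parses DNS answers out of `tcpdump -vv` lines in the format shown above, estimates how many hops each answer travelled from the TTL (assuming the nearest common initial TTL of 64, 128 or 255), and flags an answer as likely injected when the returned address is private (such as the 10.10.34.34 block page) or when it arrives from far fewer hops than the farthest answer seen from the same resolver. The capture is constructed: the client address 192.0.2.10 (RFC 5737) stands in for the post's `[host]` placeholder, while the TTLs, query ids and answers mirror the exchange the post shows.

```python
import ipaddress
import re

# Constructed sample in the "tcpdump -vv" format quoted in the post; 192.0.2.10
# replaces the post's "[host]" placeholder.
SAMPLE_CAPTURE = """\
22:37:08.987441 IP (tos 0x0, ttl  64, id 33216, offset 0, flags [none], proto: UDP (17), length: 57) 192.0.2.10.35934 > 8.8.8.8.53: [udp sum ok]  25198+ A? youtube.com. (29)
22:37:08.989841 IP (tos 0x0, ttl  57, id 0, offset 0, flags [none], proto: UDP (17), length: 73) 8.8.8.8.53 > 192.0.2.10.35934: [udp sum ok]  25198 q: A? youtube.com. 1/0/0 youtube.com. A 10.10.34.34 (45)
22:37:12.659425 IP (tos 0x0, ttl  64, id 33222, offset 0, flags [none], proto: UDP (17), length: 56) 192.0.2.10.47877 > 8.8.8.8.53: [udp sum ok]  55700+ A? google.com. (28)
22:37:12.805491 IP (tos 0x0, ttl  43, id 10830, offset 0, flags [none], proto: UDP (17), length: 152) 8.8.8.8.53 > 192.0.2.10.47877:  55700 q: A? google.com. 6/0/0 google.com. A 173.194.70.102, google.com.[|domain]
"""

# Matches only DNS responses (the "q:" section with an answer count and a first
# A record); query lines lack those fields and are skipped.
RESPONSE_RE = re.compile(
    r"ttl\s+(?P<ttl>\d+),.*?\)\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*?\s(?P<qid>\d+) q: A\? (?P<qname>\S+?)\.? \d+/\d+/\d+ \S+ A (?P<answer>\d+\.\d+\.\d+\.\d+)"
)


def hop_distance(ttl):
    """Hops the packet traversed, assuming the sender started from the nearest
    common initial TTL (64, 128 or 255) at or above the observed value."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return None


def parse_responses(capture):
    """Extract one record per DNS answer line in the capture."""
    records = []
    for line in capture.splitlines():
        m = RESPONSE_RE.search(line)
        if not m:
            continue
        ttl = int(m["ttl"])
        records.append({
            "qname": m["qname"],
            "resolver": m["src"],
            "answer": m["answer"],
            "ttl": ttl,
            "hops": hop_distance(ttl),
        })
    return records


def flag_injected(records, slack=3):
    """Mark answers that look injected: the address is private (a domestic block
    page) or the reply arrived from far fewer hops than the farthest reply seen
    from the same resolver address."""
    farthest = {}
    for r in records:
        farthest[r["resolver"]] = max(farthest.get(r["resolver"], 0), r["hops"])
    for r in records:
        reasons = []
        if ipaddress.ip_address(r["answer"]).is_private:
            reasons.append("private-answer")
        if r["hops"] < farthest[r["resolver"]] - slack:
            reasons.append("short-path")
        r["reasons"] = reasons
        r["suspicious"] = bool(reasons)
    return records


def analyze(capture):
    return flag_injected(parse_responses(capture))


if __name__ == "__main__":
    for r in analyze(SAMPLE_CAPTURE):
        status = "INJECTED?" if r["suspicious"] else "ok"
        print(f'{r["qname"]:<14} {r["answer"]:<16} ttl={r["ttl"]:<3} hops={r["hops"]:<3} {status} {",".join(r["reasons"])}')
```

The hop-distance check is the more general of the two signals: a resolver that is 21 hops away cannot legitimately answer from 7 hops, whatever address it returns, which is why the same test also catches injection of a public address. Comparing the UDP answer against a TCP query for the same name, as the post does with dig, remains the simplest confirmation.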

It is unclear whether other domains are subject to tampering; however, false answers are still being returned at the time of writing. This new technique should be disconcerting regardless of the availability of anti-filtering tools and VPN services: unless the tool properly tunnels DNS traffic and authenticates itself to the user as the valid destination, an intermediary may be able to control the user’s online activities and even completely hijack their connection for surveillance. Further investigation of the extent of this monitoring will be presented in a forthcoming research project developed for the Iran Media Program at the University of Pennsylvania.

Filtering Based on the Content-Type Header

In perhaps the most literal possible parallel to the government’s jamming of international satellite broadcasts, as a response to riots over the rapid devaluing of the currency, Iran appears to have blocked foreign-hosted media files for several days beginning around October 6 2012. Reportedly, this blocking targeted audio (.MP3), video (.MP4, .AVI) and Adobe Flash/Shockwave content. Attempts to access these files would result in a hanging request that returned no data, which differs from normal blocking, which generates a 403 ‘Forbidden’ HTTP response code, an HTML page and a TCP RST packet. Renaming an mp3 file to an alternative extension such as ‘.rawr’ resulted in a successful transfer. Once the rule is triggered, the transmission of data between the client and server is blocked for the rest of the session (most likely identified by either source ports or packet numbers).

After investigation, it appears that the trigger is based on HTTP headers rather than the file extension: a simple PHP page returning only the ‘Content-Type: audio/mpeg’ header would trigger the described behavior. It was previously known that the TCI’s filtering is done based on inspection of the GET and Host headers; this filtering is unique in that context because it is based on returned data rather than on sent requests. The nature of the failure made research into the location of these mechanisms difficult, and the interference had ended by the time of writing.

Private Address Space Use

Lastly, in a paper recently published to the open access research site arXiv, I detail the unusual routing of ‘private’ IP addresses within Iran’s domestic network.

Abstract

While funding agencies have provided substantial support for the developers and vendors of services that facilitate the unfettered flow of information through the Internet, little consolidated knowledge exists on the basic communications network infrastructure of the Islamic Republic of Iran. In the absence of open access and public data, rumors and fear have reigned supreme. During provisional research on the country’s censorship regime, we found initial indicators that telecommunications entities in Iran allowed private addresses to route domestically, whether intentionally or unintentionally, creating a hidden network only reachable within the country. Moreover, records such as DNS entries lend evidence of a ‘dual stack’ approach, wherein servers are assigned a domestic IP address in addition to a global one. Despite the clear political implications of the claim we put forward, particularly in light of rampant speculation regarding the mandate of Article 46 of the ‘Fifth Five Year Development Plan’ to establish a “national information network,” we refrain from hypothesizing the purpose of this structure. In order to solicit critical feedback for future research, we outline our initial findings and attempt to demonstrate that the matter under contention is a nation-wide phenomenon that warrants broader attention.

Splunk IPO Statement on Export Regulations Compliance
http://b.averysmallbird.com/entries/splunk-ipo-statement-on-export-regulations-compliance
Sun, 06 May 2012 00:38:51 +0000

From Page 18 of Splunk Inc.’s SEC Form S-1, dated 12 January 2012.

We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.

Our products are subject to U.S. export controls, and we incorporate encryption technology into certain of our products. These encryption products and the underlying technology may be exported outside of the United States only with the required export authorizations, including by license, a license exception or other appropriate government authorizations, including the filing of an encryption registration. We shipped our encryption products prior to obtaining the required export authorizations. Accordingly, we have not fully complied with applicable encryption controls in the Export Administration Regulations. We are in the process of remediating our export compliance procedures to prevent such violations from recurring.

Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to countries, governments, and persons targeted by U.S. sanctions. While we are taking precautions to prevent our products and services from being shipped to U.S. sanctions targets, we believe that certain of our products that are available at no cost have been downloaded by persons in countries that are the subject of U.S. embargoes. These free downloads were likely made in violation of U.S. export control and sanctions laws. Based upon our inquiry to date, we believe that we have not had any paying customers in countries sanctioned by the U.S. Government, and have instituted procedures, including IP blocking, that are intended to prevent any downloads from being made into sanctioned countries in the future. In addition, we had not been screening our customers against the U.S. Government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons. Based upon our inquiry to date, we believe that we do not have any paying customers on any U.S. Government lists of prohibited persons. We are in the process of screening our non-paying customers to determine if we have permitted any free downloads to any prohibited persons. We are also instituting a process for screening all paying and non-paying customers against U.S. Government lists of prohibited persons going forward.

We are continuing to review this matter and new or different facts may be discovered in the course of our inquiry. In January 2012, we filed Initial Notifications of Voluntary Self Disclosures with the U.S. Department of Commerce’s Bureau of Industry and Security and the U.S. Department of Treasury’s Office of Foreign Assets Control concerning these potential violations. Once we complete our review, we will supplement the Initial Notifications by filing Final Disclosures with both agencies. If we are found to be in violation of U.S. sanctions or export control laws, it could result in fines or penalties for us and for individuals, including civil penalties of up to $250,000 or twice the value of the transaction, whichever is greater, per violation, and in the event of conviction for a criminal violation, fines of up to $1 million and possible incarceration for responsible employees and managers for willful and knowing violations. The voluntary disclosure processes with OFAC and BIS are in the initial stages, and we cannot predict when OFAC and BIS will complete their reviews or what enforcement action, if any, they will take.

We also note that if our channel partners fail to obtain appropriate import, export or re-export licenses or permits, we may also be adversely affected, through reputational harm as well as other negative consequences including government investigations and penalties. We presently incorporate export control compliance requirements in our channel partner agreements. Complying with export control and sanctions regulations for a particular sale may be time-consuming and may result in the delay or loss of sales opportunities.

In addition, various countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Changes in our products or future changes in export and import regulations may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.

We are subject to governmental export and import controls that could subject us to liability or impair our ability to compete in international markets.
Our products are subject to U.S. export controls, and we incorporate encryption technology into certain of our products. These encryption products and the underlying technology may be exported outside of the United States only with the required export authorizations, including by license, a license exception or other appropriate government authorizations, including the filing of an encryption registration. We shipped our encryption products prior to obtaining the required export authorizations. Accordingly, we have not fully complied with applicable encryption controls in the Export Administration Regulations. We are in the process of remediating our export compliance procedures to prevent such violations from recurring.Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to countries, governments, and persons targeted by U.S. sanctions. While we are taking precautions to prevent our products and services from being shipped to U.S. sanctions targets, we believe that certain of our products that are available at no cost have been downloaded by persons in countries that are the subject of U.S. embargoes. These free downloads were likely made in violation of U.S. export control and sanctions laws. Based upon our inquiry to date, we believe that we have not had any paying customers in countries sanctioned by the U.S. Government, and have instituted procedures, including IP blocking, that are intended to prevent any downloads from being made into sanctioned countries in the future. In addition, we had not been screening our customers against the U.S. Government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons. Based upon our inquiry to date, we believe that we do not have any paying customers on any U.S. Government lists of prohibited persons. 
We are in the process of screening our non-paying customers to determine if we have permitted any free downloads to any prohibited persons. We are also instituting a process for screening all paying and non-paying customers against U.S. Government lists of prohibited persons going forward.We are continuing to review this matter and new or different facts may be discovered in the course of our inquiry. In January 2012, we filed Initial Notifications of Voluntary Self Disclosures with the U.S. Department of Commerce’s Bureau of Industry and Security and the U.S. Department of Treasury’s Office of Foreign Assets Control concerning these potential violations. Once we complete our review, we will supplement the Initial Notifications by filing Final Disclosures with both agencies. If we are found to be in violation of U.S. sanctions or export control laws, it could result in fines or penalties for us and for individuals, including civil penalties of up to $250,000 or twice the value of the transaction, whichever is greater, per violation, and in the event of conviction for a criminal violation, fines of up to $1 million and possible incarceration for responsible employees and managers for willful and knowing violations. The voluntary disclosure processes with OFAC and BIS are in the initial stages, and we cannot predict when OFAC and BIS will complete their reviews or what enforcement action, if any, they will take.We also note that if our channel partners fail to obtain appropriate import, export or re-export licenses or permits, we may also be adversely affected, through reputational harm as well as other negative consequences including government investigations and penalties. We presently incorporate export control compliance requirements in our channel partner agreements. 
Complying with export control and sanctions regulations for a particular sale may be time-consuming and may result in the delay or loss of sales opportunities.In addition, various countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Changes in our products or future changes in export and import regulations may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.
Our products are subject to U.S. export controls, and we incorporate encryption technology into certain of our products. These encryption products and the underlying technology may be exported outside of the United States only with the required export authorizations, including by license, a license exception or other appropriate government authorizations, including the filing of an encryption registration. We shipped our encryption products prior to obtaining the required export authorizations. Accordingly, we have not fully complied with applicable encryption controls in the Export Administration Regulations. We are in the process of remediating our export compliance procedures to prevent such violations from recurring.
Furthermore, U.S. export control laws and economic sanctions prohibit the shipment of certain products and services to countries, governments, and persons targeted by U.S. sanctions. While we are taking precautions to prevent our products and services from being shipped to U.S. sanctions targets, we believe that certain of our products that are available at no cost have been downloaded by persons in countries that are the subject of U.S. embargoes. These free downloads were likely made in violation of U.S. export control and sanctions laws. Based upon our inquiry to date, we believe that we have not had any paying customers in countries sanctioned by the U.S. Government, and have instituted procedures, including IP blocking, that are intended to prevent any downloads from being made into sanctioned countries in the future. In addition, we had not been screening our customers against the U.S. Government lists of prohibited persons, including the Treasury Department’s List of Specially Designated Nationals and the Commerce Department’s List of Denied Persons. Based upon our inquiry to date, we believe that we do not have any paying customers on any U.S. Government lists of prohibited persons. We are in the process of screening our non-paying customers to determine if we have permitted any free downloads to any prohibited persons. We are also instituting a process for screening all paying and non-paying customers against U.S. Government lists of prohibited persons going forward.
We are continuing to review this matter and new or different facts may be discovered in the course of our inquiry. In January 2012, we filed Initial Notifications of Voluntary Self Disclosures with the U.S. Department of Commerce’s Bureau of Industry and Security and the U.S. Department of Treasury’s Office of Foreign Assets Control concerning these potential violations. Once we complete our review, we will supplement the Initial Notifications by filing Final Disclosures with both agencies. If we are found to be in violation of U.S. sanctions or export control laws, it could result in fines or penalties for us and for individuals, including civil penalties of up to $250,000 or twice the value of the transaction, whichever is greater, per violation, and in the event of conviction for a criminal violation, fines of up to $1 million and possible incarceration for responsible employees and managers for willful and knowing violations. The voluntary disclosure processes with OFAC and BIS are in the initial stages, and we cannot predict when OFAC and BIS will complete their reviews or what enforcement action, if any, they will take.
We also note that if our channel partners fail to obtain appropriate import, export or re-export licenses or permits, we may also be adversely affected, through reputational harm as well as other negative consequences including government investigations and penalties. We presently incorporate export control compliance requirements in our channel partner agreements. Complying with export control and sanctions regulations for a particular sale may be time-consuming and may result in the delay or loss of sales opportunities.
In addition, various countries regulate the import of certain encryption technology, including import permitting and licensing requirements, and have enacted laws that could limit our ability to distribute our products or could limit our customers’ ability to implement our products in those countries. Changes in our products or future changes in export and import regulations may create delays in the introduction of our products in international markets, prevent our customers with international operations from deploying our products globally or, in some cases, prevent the export or import of our products to certain countries, governments, or persons altogether. Any change in export or import regulations, economic sanctions or related legislation, or change in the countries, governments, persons or technologies targeted by such regulations, could result in decreased use of our products by, or in our decreased ability to export or sell our products to, existing or potential customers with international operations. Any decreased use of our products or limitation on our ability to export or sell our products would likely adversely affect our business, financial condition and results of operations.


]]>
The Need for Community Participation and Clear Disclosure Processes in the Case of Ultrasurf http://b.averysmallbird.com/entries/the-need-for-community-participation-and-clear-disclosure-processes-in-the-case-of-ultrasurf Wed, 18 Apr 2012 02:29:55 +0000 http://b.averysmallbird.com/?p=1089

On Monday, April 16 2012, Tor released a long-awaited paper assessing the security of the circumvention and privacy tool Ultrasurf.

Tor’s Disclosure: https://blog.torproject.org/blog/ultrasurf-definitive-review

Ultrasurf’s Response: http://ultrasurf.us/Ultrasurf-response-to-Tor-definitive-review.html

Having been a party to the disclosure process, there were a number of occasions where communications broke down due to differences of definitions and intent. I had offered to review any draft of Ultrasurf’s response, however, it appears that they chose to publish without consultation. Throughout its existence, Ultrasurf’s support and funding has been hampered by the politics of US-Chinese foreign relations, and this document should be read as a political, rather than technical, rebuttal. The vendor was asked to provide an official, detailed response with the specific intent of correcting outdated information, but declined to do so and quietly updated the client recently. The vendor’s statement, in a bit of a crass fashion, brings up the issue of language barriers, a point that is exacerbated by the Tor paper and Ultrasurf reply having two separate audiences, so let me correct some of these miscommunications.

“We have pointed out to Tor that the paper does not reflect current versions of Ultrasurf.  Unfortunately, the Tor project did not choose to accurately report information in its paper.”

The version that incorporates the latest changes (12.01) was quietly released at the beginning of the week to coincide with the release of the paper.

“Ultrasurf also often boasts of being untraceable when in fact they admitted to logging and disclosing user identifying logs to law enforcement when the data was requested.”

There are two separate issues in play here: traceability and logging. The latter was disclosed voluntarily by the vendor on a number of occasions and in the statement “Ultrasurf has never disclosed log files to the US government without a warrant.” Here their statement is incomplete, as it does not address subpoenas or national security letters; as I understand it, they have complied with the former, and the latter I am not sure they are allowed to acknowledge. Ultrasurf’s threat model is focused solely on the police of authoritarian states; as Chinese expatriates, their understanding of American law is not as nuanced, and they do not regard it as a substantial risk. Ultrasurf has previously presented data at private conferences where IP addresses were visible; however, they now assert that such demonstrations show country codes rather than addresses. The vendor categorically states that under no other situations was user information made available. These scenarios, and Google, form the basis of both parties’ opposing claims on log disclosure.

The traceability issue comes into play with the following statement:

“Tor provides no evidence that BlueCoat sells software and hardware that can break Ultrasurf.”

At times Ultrasurf has conflated traceability with claims of decryption. From Jacob’s paper and vendor disclosure, it appears that Ultrasurf uses standard encryption mechanisms that, if properly implemented, are considered reasonably secure. This obviously differs greatly from detecting Ultrasurf in transit, which Blue Coat and others have claimed to do. Using the traffic noted in §5.8 and §5.13 as indicators, it becomes easy to see how trivial the process of spotting Ultrasurf users can be. I would encourage anyone who is skeptical to try with the Telecomix logs. In fact, Ultrasurf themselves note “we do not claim that Ultrasurf is untraceable,” a claim that I believe was removed in the website revisions that resulted from both parties’ December meeting.

“For us, one of the most puzzling claims by the Tor researchers is that Ultrasurf is blocked in China.”

This is a difference of definition on the part of Tor and Ultrasurf. Ultrasurf releases new clients with new bootstraps in response to blocking; it is an aggressive mechanism of deploying new entry nodes that, I am impressed to say, seems to work reasonably well for them. However, the exit node IP pool has been consistent for several years and is pretty easy to block. Old versions become obsolete quickly, hence the concern regarding update integrity. The same issue of definitions comes up in whether Ultrasurf is one hop or two, but that is a digression into infrastructure details that, at the vendor’s request, I will not disclose.

“We wish that Tor had approached us first so that we could use the information in the Tor paper as part of our continuing effort to improve user security.”

“Somebody is not being honest. Who do you trust?” – Tor Blog Comment

I believe Ultrasurf is referring to the final copy of the paper, which they received about a week and a half ago. However, as far as I am aware, Ultrasurf was told all the details during a private meeting in December. As I was familiar with the contents of the paper, the key points were discussed between myself and the vendor in March to ensure that users would not be affected by the release of the paper.

“Moreover, we find Tor’s approach to be disingenuous; while they purport to want to protect Ultrasurf users, their chosen approach is to publicly release a detailed and explicit description of perceived vulnerabilities. Were it not for the fact that the security vulnerabilities identified have either already been closed or are superficial, this would be tantamount to providing oppressive governments with a roadmap to monitor our users and acquire their information.”

“I’m interested in your reply. Also, is it true that Tor and Ultrasurf compete for funding from the same agencies?” – Tor Blog Comment

My understanding was that these agencies have been encouraging a security review and offering technical assistance to all recipients of Internet Freedom funding. However, intention only matters when it comes to rhetoric; the technical results of the paper cannot be decided by whether the author has benevolent or malicious intent. I regret Ultrasurf’s framing of this process, as I was a party to ensuring that the most significant holes were patched before the release of the paper. If the author’s motives were not responsible or constructive, the vendor would not have been given five months to close the most serious holes. The simple fact of the matter is that the majority of these issues were fixed in the short lead-up to publication and are directly attributable to Tor’s paper.

In the end, I believe the simple answer is for Ultrasurf to remove its branding as a privacy service and participate more openly within the security research community. From my experience studying privacy and circumvention tool use, I suspect most of its users would not mind Google Analytics et al. if they were made aware. In countries such as Iran, where proxy service use is common, even detectability is not a substantial issue. The issue is that the majority of the problems raised and remaining run contrary to the advertising claims made by Ultrasurf. There is certainly a space for tools that exist solely to connect people in repressive regimes to Facebook and YouTube. However, this does not negate the responsibility to disclose user risk and maintain the integrity of infrastructure. There are historical circumstances that have encouraged Ultrasurf to behave in a closed manner, none of which imply they act in bad faith; I spent a good deal of time on this in the hope that this first round of exchange continues with independent verification of the claims made in their statement, based on technical merits rather than politics.

]]>
Tracing Incitement or Signaling through Terminology http://b.averysmallbird.com/entries/instances-of-the-phrases http://b.averysmallbird.com/entries/instances-of-the-phrases#respond Mon, 16 Jan 2012 22:44:03 +0000 http://b.averysmallbird.com/?p=1080 Elsewhere, a comment had been made on the terminology used by diplomats for the Persian Gulf as incitement or signaling to Iran. As a hypothesis, this is both novel and easily testable. There are ample opportunities to quickly mine online texts, such as the Department of Defense’s online transcripts, as a corpus of fourteen years of policy. The DoD list, as described by the department, includes ‘all DOD news briefings and significant interviews.’ [1]

For the sake of time, I have parsed out all instances of the terms ‘Arab Gulf,’ ‘Arabian Gulf,’ ‘Persian Gulf,’ and ‘the Gulf.’ The terms were searched in a case sensitive manner, relying on the understanding of the transcriber as a means to avoid picking up general use of the term ‘gulf.’ One other caveat is that this doesn’t distinguish between reporters’ questions and official statements, however, I think the former is infrequent. Lastly, the quantity is based on occurrences rather than speeches. The original dataset is available in Google Docs. [2]

There is a clear and consistent trend toward the term ‘the Gulf,’ while the tendency to use ‘Persian Gulf’ has lessened over time. April 2003 and February 2000 to February 2001 represent the periods where ‘Arabian Gulf’ found its greatest use.

[1] http://www.defense.gov/transcripts/
[2] https://docs.google.com/spreadsheet/ccc?key=0Amq69Ncu9Fp_dEVUTnMyLTFwb0pCTWFGNkpXVUpSaUE

]]>
Syria, eGovernance, Sanctions and an American Connection http://b.averysmallbird.com/entries/syria-egovernance-sanctions-and-an-american-connection http://b.averysmallbird.com/entries/syria-egovernance-sanctions-and-an-american-connection#respond Wed, 30 Nov 2011 16:39:33 +0000 http://b.averysmallbird.com/?p=982 As Turkey follows the Arab League, Europe and the United States in sanctions against the Syrian economy, the intention is to stifle the ability of companies and government bureaucracy to carry out routine business by limiting available resources. The expectation of the West and its allies is that if business and political elites, not to mention the masses, begin to suffer, their willingness to support the Assad regime will ebb, opening opportunities for regime change. However, scarcity depends largely on the inability to find what is still available domestically, from countries not participating in the embargo, or on the black market. For this reason, it is increasingly possible that open government and the Internet provide a means for regimes and businesses to blunt some aspects of sanctions.


In the pursuit of the origin of Syria’s censorship structure, the site SyrianTenders.com came up as a potential source of foreign solicitations for hardware and software. While the story that unfolded describes a more secretive process, SyrianTenders is by all means a mature business that has been in operation for at least two years, servicing a range of clients from Al Assad University Hospital to the Syrian Military’s Housing Authority. As of this posting, the site lists 870 tenders, the vast majority of which appear to still be open for bidding. ST even has a browser toolbar available to alert users when new tenders are posted, based on its RSS feed. In some respects, what is particularly striking is how banal and low-quantity the needs are for all their stated urgency.

Of little use to my general line of research, there are very few requests for technology; instead the site requests packaging for produce, mass transit buses, pipes and agricultural support. However, SyrianTenders does contain the types of hydroelectric components, oil production equipment and building materials that are exactly what foreign governments want to restrict in order to stifle domestic growth.


Tenders by Sector

Furthermore, some of the solicitations seem to openly reflect the unstable political situation of the country.

إعلان طلب عروض أسعار لتقديم وتركيب أجهزة إنارة مضادة للانفجار في مشروع مشفى المخرم – للمرة الثالثة – بالسرعة الكلية

(Announcement of a request for price quotations to supply and install explosion-proof lighting fixtures in the Al-Mukharram hospital project – for the third time – URGENT)

For the past month, it has been my deep desire to attempt to quantify the rate of posting of tenders as a test of the hypothesis that it correlates with sanctions-related scarcity. The problem is that the site does not denote when a tender was posted, nor does it automatically delete old listings. Looking at cached copies shows times when more tenders were available, but with higher rates of expiration. Regrettably, then, no approach to this problem seems feasible without direct access to the database.

Following CitizenLab’s research, it is interesting to document the delivery of services for SyrianTenders. Sure enough, the associated address ‘207.32.185.22’ is owned by Nexcess, a Michigan-based hosting company specializing in e-Commerce. A recent addition, premium subscriptions for potential bidders (100 USD per 6 months), accepts payment by major credit card through PayPal. Taking it further, a whois on the syriantenders.com domain returns:

Administrative Contact:
ghashim, moe moe@kzresults.com
Walnut Bend Ln
Houston, Texas 77042
US
713 706 4380

On its contact page, Syrian Tenders lists:

Syrian Tenders
Aleppo – Syria – Cordoba Street
Phone : +963 95 6337522
Fax: +963212683456


Walnut Bend Ln

According to a lookup on the aggregator CorporationWiki, the specific Walnut Bend address is host to a number of business entities.

Companies at this address:
Mnc Group International, Inc.
Ghashim Capital Ventures Corporation
Sports Zone
Ghashim Group, Inc.

The domains associated with the server’s IP address support this as well, hosting:

7arake.com, fr-wear.com, golfshirtspro.com, jacketspro.com, labcoatsusa.com, mohanadghashim.com, signfurniture.com, sorrymenak.com, syriantenders.com, workshirtsusa.com, workuniform.com, zizac.com.

Among the domains is ‘7arake.com,’ an ecommerce vendor with listed addresses for Aleppo, Syria (Cordoba St.) and Houston, TX (Walnut Bend Ln.). There, 7arake describes its involvement with SyrianTenders.com as follows:

SyrianTenders is the first website of its kind in Syria which electronically aggregates and categorizes all tenders advertised in the Syrian Arab Republic according to your company’s needs. 7arake is managing this site in partnership with Close2Edge.

(Close2Edge announced its merger with 7arake on September 17th, 2011 in a blog post that noted their close collaboration on SyrianTenders.)

It’s difficult to know what to make of SyrianTenders at this point. Its relationships and shell companies clearly violate Department of Commerce and Department of Treasury sanctions on doing business with Syria. On the other hand, it proves that there are markets in everything, and gives a fascinating overview of the situation on the ground in the country. It is deeply unfortunate that the historical data appears lost to the outside.

]]>
This is Definitely Not A BlueCoat Device In Syria. http://b.averysmallbird.com/entries/this-is-definitely-not-a-bluecoat-device-in-syria http://b.averysmallbird.com/entries/this-is-definitely-not-a-bluecoat-device-in-syria#respond Tue, 11 Oct 2011 20:52:14 +0000 http://b.averysmallbird.com/?p=961 RE: BlueCoat Refutal of BlueCoat Devices in Syria; BlueCoat and Syria: Indicators and Culpability (me)

Mr. Steve Schick,

The device attached to 77.44.210.15 is not a BlueCoat SG-400 Appliance. Not a chance. None at all. And if it were, it would definitely not be an address owned by the Syrian Computer Society.

Nmap scan report for 77.44.210.15
Host is up (1.1s latency).
Not shown: 985 closed ports
PORT STATE SERVICE VERSION
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain?
80/tcp open http Blue Coat proxy server
|_html-title: Access Denied
81/tcp open http-proxy BlueCoat SG-400 http proxy
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
1720/tcp filtered H.323/Q.931
1723/tcp filtered pptp
2000/tcp filtered cisco-sccp
3128/tcp open squid-http?
4444/tcp filtered krb524
5060/tcp filtered sip
8080/tcp open http Blue Coat proxy server
|_html-title: Access Denied
8082/tcp open ssl/http Blue Coat SG210 http proxy config
|_sslv2: server still supports SSLv2
|_html-title: Site doesn't have a title (text/plain; charset=utf-8).
| http-auth: HTTP Service requires authentication
|_ Auth type: Basic, realm = 77.44.210.15
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Device type: proxy server|general purpose|WAP|firewall
Running (JUST GUESSING) : Blue Coat SGOS 5.X (90%), FreeBSD 6.X (89%), AirSpan embedded (88%), Apple Mac OS X 10.5.X (87%), Netasq embedded (85%)
Aggressive OS guesses: Blue Coat SG200 proxy server (SGOS 5.1.4.4) (90%), FreeBSD 6.2-RELEASE (89%), AirSpan ProST WiMAX access point (88%), Apple Mac OS X 10.5 (Leopard) (Darwin 9.2.2, x86) (87%), Apple Mac OS X 10.5.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.5.0 - 10.0.0) (87%), FreeBSD 6.1-RELEASE (86%), Netasq U70 firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 18 hops
Service Info: OS: SGOS; Device: proxy server

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.53 ms 10.240.80.2
2 5.39 ms ip-10-1-4-9.ec2.internal (10.1.4.9)
3 15.70 ms ip-10-1-2-128.ec2.internal (10.1.2.128)
4 0.57 ms 216.182.232.12
5 0.58 ms 216.182.232.50
6 14.98 ms 72.21.222.148
7 2.08 ms 72.21.220.156
8 2.87 ms dca-edge-18.inet.qwest.net (63.233.113.177)
9 2.51 ms ae-3.r01.asbnva02.us.bb.gin.ntt.net (129.250.2.210)
10 1487.82 ms lon-sb2-i.LON.GB.NET.DTAG.DE (62.154.5.137)
11 -- lon-sb2-i.LON.GB.NET.DTAG.DE (62.156.131.149)
12 -- 80.156.162.202
13 -- 80.156.162.194
14 ... 16
17 -- 77.44.201.206
18 -- 77.44.210.15

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 401.84 seconds

% Information related to '77.44.128.0 - 77.44.255.255'
inetnum: 77.44.128.0 - 77.44.255.255
org: ORG-SCSs1-RIPE
netname: SY-SCS-NET-20061220
descr: Syrian Computer Society, scs
country: SY
admin-c: SN2832-RIPE
tech-c: SN2832-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: SCS-NOC
mnt-domains: NOC-domains
mnt-routes: SCS-NOC
mnt-routes: STEMNT-1
source: RIPE # Filtered
organisation: ORG-SCSs1-RIPE
org-name: Syrian Computer Society, scs
org-type: LIR
address: Syrian Computer Society, scs Beirut Street, Tishreen park 13365 Damascus Syrian Arab Republic
phone: +963 11 371 2003
fax-no: +963 11 37298030
e-mail: noc@scs-net.org
mnt-ref: SCS-NOC
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
admin-c: SH5359-RIPE
source: RIPE # Filtered
role: SCS NOC
address: Damascus, Syia
mnt-by: SCS-NOC
e-mail: noc@scs-net.org
admin-c: SH5359-RIPE
admin-c: ML9004-RIPE
tech-c: SH5359-RIPE
nic-hdl: SN2832-RIPE
source: RIPE # Filtered

I’m glad we have this resolved, Sir.

Cordially,

Collin Anderson

]]>
BlueCoat and Syria: Indicators and Culpability. http://b.averysmallbird.com/entries/bluecoat-and-syria-indicators-and-culpability http://b.averysmallbird.com/entries/bluecoat-and-syria-indicators-and-culpability#comments Tue, 11 Oct 2011 16:59:40 +0000 http://b.averysmallbird.com/?p=937 The way we produce media

On October 5, the technology collective Telecomix released a set of logs that document the web traffic of users of the Syrian Telecommunications Establishment (Syria Telecom). The logs had been deposited on a poorly secured filesystem by a set of network monitoring appliances built by the American company BlueCoat and, compressed, total about 54 GB. Leila Nachawati, of Global Voices, has expounded on the immediate censorship ramifications; however, there is much more to be documented in this rich data source.

As a point of reference, the logs follow the format:

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" -  200 TCP_HIT GET text/html http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - "ClientLibs Session" 82.137.200.42 275 151 -

Amongst a deluge of attempts to reach Facebook and pornography, a multitude of angles for research on the infrastructure of Syrian censorship and the behavior of Internet users stands out. Considering the origin of the logs and the pressing issues, one potential avenue would be the documentation of BlueCoat-related accesses. Here one finds hundreds of iterations of the following line:

2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" -  200 TCP_HIT GET text/html http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - "ClientLibs Session" 82.137.200.42 275 151 -

According to an address lookup, the registrant of the domain ‘cwfservice.net’ is:
Registrant:
Blue Coat Systems
Bluecoat Hostmaster
420 N Mary Ave
Sunnyvale, CA 94085
US
Email: hostmaster@bluecoat.com
Accessing this URL (http://sp.cwfservice.net/1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80//) returns a simple XML document containing:
<Result>
<Code>04008000</Code>
<DomC>26</DomC>
</Result>
According to a posting made on BlueCoat's forums, the above line seems to describe the BlueCoat system connecting to the company's 'DRTR' intelligent rating service, as described in a sales document for BlueCoat WebFilter:

Blue Coat WebFilter includes as a standard feature – our Dynamic Real-Time Rating (DRTR™) service; when users encounter a new Web page, DRTR can use extremely accurate artificial intelligence to confidently rate the page (typically in about 200 milliseconds) so that appropriate use and security policy can be enforced the first time the Webpage is encountered. DRTR is particularly accurate at rating potentially objectionable sites (rating up to 98% automatically).

Furthermore, calls from device services such as 'PacketShaper' indicate that the DRTR service is not the only mechanism that contacts the BlueCoat-controlled 'sp.cwfservice.net.'

It would appear that all of Syria’s BlueCoat hardware calls home to update its ability to filter and monitor new objects that it has not encountered. Equally importantly, the Syrian logs are filled with queries related to BlueCoat systems, such as ‘bluecoat data collector,’ something that a general home user would have little interest in.

From personal experience with Iran, hardware will eventually find its way into sanctioned countries — restrictions increase price, not necessarily decrease availability. No company can reasonably be held accountable for second-hand sales, and many have increased their control of distributors as a result of leakages to embargoed countries. Furthermore, Telecomix's exploration has found evidence of hardware from other manufacturers, namely Cisco and Barracuda, the former of which I have more faith will abide by US trade restrictions.

As we have seen elsewhere, the common interpretation of OFAC sanctions against embargoed countries is the denial of electronic services to known national IP address ranges. It would appear that, at least after August 14, the same level of restrictions applies to Syria as well. Unfortunately, logs from this date range were not available to Telecomix. However, many technology providers appear to have interpreted the sanctions as applying well before the Arab Spring-related pressures.

Syria has by all means built for itself the foundations of a mature system for monitoring and censoring Internet traffic, and at its base are at least two dozen accounted-for BlueCoat ProxySG appliances. By current count, there are more than a thousand queries to BlueCoat's client services documented in a few days of traffic logs. Considering the extent of this traffic and the peculiarity of its origin, it appears implausible that BlueCoat was not aware of the existence of these devices. Syria Telecom's relationships with the Assad regime expose the company to the legal restrictions on services imposed by American embargoes on doing business with the country. Regardless of who sold Syria these devices, BlueCoat has both the moral and legal responsibility to end these services now.

Clarification (11.3.2011): It’s been noted that the specific entry cited may have been generated by Blue Coat’s free ‘K9’ desktop software. However, this was solely a matter of poor luck in my choice of examples to include. More functions appear to reach cwfservice.net, most of which are less likely to be a client application.

2011-08-03 09:01:05 277 0.0.0.0 - - - OBSERVED "none" -  200 TCP_MISS GET text/html http sp.cwfservice.net 80 /2/N/0477d7b851ad026ebf20ea158cf5164f/BLUSHPR1/0/GET/https/updates.bluecoat.com/443/ - - "PacketShaper" 82.137.200.48 270 305 -
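To make the log format and the K9-versus-PacketShaper distinction above concrete, here is an added parser (my example, not code from the post, Telecomix or Blue Coat) for the ELFF layout given by the header line: it reads the two lines quoted in this post plus one constructed ordinary user request, and groups the entries in which the proxy contacts a vendor-run host by proxy address and User-Agent, the pair that tells the desktop client apart from appliance services. The vendor domain list comes from the whois result above; the third sample line and the decision to skip lines with the wrong field count are assumptions of the example.

```python
import shlex
from collections import Counter

# Field list copied from the header line of the leaked logs.
HEADER = ("date time time-taken c-ip cs-username cs-auth-group x-exception-id "
          "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
          "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
          "cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id")

# Lines 1-2 are quoted in the post; line 3 is a constructed ordinary user request.
SAMPLE_LOG = """\
2011-08-05 16:28:01 1 0.0.0.0 - - - OBSERVED "unavailable" -  200 TCP_HIT GET text/html http sp.cwfservice.net 80 /1/N/K962ZF9Z39/K9-00006/0/GET/HTTP/bluecoat.com/80// - - "ClientLibs Session" 82.137.200.42 275 151 -
2011-08-03 09:01:05 277 0.0.0.0 - - - OBSERVED "none" -  200 TCP_MISS GET text/html http sp.cwfservice.net 80 /2/N/0477d7b851ad026ebf20ea158cf5164f/BLUSHPR1/0/GET/https/updates.bluecoat.com/443/ - - "PacketShaper" 82.137.200.48 270 305 -
2011-08-05 16:28:03 120 0.0.0.0 - - - OBSERVED "Search Engines/Portals" - 200 TCP_MISS GET text/html http www.example.com 80 / - - "Mozilla/5.0" 82.137.200.42 5120 410 -
"""

# Hosts the whois lookup in the post attributes to the vendor.
VENDOR_DOMAINS = ("cwfservice.net", "bluecoat.com")


def parse_elff(header, text):
    """One dict per well-formed line; an ELFF '-' placeholder becomes None."""
    names = header.split()
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex keeps quoted values such as "ClientLibs Session" as one token.
        tokens = shlex.split(line, comments=False)
        if len(tokens) != len(names):
            continue  # truncated or malformed line: skip rather than misalign fields
        records.append({k: (None if v == "-" else v) for k, v in zip(names, tokens)})
    return records

def is_vendor_host(host):
    return host is not None and any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def call_home_entries(records):
    """Requests from the proxy to a vendor-run host, i.e. the appliance 'calling home'."""
    return [r for r in records if is_vendor_host(r["cs-host"])]

def summarize_callers(records):
    """Count call-home requests per (proxy address, User-Agent): the pair that
    separates the K9 desktop client from appliance services such as PacketShaper."""
    return Counter((r["s-ip"], r["cs(User-Agent)"]) for r in call_home_entries(records))

if __name__ == "__main__":
    for (proxy, agent), n in summarize_callers(parse_elff(HEADER, SAMPLE_LOG)).items():
        print(f"{proxy:16} {agent:20} {n} request(s)")
```

On the full 54 GB dump the same summary, run per day, gives the per-appliance count of vendor contacts that the post's "more than a thousand queries" figure refers to.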

Occupy Wall Street: Misreading Lessons from Tahrir http://b.averysmallbird.com/entries/occupy-wall-street-misreading-lessons-from-tahrir Mon, 19 Sep 2011 05:14:24 +0000

Straw Poll on Direct Action

This weekend, over a thousand protesters marched on Wall Street, with a couple hundred continuing into the night occupying Liberty Plaza in lower Manhattan. Echoed with enthusiastic, revolutionary glee was the impression that the event, planned over a few short weeks, was an extension of popular movements in Tunisia, Egypt, Greece and Spain, and a change in American discourse. Unfortunately, the event has come to represent, in execution, an extension of the same insular leftism with no broad appeal to the public.


NYC Madrid

Passive revolution.

Walking to cull through my photos from the day, I ran into a group holding a candlelight vigil on the sidewalk. Knowing my neighborhood, I assumed the townhouse was an embassy and went to spy which. Northwest Dupont Circle is a hotbed of consulates for former and current pariah regimes, housing Belarus, Iraq and Zimbabwe within a few square blocks. As I ducked in to look and then walked away, I was flagged down by an older individual who wanted to explain that they were expatriate Eritreans protesting government oppression of democratic activists.

The difference in attitude was striking. For a group of eight, it was worthwhile to track me down and make the case for their cause; yet, the previous afternoon, little effort was made by the hundreds of protesters to engage the public.

Instead, the media model was clear. A sufficient number of protesters occupying a space for long enough would hypothetically attract the television attention necessary to bring out the public and inconvenience the daytime residents of the neighborhood. The call to action was 'bring your friends, stay the night and if you can't stay — come back tomorrow.'

Lectures were given and agreements made that the police were working-class comrades, deceived by the elites; however, few attempts were made to convert those lining the perimeter of the square. Those interlocutors who wandered in of their own will were less at risk of being lectured on wealth inequality than on truths about the events that took place two blocks away and ten years ago, or the imminent execution of a Georgian man.


Pluralism is Strength

The differences between 'Occupy Wall Street' and Egypt's Tahrir Square couldn't be more stark. Nowhere close to enough has been written about the internal process leading up to the early days of February, but one gleans the image of organizers moving into the coffeeshops to recruit the unemployed and dispossessed. On top of this legwork, a preexisting civil society existed with which the protesters could connect on a common cause. The lead-up to Tahrir was not young students camping out, writing on Twitter, appealing to the media and waiting for the public to join. Instead, it was the process of

First:

…the Kifaya movement, a political formation that brought together Islamists, Muslim Brothers, communists, liberals, and secular-leftists, joined on the basis of a common demand for an end to the Mubarak regime…[1]

Second:

The organizational skills of the ultras, fanatical Cairo soccer fans, are emerging as opponents and supporters of embattled Egyptian President Hosni Mubarak determine the fate of the 82-year old Egyptian leader’s 30-year rule.[2]

At times it would seem that the Tea Party, a coalition of groups with extremely different social positions united by a few common goals, has more in common than Egypt’s revolutionaries.

Nothing of the sort of networking necessary for a movement happened that day on Wall Street. No attempt was made to bring in the public; and groups introspectively defined themselves to discuss the ambitions of the strike. More time was spent on the discussion of parliamentary systems and planning of events, than communications and outreach. As tourists wandered, unassailed, down the busy corridor of Broadway that constituted the border of the encampment, opportunities were lost.

People Against the Machine

Rhetoric Matters

The classic pattern of working groups, self-indoctrination and sectarian debate occurred. The protests seemed more bent on defining their unwillingness to participate in economic systems than on offering solutions to the public. By conflating wealth inequality with class warfare, the protesters closed off access to the majority of the public. Peripheral issues further this disengagement — once the narrative of September 11th is confronted, everyone is lost.

Lower Manhattan is not pre-revolution Egypt or Tunisia, and environmental comparisons fail on merit. The bombastic comments heard frequently about 'not being afraid to go to jail or die' must certainly be based on the understanding that the latter is improbable and the former insignificant. The New York Police Department's book, hold, release and drop policies are incomparable to the horrors of Evin Prison, and attempts to draw parallels insult real suffering. For that matter, such poor execution of civil disobedience is more liable to put off potential supporters than to create social change.

Guitars

Avoiding Alienation

To be sure, many in Liberty Plaza have been genuinely affected by the economics of the United States, and compelling stories exist in the crowd. One comment overheard embodied this.

To pay my way through a Bachelors in Biology, I worked in a hotel. When I graduated I couldn’t find a job in what I studied for, and the only reason I could find anything at all, was because of that previous hospitality experience, doing the same thing I was doing back then. It’s sad; that terrible job was worth more than my college diploma.

These are the stories that concern the general public and resonate more deeply than the idealist whose goal is to never work a nine-to-five job in their life while they seek to overthrow the status quo. No suburban parent will see themselves or their children in that individual.

What’s clear is that a compelling narrative exists to be seized by idealistic youth. The social politics of America is defined by a generation with a bleaker future than their predecessors — underemployed and lacking credibility — and the parents, concerned about their children’s future and their own. This is a nightmare that cuts across all sections of the public, from the cosmopolitan coasts to the rural Midwest. If the United States has its own Tahrir moment, it will begin with that simple fact.

[1] http://blogs.ssrc.org/tif/2011/02/09/the-road-to-tahrir/

[2] http://mideastsoccer.blogspot.com/2011/02/egyptian-ultra-tactics-evident-in.html
