NetApp, Sophos join list of tech being used by Syrian state snoopers
"Dual-use" technology: who is meant to be the bad guy?
Published 12:02, 04 November 11
If you're in any part of the security industry you will know the phrase dual-use technology; it's the umbrella term for any technology that can be used for both "good" and "evil" from the perspective of whoever is speaking at the time. Traditionally it's used to describe something like a knife, which can be used to kill someone, but can also be used to prepare food, or in the hands of a surgeon to remove cancer.
See how it's meant to work? Both good and bad purposes.
Clear-cut dual-use.
Except it's not really that simple; entire nations have a tendency to fetishise particular classes of object (handguns: UK "bad", US "good") - and all technology can be dual-use if you're sufficiently creative: is a frying pan an implement of breakfast or a comical but effective weapon?
With software the arguments become even more convoluted, because software is just computer code, which is a form of written speech; to regulate speech as one might a handgun may seem bizarre, but until 1996 that was precisely what the US Government did to inhibit widespread use of cryptography - such as that which you now use so often that you barely consider it.
The bad technology vs. good technology mindset continues even though the deep truth is that technology merely exists, and what is good or bad is the intent of the people using it. Write a password cracker or vulnerability scanner and someone will invariably call for its availability to be restricted only to "good" people - as if they were all enumerated on some convenient list.
But I am pleased to report that the good vs. bad distinction is becoming increasingly grey, especially as governments worldwide provide us with complex examples; coverage of the Stuxnet virus leans more heavily towards it being a "horrifying viral malware cyberweapon" rather than it being a state-sponsored initiative to keep nuclear weapons away from a vile regime, but at least some people are making both that observation and the parallel one that the security risk posed by malware might be best mitigated by not being vulnerable to it.
And now we have an uprising in Syria - the tech angle is that various companies' dual-use technologies have been turning up in Damascus and are being used to oppress the freedom-loving dissidents; these are (of course) precisely the same kinds of technology that are deployed by our governments to keep us safe from terrorism, organised crime, malware, and hairy protestors.
Blue Coat technologies was the first to be fingered, makers of deep packet inspection tools that drill into (even some encrypted) web traffic and inform the authorities as to what their citizens activists troublemakers are up to.
This morning Bloomberg broke a story adding several other companies' technologies to the list of tools in use in Syria, and also explaining how the equipment gets into Damascus:
As Syria's crackdown on protests has claimed more than 3,000 lives since March, Italian technicians in telecom offices from Damascus to Aleppo have been busy equipping President Bashar al-Assad's regime with the power to intercept, scan and catalog virtually every e-mail that flows through the country.
Employees of Area SpA, a surveillance company based outside Milan, are installing the system under the direction of Syrian intelligence agents, who've pushed the Italians to finish, saying they urgently need to track people, a person familiar with the project says. The Area employees have flown into Damascus in shifts this year as the violence has escalated, says the person, who has worked on the system for Area.
Area is using equipment from American and European companies, according to blueprints and other documents obtained by Bloomberg News and the person familiar with the job. The project includes Sunnyvale, California-based NetApp Inc. (NTAP) storage hardware and software for archiving e-mails; probes to scan Syria's communications network from Paris-based Qosmos SA; and gear from Germany's Utimaco Safeware AG (USA) that connects tapped telecom lines to Area's monitoring-center computers.
...and Utimaco is a part of Britain's very-own Sophos group.
Also this morning Privacy International's Eric King was interviewed for Bloomberg TV (video), noting that if this sort of technology was used in Europe it would be "totally illegal"; if that's correct then perhaps the technology is not so dual-use after all?
In the light of this week's London Cyberspace Conference - sponsored by the Foreign Office - you have to wonder how the Government will take the revelation of a UK company's involvement, even if it is through a German (i.e. European) subsidiary?
 Disclosure: I have done this.
 Aside: this is still my favourite quote from the Egyptian uprising.