By: Andy Greenberg, Forbes
One morning in mid-August, seven months into the Arab Spring protests and government crackdowns in which thousands have been killed, something strange happened on Syria’s Internet. As users aimed their Web browsers at Google and Facebook, they instead saw a page of white Arabic script scrawled across a black background.
“This is a deliberate, temporary Internet breakdown. Please read carefully and spread the following message,” it read. “Your Internet activity is monitored.”
Then the page switched to a white screen filled with instructions on using free encryption and anonymity software like Tor and TrueCrypt to evade surveillance and censorship. Emblazoned above the text was a round, mysterious symbol: a star inside an omega, hovering over a pyramid surrounded by lightning bolts. Below it were written the words: “This is Telecomix. We come in peace.”
Telecomix, a loose-knit team of international hacktivists, had been scanning the Syrian Internet in a massive sweep, dividing 700,000 target connections among its members in Germany, France and the U.S., probing for hackable devices with software tools like Nmap and Shodan. They compromised vulnerable Cisco Systems-produced network switches to find other devices’ passwords, snooped on open cameras revealing street scenes and even officials’ desks, and at one point retrieved the log-in credentials for 5,000 unsecured home routers, which they used to insert the surveillance warning (shown below) into browsers across the country.
As the globally-distributed hackers combed Syria’s networks and posted their findings in a crowd-sourced document, one American member of the group, who uses the handle Punkbob, spotted a Windows FTP server filled with data he recognized: logs from a Proxy SG 9000 appliance built by the Sunnyvale, Calif.-based company Blue Coat Systems. In Punkbob’s day job at a Pentagon contractor, he says, the same equipment had been used to intercept traffic to filter and track staff behavior. The Syrian machine’s logs showed the Internet activity of thousands of users, connecting the sites they attempted to visit and every word of their communications with the IP addresses that pointed directly to their homes. In short, he had discovered American technology being used to help a brutal dictatorship spy on its citizens.
“At first we were just poking around, but when I saw that, I had this feeling of dread,” says Punkbob, who requested that Forbes not use his real name. “To see exactly what Syria was tracking and who was providing the technology to do it.…That was when it felt real.”
Since Telecomix published 54 gigabytes of those logs, the resulting attention has forced Blue Coat to admit that its gear had been used by Syria, a potential violation of international sanctions against that country. The company didn’t respond to Forbes’ request for an interview, citing an ongoing internal review and a related Commerce Department probe. (Note that the investigation didn’t deter private equity firm Thoma Bravo and the Ontario Teachers Pension Plan from a recent deal to take Blue Coat private for $1.3 billion.) The disclosure of Blue Coat’s gear in Syria has touched off revelations that hardware from other U.S. firms, including NetApp and HP, was also used by blacklisted regimes. The industry now faces tough new questions about tech firms’ responsibility for how their products are deployed—and by whom.
Telecomix sees its Blue Coat discovery as a turning point in the group’s mission: Founded to fight for free speech, it now aims to also expose those who fight against that ideal, including any Western tech firm aiding the wrong side. “I hope that the Blue Coat thing was the start of something much bigger,” says Chris Kullenberg, a lean and lip-pierced Swedish political science grad student at the University of Gothenburg and a Telecomix founder. “The goal is to put political pressure on these companies. It started with rage and frustration. What can we do? Well, we can hack a few boxes and expose this to the world. That’s the motivation that drives hackers deeper and deeper into the networks.”
Telecomix likely broke Syrian law. But some more traditional activists appreciate their work. “It crosses a line we wouldn’t be comfortable crossing,” says Brett Solomon, president of the digital human rights group Access Now. “But sometimes it takes someone like Telecomix to put a spanner in the works.”
Actively hacking networks is a new game for Telecomix’s Web revolutionaries. But unlike the hacker group Anonymous, which began with juvenile pranks before attacking Scientologists, opponents of WikiLeaks and defense contractors, Telecomix was born political. The group was created at a Gothenburg conference in 2009 to oppose the European Union’s so-called Telecoms Package, industry-influenced laws that would have cut Internet access for anyone repeatedly downloading copyrighted files. “In a sense, corporations have always been the enemy,” says Kullenberg.
The hackers dug up and published the phone numbers of every EU Parliament member, then convinced the copyright-flouting Swedish download site the Pirate Bay to post a link on its home page. At the time, the site received 20 million monthly visitors. The Parliament’s phones were jammed for days, and the statute was eventually dropped.
After that initial victory, the group’s pseudonymous chatrooms slowly filled with likeminded hacktivists, and a strange, Internet meme-laden culture developed around them: Telecomix members call each other “agents” or “Internauts.” Its symbols, like the one shown on the Syrian warning message, integrate obscure socialist, technological and pirate icons. Ask them to identify the group’s leader, and they’ll name Cameron, an interactive artificial intelligence bot that they’ve designed to read and learn from their chatroom conversations and respond to questions. (“His commands are fuzzy,” admits Icelandic Telecomix agent Smari McCarthy. When I type a question to Cameron asking it to tell me Telecomix’s mission, for instance, it responds, “The mission is Christmas?”)
Bizarre sense of humor aside, the group remains serious about its work; The populist uprisings of the Arab Spring have only brought its goals—and its enemies—into sharper focus. A few days into the January 25 protests in Egypt Hosni Mubarak shut down all but one of his country’s Internet service providers. “Telecomix members consider themselves citizens of the Internet,” says one American Telecomixhacker who goes by the nickname the Doctor. “So we took that as a personal affront.”
Agents arranged with the hacker-friendly Internet provider French Data Network to fire up modem banks and give users free dial-up connections. Then the group faxed thousands of leaflets to Egyptian universities, offices and cybercafes, explaining how to skirt the blackout.
Soon Telecomix’ chatrooms became a kind of dissident IT support helpline, with Middle Eastern activists appearing on its IRC channels to ask for advice about securing their connections or avoiding surveillance. Increasingly, they came from Syria, many bringing graphic videos and pictures of police violence they wanted Telecomix’s agents to help them distribute.
Telecomix’s scanning of the Syrian Net began as reconnaissance to prepare for an Egypt-style Internet shutdown. Stumbling onto the Blue Coat logs was a fateful fluke. When the hackers realized what they’d found, they downloaded close to 100 gigabytes of data, using the Tor anonymization network to cover their tracks, a process that took weeks over Syria’s thin bandwidth.
In October Telecomix released hundreds of millions of lines of text listing hundreds of sites the Syrian government was blocking, from porn to Facebook to Chatroulette, along with enough users’ communication logs to show that the regime was using their Blue Coat gear to not only filter but also monitor dissidents’ activities. Blue Coat’s scandal demonstrates the complexity of regulating surveillance technology. The firm claims it hadn’t known about its devices in Syria, arguing they must have found their way into the country through a reseller in the United Arab Emirates.
“Blue Coat is mindful of the violence in Syria and is saddened by the human suffering and loss of human life that may be the result of actions by a repressive regime,” it wrote in a statement. “We don’t want our productsto be used by the government of Syria or any other country embargoed by the United States.” But critics like cryptography guru Bruce Schneier and Tor developer Jacob Appelbaum point out that Blue Coat devices link back to its servers for licensing and updates, implying the company may have turned a blind eye to its Syrian users.
Some Telecomix agents say they’ve also spotted equipment sold by Fortinet in Syria. Fortinet responds that it “has in place a policy prohibiting shipping its product to countries where shipment is embargoed.” And what about resellers who pass it on to those countries? “At that point it’s out of our hands,” a spokesperson says.
In some cases, companies have argued that the line between ethical and unethical use of their products is simply too blurry to distinguish. Cisco, whose network switches Telecomix identified in Syria, was previously hauled before Congress in 2008 after a leaked PowerPoint suggested it pitched Chinese police on using its equipment to track members of the banned Falun Gong regime.“Cisco’s routers and switches include basic features that are essential to the fundamental operation of the Internet by blocking hackers from interrupting Internet services and protecting users from viruses,” Cisco’s General Counsel told a Senate Subcommittee on human rights in 2008. He denied the PowerPoint represented company policy, but conceded that “those same basic features – without which the Internet could not function effectively-can unfortunately be used by network administrators for censorship purposes.
Hazy as the line may be, it’s clear some companies have crossed it. Marketing documents published by WikiLeaks show 160 firms advertising surveillance gear, often in Arabic as well as English. British firm Gamma International brags that it can spy on users of Gmail, Skype and iTunes; its sales pitch was found in the files of the Egyptian government after Mubarak fled.
Telecomix is determined to remain a watchdog against Western firms aiding foreign Big Brothers. Two Swedish members, Chris Kullenberg and Jonatan Walck, have registered a site called Internaut.cat where they plan to publish future disclosures of the group’s findings, using Sweden’s strong media laws to shield their sources.“ We’re at a point now where Internet users are becoming aware of what’s being done to them,” says the Doctor. “Companies that sell gear designed to track people should expect to be outed.”