While sorting through emails from the HBGary incident, associates of Anonymous discovered links that suggest an established U.S. government contractor was the winner of a bid to develop persona management software for the U.S. Central Command (USCENTCOM). What is this technology? As a U.S. citizen, should you be concerned by its development and use?
Earlier this week, Anonymous reported on discoveries made while examining the HBGary and HBGary Federal email archive they released to the Web. These discoveries center on persona management software. The intended use of this software, the organizations involved with it, and the potential for abuse, raised several questions.
Given that it doesn’t have an official name, Anonymous dubbed the untitled technology MetalGear, and are digging for details on who has the software, why it was developed, and the full extent of its use.
The idea for such technology isn’t new. Reputation and persona management techniques have been used by the government and the private sector for years online. Whole businesses exist to leverage reputation and brand management on social media, blog comments, forums, and search results.
The interesting aspect to the reported discovery is the claim by Anonymous that Booz Allen Hamilton, a well-known U.S. government contractor, in connection with HBGary Federal’s ex-CEO Aaron Barr, bid on, and possibly won, a U.S. Air Force (USAF) contract seeking persona management software. While they may have bid on the contract, they didn’t win it, according to USCENTCOM.
When reading Barr’s emails, one can see that he has met with several government agencies, other intelligence firms in the private sector, and contractors such as Booz Allen Hamilton, to discuss intelligence gathering and other risk management topics associated with social media.
When contacted by The Tech Herald, Booz Allen Hamilton would not comment on their business relationships with the government, including any social media aspect of the work they do. Likewise, they would not comment on their relationship with Aaron Barr or HBGary Federal. However, even though Booze Allen Hamilton didn’t win the contract, there is more to this story.
Barr’s ideas and plans for persona or social media business ventures are evident from the countless emails seeking or confirming meetings on the topic. Given the purpose of the Web, such business deals would equal a lot of money, and there is definite interest in that area of research both privately and publically.
Due to the sensitive nature of the persona management software, its complexity, and the confirmation of its existence and usage by the government, it is understandable that some people may be a little concerned.
MetalGear - opening Pandora’s Box
Again, the persona management software has no known official title, so this is where the name MetalGear comes from. The MetalGear story starts with a proposal [archive copy] from the Office of Air Mobility Command, within the U.S. Air Force, in June of 2010.
The proposal asked for 50 user licenses for software that would allow 10 personas per user. In all, this is a virtual army of 500 personas, who can be centrally controlled by a small group of people.
According to the bid put out, personas must be “…replete with background, history, supporting details, and cyber presences that are technically, culturally, and geographically consistent.”
“Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information.”
In addition, the bid called for access to secure virtual private networks and virtual private servers, which would consist of secure operating environments that use clean virtual machines to stage and conduct operations. The networks should offer clean IP addresses that will allow “organizations to manage their persistent online personas by assigning static IP addresses to each persona.”
“Individuals can perform static impersonations, which allow them to look like the same person over time. Also allows organizations that frequent same site/service often to easily switch IP addresses to look like ordinary users as opposed to one organization.”
Not long after this bid was placed online, several sites ended up mirroring the proposal. However, it wasn’t until Anonymous compromised HBGary and HBGary Federal - subsequently releasing their company email to the Web - that the public learned of such initiatives by the government.
When the proposal hit the Web, emails within HBGary started circulating back and forth. One of them speculated that government’s operation was blown before it even began, given that the whole world could read about the plans.
Yet, based on the timelines in the HBGary emails, as well as public comments about the proposal and contract by USCENTCOM, HBGary Federal might have bid on the contract with Booz Allen Hamilton, but they too lost the race.
Internal communications from Aaron Barr say that the RFI for the persona software was written for Anonymizer, a company acquired in 2008 by intelligence contractor Abraxas Corporation. The reasoning is that they had existing persona management software and abilities.
In 2010, Abraxas was purchased by another intelligence contractor, Cubic for the tidy sum of $124 million in cash. Some of the top talent at Anonymizer, who later went to Abraxas, left the Cubic umbrella to start another intelligence firm. They are now listed as organizational leaders for Ntrepid, the ultimate winner of the $2.7 million dollar government contract.
Ntrepid, “provides national security and law enforcement customers with software, hardware, and managed services for cyber operations, analytics, linguistics, and tagging & tracking,” a company profile explains.
Ntrepid’s corporate registry lists Abraxas’ previous CEO and founder, Richard Helms, as the director and officer, along with Wesley Husted, the former CFO, who is an Ntrepid officer as well. The shifting company names and management has led to some speculation that this is a front company for Abraxas, but there is no proof of those claims.
Not much is known about Ntrepid, as the company website consists of little more than an email address and a logo. Emails to Ntrepid were not returned.
MetalGear - the government’s response to violent extremist propaganda
The U.S. Central Command is located a MacDill Air Force Base in Tampa, Florida. They have an area of operation that includes Egypt, Iran, Iraq, Jordan, Pakistan, Yemen, and fourteen other countries.
USCENTCOM spokesperson, Commander Bill Speaks, has confirmed MetalGear’s existence and usage. He told the Washington Post and other media that the software supports, “classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.”
Records indicate that the persona management software used by USCENTCOM is part of a larger operation codenamed Earnest Voice.
Operation Earnest Voice hopes to “counter extremist ideology and propaganda, and to ensure that credible voices in the region are heard,” according to a statement made by General Petraeus last March.
“OEV provides CENTCOM with direct communication capabilities to reach regional audiences through traditional media as well as via websites and regional public affairs blogging. In each of these efforts, we follow the admonition we practiced in Iraq, that of trying to be ‘first with the truth’.”
The problem most have with the USCENTCOM methodology is that if you use fake voices - or sock puppets as they are sometimes called - then there is no real credibility, and the truth turns into nothing more than matching propaganda with alternative propaganda.
There is a fear that this software could be used domestically as well as internationally. In statements to the media, Commander Speaks was quick to point out that the persona software’s usage would be foreign only, and would not be directed at Americans without qualification. Yet, what qualification means in this regard is unknown.
These fears are compounded by the fact that the government doesn’t have exclusive rights to the software itself. A patent, written by IBM RSW in 2009, seeks approval for a “system to apply persona styles to written communications.”
The patent describes a system that includes a communication analyzer coupled with a modification engine.
“The selected persona style defines a communication style. The modification engine modifies the original content of the written communication to replace the element of the original content with a substitute element that is compatible with the selected persona style.”
When the patent application, the research proposals from Aaron Barr, and the government’s admission that they do not have exclusivity with it comes persona management are considered, the question of who exactly has this technology in play begs to be asked.
In truth, the very nature of persona management itself means it would be nearly impossible to tell when and where it is used in the public by a private sector organization.
MetalGear - proposals and potential customers
Aaron Barr was critical of social media and the risks it posed to organizations. However, he was a big fan in intelligence gathering and leveraging social media to collect and sell information. Part of this process included the development and deployment of persona software.
In an email to ManTech, Barr said that he wanted to develop personas for collection of information related to cyber threats and then provide the data “as part of a feed or data package that can be sold at subscription.”
“This model is working successfully for a few small companies in the high end security space. It gives the government access to information that would be more difficult for them to collect. We handle all the parsing and weeding of information on our end before we hand it over as part of the subscription.”
While the ManTech recipient of Barr’s pitch was receptive, he noted that he could not get the upper management to commit. A few weeks later, ManTech’s COO approached Barr about a meeting that would see Barr going from the CEO of HBGary Federal to VP of Cyber Strategy. Also possible was the outright purchase of HBGary Federal itself.
“We are well funded and need to do some serious acquisitions this year,” the email said.
The purchase or position change is important, because ManTech is another government contractor, and if Barr had developed software as he had claimed to others, then it could be assumed this technology would have gone with him. This would open persona management abilities to everyone outside of USCENTCOM.
Given the scope of Barr’s professional contacts, plenty of private and government sector organizations were pitched on persona and social media intelligence. His mission was to make it happen, and based on his emails, in some ways he did. The problem is that his research is also what ultimately causes his world to collapse when he targeted Anonymous.
MetalGear - should you panic or just go on with life?
The idea that there is technology used by the government, and possibly by the private sector, that can fill Internet with single sided information is nothing to head to the hills over. However, the potential for abuse is something to be mindful of.
Sticking with USCENTCOM, unless they are doing things the public is unaware of, there is no way to tell if the people their fake personas interact with are not on US soil. As mentioned, it is also impossible to tell if they are using persona management stateside unless someone comes forward and blows the whistle.
It’s been widely reported that terrorists are aware that their online movements are monitored. They actively post false information within their ranks to ferret out impostors. With this software, it would appear that the U.S. wants to take part in this game too. Yet, it isn’t clear what this propaganda push will accomplish in the long term, other than government approved comment spam.
On the other side of this coin, the persona management software of the scale discussed recently is as dangerous as it is powerful. Aaron Barr is still taking a public beating over his research and ideas, but it is important to remember he is well versed in social media and intelligence gathering.
At the same time, he cannot be the only one with the idea to collect and sell information, to anyone with cash in-hand, simply by using social networks. Moreover, his idea to develop personas to further information collection cannot be seen as a unique idea either.
But sales is only part of it, this technology can be used to promote. It can be used to advance an idea or grassroots movement. The government could use this strategy sure, but there is more value to the private sector when it comes to this type of use. Viral promotion can be used to leverage a brand, or it can be used to pass agendas.
If you have ever seen a blog post with an active comment section, perhaps a product review, it should come as no surprise to know many of the positive comments are false. Now repeat that process thousands of times over for a popular product.
This alone should make everyone cautious. The concept isn’t new or original, but it isn’t something that was publically discussed until recently.
The only way to prevent this technology from being abused is to enact tough laws that protect the privacy of anyone online. Adding to that is a need for social awareness, as in be sure you know what personal information exists about you online and know who it is you are associating with. Both options are far easier to write down than they are to accomplish sadly.
For now, if you are concerned about privacy, many experts agree the first task is to limit the amount of information you offer to websites and people online. From there, keep an open mind when meeting new friends online, but keep a close tab on your social circles, and separate work from play when it comes to contacts.
At the end of the day, the existence of persona management and social media intelligence software shouldn’t cause blind panic in the masses. At the same time, it should cause questions to be asked, and lawmakers and officials should be willing to address them.
Tell us. What do you think of USCENTCOM usage of personas? What do you think of the idea of persona management overall? We welcome all feedback in the comments below.