As I wrote yesterday , there is a leaked email that has gotten surprisingly little attention around here. It's the one where Aaron Barr discusses his intention to post at Daily Kos - presumably something negative about Anonymous, the hacking group. But that's not the email I'm talking about here.
As I also mentioned yesterday, in some of the emails, HBGary people are talking about creating "personas", what we would call sockpuppets. This is not new. PR firms have been using fake "people" to promote products and other things for a while now, both online and even in bars and coffee houses.
But for a defense contractor with ties to the federal government, Hunton & Williams, DOD, NSA, and the CIA - whose enemies are labor unions, progressive organizations, journalists, and progressive bloggers, a persona apparently goes far beyond creating a mere sockpuppet.
According to an embedded MS Word document found in one of the HBGary emails, it involves creating an army of sockpuppets, with sophisticated "persona management" software that allows a small team of only a few people to appear to be many, while keeping the personas from accidentally cross-contaminating each other. Then, to top it off, the team can actually automate some functions so one persona can appear to be an entire Brooks Brothers riot online.
Persona management entails not just the deconfliction of persona artifacts such as names, email addresses, landing pages, and associated content. It also requires providing the human actors technology that takes the decision process out of the loop when using a specific persona. For this purpose we custom developed either virtual machines or thumb drives for each persona. This allowed the human actor to open a virtual machine or thumb drive with an associated persona and have all the appropriate email accounts, associations, web pages, social media accounts, etc. pre-established and configured with visual cues to remind the actor which persona he/she is using so as not to accidentally cross-contaminate personas during use.
And all of this is for the purposes of infiltration, data mining, and (here's the one that really worries me) ganging up on bloggers, commenters and otherwise "real" people to smear enemies and distort the truth.
This is an excerpt from one of the Word Documents, which was sent as an attachment by Aaron Barr, CEO of HBGary's Federal subsidiary, to several of his colleagues to present to clients:
To build this capability we will create a set of personas on twitter, blogs, forums, buzz, and myspace under created names that fit the profile (satellitejockey, hack3rman, etc). These accounts are maintained and updated automatically through RSS feeds, retweets, and linking together social media commenting between platforms. With a pool of these accounts to choose from, once you have a real name persona you create a Facebook and LinkedIn account using the given name, lock those accounts down and link these accounts to a selected # of previously created social media accounts, automatically pre-aging the real accounts.
Yes!!! That's how democracy and the first amendment are supposed to work.
In another Word document, one of the team spells out how automation can work so one person can be many personas:
Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. In this case there are specific social media strategy website RSS feeds we can subscribe to and then repost content on twitter with the appropriate hashtags. In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise, as one example. There are a variety of social media tricks we can use to add a level of realness to all fictitious personas
I don't know about you, but this concerns me greatly. It goes far beyond the mere ability for a government stooge, corporation or PR firm to hire people to post on sites like this one. They are talking about creating the illusion of consensus. And consensus is a powerful persuader. What has more effect, one guy saying BP is not at fault? Or 20 people saying it? For the weak minded, the number can make all the difference.
And another thing, this is just one little company of assholes. I can't believe there aren't others doing this already. From oil companies, political campaigns, PR firms, you name it. Public opinion means big bucks. And let's face it, what these guys are talking about is easy.
Just today I was listening to Stand Up with Pete Dominic on XM's POTUS channel. He was talking about the Wisconsin labor attack and how he had seen a lot of people email and contact the show in support of the Teachers there. Then he added a "but": "I've also seen a lot of anti-labor people on Twitter..."
Really? I thought. How do we know if those are real people? Twitter has to be the easiest thing to fake and to automate with retweets and 180 characrer max sentences. To the extent that the propaganda technique known as "Bandwagon" is an effective form of persuasion, which it definitely is, the ability for a few people to infiltrate a blog or social media site and appear to be many people, all taking one position in a debate, all agreeing, for example, that so and so is not credible, or a crook, is an incredibly powerful weapon.
How many times have you seen a diary get posted that reports some revelatory yet unfavorable tidbit about someone only to see a swarm of commenters arrive who hijack the thread, distract with a bunch of irrelevant nonsense, start throwing unsubstantiated accusations and ad hominem attacks to where before you know it, everyone's pretty much forgotten what the diary said in the first place.
Some times diaries deserve to be swarmed. But what if a diary is swarmed and it's really just one asshole working for a law firm that represents the oil company your diary was attacking?
I don't know about you, but it matters to me what fellow progressives think. I consider all views. And if there appears to be a consensus that some reporter isn't credible, for example, or some candidate for congress in another state can't be trusted, I won't base my entire judgment on it, but it carries some weight.
That's me. I believe there are many people though who will base their judgment on rumors and mob attacks. And for those people, a fake mob can be really effective.
I have no idea what to do about this problem, except just make sure everyone knows its possible, and so watches out for it.
-------------------------------------
Lastly, some here are falling for the meme that HBGary personel, and especially Aaron Barr himself, are incompetent buffoons. This is a mistake. While Mr Barr may be a fool, he was not the one who fell for a spear fishing attack that allow an, apparently, 16 year old girl to gain access to their servers.
I have rummaged through the leaked email, some of which contain resumes for employees there. These guys are recruiting people with incredibly advanced skills from many different agencies and top universities like MIT.
HBGary and its subsidiary, HBGary Federal, as well as Berinco and Palantir, employed a lot of extremely qualified people with backgrounds in the NSA and ATT and other major organizations/corporations. These guys are pros.
Aaron Barr may be a mockery to Anonymous for running his mouth off. As he should be. But he's not an idiot and he wasn't the one who gave out the company's keys to a 16 yo girl.
I wanted to make this clear because it is in the interests of government and propagandists, and anyone else who wants this story to go away to try and blow all this off as one little company who wrote a proposal no one even read and who isn't even competent enough to protect its own servers so no one should pay any attention at all to what they were up to.
That is the narrative being spun, even here on this site, and it is entirely fictitious.
We are under attack. And the attackers are damn good at what they do. Pretending they're not, or that this isn't happening isn't going to make it better.
I do believe there are limitation to the effectiveness of such an attack on this site and others like it. This isn't twitter, and bullshit only goes so far, no matter how many personas are spreading it.
But everyone needs to be aware that not only are sites like this a target of attack, but that Daily Kos has been mentioned specifically as a target of attack.
Maybe this whole thing will be liberating. Maybe people will develop stronger spines and not be so easily swayed by raving mobs.
UPDATE: From another email, I found a government solicitation for this "Persona Management Software".
This confirms that in fact, the US Gov. is attempting to use this kind of technology. But it appears from the solicitation it is contracted for use in foreign theaters like Afghanistan and Iraq. I can't imagine why this is posted on an open site. And whenthis was discovered by a couple of HBGary staffers, they weren't too happy about it either:
The first email just had the title, "WTF Dude?"
The response email said, "This is posted on open source. Are you fucking serious?"
Here's the link to the solicitation at website "FedBizOps.gov". Yes, that name doesn't sound like cronyism at all...
Link
Solicitation Number:
RTB220610
Notice Type:
Sources Sought
Synopsis:
Added: Jun 22, 2010 1:42 pm Modified: Jun 22, 2010 2:07 pmTrack Changes
0001- Online Persona Management Service. 50 User Licenses, 10 Personas per user.
Software will allow 10 personas per user, replete with background , history, supporting details, and cyber presences that are technically, culturally and geographacilly consistent. Individual applications will enable an operator to exercise a number of different online persons from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information.
0002- Secure Virtual Private Network (VPN). 1 each
VPN provides the ability for users to daily and automatically obtain randomly selected
IP addresses through which they can access the internet. The daily rotation of
the user s IP address prevents compromise during observation of likely or
targeted web sites or services, while hiding the existence of the operation. In
addition, may provide traffic mixing, blending the user s traffic with traffic from
multitudes of users from outside the organization. This traffic blending provides
excellent cover and powerful deniability. Anonymizer Enterprise Chameleon or equal
0003- Static IP Address Management. 50 each
Licence protects the identity of government agencies and enterprise
organizations. Enables organizations to manage their persistent online personas
by assigning static IP addresses to each persona. Individuals can perform
static impersonations, which allow them to look like the same person over time.
Also allows organizations that frequent same site/service often to easily switch IP
addresses to look like ordinary users as opposed to one organization. Anonymizer IP Mapper License or equal
0004- Virtual Private Servers, CONUS. 1 each
Provides CONUS or OCONUS points of presence locations that are setup for
each customer based on the geographic area of operations the customer is
operating within and which allow a customer?s online persona(s) to appear to
originate from. Ability to provide virtual private servers that are procured using
commercial hosting centers around the world and which are established
anonymously. Once procured, the geosite is incorporated into the network and
integrated within the customers environment and ready for use by the customer.
Unless specifically designated as shared, locations are dedicated for use by
each customer and never shared among other customers. Anonymizer Annual Dedicated CONUS Light Geosite or equal
0005- Virtual Private Servers, OCONUS. 8 Each
Provides CONUS or OCONUS points of presence locations that are setup for
each customer based on the geographic area of operations the customer is
operating within and which allow a customer?s online persona(s) to appear to
originate from. Ability to provide virtual private servers that are procured using
commercial hosting centers around the world and which are established
anonymously. Once procured, the geosite is incorporated into the network and
integrated within the customers environment and ready for use by the customer.
Unless specifically designated as shared, locations are dedicated for use by
each customer and never shared among other customers. Anonymizer Annual Dedicated OCONUS Light Geosite or equal
0006- Remote Access Secure Virtual Private Network. 1 each
Secure Operating Environment provides a reliable and protected computing
environment from which to stage and conduct operations. Every session uses a
clean Virtual Machine (VM) image. The solution is accessed through sets of
Virtual Private Network (VPN) devices located at each Customer facility. The
fully-managed VDI (Virtual Desktop Infrastructure) is an environment that allows
users remote access from their desktop into a VM. Upon session termination,
the VM is deleted and any virus, worm, or malicious software that the user inadvertently downloaded is destroyed. Anonymizer Virtual Desktop Infrastructure (VDI) Solution or equal.
Contracting Office Address:
2606 Brown Pelican Ave.
MacDill AFB, Florida 33621-5000
United States
Place of Performance:
Performance will be at MacDIll AFB, Kabul, Afghanistan and Baghdad, Iraq.
MacDill AFB , Florida 33679
United States