
WMR: February 21, 2011 -- Beware the government's avatars, especially fear your own

The Department of Homeland Security is conducting massive spying on Internet users through a program called "Avatar Identity." The existence of the program was disclosed to WMR by a source who stated that the development of avatars for every user of the Internet had its beginnings with the U.S. Air Force and the Advanced Research Projects Agency (ARPA) at the outset of the fielding of World Wide Web (WWW) technology in the early 1990s.

At the core of Homeland Security's Avatar Identity Program is its reliance on genetic algorithms originally developed for stock-market analysis, where they were used to derive optimal investment strategies. The program was developed under the aegis of the Homeland Security Advanced Research Projects Agency (HSARPA), which inherited many invasive Internet surveillance programs from its Pentagon cousin, the Defense Advanced Research Projects Agency (DARPA), after Congress defunded DARPA's programs of that kind, including the proposed Total Information Awareness program.

The Avatar Identity Program appears to coincide with another Air Force project, a solicitation for "persona management software" to create virtual users on the Internet in order to conduct perception management campaigns: inundating chat rooms, letters to the editor and online polls to sway public opinion on key issues.

It was also recently revealed that the computer security firm HB Gary Federal worked on a program to create and manage "sock puppet" Internet users who would infiltrate websites to create confusion and propagate disinformation. The program was to be used to attack WikiLeaks and apparently was linked to the US Chamber of Commerce, the Bank of America, the bank's chief law firm Hunton & Williams, and two other technology firms that later withdrew from participation, Palantir Technologies and Berico Technologies. More ominous is the report that it was the Department of Justice that recommended HB Gary Federal, Palantir, and Berico (known as Team Themis, which would operate a Corporate Information Reconnaissance Cell [CIRC]) to the Chamber, the Bank of America, and Hunton & Williams for the sock puppet management operation. The program matches recommendations from White House Office of Information and Regulatory Affairs chief Dr. Cass Sunstein, who has referred to such operations as "cognitive infiltration."

Homeland Security's Avatar Identity program, by contrast, involves the creation of an avatar for every Internet user. The avatar pulls information from the actual user's Google searches, Twitter messages, Facebook postings, online commerce activities and other web interactions, and these transactions are fed to the avatar program. Intelligence analysts then query the avatar for details of the user's activities.

Your Internet avatar is watching you and snitching on you.

WMR was informed that the Avatar Identity Program was first developed to cover every known terrorist in the world. It has since expanded to include every Internet user, and it is being aggressively used to identify and track down members of the hacktivist group "Anonymous," which has attacked the computer systems of HB Gary Federal, Bank of America and other firms seen as waging a war against Internet freedom.

As an example of its practical use, the Avatar Identity Program records all online letters to President Obama sent via the White House web site, as well as any Internet searches for Obama.

Our source explained the avatar program by saying, "Every Internet user has a life on the Internet," adding, "but with the avatar, every user has a second life on the web." In the case of the avatar, every Internet user has a virtual "snitch" that reports their every action and movement on the web to the government.

======= The solicitation for the Air Force's Persona Management program:

Solicitation Number: RTB220610
Notice Type: Sources Sought
Synopsis: Added: Jun 22, 2010 1:42 pm. Modified: Jun 22, 2010 2:07 pm.

0001- Online Persona Management Service. 50 User Licenses, 10 Personas per user.

Software will allow 10 personas per user, replete with background, history, supporting details, and cyber presences that are technically, culturally and geographically consistent. Individual applications will enable an operator to exercise a number of different online personas from the same workstation and without fear of being discovered by sophisticated adversaries. Personas must be able to appear to originate in nearly any part of the world and can interact through conventional online services and social media platforms. The service includes a user friendly application environment to maximize the user's situational awareness by displaying real-time local information.

0002- Secure Virtual Private Network (VPN). 1 each

VPN provides the ability for users to daily and automatically obtain randomly selected IP addresses through which they can access the internet. The daily rotation of the user's IP address prevents compromise during observation of likely or targeted web sites or services, while hiding the existence of the operation. In addition, may provide traffic mixing, blending the user's traffic with traffic from multitudes of users from outside the organization. This traffic blending provides excellent cover and powerful deniability. Anonymizer Enterprise Chameleon or equal.

0003- Static IP Address Management. 50 each

License protects the identity of government agencies and enterprise organizations. Enables organizations to manage their persistent online personas by assigning static IP addresses to each persona. Individuals can perform static impersonations, which allow them to look like the same person over time. Also allows organizations that frequent the same site/service often to easily switch IP addresses to look like ordinary users as opposed to one organization. Anonymizer IP Mapper License or equal.

0004- Virtual Private Servers, CONUS. 1 each

Provides CONUS or OCONUS points of presence locations that are set up for each customer based on the geographic area of operations the customer is operating within and which allow a customer's online persona(s) to appear to originate from. Ability to provide virtual private servers that are procured using commercial hosting centers around the world and which are established anonymously. Once procured, the geosite is incorporated into the network and integrated within the customer's environment and ready for use by the customer. Unless specifically designated as shared, locations are dedicated for use by each customer and never shared among other customers. Anonymizer Annual Dedicated CONUS Light Geosite or equal.

0005- Virtual Private Servers, OCONUS. 8 each

Provides CONUS or OCONUS points of presence locations that are set up for each customer based on the geographic area of operations the customer is operating within and which allow a customer's online persona(s) to appear to originate from. Ability to provide virtual private servers that are procured using commercial hosting centers around the world and which are established anonymously. Once procured, the geosite is incorporated into the network and integrated within the customer's environment and ready for use by the customer. Unless specifically designated as shared, locations are dedicated for use by each customer and never shared among other customers. Anonymizer Annual Dedicated OCONUS Light Geosite or equal.

0006- Remote Access Secure Virtual Private Network. 1 each

Secure Operating Environment provides a reliable and protected computing environment from which to stage and conduct operations. Every session uses a clean Virtual Machine (VM) image. The solution is accessed through sets of Virtual Private Network (VPN) devices located at each customer facility. The fully-managed VDI (Virtual Desktop Infrastructure) is an environment that allows users remote access from their desktop into a VM. Upon session termination, the VM is deleted and any virus, worm, or malicious software that the user inadvertently downloaded is destroyed. Anonymizer Virtual Desktop Infrastructure (VDI) Solution or equal.

Contracting Office Address: 2606 Brown Pelican Ave., MacDill AFB, Florida 33621-5000, United States
Place of Performance: Performance will be at MacDill AFB, Kabul, Afghanistan and Baghdad, Iraq. MacDill AFB, Florida 33679, United States
Primary Point of Contact: Russell Beasley, Contracting Officer, russell.beasley-02@macdill.af.mil, Phone: (813) 828-4729, Fax: (813) 828-5111


Deep Packet Inspection, Wikipedia

Deep packet inspection (DPI) is the act of any packet-network equipment that is not an endpoint of a communication using non-header content (typically the actual payload) for some purpose. It is performed as the packet passes an inspection point, which searches for protocol non-compliance, viruses, spam, intrusions or predefined criteria to decide what action to take on the packet, including collecting statistical information. An IP packet carries several headers; network equipment only needs the first of these (the IP header) for normal operation, and using the second header (TCP, UDP etc.) is normally considered shallow packet inspection (usually called stateful packet inspection) despite the definition above.[1] Deep packet inspection (and filtering) enables advanced network management, user service and security functions, as well as Internet data mining, eavesdropping and censorship. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality fear that it can be used anticompetitively or to reduce the openness of the Internet.[2] DPI is currently used by enterprises, service providers and governments in a wide range of applications.[3]

Background

DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall.[4] This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot on their own catch events that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability to block such an attack. DPI is used to prevent attacks from viruses and worms at wire speed. More specifically, DPI can be effective against buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet. DPI-enabled devices can look at Layer 2 and beyond Layer 3 of the OSI model; in some cases DPI can be invoked to look through Layers 2-7 of the OSI model. This includes headers and data protocol structures as well as the actual payload of the message. DPI functionality is invoked when a device looks at, or takes other action based on, information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can use encryption and obfuscation techniques to evade DPI in many cases. A classified packet can be redirected, marked/tagged (see quality of service), blocked, rate limited, and of course reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than doing packet-by-packet analysis), allowing control actions based on accumulated flow information.
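The distinction the Background section draws, header-only classification versus classification on the data part of the packet, is easiest to see on concrete packets. The following Python is an added example written for this page; it is not code from the Wikipedia article or from any DPI product. It parses raw IPv4/TCP packets, classifies each one by destination port (what a port-based stateful firewall sees) and again by a small payload-signature table (what a DPI engine sees), and reports where the two views disagree. The packets, the signature table, the port table and the TLS ClientHello builder are all constructed for the demonstration. It also shows the evasion caveat from the other side: an encrypted TLS payload defeats the content signatures, but the unencrypted server_name extension in the ClientHello still tells the inspector which host is being contacted, while a random or obfuscated payload on a well-known port matches nothing.

```python
"""Header-only ("shallow") vs payload ("deep") classification of raw IPv4/TCP
packets. Added example for this page; not code from Wikipedia or any DPI
product. Packets, signatures and the port table are constructed."""
import struct

# What a port-based stateful firewall assumes about a destination port (constructed).
WELL_KNOWN_PORTS = {25: "smtp", 80: "http", 443: "tls", 6881: "bittorrent"}

# Toy signature database keyed on the data part of the packet (constructed).
SIGNATURES = [
    ("http", lambda d: d.split(b" ")[0] in (b"GET", b"POST", b"HEAD") and b" HTTP/1." in d),
    ("bittorrent", lambda d: d.startswith(b"\x13BitTorrent protocol")),
    ("smtp", lambda d: d.startswith((b"EHLO ", b"HELO ", b"220 "))),
    ("tls", lambda d: len(d) >= 6 and d[0] == 0x16 and d[1] == 0x03),
]

def parse_ipv4_tcp(pkt):
    """Return (sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4                        # IP header length in bytes
    if len(pkt) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4              # TCP header length in bytes
    return sport, dport, pkt[ihl + data_off:]

def tls_sni(d):
    """server_name from a TLS ClientHello, or None (assumes one record per packet)."""
    try:
        if d[0] != 0x16 or d[5] != 0x01:             # handshake record, ClientHello
            return None
        i = 5 + 4 + 2 + 32                           # record hdr, hs hdr, version, random
        i += 1 + d[i]                                # session id
        i += 2 + struct.unpack("!H", d[i:i + 2])[0]  # cipher suites
        i += 1 + d[i]                                # compression methods
        end = i + 2 + struct.unpack("!H", d[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", d[i:i + 4])
            i += 4
            if etype == 0:   # server_name: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", d[i + 3:i + 5])[0]
                return d[i + 5:i + 5 + nlen].decode("ascii")
            i += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def inspect(pkt):
    """Classify one packet both ways; report the SNI when the deep view says TLS."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return {"shallow": "not-tcp", "deep": "not-tcp", "sni": None}
    sport, dport, payload = parsed
    shallow = WELL_KNOWN_PORTS.get(dport, "unknown")
    deep = next((name for name, match in SIGNATURES if match(payload)), "unknown")
    return {"shallow": shallow, "deep": deep,
            "sni": tls_sni(payload) if deep == "tls" else None}

def build_packet(dport, payload, sport=40000):
    """Constructed IPv4/TCP packet; checksums left zero since the classifier ignores them."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([93, 184, 216, 34]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def build_client_hello(host):
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed)."""
    names = b"\x00" + struct.pack("!H", len(host)) + host
    ext = struct.pack("!HH", 0, len(names) + 2) + struct.pack("!H", len(names)) + names
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLES = {  # constructed traffic; each case shows where the two views disagree
    "http_on_8080": build_packet(8080, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "torrent_on_443": build_packet(443, b"\x13BitTorrent protocol" + bytes(48)),
    "tls_to_example": build_packet(443, build_client_hello(b"example.com")),
    "obfuscated_on_6881": build_packet(6881, bytes(range(256))),  # looks like ciphertext
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} {inspect(pkt)}")
```

The port-only view calls the BitTorrent handshake on 443 "tls" and the HTTP request on 8080 "unknown"; the signature view gets both right but has nothing to say about the obfuscated payload, which is exactly the gap that the obfuscated-protocol engines mentioned under Software below try to close with statistical rather than byte-pattern matching.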

DPI at the enterprise

Until recently, security at the enterprise was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.[5] However, vulnerabilities exist at network layers that are not visible to a stateful firewall. Also, the increasing use of laptops in the enterprise makes it more difficult to prevent threats such as viruses, worms and spyware from penetrating the corporate network, as many users will connect the laptop to less-secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer, to help combat those threats. Deep packet inspection is able to detect a few kinds of buffer overflow attacks. DPI can be used by the enterprise for data leak prevention (DLP): when an e-mail user tries to send a protected file, he may be given information on how to get the proper clearance to send the file.[6]

DPI at network/Internet service providers

In addition to using DPI to secure their internal networks, Internet service providers also apply this technology on the public networks provided to customers. Common uses of DPI by ISPs are lawful intercept, policy definition and enforcement, targeted advertising, quality of service, offering tiered services, and copyright enforcement.

Lawful interception

Service providers are required by almost all governments worldwide to enable lawful intercept capabilities. Decades ago, in a legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connected to the government's surveillance equipment. This is not possible in contemporary digital networks. The acquisition component of this functionality can be provided in many ways, including DPI; DPI-enabled products that are "LI- or CALEA-compliant" can be used, when directed by a court order, to access a user's data stream.[7]

Policy definition and enforcement

Service providers obligated by the service level agreement with their customers to provide a certain level of service, and at the same time to enforce an acceptable use policy, may use DPI to implement policies that cover copyright infringement, illegal materials and unfair use of bandwidth. In some countries ISPs are required to perform filtering depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads".[8] Policies can be defined that allow or disallow connections to or from an IP address or certain protocols, or even heuristics that identify a certain application or behavior.

Targeted advertising

Because ISPs route all of their customers' traffic, they are able to monitor web-browsing habits in great detail, gaining information about their customers' interests that can be used by companies specializing in targeted advertising. At least 100,000 US customers are tracked this way, and as many as 10% of US customers have been tracked in this way. Technology providers include NebuAd, Front Porch and Phorm. US ISPs monitoring their customers include Knology[9] and Wide Open West, and probably also Embarq. In addition, the UK ISP British Telecom has admitted testing technology from Phorm without its customers' knowledge or consent.[10]

Quality of service

Applications such as peer-to-peer (P2P) traffic present increasing problems for broadband service providers. P2P traffic is typically generated by file-sharing applications; the files can be documents, music and videos. Because media files are often large, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers, who use applications such as e-mail or web browsing that need less bandwidth.[11] Poor network performance increases customer dissatisfaction and leads to a decline in service revenues. DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call, which requires low latency, than to web browsing, which does not.[12] This is the approach service providers use to dynamically allocate bandwidth according to the traffic passing through their networks. Other vendors claim that DPI is ineffective against P2P and that other methods of bandwidth management are more effective.

Tiered services

Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "walled garden" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services.[13] By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor the offering to the individual subscriber and increase average revenue per user (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.

Copyright enforcement

ISPs are sometimes requested by copyright owners, or required by courts or official policy, to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent.[14] Instead of prosecuting file sharers one at a time,[15] the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI, Sony BMG, Universal Music and Warner Music have begun suing ISPs like Eircom for not doing enough to protect their copyrights.[16] The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their networks, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA), which enforces movie copyrights, has on the other hand taken the position with the Federal Communications Commission (FCC) that network neutrality could hurt anti-piracy technology such as deep packet inspection and other forms of filtering.[17]

Statistics

DPI allows ISPs to gather statistical information about usage patterns by user group. For instance, it might be of interest whether users with a 2 Mbit connection use the network differently from users with a 5 Mbit connection. Access to trend data also helps network planning.
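Policy definition, quality of service and tiered services all reduce to the same step once the DPI engine has classified a packet: look up the subscriber's plan, map the traffic class to an action, and enforce it. The following Python is an added example for this page, not code from Wikipedia or from any operator's equipment. It implements that lookup with one token bucket per subscriber and traffic class, so a "limit" rule becomes a sustained rate plus a burst allowance, while "mark" sets a DiffServ code point for the low-latency VoIP case the section describes and "block" implements a walled garden. The tier definitions, subscriber list and packet trace are constructed.

```python
"""Policy enforcement after classification: a subscriber's tier maps each traffic
class to allow / block / mark / rate-limit, enforced with one token bucket per
(subscriber, class). Added example for this page; not code from Wikipedia or from
any operator's equipment. Tiers, subscribers and the packet trace are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str          # "allow", "block", "mark" or "limit"
    kbps: int = 0        # sustained rate for "limit"
    burst: int = 0       # bucket depth in bytes for "limit"
    dscp: int = 0        # DiffServ code point for "mark"

# Constructed plans; "*" is the default class. "garden" is a walled garden (web only),
# "basic" throttles peer-to-peer, "premium" is all-you-can-eat.
TIERS = {
    "garden":  {"http": Rule("allow"), "*": Rule("block")},
    "basic":   {"voip": Rule("mark", dscp=46),
                "p2p":  Rule("limit", kbps=256, burst=4000), "*": Rule("allow")},
    "premium": {"voip": Rule("mark", dscp=46), "*": Rule("allow")},
}

class TokenBucket:
    """Classic token bucket: refills at `rate` bytes/s up to `burst` bytes."""
    def __init__(self, kbps, burst, now=0.0):
        self.rate = kbps * 1000 / 8
        self.burst = burst
        self.tokens = burst
        self.last = now

    def take(self, now, nbytes):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False

class PolicyEngine:
    def __init__(self, tiers, subscribers):
        self.tiers = tiers              # tier name -> {class: Rule}
        self.subscribers = subscribers  # subscriber id -> tier name
        self.buckets = {}               # (subscriber, class) -> TokenBucket

    def decide(self, subscriber, traffic_class, nbytes, now):
        """Return the forwarding action for one already-classified packet."""
        rules = self.tiers[self.subscribers[subscriber]]
        rule = rules.get(traffic_class, rules["*"])
        if rule.action == "limit":
            key = (subscriber, traffic_class)
            bucket = self.buckets.setdefault(key, TokenBucket(rule.kbps, rule.burst, now))
            return "forward" if bucket.take(now, nbytes) else "drop"
        if rule.action == "mark":
            return f"forward dscp={rule.dscp}"
        return "forward" if rule.action == "allow" else "drop"

SUBSCRIBERS = {"alice": "basic", "bob": "premium", "carol": "garden"}

# Constructed trace: (subscriber, class from the classifier, bytes, time in seconds).
# Alice's 1500-byte P2P packets every 10 ms are 1.2 Mbit/s against a 256 kbit/s cap,
# so the 4000-byte burst is exhausted after three packets.
TRACE = [
    ("alice", "p2p", 1500, 0.00), ("alice", "p2p", 1500, 0.01),
    ("alice", "p2p", 1500, 0.02), ("alice", "p2p", 1500, 0.03),
    ("alice", "p2p", 1500, 0.04),
    ("alice", "voip", 200, 0.04),
    ("bob", "p2p", 1500, 0.04),
    ("carol", "http", 600, 0.05), ("carol", "p2p", 1500, 0.05),
]

def run_trace(trace=TRACE):
    """Run the trace through a fresh engine and return one verdict per packet."""
    engine = PolicyEngine(TIERS, SUBSCRIBERS)
    return [engine.decide(*pkt) for pkt in trace]

if __name__ == "__main__":
    for pkt, verdict in zip(TRACE, run_trace()):
        print(pkt, "->", verdict)
```

The engine only ever sees the class label; everything that makes the decision fair or unfair to the subscriber happens in the classifier that feeds it, which is why the accuracy questions raised under Quality of service matter more than the bucket arithmetic.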

Deep Packet Inspection by governments

See also: network surveillance and censorship

In addition to using DPI for the security of their own networks, governments in North America, Europe and Asia use DPI for various purposes such as surveillance and censorship; many of these programs are classified.[18]

United States

FCC adopts Internet CALEA requirements. The FCC, pursuant to its mandate from the US Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet access providers to meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.

Main article: NSA warrantless surveillance controversy

The National Security Agency (NSA), with cooperation from AT&T, has used deep packet inspection technology to make Internet traffic surveillance, sorting and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) phone call.[19] Traffic associated with AT&T's Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T's switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to Marcus's affidavit, the diverted traffic "represented all, or substantially all, of AT&T's peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources comprised primarily of domestic data."[20] Narus's Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers, uses DPI technology to sort through IP traffic at 10 Gbit/s and pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, phone number.[21] President George W. Bush and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.[22] The Defense Information Systems Agency has developed a sensor platform that uses deep packet inspection.[23]

China

Main article: Internet censorship in the People's Republic of China

The Chinese government uses deep packet inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent.[24] Chinese network ISPs use DPI to see whether any sensitive keyword is going through their network; if so, the connection is cut. People within China often find themselves blocked while accessing web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose the ruling Communist party, or a variety of anti-Communist movements,[25] because those terms have already been flagged as DPI-sensitive keywords. China also blocks VoIP traffic in and out of the country. Voice traffic in Skype is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites like YouTube.com, and various photography and blogging sites.[26]

Iran

Main article: Internet censorship in Iran

The Iranian government purchased a system, reportedly for deep packet inspection, in 2008 from Nokia Siemens Networks (NSN), a joint venture of Siemens AG, the German conglomerate, and Nokia Corp., the Finnish cellphone company, according to a report in the Wall Street Journal in June 2009, quoting NSN spokesperson Ben Roome. According to unnamed experts cited in the article, the system "enables authorities to not only block communication but to monitor it to gather information about individuals, as well as alter it for disinformation purposes." The system was purchased by the Telecommunication Infrastructure Co., part of the Iranian government's telecom monopoly. According to the Journal, NSN "provided equipment to Iran last year under the internationally recognized concept of 'lawful intercept,' said Mr. Roome. That relates to intercepting data for the purposes of combating terrorism, child pornography, drug trafficking and other criminal activities carried out online, a capability that most if not all telecom companies have, he said.... The monitoring center that Nokia Siemens Networks sold to Iran was described in a company brochure as allowing 'the monitoring and interception of all types of voice and data communication on all networks.' The joint venture exited the business that included the monitoring equipment, what it called 'intelligence solutions,' at the end of March, by selling it to Perusa Partners Fund 1 LP, a Munich-based investment firm, Mr. Roome said. He said the company determined it was no longer part of its core business." The NSN system followed on purchases by Iran from Secure Computing Corp. earlier in the decade.[27] Questions have been raised about the reliability of the Journal report by David Isenberg, an independent Washington, D.C.-based analyst and Cato Institute adjunct scholar, who says specifically that Mr. Roome denies the quotes attributed to him and that he, Isenberg, had similar complaints about one of the same Journal reporters in an earlier story.[28] NSN has issued the following denial: NSN "has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran."[29] A concurrent article in The New York Times said the NSN sale had been covered in a "spate of news reports in April [2009], including The Washington Times," and reviewed censorship of the Internet and other media in the country, but did not mention DPI.[30]
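The China section above describes keyword matching on traffic with the connection cut when a term hits. The following Python is an added example for this page, not code from Wikipedia or from any national filtering system, and shows why such matching has to be done per flow rather than per packet: a term split across two TCP segments, or delivered out of order, is invisible to a stateless per-packet check but is found once the segments are reassembled in sequence order. The keyword list (taken from terms the section itself names), the flow tuple, the initial sequence number and the HTTP request segments are constructed; the reset_for() helper is hypothetical and only computes the fields a forged RST toward the server would need, it does not transmit anything.

```python
"""Keyword matching per packet versus per reassembled TCP flow, and the
connection-reset decision. Added example for this page; not code from Wikipedia
or from any filtering system. Keywords, flow and segments are constructed."""
from collections import defaultdict

# Hypothetical "sensitive" keyword list (constructed from terms the page names).
KEYWORDS = [b"falun", b"tiananmen"]

def match_packet(payload, keywords=KEYWORDS):
    """Stateless check, as a packet-by-packet inspector would do it."""
    low = payload.lower()
    return [k for k in keywords if k in low]

class FlowInspector:
    """Reorders the TCP segments of one flow by sequence number and matches the
    keyword list against the contiguous byte stream, so a term split across segments
    or arriving out of order is still found. Real devices bound the buffer; this one
    keeps the whole stream for clarity."""

    def __init__(self, keywords=KEYWORDS):
        self.keywords = keywords
        self.pending = defaultdict(dict)   # flow -> {seq: payload} waiting for a gap to close
        self.next_seq = {}                 # flow -> next sequence number expected
        self.stream = defaultdict(bytes)   # flow -> in-order bytes seen so far

    def open(self, flow, first_seq):
        """Record where the data stream starts (ISN+1 from the handshake in practice).
        A device that misses the handshake cannot anchor the stream, which is one
        reason such filters are evadable."""
        self.next_seq[flow] = first_seq

    def feed(self, flow, seq, payload):
        """Add one segment; return the keywords matched in this flow so far."""
        self.pending[flow][seq] = payload
        while self.next_seq[flow] in self.pending[flow]:      # drain in order
            seg = self.pending[flow].pop(self.next_seq[flow])
            self.stream[flow] += seg
            self.next_seq[flow] += len(seg)
        low = self.stream[flow].lower()
        return [k for k in self.keywords if k in low]

    def reset_for(self, flow):
        """Fields of the forged RST a filter would send toward the server to cut the
        connection (hypothetical helper: it computes, it does not transmit). The
        sequence number must be the one the server expects next or it is ignored."""
        src, dst, sport, dport = flow
        return {"src": src, "dst": dst, "sport": sport, "dport": dport,
                "flags": "RST", "seq": self.next_seq[flow]}

FLOW = ("10.0.0.5", "203.0.113.9", 51000, 80)   # constructed client -> server tuple
FIRST_SEQ = 1000                                 # constructed ISN+1 for the client side
SEGMENTS = [                                     # constructed HTTP request; the keyword
    (1000, b"GET /search?q=fa"),                 # straddles the two segments
    (1016, b"lun HTTP/1.1\r\nHost: example.net\r\n\r\n"),
]

def per_packet_verdict(segments):
    """Union of per-segment matches: empty here, the split term is never seen whole."""
    hits = []
    for _seq, payload in segments:
        hits += match_packet(payload)
    return hits

def per_flow_verdict(flow, segments, first_seq=FIRST_SEQ):
    """Feed segments in the given order; return (matches, reset fields or None)."""
    insp = FlowInspector()
    insp.open(flow, first_seq)
    hits = []
    for seq, payload in segments:
        hits = insp.feed(flow, seq, payload)
    return hits, (insp.reset_for(flow) if hits else None)

if __name__ == "__main__":
    print("per packet  :", per_packet_verdict(SEGMENTS))
    print("per flow    :", per_flow_verdict(FLOW, SEGMENTS))
    print("out of order:", per_flow_verdict(FLOW, list(reversed(SEGMENTS))))
```

Splitting a request so that a sensitive term straddles a segment boundary is the oldest evasion against keyword filters, and the flow-based version only defeats it as long as the inspector holds enough of the stream; the trade-off between that buffer and wire-speed operation is what separates the per-flow devices the Background section mentions from packet-by-packet ones.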

DPI and net neutrality

See also: network neutrality

People and organizations concerned about privacy or network neutrality find inspection of the content layers of the Internet protocol to be offensive,[7] saying for example, "the 'Net was built on open access and non-discrimination of packets!"[31] Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network services.[32]

Software

OpenDPI[33] is the open-source version, covering non-obfuscated protocols; PACE also covers obfuscated or encrypted protocols such as Skype and encrypted BitTorrent.[34] The open-source community offers a wide array of options for performing deep packet inspection functions; a comprehensive list is maintained by the dPacket.org community.[35]

See also

Common carrier
Deep packet capture
Firewall
Foreign Intelligence Surveillance Act
Golden Shield
Intrusion prevention/detection systems
Network neutrality
NSA warrantless surveillance controversy
Stateful firewall
ECHELON