Unmasked - Ars Technica [28]

attacks known as “spear phishing.”

But concerns arose about obtaining and using social media data, in part because sites like Facebook restricted the “scraping” of its user data. An employee from the link analysis firm Palantir wrote Barr at the end of August, asking, “Is the idea that we’d want to ingest all of Facebook’s data, or just a targeted subset for a few users of interest?”

The more data that was grabbed from Facebook, the more chance a problem could arise. The Palantir employee noted that a researcher had used similar tools to violate Facebook’s acceptable use policy on data scraping, “resulting in a lawsuit when he crawled most of Facebook’s social graph to build some statistics. I’d be worried about doing the same. (I’d ask him for his Facebook data—he’s a fan of Palantir—but he’s already deleted it.)”

Still, the potential usefulness of sites like Facebook was just too powerful to ignore, acceptable use policy or not.

Feeling twitchy

While Barr fell increasingly in love with his social media sleuthing, Hoglund still liked researching his rootkits. In September, the two teamed up for a proposal to DARPA, the Defense Advanced Research Projects Agency that had been instrumental in creating the Internet back in the 1960s.

DARPA didn’t want incrementalism. It wanted breakthroughs (one of its most recent projects is the “100-Year Starship Study”), and the proposal Barr and Hoglund put together was aimed at the agency’s Cyber Insider Threat (CINDER) program. CINDER was an expensive effort to find new ways to watch employees with access to sensitive information and root out double agents or disgruntled workers who might leak classified information.

So Barr and Hoglund drafted a plan to create something like a lie detector, except that it would look for signs of “paranoia” instead.

“Like a lie detector detects physical changes in the body based on sensitivities to specific questions, we believe there are physical changes in the body that are represented in observable behavioral changes when committing actions someone knows is wrong,” said the proposal. “Our solution is to develop a paranoia-meter to measure these observables.”

The idea was to take an HBGary rootkit like 12 Monkeys and install it on user machines in such a way that users could not remove it and might not even be aware of its presence. The rootkit would log user keystrokes, of course, but it would also take “as many behavioral measurements as possible” in order to look for suspicious activity that might indicate wrongdoing.

What sort of measurements? The rootkit would monitor “keystrokes, mouse movements, and visual cues through the system camera. We believe that during particularly risky activities we will see more erratic mouse movements and keystrokes as well as physical observations such as surveying surroundings, shifting more frequently, etc.”

The rootkit would also keep an eye on what files were being accessed, what e-mails were being written, and what instant messages were being sent. If necessary, the software could record a video of the user’s computer screen activity and send all this information to a central monitoring office. There, software would try to pick out employees exhibiting signs of paranoia, who could then be scrutinized more closely.

Huge and obvious challenges presented themselves. As the proposal noted:

Detecting insider threat actions is highly challenging and will require a sophisticated monitoring, baselining, analysis, and alerting capability. Human actions and organizational operations are complex. You might think you can just look for people that are trying to gain access to information outside of their program area of expertise. Yet there are legitimate reasons for accessing this information. In many cases the activity you might call suspicious can also be legitimate. Some people are more or less inquisitive and will have different levels of activity in accessing information outside their specific organization. Some of the behaviors on systems vary widely depending on function. Software developer behavior will
