Tuesday, August 21, 2012

Once Upon A Time….

Once upon a time, not too long ago, at Defcon, a guy no one really heard of stepped up and claimed he was starting a new group and needed volunteers and money.

This was Chet Uber, and after some time, and some posts, we all thought this little group with the misspelled logo (viglio is not vigilant wink wink nudge nudge) would implode, but it seems that they just fell off the radar instead.

I had previously written about the whole debacle in the making a bit ago and gave it no more thought, that is until today when someone passed me the article linked above. It seems that they have been slinking around doing... “something” and gaining alleged members like Vint Cerf? Really Vint? You’re gonna hang your hat with Uber?

*blink blink*

Wow, stellar… Ok, so, back to the show here. This article out today seems like a bit of a play for money to me. After all, there’s the “We’re secret and we do secret attribution things but, we are running in the red...” *pulls pockets out and shows the lint*.

So, why allow an article to be written by a second rate blog cum news source online? Allowing super secret access to all their super secret bits to do a tell nothing piece?

So, who do we have listed in the super secret organization according to what “could be told” by Chet and his crack team?

"The group’s membership involves people from a wide range of disciplines and backgrounds. The current leaders who are willing to be publicly identified (other than Uber) include Mark Rasch, (General Counsel, Director of Cybersecurity for CSC), A.J. Fardella, (Director of Intelligence and Analysis, Director of Black Diamond Data and a planning commissioner for the city of Pittsburg, California), and Michael Tomasiewicz (Deputy Director and second in command to Uber, Network Specialist with ConAgra Foods). Others include Adrian Lamo who is the Assistant Director for Adversary Characterization, Doug Jacobsen (Director of Science & Technology, Professor of Electronics at Iowa State University), and Jeff Bardin (Assistant Director, Intelligence and Analysis – Middle East Desk, Chief Intelligence Officer for Treadstone 71)."

Hmmm some names are familiar, and some have the patina of being legit.. Perhaps they are just idealists. All in all though, the same problems around this “organization” still apply. What are they really doing? Who are they reporting to if anyone? What support are they to LEO’s and why, if they have such luminaries in the biz, *snort* are they not in fact funded by the government in some way?

Also, if they are all doing this kind of work, what is the clearance level like here? Is the government in fact sharing data with these folks to bird dog things? I somehow find this unlikely.

Also, the bulk of the people listed are not really overly technical so where are all the real technicians here? There are just a plethora of questions that come to mind with this feeble article on examiner.com and frankly, they open a real can of worms I think for anyone really paying attention to what’s going on with regard to attribution and general buggery that’s been going on since Stuxnet appeared.

PSYOPS, Jester, Anon BS, it’s just been a festival of stupid out there and this just adds a fouler odor to the whole thing.  The worst part about it though is that the government may in fact be paying attention to these people and taking data from them as gospel.

*baleful stare*

Really USGOV?

So yeah, the government is not saying much here but we have Uber saying that they are doing all this work and passing all this data... I really don’t see the government responding here or talking about “Project Vigilant” do you? *Cough.. Anyone?*

So, once again, I ask you, if Viglio is not getting INTEL from the government and the military, then who might their targets be? Ya know, who’d be out in the open and available to the spooky eyeball in their cheesy logo? *squints*

Hmmm... say Anonymous? Or maybe anyone on the internet who might not share their opinion? See, this would be the optimum target for a group like this. A group of non condoned individuals not cleared for national security cases but wanting to help… Or am I just a paranoid old man? Oh shut up! I know I am!

Anyway, I certainly hope the US Government takes all this with a grain of salt, that is, if they are taking this at all. Since Viglio is not telling exactly what they do, it is highly likely that they are just trawling the IRC channels looking for unsuspecting n00bs to capture with their wiles and then write nifty reports on them and pass them to their local field office… Which in fact might just throw them in the circular file… If they were smart. Unfortunately though, I suspect that there are customers for their data and in that, the fear of what they could be up to wells inside me, as it should all of you.

Given The Known Known’s… Should We Even Worry?

Ok, now that we know they are out there and we pretty much can surmise that they are not working super secret cases for the NSA, just what are they up to? As I alluded to above, I personally think they are just trolling the internet looking for hacker n00bs to turn in as would be APT. But, that’s just me huh? What? Others think so too?

Yep, they do... On background I have talked to a couple of people in the know and they have the same opinions generally. Basically everyone feels that this is some sort of charlatan-esque effort on the part of a few who may in fact think they are doing the right thing.

Others may be more motivated by ego and perhaps money (if there is any to be had) but generally, the feeling is that this is a pile of bad mojo. One source that I talked to said this (paraphrasing here):

“Ok, so we have a small community here and no one we know has been tapped for this duty or been asked about it? No one we know actually works with them? The odds of that within the INFOSEC community are pretty that we would know several somebody’s who were actively working on it. The fact that we don’t bespeaks a problem with this organization.”

There seem to be a lot more questions about this group than there are answers and no matter how many names with brand recognition you throw out there (mind you many of them thrown out there now are once again, non technical people or charlatans) you are kinda left with a sense of feeling dirty for having thought about them.

I Hope Our National Security Doesn’t Depend On These Quacks…

*hangs head*

Once again I come to you with a rant and a peek under the incestuous blanket of INFOSEC and CYBERDOUCHERY. I am sorry for those of you with delicate dispositions, but the tales must be told for all our own good.

A group such as this, extra-legal as they seem to be and rather deliberately evasive using the rubric of “secrecy” as their cloak should set all of your spidey senses off. At best they are a group of people seeking to do good but in fact may be doing ill by carrying out poor OSINT. At worst, they are a group of people trying to boost their egos by thinking that they are secret squirrels and in the know.

Either way, I would hazard a bet that nothing good is coming of their machinations and anyone out there on IRC may find their names in files that they can FOIA request that came from tips by “Project Viglio”.

This is just out of hand… I suggest people look into their background and decide for themselves…


Cross-posted from Krypt3ia

Jackie Singh tl;dr

I quit reading at "Assistant Director for Adversary Characterization"
Krypt3ia JACKIEEEEE Where have you been hiding? Yeah, it was quite the ridiculous article huh? I had to force the bile down and give myself a frontal lobotomy with an icepick to finish it myself...
Jeffrey Carr Feeling better? :-D Good article. Here's an oldie but goodie that I wrote two years ago when Chet Uber first appeared at Defcon: "BBHC Global and Project Vigilant: Where's the Money?" http://www.forbes.com/sites/firewall/2010/08/06/bbhc-global-and-project-vigilant-wheres-the-money-2/
Krypt3ia @Jeff Yup, it was cathartic hehe.
Chet Uber This is a truly amazing article on the subject, considering it has no factual basis and relies on references to truly credible references. Filled with innuendo, self-interviews (versus external sources), failure to contact the primary sources for the story for comment, based on feelings about what is going on without factual basis, and just about all the other things one would expect to find from a blogger.
Please understand that ProjectVIGILANT’s primary guiding tenet is the Constitution of the United States. The entire project from the beginning to now was undertaken in hopes to make sure that this document and the rights it affords are around for generations to come. We specifically are proud to support the First Amendment and as per Chomsky “If we don't believe in freedom of expression for people we despise, we don't believe in it at all.”
Also it is nice to see that our counter-intelligence efforts at DEFCON 2010 were highly effective. Even you by admission seem to have been a subject to well in advanced planned human engineering. There was no "new" project. The only thing new was that the form of the entity had taken. Moving from a well documented start in 1996 that moved along over many years from user group, to club, to partnerships, and it was only to protect the increasing Intellectual Property that a corporate form was taken.
Did you actually think we recruit by trolling through irc or walking around DEFCON talking to people we don't know? Any recruiting was done through direct introductions from the conference principals and by those involved in the Meet the Fed panel. Previous attendance had taught me that I can indeed learn amazing things at DEFCON and local DC events, but you can't simply walk around and expect to know who you might be talking to.
FACT: I was there as an invited guest of Jeff Moss to both BlackHat and DEFCON that year. They covered the conference expenses and friends covered all my travel and incidentals (if you haven't seen another similarly outrageous blog that is how a person on disability got to and attended those two events).
As to the press conference there which is the sole source of 95% of anything ever written from 2010 to 2012, five points were highlighted and even direct answers were taken out of context and used in ways that took on every form from the bizarre to the outright belly-laughing funny (https://www.youtube.com/watch?v=AY2y_M8FHiU).
I do not think you follow me on Twitter but Attrition.org was the first group to actually take the time to ask good questions, and in response we will be releasing considerable amounts of easily validated information starting in two weeks and continuing as we move away from giving interviews and rely on using our own words.
In 2009 during a visit to check on my health a friend of the family a much maligned young man - Steven Ruhe - came to check on my health and asked what it would take to put the project back on track. I explained in great detail that it would at this point have to be formalized and things like a chain of succession would need to be implemented. The lawyer in the bunch, Mark Rasch, suggested we use the LLC format which was what SCORE at the SBA had also suggested.
Ruhe was and is just a nice middle of the road small town guy who had been a sales intern at a security firm I worked at. He was told and Steven's entire role was to motivate me to recover faster and to gather funding to "unfreeze" everything and start it back on course. But of course his life has been damaged because some idiot thought he was running the place. Not like a hardworking owner of a small sheet Rock Company can't do simple things like he did. Whatever did happen to the value of hard working people? Oh and yes he does supplement his income with Amway, although when I spoke to him last week he had decided to go to college and told me that it played only a small part in his life.
Steven had been a member of the group doing many of the odd jobs that do not require experts. Like any group you need gophers, people to handle phone calls, stuff envelopes, etc. All he wanted was to make sure 11 years of hard work didn't die if I did. The only stagnant period we have was November 2007 to July 2009.
We didn't shut down we just froze new projects. To be specific about how I became in charge at a period when I was either in a hospital bed or in my own bed is simple the person in charge went to work for the USG and this prevented them from participating. It was not until the LLC was legally formed that this responsibility which fell to me in 2008 became a reality.
For the record, my entire personal life that is relevant to the attacks trying for whatever reason to discredit PV will appear at chetuber.com and .org to give a truly factual account with a list of personnel references. This is being done to keep from answering each and every blogger who is maliciously trying to discredit me personally in hopes that this will weaken the belief that such an entity could exist.
Because people think that if you discredit me you discredit the organization. This would be wrong as starting when we formalized the group into a legal structure more than a users group, information sharing partnership, or other form which can be definitively dated back to meetings at the Omaha Byte & Bite Cybercafé and the Garden Café in August 1996. It was formed following regularly scheduled morning and lunch user groups meetings including Sun’s and many others. Initial funding was from our pockets. I was among the original group but I was in no way in charge. That did not happen until it literally was handed to me in 2008.
What will be seen is that the information (which by Screed and his friends was illegally obtained in violation of the FCRA and further used for purposes other than employment or credit and defamation, and yes in time those will be pursued) provided in that blog and the allusion that a disabled heart patient cannot in the modern age of virtual everything use open source and other tools like any other business to manage my managers. I don't have 500+ direct contacts I have around 11.
So where you just try to dismiss the entire concept, others are going to even more ludicrous places. Trying to explain all of this away to me being a con man. Everything he attributes to being confidence man are actually easily explained and if they bothered to look at what the liens and judgments were for it was self-evident. The closure of the corporation I was a partial owner and co-founder of required me to supply personal guarantees on leases and equipment. These are simply things that happen when a business closes/fails. But no he tried to use them to reflect on my fiduciary responsibility in any way.

The comment about running in the red assumes things not in evidence, but then so does your entire blog. It is difficult to have financing for purely scientific endeavors and we do not accept funding from anyone that is not a member of the group - outside of work performed under contract. So for years this was a self-funded project. But hey you never asked -- like with everything else you just simply guessed with motive to discredit.
Our long term goal has been clearly stated, and it is our conclusion at this time that the ARPA Attribution model (yes I worked on an ARPA BAA in Attribution as did many members of our team from 2003-4) that Attack Attribution can only be done with the full support of a nation state operating the system of systems needed. We currently do Applied Scientific Research (and have just recently started to realize that we have skill sets that can also be used to provide professional services – something that will move us out of the red).
The "secrecy we have" and why we continue to run counter-intelligence is for only two reasons. Protection of our staff's identities and the protection of our Intellectual Property.
80% of our staff are all full-time Academics or Practitioners with onerous employment contracts. This is why they are designated volunteers. They could not participate otherwise. Some of them have no issue as was demonstrated by people like Dr. Doug Jacobson our Director of Science & Technology. Oh maybe you failed to actually read the article to the end and missed the part about the second half that ran on the 23rd? The rest are either younger people doing work that someone has to do (folding letters, mailings, editing) or people that are retired and just want to continue to be a productive part of something bigger than them.
We did not reach out to the Examiner they reached out to us. The story was the culmination of five weeks of interviews with over 25 of our own staff and many people outside our organization. The writer you discredit actually has a 30 year IT background and has a nine-year syndicated TV series on Technology. We agreed to talk to him because he honors on and off the record and he confirmed all the sources - including Vint Cerf and every other person. No one named allegedly is associated. They are officially associated. Whether you believe it or not those are the facts. Simply go to our website and write the address there.
I look forward to your continuing sagas of fluff and conjecture. As I have openly told Attrition additional information for the sake of transparency will be added beginning in two weeks on our web sites.
I will confirm that the National Security of the United States does not rely on us, but we certainly on many occasions have provided information that has strengthened it, and our public safety. So all your conjecture that any kind of reliance of our national security relies on what we do is in your own mind. The article clearly states that is the GOAL!

Why don't you read the mission statement and consider that we have never stated that our mission was complete. We state clearly that we are still working on hypothesis, building models, and running simulations on some of the largest simulators available.
We do Scientific Research and we use major Universities and highly credible researchers to do that.
Our main focus is to help to organize the field of Attack Attribution. We made no claims about having achieved a comprehensive solution. No scientist would do that without proof.
As you spend a lot of time alluding to things related to the government. It is common practice for firms like ours to attend things like the annual DOD Cyber Crime Conference, where myself and our staff have numerous unclassified communications with the many officials there attempting to determine in a broad sense what they need to accomplish their mission. Other members of the staff are retired from careers (more than one from every single agency that is involved in this area of work) help to leverage their contacts. But given the only way to get these things into the US Government is through the BAA and other means that every firm like ours has at their disposal.
We are DUNS and CCR registered. We have a CAGE code for work with our government and the ORCA/FARS needed for our allies. Further we monitor and pursue FedBizOps for things in our rubric; and we use the methods given to indicate on what we will bid, we attend the meetings that are scheduled. So this makes us a budding, as we state in the article we have one subcontract and no it is not with the DOD, Federal contractor in the discipline we have chosen.
So I have one question for you. What was your goal other than the obvious one to try to discredit us?
Please continue your stellar blogging/non-journalism it gives us things to laugh about when we get stuck on hard problems.
It has been a pleasure to brain dump as I am extremely tired and could not do much productive work. I thought I would break one of my own rules and comment on something written by a blogger. I must say it was nice to get stuff off my chest.
Finally I will say this. If you or any of your readers actually ever want to understand what we are doing, you might try asking. You just might find like others who bother to ask that we are extremely reasonable people doing what we personally feel is right.
The above comments and opinions are those of Chet Uber and are not the official position of ProjectVIGILANT LLC. Official Statements are only released in writing on our website and can be validated as they possess industry standard digital signatures.

Finally it is like 0446 and I have been up since yesterday morning, I am sure there is something in here that is grammatically or typographically incorrect. Please excuse these.
Chet Uber Interesting that the spacing went away, but I wanted to be clear on one thing - in the article it says in plain ENGLISH that Vint Cerf is NOT A MEMBER. He happens to know a great deal about the project as he and I happen to have a long standing friendship. I have on occasion asked him about things releasing enough information for him to make an informed decision. I was surprised and delighted to see that he had something truly beneficial to contribute. The field of Attribution is a two-edged sword and we do have technologies to deal with both sides. A number of others in the interview are also in plain English not to be members.
Jeffrey Carr Chet, I'd like to hear you answer the questions that I raised in this article about BBHC Global in 2010; especially the one having to do with it being a Veteran-owned business and which owner, if not you, is a veteran? http://www.forbes.com/sites/firewall/2010/08/06/bbhc-global-and-project-vigilant-wheres-the-money-2/

Krypt3ia Ok Foghorn Leghorn... TLDR as well as useless drivel.
Lisa Simpson If I had to call it something, I'd call it industrial espionage - given the players involved.
Jackie Singh What a bizarre, frothy, foamy-at-the-mouth reaction from Mr. Uber.
Chet Uber Mr. Carr it has been the long standing policy of ProjectVIGILANT and all the predecessors to not comment on anything written by writers or bloggers. We would spend all our time doing so, and like here it accomplished nothing - you want to know about something from a company that has been closed for over a year.

Our current Public Relations Officer is on vacation. I acted as I did because I had so many members upset after we opened up to a reporter with both a long-running column and a nine-year running Technology TV series for several weeks (allowing unprecedented access to anyone he requested) that prior to the second part of the column running people were simply dismissing things. It is my understanding that Mr. Albertson as he did in 2010 checked all facts he was presented and contacted numerous people not in the project, but who knew about it and I saw several of them went on the record. All of them were highly credible well known individuals.

Given that the website address was given in the first article he wrote, and the splash page and Director's page provide email addresses available for questions and comments - and invited them the hard working volunteers were simply outraged at the continuing disbelief that we exist.

This afternoon I was told by the Board of Managing Members (11 members of which I am one) and at whose pleasure I serve stated that I should not have posted anything, and except inside the confines of what I was told I will not further compound this by continuing to engage people outside our own forums. I was specifically asked to return to this page and to provide a statement guiding people to the web site.

Mr. Carr, based on what you are asking please simply cut and paste your request and send it to historian@projectvigilant.us.

That will reach a dedicated staff of individuals whose job it is to provide current members with complete details of all events in the timeline. Non-members are given answers to the best of their ability, based on the guidelines for disclosure of things like individuals names.

Please understand that we have been talking to other disbelievers/detractors who are asking questions about the firm that exists and went to the site and contacted us or used the social media sites.

If you feel that your question is something that is related to the current operations of ProjectVIGILANT LLC simply send it to business@projectvigilant.us.

Please note, that different volunteers monitor business@, and if you sent a historical request to business@ they will just kick it back to you and give you the address I already provided.

(This same text or something similar will appear at the formal hard launch of the web site in mid September)

That address if you did not follow the link in the story is

There is little content there now, but the last time I looked they had completed the menu stock planned pages and placeholders.

I did contribute a Director's letter to the WebDev Team and it invites people to use the Social media and send in questions to the business@ address. Given that I see people want historical answers I will ask to have that address added to my letter.

Please understand that we are a CLOSED group. We do not feel the need to answer to anyone outside the regulatory bodies that govern us, which we do almost daily - Federal, State and Local.

I made an error in judgement in thinking that providing any additional input outside what has been authorized for the website that we might get more constructive feedback. I will admit that at 0400 I was indeed upset, tired and could have been more polite. There are literally hundreds of posts like this one from 2010 but given that neither I nor anyone has ever replied to a blog in the name of either firm understand I did so because I was angry as are our members.

Which I know you don't care about.

I will state that things like Lance Miller's reply and Krypt3ia's reply are exactly the reasons we do not engage people. They have nothing to contribute that would make our program better, and they may indeed be world class members of the INFOSEC or other related fields. I will not compound my error by upon returning and seeing the posts that are here in addition to the original one.

I will simply write them off as free speech to what was not a bizarre, but indeed "frothy" reply, to an indeed irrelevant original post.

Mr. Carr since we have never publicly stated we don't ever reply to anyone I encourage you to please send that to the address I provided.

We are required like all firms to follow the rules. We are not required to engage in defending or explaining ourselves, this is why the Board voted to have material related to Transparency and other issues placed in the public realm to the extent necessary hopefully to answer these kinds of questions.

I have no further comments, nor will I make any anywhere outside our site.
Michael Johnson Okay, so an intelligence setup with no premises, assets or turnover? One which practically nobody in the infosec community has even heard of(to my knowledge)? One which has no literature or research papers to its name? I call walt.
Krypt3ia Chet Uber Mr. Carr it has been the long standing policy of ProjectVIGILANT and all the predecessors to not comment on anything written by writers or bloggers.

Please follow your own alleged rules Foghorn.
Jackie Singh "I will state that things like Lance Miller's reply and Krypt3ia's reply are exactly the reasons we do not engage people. They have nothing to contribute that would make our program better, and they may indeed be world class members of the INFOSEC or other related fields."

Sounds like a world-class business. Good luck to you and your colleagues in all your endeavors.
Krypt3ia Jackie,
You're right.. Best path to take there. Chet, good luck with your.. Whatever it is.
Jeffrey Carr Chet, you acknowledged that your firm must follow the rules. One of the rules which you must follow is that you cannot file as a veteran-owned company if you are not a veteran. So please honor your own statement and reply with a simple yes or no. Are you a military veteran?
Jackie Singh Jeffrey, it appears that Mr. Uber added two other members (owners) to his LLC between last year and this one, per currently available data from the State of FL: http://sunbiz.org/scripts/cordet.exe?action=DETFIL&inq_doc_number=L11000118242&inq_came_from=NAMFWD&cor_web_names_seq_number=0000&names_name_ind=&names_cor_number=&names_name_seq=&names_name_ind=&names_comp_name=PROJECTVIGILANT&names_filing_type=

With that said, one of those other individuals may be 51% owner and a veteran which would give the business's claims some legitimacy. However, since ProjectVigilant LLC is not registered with vetbiz.gov, they still don't qualify for contracting set-asides, as their status has not been verified (unless they're doing business through another state, and the filing in FL is simply a false flag).

Have a great day.

Krypt3ia False flag you say... Interesting....
Jackie Singh Hm, I posted the wrong link. Here: http://sunbiz.org/corinam.html

Type in "PROJECTVIGILANT LLC", it's the first result.
Krypt3ia I'd like to see some financials...
