Meet Project Vigilant--the Wikileaks leak

Project Vigilant is the mysterious group whose members outed Wikileaks' alleged source and want to monitor Internet attacks to find out who's behind them.

Declan McCullagh
Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
6 min read

In the last week or so, descriptions of a secretive group called Project Vigilant have ranged between dubbing it a hoax and proclaiming it to be the next big threat to Internet privacy.

Neither is quite accurate.

Highlighting Project Vigilant's role in outing an alleged Wikileaks source, a Salon.com column warned that the organization's members have "extensive, sophisticated expertise in compiling highly invasive data about individuals' Internet activities." It's been labeled a "shadowy spy group" that's "building dossiers" for the feds.

To security maven Richard Bejtlich, however, Project Vigilant is nothing but a mere "publicity stunt."

caption: Chet Uber, founder of Project Vigilant
Chet Uber, one of the principals of the controversial Project Vigilant. Courtesy Chet Uber

The facts paint a bit different and perhaps less intriguing portrait. The project is probably best described as a grand, if somewhat clandestine, idea for how to identify and fingerprint computer-based attacks by enlisting the help of Internet service providers. At the moment, Project Vigilant has scant funding and no paid staff.

The man behind Project Vigilant is Chet Uber, 47, who recently spoke with CNET at length about his plans for the organization. Uber is a longtime computer security specialist. I met him around a decade ago when I spoke at an event he organized in Omaha, Neb. I last remember corresponding with him sometime in 2006.

Uber has moved back to Omaha from Fort Pierce, Fla., and severe medical problems have put him on disability that he says brings in under $800 a month. He's living a spartan existence; after losing his razor, he said he couldn't afford to buy a new one for a while. "Today I finally got my disability check and I can finally shave," he said.

Project Vigilant, too, is run on a shoestring budget. Uber says it brings in and spends about $40,000 a year, not counting noncash donations of server space or forensics software.

"We don't need money," Uber said. "Everyone's a volunteer. We don't spend money on stuff...The amount of research we've done on no money is amazing."

Mark Rasch, a former Justice Department computer crime prosecutor who has given Uber legal advice at no cost and is listed as the group's general counsel, sums up Project Vigilant more succinctly: "A lot of it is aspirational."

Early last week, Uber showed up at the Defcon hacker conference in Las Vegas to announce Project Vigilant's existence. "Defcon was to recruit because in my mind Defcon is a national treasure," he said. "We got about 50 people that want to join."

He also got a lot more negative media attention than he had hoped. A 15-minute press conference in a room at the Riviera Hotel and Casino stretched into an hour an a half, with one reporter chasing him all the way to the security line at the airport.

Uber says that the journalists misunderstood his idea of attributing electronic attacks and "what we were trying to say we were about was turned into 'spying on Americans.'"

A Forbes.com blog post soon appeared with the headline: "Stealthy Government Contractor Monitors U.S. Internet Providers." Another report quoted Uber as bragging that he can quickly reach the "highest level people in the government." Orin Kerr, a law professor at George Washington University, wondered whether Project Vigilant is "violating the law" against wiretapping.

If the assembled members of the technology press interpreted Uber's remarks to mean he was taking a page from the National Security Agency's warrantless wiretapping manual, he may have only himself to blame.

Uber has a habit of making pronouncements that manage to be both grand and incomprehensible. Two months ago, he sent me an e-mail about Project Vigilant that said, in part: "We do not look at attribution ever as a 100 percent solution. We do see offering a high level of confidence determined by showing correlation that are consistent with perceived events in this time-space model--causality is a bitch--and then based on how that correlation was done and our view of the reliability of the sources and methods used we have a confidence interval."

In conversations over the last week, Uber dropped phrases like "we have dozens and dozens of things that are ready to go to patent pending," "we're running hundreds and hundreds of different experiments," "we've developed steganography and compression algorithms and the use of noise," and "we have the capability to monitor up to 250 million IP addresses per day."

Following the money
But verifying these claims is a different matter. Filing for a patent costs something like $10,000 for software, for instance, and up to $100,000 for worldwide rights.

How can an organization with little to no income afford this? Uber said that one of the patents "statistically is an anti-attribution bootable CD" that will "only be supplied to the police, and it will be sold for an amazingly small amount of money."

He didn't answer how an organization led by a fellow who rents a room in a five-bedroom house after being homeless for a while (Uber moved back to Omaha because "I knew I could go from couch to couch to couch") and uses a friendly lawyer's office as a mailing address could pay hundreds of thousands of dollars in patent filing fees.

Uber also didn't say how Project Vigilant possesses the "capability" to monitor nearly the entire Internet population of the United States. He did stress that "we don't use it without a court order--it's against the law," and said the monitoring devices are in place at two large Internet service providers and a few more with fewer than 5,000 subscribers. "We found ISPs whose EULAs would let us do that. It's no different than if they bought a box from Symantec or McAfee or some other service provider."

If this were the extent of Project Vigilant, far fewer people would be interested. But it became an instant point of intrigue in Internet legal circles after it was involved in turning in alleged Wikileaks source Bradley Manning. The Army intelligence specialist has been charged with leaking classified files, including a controversial video posted by Wikileaks showing troops firing on Reuters journalists.

Convicted hacker Adrian Lamo, in whom Manning had confided, reported him to the authorities. Lamo said he became Project Vigilant's associate director for adversary characterization about half a year ago. He refused to comment on the group or its activities for this article, repeatedly saying "I'm not authorized to comment on internal operational matters."

Rasch, the former Justice Department prosecutor now in private practice, says that Uber has a slew of contacts in and out of governments and elsewhere in the cybersecurity community. But in terms of working with Internet providers to monitor traffic, Rasch acknowledges, "I don't know if he's done this or it's something he's looking to do."

To him, Project Vigilant is perfectly legal. People have warned, he said, that "this is Big Brother, blah, blah, blah." But, says Rasch, that criticism is based on the assumption that the information coming from the ISPs is raw data instead of: "'We've found people attacking from Kuala Lumpur. Here's the attack pattern.' There's a huge difference between that and reading e-mails or deep packet inspection."

Uber remains optimistic about the future of Project Vigilant and its ability to work closely with the Department of Homeland Security, even though his medical problems remain serious. "I literally take 23 medications a day," Uber says. "My heart's almost gone. I have diabetes. I have asthma. I [had] quadruple-bypass open heart surgery."

Even though he wouldn't disclose the identities of any Internet providers that are participating, he did stress that any monitoring is limited: "The only thing we report is threats to national safety."