April 18, 2008
It Doesn’t Take an Einstein…

…to figure this Bush program out. So the Headless Nail has done it for you:


The Bush administration is quietly but firmly trying to set in place the capability to monitor, intercept, and analyze all visits to federal government web sites. It's called the Einstein program, which no doubt has the old civil libertarian and FBI target spinning in his grave.

Once such a system is pounded into place, it becomes, like me, a headless nail in the bureaucratic machinery. Both of us are almost impossible to pull out. So here's what you have to look forward to:

If you visit any government web site, the government could monitor your visit, know all of the pages you have seen, and capture and analyze any information you send or receive — all in real time. It would be like having your very own Big Brother, looking over your shoulder at your very own screen.

And taking notes as you surf.

This program, known as “Trusted Internet Connection” would require that all federal agencies access the web through portals approved and controlled by the Department of Homeland Security.

At each portal, DHS would install an “intrusion detection system” — Einstein. Details about Einstein are sketchy, but it will capture at least all traffic flow, source and destination IP information, and data sent or received.

In all probability this electronic gatekeeper would allow Homeland Security to spy on government employees too, which will be handy for tracking down whistleblowers.

The ostensible reason for the program is, of course, protecting us against terrorist hackers. DHS officials won’t say much about how they will use this capability, so you’ll just have to trust them when they say that the “program is not intended to collect information that will be retrieved by name.” [italics added]

But then neither did the DHS intend to force airline passengers to remove nipple rings with pliers. Nevertheless that is exactly what its agents did to a woman in Lubbock last month. By the time even the best of intentions reaches the bottom rungs of a huge bureaucracy, the result can defy logic and common sense. To say nothing of common decency.

Although the Administration wants this program in place by June (unlikely for technical reasons), DHS has not provided the legally-required Privacy Impact Assessment for the project. So we don’t know what personal information will be collected, how it will be used, or what (if any) safeguards against spying on citizens will be required.

All government web sites are required to post privacy policies, and in my experience government webmasters take this responsibility seriously. Under the Bush plan, these protections would become meaningless, as DHS would position Einstein between the citizen and the government site.

Note that the Einstein program does not require the cooperation of any private partners (such as phone companies or ISPs) and is not subject to any routine judicial supervision — helpful if you want to avoid any embarrassing leaks or disclosures about how it is actually being used.

In summary, the Bush Administration proposes to acquire a powerful new domestic electronic spy network, and citizens are supposed to trust the good intentions of Bush's DHS and Justice officials that these powers will not be misused. Domestic political opponents, whistleblowers, and ordinary citizens who don’t want the government spying on their web visits will be forgiven for their skepticism.



Posted by Jerome Doolittle at April 18, 2008 11:53 AM
Email this entry to:

Your email address:

Message (optional):


I already assume that any visits to government websites are monitored. It doesn't take an Einstein for that, just "cat /var/log/httpd/http_access.log". The interesting thing about "Einstein" is its ability to monitor *outgoing* access from the network, useful for finding instances of those pesky government employees sending out top secret data like, say, the names and prison location of "disappeared" Americans who've been vanished into the gulag insofar as where they're shuffled amongst the prisons of the gulag in order to outrun their lawyers. (No, I am not joking, this actually has happened in the case of protesters arrested on bogus "domestic terrorism" charges).

Now, a little disclaimer here. I design the hardware and software that is used for systems like this in the corporate world, but currently we don't have any government sales of our systems (maybe later -- it can take a couple of years between RFP and actual contract award for some of these things). But anyhow, to get back to what I was saying... what it sounds like is that they're going to set up "transparent" firewalls. These are firewalls that set up at layer 1 as bridges from the internal network to the external network but internally inspect the packets as IP packets (and block non-IP packets). They aren't easily detected except when they stop traffic dead, and given the rather ad-hoc nature of the federal networks and the fact that so many of the federal networks expose their internal IP addresses to the world (sort of like many university networks), this is really the only feasible way to do it. Unauthorized access to federal systems has always been a troubling issue -- see, e.g., the repeated shutdowns of the BLM trust fund systems due to security holes that jeopardize the integrity of the trust funds -- and it's about time someone did something about it. Setting up a proper firewall at each site has always been troublesome because of the fact that many of the federal networks pre-date NAT and thus have public IP addresses for their members, but we now have the technology to deal with this in a reasonably transparent manner. It's about time it was done.

Now, the question is, will the DHS do it properly? And how much information will DHS keep? Well, that's a good question (both of them). Given the incompetence of the DHS, I seriously doubt that they'll keep anything other than normal intrusion and visit logs that any firewall keeps, and which the NSA already logs from the Internet backbone (what, you don't see their boxes on the network? Duh, I already told you how that's done). As for whether they'll properly configure the firewalls... well, I'm sure they'll hire a contractor to do this, and five years and $5 billion dollars later, give up and start a *new* process to install these. And the contractor they hire will of course be a major campaign contributor to various powerful Senators and Presidential candidates, and the contracting officer will resign a couple of years later and go on staff with the contractor for a six-figure salary... but that's all just the normal stuff, sigh.

In short: Assume that *any* traffic is logged, and if you don't want it logged, use an encrypted proxy setup such as Tor to get there and don't log in or allow cookies. As for "Einstein", while the Feds are trying to scare people into thinking they can collect more data than they really can, the reality is that "Einstein" is nothing more than currently-existing technology that is already in place at pretty much every Fortune 500 company in America (and many smaller companies) and it's highly unlikely that the DHS contractor will be competent to actually get the stuff installed and configured in the way you fear, I've dealt with these guys and all they're competent at doing is sucking at the government teat (disclaimer: I used to work at a government contractor. Been there, done that). In short, I ain't gettin' my panties in a wringer about it...

- Badtux the Security Geek Penguin

Posted by: Badtux on April 18, 2008 7:07 PM

A little checking around and I have a few more details for you: Einstein is run by US-CERT, not by DHS. Not all federal agencies are part of it. It has been active since 2004. It is similar to Argus in the data it collects and analyzes, according to a source with knowledge of the actual program. To quote the Argus home page:

"Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.

"Argus can be used to analyze and report on the contents of packet capture files or it can run as a continuous monitor, examining data from a live interface; generating an audit log of all the network activity seen in the packet stream. Argus can be deployed to monitor individual end-systems, or an entire enterprises network activity. As a continuous monitor, Argus provides both push and pull data handling models, to allow flexible strategies for collecting network audit data. Argus data clients support a range of operations, such as sorting, aggregation, archival and reporting."

I am familiar with what this Argus product can do -- my employer sells a similar (but we believe more powerful) product -- and it's basically a tool for performance monitoring and intrusion detection, not for the nefarious purposes you imply. The only unusual thing here is that Einstein provides this service for multiple Federal agencies and thus gets to look for intrusion patterns across a wider range of networks and applications. Given CERT's overall mission, which is to provide security information to a wide audience in order to protect the integrity of the Internet as a whole -- this is a Good Thing. The information they can derive from having such an unusually large sample of first-hand data available means they can provide better descriptions of security exploits currently ongoing "in the wild" and therefore better guidance to security professionals worldwide attempting to protect themselves from these exploits. And unless you're a hacker attempting to disrupt computer networks worldwide, that's a Good Thing.

In short, there are things our federal government does which you should be alarmed about. This isn't one of them.

- Badtux the Security Penguin

Posted by: Badtux on April 20, 2008 11:49 PM
Post a comment

Email Address:



Remember info?