Thursday, August 16, 2012

Epilogue: Three men charged

I said I wouldn't post again, but I would be remiss if I didn't include the ending of the story. Raise your hand if you predicted it would be a 64 year old Scottish separatist. This is the mind-bending stuff intelligence analysts must deal with on a daily basis, especially in this 21st century cyber-crime era. From the PPG:

A 64-year-old, wheelchair-using Scottish man from Dublin, who already has served a prison sentence for emailing hoax bomb threats, was indicted Wednesday as the person responsible for emailing a series of 40 false bomb threats targeting the University of Pittsburgh during the spring semester.

Hats off to domestic and international law enforcement agencies for bringing closure to the case. I had my doubts the person would ever be found. It's like that crazy, stalker ex-girlfriend that you heard is finally getting married. You can stop looking over your shoulder and breath a sigh of relief. Although you were never totally fearful, you get the one thing you always needed: resolution.

Via PPG:

Via Trib:

Friday, April 27, 2012

Final Post: Social Media, Intelligence and Lessons Learned

The 145 bomb threats that occurred over the course of 10 weeks at the University of Pittsburgh presented a unique challenge to law enforcement officials. The investigation remains inconclusive at this time, but who the perpetrators turn out to be (if they are caught) is largely irrelevant to this final post. I want to briefly discuss some big picture topics and develop lessons learned.

The Resource-Impact Ratio

The resources that went into creating these bomb threats were negligible, but the impact was outstanding. From strictly a monetary perspective, the cost of bomb searches, increased security, and teaching hours lost will likely bump this series of threats into the million-dollar range. But considering the impact in the (very!) unlikely event of an actual bomb detonation, the University probably saw this as a fair trade-off. A good deal.

Unfortunately, not all parents are students shared this view. Perhaps even more so than the monetary loss, the emotional impact was felt even beyond campus. Students’ and parents’ emotions ranged from fear, to anger, to frustration. As the perceived likelihood of a violent act began to recede, students began questioning the reason behind evacuating every building due to what now appeared to be empty threats.

While legal liability and moral obligation certainly played a role in University policy, the ultimate problem was the warning-response threshold being incredibly, ridiculously low. Suppose there were no actual threats, but someone just suspected a threat. Evacuations would still likely be necessary. Any intelligence on a violent act at a national university must be responded to. I encourage educational institutions and law enforcement agencies to reconsider the warning-response criteria.

Social Media as an Intelligence Tool

The “Stop the Pitt Bomb Threats” blog began as a low stakes intelligence analysis exercise. I never thought it would become as big as it did. After the first week of threats, I began looking online for information about all of the bomb threats to date. Even a timeline of events would be a helpful tool for an intelligence hobbyist. Unfortunately, apart from a raw count, no media outlets were tracking this data very closely. So I decided to do it myself.

Perhaps the tool of greatest value of the blog was what users informally called the “Google Doc,” which was the publicly-accessible and publicly-editable spreadsheet of every bomb threat detailing time, day of the week, location, delivery method, and any other piece of data attached to each individual threat. By allowing multiple users to edit the document simultaneously, the data inputs were faster and more accurate than I ever could have imagined.

The result was a hit. Students and teachers, hungry for information on the threats and realizing local media outlets were not providing it, sought out the blog and Google Doc to keep abreast on new developments in the series of threats. Local and national media outlets also took notice. As stated before, the ultimate goal was not to somehow “catch” the person responsible, but rather wage a public awareness campaign against the offender using all public data available. If just one tiny shred of information provided someone with a “lightbulb moment” where they connected the dots and provided law enforcement with a credible lead, then that would make the blog a major success.

While certainly significant information was disseminated to the public from the blog, it now appears it was not helpful in catching the perpetrator. So can social media be used as an intelligence tool? Yes, for rapid compilation and dissemination of information. Unfortunately, that seems to be the extent of its usefulness.

Social Media as an Enemy of Intelligence

Richard K. Betts, a (slightly disillusioned) intelligence scholar, loves to use the phrase “enemies of intelligence.” This does not refer to external physical enemies, but rather inherent problems in the intelligence process that can yield poor analytic results. 

Social media serves as a doubled edged sword in this regard. While it was an excellent method of quickly and accurately compiling large amounts of data, this data was also easily accessible to the perpetrator making the threats. This spawned two major issues.

First, it was believed the perpetrator was targeting locations based upon data and comments from the blog. No, causality was never established, but the possibility still existed, and thus self-censorship was necessary to deny the perpetrator any additional information he or she may not have already known.

However, not all self-censorship was possible, as this brings up the second problem. As the FBI profiler and many others hypothesized, the perpetrator likely enjoyed the power rush that came with making the threats. If this was indeed the case, the perpetrator would also enjoy using social media to learn about the fear, panic, and anger his actions caused. Although Facebook, Reddit, and Twitter are useful platforms, the blog in particular allowed a user to view the full range of campus and parent emotions all in a single place. This very likely continued to feed the perpetrator’s ego.

There were many who contacted me privately asking that I take down the blog or enact a much stronger moderation policy. These conversations were often reasonable, well-articulated, and well argued on both sides. I had several hesitations with shutting down the blog. First, the blog was not the only location to find information or individuals expressing emotions (see: Reddit, Facebook, Twitter, WPTS Radio, any other media where comments were permitted). Additionally, if one blog is shut down, surely another would pop up in its place. This is the nature of the internet.

Concluding Remarks

It is absolutely imperative that law enforcement both locally and nationally take a long, hard look at this case. With bare minimal resources, the perpetrators managed to create a disproportionately high level of disruption. If these kinds of anonymous cyber “attacks” are executed at the macro level, the level of disruption could be off the charts. So four important takeaways to consider:

1.      Re-evaluate the warning-response threshold concerning bomb threats, specifically on the campus of educational institutions.
2.      Law enforcement and university policymakers must establish “best practices” concerning anonymous threats. This series of events has shown beyond a doubt the homeland security instructions on how to deal with bomb threats are grossly insufficient in the cyber age.
3.      Social media is a powerful tool to collect and disseminate information to the public, especially in situations where the media is unavailable to perform its duties (if indeed it is ethical to even do so).
4.      Social media is also a tool a perpetrator can use to collect counter-intelligence. Perpetrators can also use social media to analyze and manipulate public emotions.

Finally, I want to thank everyone for supporting the University of Pittsburgh and the Pitt Police. The commitment that went into collecting and analyzing data on this blog was amazing. As social media has demonstrated, bringing together the brainpower of thousands of individuals can yield incredible results. Hopefully the lessons learned from this situation can help future generations become proactive in combating this kind of criminal activity, rather than allowing institutions to fall into a resource-draining series of unnecessary reactions.

Tuesday, April 24, 2012

Update: 4/24/12

So it appears the threats have stopped [for now]. I'll be turning off comments later this week and will only update with breaking news. The Google Doc will remain. I'll do one more sign off post later in the week.

Sunday, April 22, 2012

Facts, unknowns, and other considerations

Okay, so the most recent news was pretty important. Most people are up to speed on it. I apologize for my earlier knee-jerk reaction "huh?" reaction. It's difficult to make sense of things through certain analytic biases...and, well, emotions certainly. So here's a breakdown as I see it.

The facts:
1. A group calling themselves the "Threateners" e-mailed the Pitt news saying they have stopped the threats because Pitt met its only demand, which was to withdraw the $50,000 reward for information leading to the arrest and conviction of the threatener (take notice of the word choices and informal mannerisms).
2. The group said its threats were only those sent in e-mail, not the "earlier" threats written on bathroom walls. Again, this is what the group says. Whether or not any of this is true is undetermined. The implication seems to be these "Threateners" are attempting to protect or take the heat off of the original pranksters, who the "Threateners" call "some young kid who'd pranked the University."
4. The group accurately predicted gaps in threats throughout the series.
5. This narrative is consistent with the original findings which noted that the threats escalated after the reward was offered.
6. See the rest of the story here. Via Pitt News.

Bottom line: The motive, according to the "Threateners" (all of or most of the e-mail threats to date), has been to make the school rescind the $50,000 reward offered for information on the "original" prankster.

The unknowns:
1. Whether the "Threateners" are telling the truth. Are the "Threateners" also the original pranksters? Are there any copycats in this series of threats? How do the "Threateners" know whether the original threats were by pranksters?
Note: Objectively speaking, if they did indeed accurately predict the gaps in threats, then they are very likely telling the truth. Whether they continue to honor their end of the deal is to be determined.
2. Where we go from here. If this is indeed the end of the threats.
3. What the school, the country, and the world have learned from this incident (this will be an entirely separate post).

Other considerations:
1. There is some evidence to suggest the "Threateners" are an outside group. Consider the following:

  • Many of the buildings targeted seemed random, chosen at odd times, or chosen for no good reason (example: school for blind children, locked buildings).
  • The Pitt News is not officially a UPitt newspaper. It is an independent publication. So it is not clear why the "Threateners" chose that particular publication to send in their demands, apart from the fact it looks like the school newspaper.
2. Also, and I think this is important, a withdrawal of the reward money does not mean the investigation is over. Which is another "unknown" variable. It's not known whether the "Threateners" understand this, or if they were implying they wanted the investigation to cease as well. In any event, it seems unlikely authorities are going to stop pursuing the "Threateners" at this point.

One last caveat: When I refer to decisions the university makes, keep in mind they are probably being heavily advised by the FBI and authorities, so it's unlikely any decision comes from the university itself.

I may have missed some things. I may update as more facts come to light. If people have evidence to provide, I'll be sure to add it to this post.

FYI: If this is the end of the threats, then this blog will shut down. I will leave the Google Doc up for record keeping.

UPDATE (from Anthony): A Wall Street Journal article sheds some light into Pitt's current actions.  It also reveals that the Rutger's threatener from the 70s was actually caught.  But because the WSJ article seems to be subscription only, here is a Pittsburgh Post-Gazette article detailing the same.

Saturday, April 21, 2012

Quick update (4/22/12. 11:00AM)

I know it's been awhile since I've done any actual analysis. This is intentional. Bear with me.

I think this blog has gotten away from its true intent, which was to be a forum on data analysis, patterns, trends, and anything else that would be of value to the public. It's now become a place for ranting, venting, and thoughtless speculation. I encourage everyone to take a deep breath and think critically before posting a comment. This blog is reserved for examination of the data and facts (and to a degree, the law enforcement processes). Rants, raves, and frustrations can be expressed on the Facebook page.

With that said, I don't intend to be a scold, I just want to refocus the blog.

UPDATE (from Anthony): KDKA is reporting that the reward for information leading to the capture of the person behind the bomb threats has now been withdrawn.   The University has declined to comment on why.  Does this represent a break in the case, the escalating cost of the investigation, or something else?

This update comes as a second search warrant has been executed on the couple who has been at the center of recent investigations.  There is no official confirmation or proof that the two are connected.  But both represent significant developments in the case.

UPDATE (from Anthony): The PittNews, the University's campus student run newspaper is reporting that the $50k reward was dropped after an anonymous email was received saying that if the reward was dropped, the threats would stop.  Of note, the email uses the term "we", rather than the singular "I".  Does this indicate a group is behind this, or perhaps just an individual wanting to believe a group is behind this?  Also of note, the University said in the past that it would not negotiate, but has now changed its stance.

UPDATE (from Andrew): This really is an unbelievable turn of events. It's so confusing it's hard to make sense of it. Just because the reward is dropped doesn't mean the investigation ends too...does it? Does this group aim to "protect" every prankster who makes bomb threats? Or every situation where a reward is offered for someone's arrest? And why use more bomb threats as a weapon to protect a bomb threatener? As if that's going to bring clarity to the situation.

And let's not forget these people evacuated a school for blind children. And several dormitories in the middle of a freezing night. And now they're lecturing the school on justice and righteousness? It makes me sick. (Sorry. I tend to avoid rants, see above, but I may have to commit a post just to the utter hypocrisy of this).

I'm also surprised all of this information was made public. I guess it was the Pitt News's call, but still, it's weird that all of this comes to a head now. I'm going to need time to sort through all of this. I won't make a new post until I have something conclusive.

Friday, April 20, 2012

Threats Overnight Bring Total to 147 + Saturday Morning to 155

Overnight, more threats forced the evacuations of major dorms at Pitt, including Litchfield Towers A, B, C, Sutherland, Bruce, Lothrop, PA, Holland, and Panther Halls.  The threats came in at 2:29 AM.

Twitter user Jocelyn (@jcolex0) tweeted this picture, giving those on the outside an idea into what it is like for the evacuating students who are forced out  to the Pete in the middle of the night. (Photo credit: @jcolex0)

From the University of Pittsburgh, a web page dedicated to the bomb threats. Not great, but it's a start.

UPDATE (from Anthony): Thanks to Mark for pointing this out to me.  According to the Google Doc, yesterday's threat, number 131 to Alumni Hall at 1:51PM was found written on the mirror in a men's room bathroom.  This report comes from credible eyewitnesses, but no official media confirmation has been given.  Is this a copycat incident?

In other news, the couple who were subpoenaed last Friday testified regarding the Pitt case.  

In addition, more details are coming out now about the FBI's seizure of a MayFirst People's Link server in the on-going efforts to catch the person sending the anonymous emails that have promoted most of the evacuations. 

UPDATE (from Anthony): Saturday morning around 10:00AM Litchfield Towers, Salk Hall, the Cathedral, PA Hall, Ruskin Hall, and Scaife Hall received threats.  They are currently being evacuated and cleared.  I'll let Andrew handle the next formal blog update in case he has any more to say.  This brings the total count to 155 (counting each Tower as one).

Thursday, April 19, 2012

Threats 113-128

Litchfield Towers (3), Sutherland, Bruce, Lothrop, Pennsylvania Halls. 8:02 AM.
Alumni Hall. 1:52 PM.
Cathedral, Posvar, Barco, Chevron, Benedum. 4:29 PM
William Pitt Union, University Club. 6:38 PM

UPDATE (from Anthony):
With the flurry of threats and the lack of a capture or information causing frustrations to build amongst parents and students alike,  many users here and on the Facebook group have expressed a desire to contact their elected officials.   Click here for a publicly editable Google Doc that contains contact information for officials.  Feel free to add any contact information for state, local, or national officials you feel would benefit the community.  Because all of this information is publicly available online anyway, I'm not concerned about it.