I said I wouldn't post again, but I would be remiss if I didn't include the ending of the story. Raise your hand if you predicted it would be a 64 year old Scottish separatist. This is the mind-bending stuff intelligence analysts must deal with on a daily basis, especially in this 21st century cyber-crime era. From the PPG:
A 64-year-old, wheelchair-using Scottish man from Dublin, who already has served a prison sentence for emailing hoax bomb threats, was indicted Wednesday as the person responsible for emailing a series of 40 false bomb threats targeting the University of Pittsburgh during the spring semester.
Hats off to domestic and international law enforcement agencies for bringing closure to the case. I had my doubts the person would ever be found. It's like that crazy, stalker ex-girlfriend that you heard is finally getting married. You can stop looking over your shoulder and breath a sigh of relief. Although you were never totally fearful, you get the one thing you always needed: resolution.
Via PPG: http://www.post-gazette.com/stories/local/neighborhoods-city/charges-put-a-face-to-pitt-bomb-threats-649107/
Via Trib: http://triblive.com/home/2416980-74/threats-busby-pitt-charged-officials-bomb-federal-irish-british-ohio
Stop the Pitt bomb threats
An intelligence forum on finding patterns, trends and exchanging ideas about how to end this problem.
Thursday, August 16, 2012
Friday, April 27, 2012
Final Post: Social Media, Intelligence and Lessons Learned
The 145 bomb threats that occurred over the course of 10
weeks at the University of Pittsburgh presented a unique challenge to law
enforcement officials. The investigation remains inconclusive at this time, but
who the perpetrators turn out to be (if they are caught) is largely irrelevant
to this final post. I want to briefly discuss some big picture topics and
develop lessons learned.
The Resource-Impact
Ratio
The resources that went into creating these bomb threats were
negligible, but the impact was outstanding. From strictly a monetary
perspective, the cost of bomb searches, increased security, and teaching hours
lost will likely bump this series of threats into the million-dollar range. But
considering the impact in the (very!) unlikely event of an actual bomb
detonation, the University probably saw this as a fair trade-off. A good deal.
Unfortunately, not all parents are students shared this
view. Perhaps even more so than the monetary loss, the emotional impact was
felt even beyond campus. Students’ and parents’ emotions ranged from fear, to
anger, to frustration. As the perceived likelihood of a violent act began to
recede, students began questioning the reason behind evacuating every building
due to what now appeared to be empty threats.
While legal liability and moral obligation certainly played
a role in University policy, the ultimate problem was the warning-response
threshold being incredibly, ridiculously low. Suppose there were no actual
threats, but someone just suspected a
threat. Evacuations would still likely be necessary. Any intelligence on a
violent act at a national university must
be responded to. I encourage educational institutions and law enforcement
agencies to reconsider the warning-response criteria.
Social Media as an
Intelligence Tool
The “Stop the Pitt Bomb Threats” blog began as a low stakes
intelligence analysis exercise. I never thought it would become as big as it
did. After the first week of threats, I began looking online for information
about all of the bomb threats to date. Even a timeline of events would be a
helpful tool for an intelligence hobbyist. Unfortunately, apart from a raw
count, no media outlets were tracking this data very closely. So I decided to
do it myself.
Perhaps the tool of greatest value of the blog was what
users informally called the “Google Doc,” which was the publicly-accessible and
publicly-editable spreadsheet of every bomb threat detailing time, day of the
week, location, delivery method, and any other piece of data attached to each
individual threat. By allowing multiple users to edit the document
simultaneously, the data inputs were faster and more accurate than I ever could
have imagined.
The result was a hit. Students and teachers, hungry for
information on the threats and realizing local media outlets were not providing
it, sought out the blog and Google Doc to keep abreast on new developments in
the series of threats. Local and national media outlets also took notice. As
stated before, the ultimate goal was not to somehow “catch” the person
responsible, but rather wage a public awareness campaign against the offender
using all public data available. If just one tiny shred of information provided
someone with a “lightbulb moment” where they connected the dots and provided
law enforcement with a credible lead, then that would make the blog a major
success.
While certainly significant information was disseminated to
the public from the blog, it now appears it was not helpful in catching the
perpetrator. So can social media be used as an intelligence tool? Yes, for
rapid compilation and dissemination of information. Unfortunately, that seems
to be the extent of its usefulness.
Social Media as an
Enemy of Intelligence
Richard K. Betts, a (slightly disillusioned) intelligence
scholar, loves to use the phrase “enemies of intelligence.” This does not refer
to external physical enemies, but rather inherent problems in the intelligence
process that can yield poor analytic results.
Social media serves as a doubled edged sword in this regard.
While it was an excellent method of quickly and accurately compiling large
amounts of data, this data was also easily accessible to the perpetrator making
the threats. This spawned two major issues.
First, it was believed the perpetrator was targeting
locations based upon data and comments from the blog. No, causality was never
established, but the possibility still existed, and thus self-censorship was
necessary to deny the perpetrator any additional information he or she may not
have already known.
However, not all self-censorship was possible, as this
brings up the second problem. As the FBI profiler and many others hypothesized,
the perpetrator likely enjoyed the power rush that came with making the
threats. If this was indeed the case, the perpetrator would also enjoy using
social media to learn about the fear, panic, and anger his actions caused.
Although Facebook, Reddit, and Twitter are useful platforms, the blog in
particular allowed a user to view the full range of campus and parent emotions
all in a single place. This very likely continued to feed the perpetrator’s
ego.
There were many who contacted me privately asking that I
take down the blog or enact a much stronger moderation policy. These
conversations were often reasonable, well-articulated, and well argued on both
sides. I had several hesitations with shutting down the blog. First, the blog
was not the only location to find information or individuals expressing
emotions (see: Reddit, Facebook, Twitter, WPTS Radio, any other media where
comments were permitted). Additionally, if one blog is shut down, surely
another would pop up in its place. This is the nature of the internet.
Concluding Remarks
It is absolutely imperative that law enforcement both
locally and nationally take a long, hard look at this case. With bare minimal
resources, the perpetrators managed to create a disproportionately high level
of disruption. If these kinds of anonymous cyber “attacks” are executed at the
macro level, the level of disruption could be off the charts. So four important takeaways to consider:
1.
Re-evaluate the warning-response threshold
concerning bomb threats, specifically on the campus of educational
institutions.
2.
Law enforcement and university policymakers must
establish “best practices” concerning anonymous threats. This series of events
has shown beyond a doubt the homeland security instructions on how to deal with
bomb threats are grossly insufficient in the cyber age.
3.
Social media is a powerful tool to collect and
disseminate information to the public, especially in situations where the media
is unavailable to perform its duties (if indeed it is ethical to even do so).
4.
Social media is also a tool a perpetrator can
use to collect counter-intelligence. Perpetrators can also use social media to
analyze and manipulate public emotions.
Finally, I want to thank everyone for supporting the
University of Pittsburgh and the Pitt Police. The commitment that went into
collecting and analyzing data on this blog was amazing. As social media has
demonstrated, bringing together the brainpower of thousands of individuals can
yield incredible results. Hopefully the lessons learned from this situation can
help future generations become proactive in combating this kind of criminal
activity, rather than allowing institutions to fall into a resource-draining series
of unnecessary reactions.
Tuesday, April 24, 2012
Update: 4/24/12
So it appears the threats have stopped [for now]. I'll be turning off comments later this week and will only update with breaking news. The Google Doc will remain. I'll do one more sign off post later in the week.
Sunday, April 22, 2012
Facts, unknowns, and other considerations
Okay, so the most recent news was pretty important. Most people are up to speed on it. I apologize for my earlier knee-jerk reaction "huh?" reaction. It's difficult to make sense of things through certain analytic biases...and, well, emotions certainly. So here's a breakdown as I see it.
The facts:
1. A group calling themselves the "Threateners" e-mailed the Pitt news saying they have stopped the threats because Pitt met its only demand, which was to withdraw the $50,000 reward for information leading to the arrest and conviction of the threatener (take notice of the word choices and informal mannerisms).
2. The group said its threats were only those sent in e-mail, not the "earlier" threats written on bathroom walls. Again, this is what the group says. Whether or not any of this is true is undetermined. The implication seems to be these "Threateners" are attempting to protect or take the heat off of the original pranksters, who the "Threateners" call "some young kid who'd pranked the University."
4. The group accurately predicted gaps in threats throughout the series.
5. This narrative is consistent with the original findings which noted that the threats escalated after the reward was offered.
6. See the rest of the story here. Via Pitt News.
Bottom line: The motive, according to the "Threateners" (all of or most of the e-mail threats to date), has been to make the school rescind the $50,000 reward offered for information on the "original" prankster.
The unknowns:
1. Whether the "Threateners" are telling the truth. Are the "Threateners" also the original pranksters? Are there any copycats in this series of threats? How do the "Threateners" know whether the original threats were by pranksters?
Note: Objectively speaking, if they did indeed accurately predict the gaps in threats, then they are very likely telling the truth. Whether they continue to honor their end of the deal is to be determined.
2. Where we go from here. If this is indeed the end of the threats.
3. What the school, the country, and the world have learned from this incident (this will be an entirely separate post).
Other considerations:
1. There is some evidence to suggest the "Threateners" are an outside group. Consider the following:
One last caveat: When I refer to decisions the university makes, keep in mind they are probably being heavily advised by the FBI and authorities, so it's unlikely any decision comes from the university itself.
I may have missed some things. I may update as more facts come to light. If people have evidence to provide, I'll be sure to add it to this post.
FYI: If this is the end of the threats, then this blog will shut down. I will leave the Google Doc up for record keeping.
UPDATE (from Anthony): A Wall Street Journal article sheds some light into Pitt's current actions. It also reveals that the Rutger's threatener from the 70s was actually caught. But because the WSJ article seems to be subscription only, here is a Pittsburgh Post-Gazette article detailing the same.
The facts:
1. A group calling themselves the "Threateners" e-mailed the Pitt news saying they have stopped the threats because Pitt met its only demand, which was to withdraw the $50,000 reward for information leading to the arrest and conviction of the threatener (take notice of the word choices and informal mannerisms).
2. The group said its threats were only those sent in e-mail, not the "earlier" threats written on bathroom walls. Again, this is what the group says. Whether or not any of this is true is undetermined. The implication seems to be these "Threateners" are attempting to protect or take the heat off of the original pranksters, who the "Threateners" call "some young kid who'd pranked the University."
4. The group accurately predicted gaps in threats throughout the series.
5. This narrative is consistent with the original findings which noted that the threats escalated after the reward was offered.
6. See the rest of the story here. Via Pitt News.
Bottom line: The motive, according to the "Threateners" (all of or most of the e-mail threats to date), has been to make the school rescind the $50,000 reward offered for information on the "original" prankster.
The unknowns:
1. Whether the "Threateners" are telling the truth. Are the "Threateners" also the original pranksters? Are there any copycats in this series of threats? How do the "Threateners" know whether the original threats were by pranksters?
Note: Objectively speaking, if they did indeed accurately predict the gaps in threats, then they are very likely telling the truth. Whether they continue to honor their end of the deal is to be determined.
2. Where we go from here. If this is indeed the end of the threats.
3. What the school, the country, and the world have learned from this incident (this will be an entirely separate post).
Other considerations:
1. There is some evidence to suggest the "Threateners" are an outside group. Consider the following:
- Many of the buildings targeted seemed random, chosen at odd times, or chosen for no good reason (example: school for blind children, locked buildings).
- The Pitt News is not officially a UPitt newspaper. It is an independent publication. So it is not clear why the "Threateners" chose that particular publication to send in their demands, apart from the fact it looks like the school newspaper.
One last caveat: When I refer to decisions the university makes, keep in mind they are probably being heavily advised by the FBI and authorities, so it's unlikely any decision comes from the university itself.
I may have missed some things. I may update as more facts come to light. If people have evidence to provide, I'll be sure to add it to this post.
FYI: If this is the end of the threats, then this blog will shut down. I will leave the Google Doc up for record keeping.
UPDATE (from Anthony): A Wall Street Journal article sheds some light into Pitt's current actions. It also reveals that the Rutger's threatener from the 70s was actually caught. But because the WSJ article seems to be subscription only, here is a Pittsburgh Post-Gazette article detailing the same.
Saturday, April 21, 2012
Quick update (4/22/12. 11:00AM)
I know it's been awhile since I've done any actual analysis. This is intentional. Bear with me.
I think this blog has gotten away from its true intent, which was to be a forum on data analysis, patterns, trends, and anything else that would be of value to the public. It's now become a place for ranting, venting, and thoughtless speculation. I encourage everyone to take a deep breath and think critically before posting a comment. This blog is reserved for examination of the data and facts (and to a degree, the law enforcement processes). Rants, raves, and frustrations can be expressed on the Facebook page.
With that said, I don't intend to be a scold, I just want to refocus the blog.
UPDATE (from Anthony): KDKA is reporting that the reward for information leading to the capture of the person behind the bomb threats has now been withdrawn. The University has declined to comment on why. Does this represent a break in the case, the escalating cost of the investigation, or something else?
This update comes as a second search warrant has been executed on the couple who has been at the center of recent investigations. There is no official confirmation or proof that the two are connected. But both represent significant developments in the case.
UPDATE (from Anthony): The PittNews, the University's campus student run newspaper is reporting that the $50k reward was dropped after an anonymous email was received saying that if the reward was dropped, the threats would stop. Of note, the email uses the term "we", rather than the singular "I". Does this indicate a group is behind this, or perhaps just an individual wanting to believe a group is behind this? Also of note, the University said in the past that it would not negotiate, but has now changed its stance.
UPDATE (from Andrew): This really is an unbelievable turn of events. It's so confusing it's hard to make sense of it. Just because the reward is dropped doesn't mean the investigation ends too...does it? Does this group aim to "protect" every prankster who makes bomb threats? Or every situation where a reward is offered for someone's arrest? And why use more bomb threats as a weapon to protect a bomb threatener? As if that's going to bring clarity to the situation.
And let's not forget these people evacuated a school for blind children. And several dormitories in the middle of a freezing night. And now they're lecturing the school on justice and righteousness? It makes me sick. (Sorry. I tend to avoid rants, see above, but I may have to commit a post just to the utter hypocrisy of this).
I'm also surprised all of this information was made public. I guess it was the Pitt News's call, but still, it's weird that all of this comes to a head now. I'm going to need time to sort through all of this. I won't make a new post until I have something conclusive.
I think this blog has gotten away from its true intent, which was to be a forum on data analysis, patterns, trends, and anything else that would be of value to the public. It's now become a place for ranting, venting, and thoughtless speculation. I encourage everyone to take a deep breath and think critically before posting a comment. This blog is reserved for examination of the data and facts (and to a degree, the law enforcement processes). Rants, raves, and frustrations can be expressed on the Facebook page.
With that said, I don't intend to be a scold, I just want to refocus the blog.
UPDATE (from Anthony): KDKA is reporting that the reward for information leading to the capture of the person behind the bomb threats has now been withdrawn. The University has declined to comment on why. Does this represent a break in the case, the escalating cost of the investigation, or something else?
This update comes as a second search warrant has been executed on the couple who has been at the center of recent investigations. There is no official confirmation or proof that the two are connected. But both represent significant developments in the case.
UPDATE (from Anthony): The PittNews, the University's campus student run newspaper is reporting that the $50k reward was dropped after an anonymous email was received saying that if the reward was dropped, the threats would stop. Of note, the email uses the term "we", rather than the singular "I". Does this indicate a group is behind this, or perhaps just an individual wanting to believe a group is behind this? Also of note, the University said in the past that it would not negotiate, but has now changed its stance.
UPDATE (from Andrew): This really is an unbelievable turn of events. It's so confusing it's hard to make sense of it. Just because the reward is dropped doesn't mean the investigation ends too...does it? Does this group aim to "protect" every prankster who makes bomb threats? Or every situation where a reward is offered for someone's arrest? And why use more bomb threats as a weapon to protect a bomb threatener? As if that's going to bring clarity to the situation.
And let's not forget these people evacuated a school for blind children. And several dormitories in the middle of a freezing night. And now they're lecturing the school on justice and righteousness? It makes me sick. (Sorry. I tend to avoid rants, see above, but I may have to commit a post just to the utter hypocrisy of this).
I'm also surprised all of this information was made public. I guess it was the Pitt News's call, but still, it's weird that all of this comes to a head now. I'm going to need time to sort through all of this. I won't make a new post until I have something conclusive.
Friday, April 20, 2012
Threats Overnight Bring Total to 147 + Saturday Morning to 155
Overnight, more threats forced the evacuations of major dorms at Pitt, including Litchfield Towers A, B, C, Sutherland, Bruce, Lothrop, PA, Holland, and Panther Halls. The threats came in at 2:29 AM.
Twitter user Jocelyn (@jcolex0) tweeted this picture, giving those on the outside an idea into what it is like for the evacuating students who are forced out to the Pete in the middle of the night. (Photo credit: @jcolex0)
Twitter user Jocelyn (@jcolex0) tweeted this picture, giving those on the outside an idea into what it is like for the evacuating students who are forced out to the Pete in the middle of the night. (Photo credit: @jcolex0)
From the University of Pittsburgh, a web page dedicated to the bomb threats. Not great, but it's a start.
UPDATE (from Anthony): Thanks to Mark for pointing this out to me. According to the Google Doc, yesterday's threat, number 131 to Alumni Hall at 1:51PM was found written on the mirror in a men's room bathroom. This report comes from credible eyewitnesses, but no official media confirmation has been given. Is this a copycat incident?
In other news, the couple who were subpoenaed last Friday testified regarding the Pitt case.
In addition, more details are coming out now about the FBI's seizure of a MayFirst People's Link server in the on-going efforts to catch the person sending the anonymous emails that have promoted most of the evacuations.
UPDATE (from Anthony): Saturday morning around 10:00AM Litchfield Towers, Salk Hall, the Cathedral, PA Hall, Ruskin Hall, and Scaife Hall received threats. They are currently being evacuated and cleared. I'll let Andrew handle the next formal blog update in case he has any more to say. This brings the total count to 155 (counting each Tower as one).
Thursday, April 19, 2012
Threats 113-128
Litchfield Towers (3), Sutherland, Bruce, Lothrop, Pennsylvania Halls. 8:02 AM.
Alumni Hall. 1:52 PM.
Cathedral, Posvar, Barco, Chevron, Benedum. 4:29 PM
William Pitt Union, University Club. 6:38 PM
UPDATE (from Anthony):
With the flurry of threats and the lack of a capture or information causing frustrations to build amongst parents and students alike, many users here and on the Facebook group have expressed a desire to contact their elected officials. Click here for a publicly editable Google Doc that contains contact information for officials. Feel free to add any contact information for state, local, or national officials you feel would benefit the community. Because all of this information is publicly available online anyway, I'm not concerned about it.
Alumni Hall. 1:52 PM.
Cathedral, Posvar, Barco, Chevron, Benedum. 4:29 PM
William Pitt Union, University Club. 6:38 PM
UPDATE (from Anthony):
With the flurry of threats and the lack of a capture or information causing frustrations to build amongst parents and students alike, many users here and on the Facebook group have expressed a desire to contact their elected officials. Click here for a publicly editable Google Doc that contains contact information for officials. Feel free to add any contact information for state, local, or national officials you feel would benefit the community. Because all of this information is publicly available online anyway, I'm not concerned about it.
Subscribe to:
Posts (Atom)