Something I wrote up for Dave Farber’s Interesting-People list. This is part of a discussion about a Washington Post article on terrorists’ use of the web.
Agreed that the Post article was long on fear-mongering and short on facts. But there are some really interesting dynamics going on here. I did some work with a researcher in the field a year or so ago, which I never had time to follow up. Here were my initial impressions reviewing some of the terrorist sites:
- Across the board, the sites that I saw showed a level of technical competence that would put most decentralized nonprofit networks to shame (which I think is the closest analog in the noncriminal space). Granted that I don’t think the best and the brightest CSS designers are al-Qaeda operatives, but this also wasn’t FrontPage 97 work.
- Pursuant to that observation was a clear separation of form from content. Several sites had digital photography taken from the POV of the insurgents, posted within 24 hours of being taken. (At least, so it was claimed; I’m not qualified to confirm that these weren’t months-old photos.) Some of this could have been done with a zoom lens by someone who was on the outskirts, but some other photos seemed to only be possible if the photographer was under fire or at least in the thick of the attack. This raised several interesting points:
  - that al-Qaeda had propaganda networks in place sufficient to motivate people to risk their lives for such material;
  - that these networks were capable of moving the product from early-2004 Iraq to a location where they could be sent over the Internet. I’m presuming here that the public Internet cafes are not a safe location to do this, so that would mean private operatives with satellite communications, or a conduit to move the data storage physically outside of the country. (Naturally, as Iraq’s infrastructure improves, this problem resolves itself.)
  - again inferring from the competence of these sites, the webmasters are almost certainly not in a danger zone, meaning either combat or fear of being detected or interrupted. The sites are not published in haste. Which implies a sophisticated system of combining “combat journalists” with a home desk.
- Many of these websites are highly transient; a site can be taken down in the space of days by the ISP when its content is reported (or may be taken down by the authors before the authorities can find them). The nontransient sites are the ones that tend to have the scary propaganda of the “we will bury you” variety; it’s the short-lived sites that have the red meat, such as bomb plans. Since the network relies on these transient sites, that implies a darknet P2P system, probably by IM or email to equally transient addresses, to spread the word about where to go for information. I’m guessing here a structure similar to the infrastructure supporting 1980s BBS systems used to disseminate child pornography; they thrived, but there wasn’t a text file you could download giving out those phone numbers. And they had similar consequences for the users, and transience of the “web sites”.
- Corollary: sites that can be found by a Haifa researcher or the Washington Post can also be found by DHS and similar international agencies. This is known to the wiser people in the audience of these websites, who also know that in some cases they may risk incarceration or death by being identified as part of their readership. It’s safe to assume, then, that the less transient and better-known the site, the less likely it will actually attract the more dangerous terrorists. Tracing these connections can have a honeypot effect to trap the new converts, the careless, or the ignorant—which is valuable, but should also be recognized for its limitations.
- given the sophistication I’m reading into the publication process, one then wonders why some sites, with some dangerous information, are not transient. That is, a legitimate terrorist site that remains available must be known to be under surveillance by any intelligent criminal publisher. But some inflammatory sites do remain live. AFAIK, this never occurred in the child porn systems I mentioned earlier. Potential reasons:
  - these are published by the stupid criminals. It’s a bell curve, somebody’s got to be on the short side.
  - these are published as honeypots by law enforcement groups to see who shows up.
  - these are published as honeypots by terrorists to allow them to do counter-espionage and see what tools are used to watch them.
As I said, after a few days of meetings with the researchers whom I met, I was distracted from follow-up, so all of the above is complete conjecture with little actual data to back it up. Criticism and factual evidence for or against greatly appreciated.