The FBI has hit on a splendid way of catching terrorists: you create them.
It’s not quite the “Texas sharpshooter fallacy” and it’s not exactly entrapment. The legal bar for entrapment is that the defendant has to demonstrate that they were entrapped into doing something that they would not normally do. So, if you’re a hacker and an FBI secret agent tries to hire you to break into the DNC, it’s not entrapment because it’s something you normally do. If you’re thinking “wow, that’s pretty easy to game” you’re right.
Since the beginning of the war on terror, the FBI has flung its nets pretty far, and have been doing a good job of collecting a passel of deplorables. For example, they just got this guy: [bbc]
A 23-year-old has been arrested and charged with attempting to blow up a bank in Oklahoma City, the FBI says.
Jerry Drake Varnell allegedly told undercover investigators that he hoped his actions would “cripple the government” and cause a “revolution”.
The criminal complaint alleges that shortly after midnight on Saturday he attempted to set off a fake bomb.
Speaking to undercover agents, he cited the film Fight Club and the 1995 Oklahoma City bombing as inspiration.
The FBI says that on 12 August Mr Varnell drove a cargo van – which he believed to be stolen and loaded with 1,000lbs (453kg) of explosives – to BancFirst in downtown Oklahoma City.
Days earlier, he recorded a message to be posted online after the attack, telling an undercover informant that it was important to have a statement ready to post to social media in order to prevent other groups such as the so-called Islamic State from claiming credit for the attack.
On Saturday, he parked the van in an alley beside the bank, and then attempted to dial a number with a mobile phone, thinking that would trigger the explosion, the FBI said.
Naturally, I do not approve of driving a truck loaded with explosives to blow up a bank, or anything else. I can’t think of him as a credible threat, though – if he was attempting to set off a fake bomb, that has to mean that the FBI provided him with the fake bomb. So, basically, this guy is probably some ignorant garbage human who got trolled on some anti-government bulletin board by an FBI agent using a cover identity. When I read stuff like the above, I look between the lines, too: did he really say he wanted to have a statement ready to post, or did someone give him that brilliant bit of advice? Someone like the FBI informant who provided him with the fake bomb?
Someone who thinks that blowing up a bank is going to start a revolution and cripple the government is so ignorant that you could probably tell them to blow up a bus by breathing up the exhaust pipe and he’d burn his lips trying.
There are a couple problems I have with this sort of thing. First, and foremost, it does nothing to detect and collect actual dangerous people. In fact, the dangerous people operate with impunity while the FBI is busy breeding fish to shoot in a bucket. Secondly, there is a slight danger that this guy will now learn to be actually dangerous. Or, what if he was able to figure out what was going on in time to get some real explosives and do some real harm? If he’s an anti-government “revolutionary” being trolled by the FBI is – as we can see – exactly the thing to set him over the edge. I have a problem with that: what if he realizes the FBI is trolling him and that he’s going to take the big fall, and decides to go on a shooting rampage in a shopping mall, instead? This is a problem: the FBI is stoking and priming these guys – admittedly they may already be primed – but they are not predictable. The Ruby Ridge incident was one example of where the FBI created a political and legal nightmare, so they could troll a militia member. It got people killed. The fingerprints of FBI provocateur operations are all over many such incidents, going back to the the 60s, when the Weather underground may have been penetrated by COINTELPRO; there have been questions as to if the Greenwich Village bombing was partly the responsibility of a provocateur. [wikipedia] It’s hard to know these things because we have no view into what’s going on in covert operations; what if (I am not saying this is the case, but what if…) Omar Mateen, the shooter at the Pulse Nightclub, had been frothed up by an undercover FBI agent, and he just decided to start his rampage a bit ahead of schedule, before they picked him up?
This sort of thing acts as a useful “idiot filter” for weeding out the deplorables, but it’s bottom-feeding, and it’s potentially dangerous.
I’m also concerned at the spin that has not been given to the story, yet: is this guy a white separatist or nationalist? He’s a dumb white guy who thinks he’s going to overthrow the government; is he a radical maoist, anarchist, or a fascist? I doubt the poor gomer thought that far ahead, but, what did he expect was going to replace the government after he overthrew it with his fake bomb?
Shortly after it happened, I was interviewed by Lew Koch about a computer security thing, and we had a conversation about Jose Padilla. Koch was following that case, which appears to have gone into the memory hole. Koch believed that the whole case against Padilla was the kind of spin ’em up and arrest ’em operation I’m describing. Having some familiarity with explosives and demolitions, as well as radioactive stuff, I agreed with Koch’s assessment that Padilla was a threat to nobody but himself. He was imprisoned for planning to build a dirty bomb, but he hadn’t even gotten to the point where he had “dirty” or a “bomb” – he was completely ignorant about what he was trying to do and would have probably died pretty quickly if he’d been messing with either explosives or plutonium. Koch describes the set-up here: https://shadowproof.com/2007/07/18/whose-conspiracy/ It features James Comey in a less than flattering light.
Varnell is already being portrayed as schizophrenic, apparently there was an incident of domestic abuse that he wound up seeing a psychiatrist over. I wonder if this is part of the “if he’s white he’s not a terrorist” “he’s crazy” set-up.
Dunc says
In most radical / protest circles, it’s long been believed that the easiest way to spot the undercover operatives or informants in your groups is to look for the people advocating violence. It’s not just about making it look like they’re catching terrorists, or about manufacturing pretexts for arresting malcontents, it’s also about discrediting radical politics in general, and sowing dissention and distrust amongst people who are trying to organise. It’s bloody difficult to organise an effective political movement when everyone is constantly wondering which of their comrades is actually an undercover agent, and endlessly re-litigating old arguments over tactics with people who probably aren’t arguing in good faith.
And now, of course, we get to do it all on the internet too…
komarov says
The FBI could really make its life a lot simpler just by setting up a wikihow page or something among those lines:
“1. Pick a target and an allegiance (Popular causes are: Liberal, Leftist, Communist, Red and Socialist)
2. Buy explosives and a trigger. Here are some cheap, reliable vendors whose kit always works…
3.Write a detailed statement before your attack. Be sure it’s been properly proof-read, otherwise the press will laugh at you. Here’s a link to a great online service that does it for free: effbeeoy.com/evidence”
That should attract the kind of people they’re looking for.
I expect the FBI is very careful in choosing its targets to make sure they are sufficiently incompetent. Not for the public’s sake but for their own. If their target realised what was going on it would be really easy to turn the game against the FBI itself. For example that “fake bomb” might blow up when the agents show up to collect it. By the looks of it, all the FBI wants is to score some easy wins with minimal risk so they’ll do whatever they can to avoid this outcome – while still getting their wins, of course.
Besides, if what you’ve writting about hackers and the FBI here before is anything to go by, the competent bombers they find – if any – will be hired and sent off to far-away countries. Or maybe not hired but still sent off to far-away countries to facilities that are totally not under US jurisdiction.
Marcus Ranum says
Dunc@#1:
In most radical / protest circles, it’s long been believed that the easiest way to spot the undercover operatives or informants in your groups is to look for the people advocating violence.
Yup. I used to think it was COINTELPRO but it appears to have been the FBI’s methodology for longer than that. Back in the 70s when I went on a few of the antiwar protests in NYC, I remember a lot of people talking about provocateurs.
You’re also right about it being a maneuver to raise the cost of organizing. And it works. The problem is that it’s ineffective against “lone wolf” operatives, as has been amply demonstrated.
Marcus Ranum says
Komarov@#2:
2. Buy explosives and a trigger. Here are some cheap, reliable vendors whose kit always works…
Back when I was assembling chemistry for wet plate photography, I was surprised to see that there are plenty of listings for iodine on Ebay. Fortunately, I didn’t buy any (I got 10% tincture in alcohol on amazon.com instead!) because apparently the FBI sets up a lot of “canary” sellers that offer precursors for methamphetamine synthesis – anyone who buys iodine is assumed to be a naughty boy.
3.Write a detailed statement before your attack
“Here, you can use our new free ‘cloud’ terrorist statement service!”
Sad thing is, it’d probably get a couple of hits. Back in the day, a friend of mine and I were joking at a conference that the CIA should set up a free online storage service (this was back in the late 90s) and just bury “we will look at your stuff” in the terms of service… Whenever we meet up, we still laugh about that one, except it’s not funny anymore.
Dunc says
Given that you can already rent malware on a cloud service model, can terrorism-as-a-service really be that far behind?
komarov says
Re: Marcus Ranum (#4):
But that means, strictly speaking, that the US government is competing with private businesses! Judging by a quick google search that may or may not be illegal, but it certainly is a very unpopular notion. Someone ought to bring a lawsuit against the FBI. Just think of all those honest precursor-salesmen (drugs, photography and who knows what else) put out of business by big government meddling. Alert the media! Send in the lawyers!
Re: Dunc (#5):
So long as terrorist attacks still tend to involve suicide or very long prison sentences the rent model probably won’t take off. But just wait until armed drones become commercially available products. No doubt someone in the US will argue that it’s a constitutional right to own one to protect yourself, etc. asf.. Then I’m sure anybody can rent or buy a couple (a cloud?) of those and do whatever they like with it. Strafe a mall, an abortion clinic or maybe a local school or some protesters. The sky’s the limit. That and battery capacity. (This is why it’s important that everyone has a right to buy armed drones. Remember: Only a good guy with an armed drone can stop a bad guy with an armed drone!)
Siobhan says
@komarov
Sounds about
whiteright.Marcus Ranum says
komarov@#6:
the US government is competing with private businesses!
The invisible little hands of the market!
WRT to terrorism as a service; it’s already (sort of) being done – there are DDOS-as-a-service if you look in the right place. Terrorism as a service? I forget what Blackwater calls themselves nowadays but mercenaries go waaaay back. All this stuff comes back to “plausible deniability as a service”
There was a spammer who filed a lawsuit claiming that their first amendment rights were being violated. Hmmmm…. I wonder what the judge wrote on that decision, it may be relevant whenever someone yells “freeze peach!”
komarov says
Oh right, mercenaries. I admit, whenever I think of mercenaries my brain automatically frames the context as “war”, rather than “terrorism”. At this moment I am not quite sure what the difference is. “The thing the US does instead of terrorism” might fit but is, as a definition, very unhelpful. Not least because the US seems willing to do pretty much anything as long as a reason or excuse can be cooked up.
And it brings up another lapse I suffer from: I don’t (yet) associate hacking with terrorism either. I’m well aware that attacks can have huge impacts but it doesn’t quite fit in the same mental category as bombing a temple or shooting up a school. On the other hand I can see it easily enough when critical services / infrastructure are disrupted (e.g. UK’s NHS). I’m really behind the times on terrorism, aren’t I? Hostage-taking is obsolete, in the future you’ll just ransom your victims’ smart homes.
Marcus Ranum says
komarov@#9:
I don’t (yet) associate hacking with terrorism either. I’m well aware that attacks can have huge impacts but it doesn’t quite fit in the same mental category as bombing a temple or shooting up a school. On the other hand I can see it easily enough when critical services / infrastructure are disrupted (e.g. UK’s NHS). I’m really behind the times on terrorism, aren’t I? Hostage-taking is obsolete, in the future you’ll just ransom your victims’ smart homes.
Back in the early oughts I did a talk at Cornell about hacking and terrorism – not that they were specifically related but rather that the force dynamics are the same; in today’s terms we’d say they’re both asymmetric in that the cost to the attacker is much lower than to the defender, and the defender can suffer very disproportionate damage compared to the attackers’ costs. There were some security notables in the audience (including Ross Anderson) who poo poo’d my talk, and I kind of dropped that train of thought. Fast forward to 2001, reading Paschall’s Lic 2010 I realized that there are professional military thinkers who have always seen this sort of thing as low intensity conflict (“LIC”) and have been expecting it for a long time. The problem is that, inherent in “asymmetric warfare” is the “asymmetric” part – if you’re in a conflict of any sort where the costs aren’t balanced: you’re going to lose. What is it that the computer said at the end of War Games? The only way to win is not to play.
Edit: Back in the early oughts, the government made a big show of equating hacking to terrorism, because that way they could use anti-terror provisions of certain laws in order to monitor hackers. Clever, huh?
jrkrideau says
# 8 komarov
Only a good guy with an armed drone can stop a bad guy with an armed drone!
Really komarov, you are so out of date. The natural method is far superior though one may have to watch out for PETA.
http://time.com/4675164/drone-hunting-eagles/
Dunc says
Actually, most terrorist attacks don’t involve either of those. Sure, those particular features make the news, particularly if they happen in “the West”, but if you look across the rest of the world*, it’s mostly small arms, mortars, and emplaced IEDs, invovling people who never get caught. Suicide bombings and / or long prison sentences are just what tends to happen when amateurs try and play, which is a big part of the the attraction of the service model. Just like with IT infrastructure, if you try and do it yourself you’re probably going to fuck it up, so you’re better off paying specialists to do it for you.
(*Or a little bit further back into history, like to the IRA campaigns that were all over the news when I was growing up.)
komarov says
Re: jrkrideau (#11):
The very moment a drone manufacturer first read about drone-hunting eagles was probably the moment they initiated a “research project” into countermeasures. Possible solutions might range from really sharp rotor blades to drone-to-avian tailfeather-seeking missiles, depending on how much the customer wants to pay. Sadly nature tends to lose such arms races (unless you take the long view*).
Re: Dunc (#12):
You’re right, of course. I have no idea what I was / wasn’t thinking there, but thanks for the correction. It’s been added to my list of lapses.
*Either way the eagles still lose.