The Man Who Put Al-Qaeda on the Web
This isn’t really weird tech news, but Barry Levin of NewsFactor.Com has done some extensive research on how al-Qaeda got to use the Internet for their evil deeds. It’s a great read.
The Man Who Put Al-Qaeda On The Web
Like radar in the last century, the Internet is a radical new tool that is helping to redefine the dimensions of warfare. For al-Qaeda, the shadowy terrorist organization behind 9/11, the Net is helping it to be everywhere and nowhere.
But there are real people, in real space, maintaining what is, in effect, al-Qaeda's I.T. department. Last October, the most important member of that group so far -- the man who has been called "the Godfather of cyber-terrorism" -- was arrested. He is a 22-year-old Muslim immigrant to
On that cold autumn morning, police raided the
The three suspects were reportedly discovered at least in part as the result of intelligence obtained in previous busts in
Although he may have been part of those cells, Tsouli was not your ordinary terrorist. By all indications, it appears that he was the most visible al-Qaeda Internet operative so far, better known by his screen name: Irhabi007.
Radar brought pinpoint tracking to the age of centralized warfare. By contrast, the Internet, in this distributed age, is helping to decentralize warfare. And like many decentralized franchises, al-Qaeda has come to use the World Wide Web for marketing, distribution, research, fund raising, recruiting, and, on occasion, operations.
Marketing Terrorism
But, at first, the Internet was only a means for al-Qaeda to distribute its equivalent of brochures. "Initially, before 9/11, [al-Qaeda] appeared to be using the Net primarily as a marketing tool," says Ned Moran, an intelligence analyst at the
Shortly after 9/11, Almeda.com and others were attacked by unknown hackers and shut down. It was about the time that al-Qaeda was being pushed out of
At that point, Moran says, "They were forced to innovate." On the Internet, al-Qaeda undertook two big innovations.
First, like any organization that wants to secure a loyal base, al-Qaeda wanted to increase its online "stickiness" and cultivate its market, and so it started to use community-building tools. Bulletin boards, chat rooms, and other mechanisms -- sometimes under passwords and mostly in Arabic -- became key attractions.
And, second, the Internet operations began to repeat themselves. Many sites were launched, and content was cross-posted between several dozen of them. Al-Qaeda's Internet operations began to mirror its replicating terrorist cells, multiplying as soon as some were destroyed. But all the while, the Net was a key unifier. The Internet operation, Moran says, was "the central pole in the tent holding up the organization."
Al-Qaeda became, in the words of a BBC2-TV series last year, "a global brand driven by the power of the World Wide Web."
But Aaron Weisburd, the head of an anti-terrorist group called Internet Hagganah, downplays the number of al-Qaeda sites. "The 'proliferation of jihadist Web sites' is not quite the problem it is made out to be," he says. "There are really only a handful of Web sites of significance, and the rest are peripheral, though as Web sites fall, some in the periphery may gain more significance."
Weisburd contends that, behind the curtain, "There are only a relatively small number of people responsible for much of what we see online."
License to Kill
It was in this murky scene -- al-Qaeda emerging in various forms on the Net, but with no dominant personalities -- that a character known by the screen name of Irhabi007 emerged.
Posting and boasting his way to prominence, Irhabi007 started appearing on radical Islamist bulletin boards and in chat rooms. He had no apparent reluctance in melding "irhabi," which means "terrorist" in Arabic, to the code number of the world's most famous, albeit fictional, British secret agent.
In addition to his proclamations, Irhabi007 frequently posted low-level, apparently stolen documents, such as a purportedly official Israeli map program, complete with serial number, and a U.S. Army Handbook on Intelligence for Combat Commanders. He was also posting training tips about the Internet for other jihadists.
Irhabi007 "put a face and a name to al-Qaeda's Internet presence" for the first time, Moran says.
According to Internet Hagganah, Irhabi007 was not a native speaker of Arabic, and, when posting in that language, he used translation software. But English was often his language of choice. "We all know some Yankees recentely [sic] got back from Iraq," went a typical posting, as quoted by Internet Hagganah, "and we all know these idiots tend to tape on camera anything so im [sic] sure in a couple of weeks we might see personal home pages displaying footages from Iraq giving us a little insight into how things go."
Irhabi007 was also becoming known for ratcheting up al-Qaeda's use of the Internet for propaganda, rapidly posting documents and media. For instance, he gained notoriety for quickly posting the gruesome video of American Nicholas Berg's beheading, as well as many videos.
The Berg decapitation was reportedly downloaded half a million times in 24 hours. As was his specialty, Irhabi007 made sure that it was cross-posted at other sites, in order to handle the traffic. He was, Moran says, "sort of al-Qaeda's super administrator."
The 2004 Berg video in particular became a model. It showed a masked man purporting to be none other than Abu Musab al-Zarqawi as the executioner. Killed in June by an American air assault, al-Zarqawi was the apparent leader of the al-Qaeda contingent in
In fact, it was Irhabi007's speed in posting information and media relating to attacks, especially those in
The Net-distributed videos and proclamations became an important part of al-Zarqawi's outreach to the faithful. Osama Bin Laden was known for using Al Jazeera, the Arab world's most prominent TV network, to get his message out. But beginning with a communiqué posted on a jihadist forum in 2004, al-Zarqawi began to cultivate the Internet to distribute pronouncements and media.
Al-Zarqawi discovered, for instance, that when he allowed a video scene to be posted showing his face for the first time, within hours followers had posted translations of his words into several languages. If the Web was pumping up the global brand of al-Qaeda, that brand was hot in certain circles.
And Irhabi007 was its PR guy.
"He facilitated a lot of online activities," Weisburd says, "often committing crimes along the way. He was always part of a bunch of guys all working on similar projects, not all of whom are in custody." Far from being a tech mastermind, Weisburd says, Irhabi007 "was more a problem solver than a great hacker."
"He seemed to have had an energizing role, in that videos started to regularly appear," says Mark Burgess, director of the World Security Institute's office in
Binary Bread Crumbs
According to Internet Hagganah, by mid-2004 Irhabi007 had established a pattern of behavior that included posting Web pages on free hosting sites, sometimes with downloadable materials. He was regularly posting on jihadist forums like al-Palsm and al-Erhap and, when those forums ended, on another called Muntada al-Ansar al-Islami. The al-Ansar forum in particular was connected to al-Zarqawi.
Irhabi007 was beginning to attract his own following, with terrorist wannabes sometimes attaching "007" to the end of their screen names. By the fall of 2004, he was able to post videos of suicide bombings faster and more efficiently than most others, and received a clear mark of distinction: public praise from an aide to al-Zarqawi. According to the
Internet Hagganah said it kept after Irhabi, getting the free Web and FTP sites he was using to shut down. "The point of that effort was not to silence Irhabi007," the group reported later on its site, but "to keep him busy. This increased the chance of him making a mistake that would allow us to locate him. The plan worked better than expected."
"There's an old saying: In jungle warfare, the jungle is neutral," says Burgess of the World Security Institute. "Like anything else, the Net has its vulnerabilities. [Terrorists] can spread their ideology, but potentially they can be tracked down."
In mid-2004, Irhabi007's brazenness began to work against him. In July, he became an FBI target for the first time when he tried to use an FTP server that belonged to the State of Arkansas Highway Department.
He even registered www.irhabi007.org as a domain, using the name and address of an American first lieutenant stationed in
When, at one point in 2004, Weisburd and his group succeeded in getting Irhabi's service provider to shut him off, Irhabi hit the roof. He posted threats in chat rooms of how he was going to slice up Weisburd. Weisburd, who acknowledges that he always keeps a loaded gun nearby, reported the threat to the FBI.
But then Irhabi started to leave a trail. On a site he was developing to post threats against targets in
Then, Weisburd says, his group did a little fishing. Internet Hagganah posted a notice on its site warning that Irhabi's files were infected.
His wounded pride as an Internet administrator must have affected his judgment, because, in reply, Irhabi became even more careless. As part of an effort to show that his files were not infected, Weisburd says, Irhabi posted a screen shot that included a third IP address -- but it was only partially blurred out.
According to Weisburd, all three IP addresses pointed to the Ealing area of
Since Tsouli's arrest, no one has posted using that screen name.
Calculated Risks
Although Irhabi007 seems to have been involuntarily retired, the Net-based terrorist subculture could yield another star. There have even been online competitions, according to Burgess, in which prospective terrorists can display their skills, such as a competition to fire a rocket and hit a
But this isn't American Idol. If it's a War on Terrorism, why aren't the sites being forced to shut down by Western authorities?
"While these sites can present a danger, they give us a great window into [terrorists'] mindset," says Moran, the intelligence analyst. As an example, he cites a recent, foiled plot to blow up buildings in
There has also been speculation that some of the al-Qaeda sites are actually "honey pots" -- fake sites set up by Western intelligence agencies as part of a Net-based sting operation, in order to capture such information as the credit card numbers used to buy videos.
Some have wondered if, by not immediately trying to shut down sites that post information about making bombs and poisons, authorities aren't taking a fatal risk in the name of acquiring intelligence about a bigger plan. Not to worry, says George Smith, a senior fellow at the public-policy and research organization GlobalSecurity.org. Smith dismisses the effectiveness of al-Qaeda's online training information. "The level of sophistication is equivalent to what teenagers were distributing about 10 or 15 years ago," he says.
While al-Qaeda and its sympathizers see the Internet as another weapon in the hands of radical Islam, it is in fact "a double-edged sword," Moran says. Terrorists can recruit, propagandize, even exchange tactical information, he says, but they are also vulnerable. "They can be tracked down."
As in the jungle, successfully tracking down targets requires that they leave a trail.
Some observers believe that al-Qaeda Internet operatives are not much more than serious amateurs, unable to hide their activities very well. Moran notes that in discovering a reported plot targeting commuter trains in
GlobalSecurity.org's Smith describes the general level of Internet security maintained by al-Qaeda as "really lousy," and says that its sites are routinely invaded by people within
But primitive can be deadly. After all, primitive box cutters and a basic understanding of how to fly a plane brought down the
It means that it will be much harder to track and decipher the terrorist network, Moran says. For example, if al-Qaeda ever mastered heavy encrypting of communications, he says, it could lead to major problems. "And al-Qaeda might only need that info to stay encrypted for 24 hours. NSA (the National Security Agency) might be able to decode it, but maybe not fast enough."
Moran says he believes al-Qaeda is trying out new tactics, such as saving communications as "drafts" within free e-mail accounts but never sending them. If the message is never sent, it can never be tracked. But anyone can log onto a free e-mail client with a screen name and password and read the information contained in the draft.
There have also been unconfirmed reports that al-Qaeda has used steganography, the process of writing hidden messages that only the intended recipient will recognize. Al-Qaeda's particular brand of steganography encodes media files -- such as a photo -- with secret messages that can be seen only at the binary level, when the photo is reduced to its bits and analyzed.
Not all observers believe that al-Qaeda's Internet operations are junior-grade. Some experts, such as terrorist researcher Evan Kohlmann, have said that al-Qaeda is quite sophisticated in its use of the Internet. And another terrorism expert, Bruce Hoffman of the Rand Corporation, recently testified before Congress that not enough is being done to counter al-Qaeda's propaganda on the Net.
Finally Paying Attention
Regardless of al-Qaeda's level of expertise, there are indications that Western authorities are finally paying serious attention to what might collectively be referred to as al-Qaeda.com.
They apparently now realize that al-Qaeda's use of the Internet, as described in a 2003 study by the U.S. Army War College, constitutes "an outstanding command-and-control mechanism." And at least some authorities realize the obstacles the West faces in bringing down such a mechanism, including a lack of native Arabic speakers who are also computer experts.
"The tipping point might have been the
A tipping point seems to have been reached by al-Qaeda as well, in that the Net has become invaluable in both the ideological and actual war against the West. Tsouli, his presumptive alter ego Irhabi007, and al-Zarqawi are now out of the Internet business. But they have helped to establish the notion of online jihad as war by other means.
By the end of World War II, the Allies had the upper hand in radar and planes, and we owned the sky. Whoever owned the sky, won the war.
But no one owns the Internet. And, at this point in history, it is not yet clear if the online War on Terrorism will ever fall off the radar.