Edited by Christian Lowe

Vote: Fortune 500, or Al-Qaeda?

People working together on projects tend to interact in fairly predictable ways -- whether that project is installing a new computer system, or blowing up a building. So looking only at the links between people won't tell you much about what those folks are up to. At times, the links can be rather deceptive, in fact, especially if your data set is huge, like the NSA's ginormous database of phone records. Other information is needed to fill in the gaps.

Here's an example, below. Can you tell which cluster is from a Fortune 500 company, and which one is from Al-Qaeda? Network analysis guru Valdis Krebs shows this slide to corporate and government audiences. Their answers are usually pretty scattershot. Take your guesses in the comments section. Valdis will be back later on with the right answer.

[Image: 2nets.JPG]

Comments

It's the one on the left. God told me.

Posted by: bill waters at October 31, 2007 10:17 PM


I don't see a response from Mr. Krebs. Please...which one is which?!?

Posted by: SNA_Novice at September 27, 2007 10:03 AM


Does it make a difference? Just as in the Viet Nam war, we could have ended it by bombing a dam located within miles of Hanoi.
Bush won't be effective; if he wanted to be, he could give farmers in Afghanistan money to raise crops other than poppies, which is what is funding AQ.
But no one wants to do that...

Posted by: Tom at August 24, 2007 07:21 PM


My guess is the one on the left is Al Qaeda due to the multiple connections between cells, few inter-cell connections, and larger central hub.

In industry, cells/departments have specific patterns:
- Outlying clusters usually have 1 connection since there is only one manager or one external contact point.
- Leaves of a cell may connect to leaves of other cells. E.g., a developer may call a hardware tech for questions. This bypasses the central hub.
- The core is tight -- few external contacts. This is due to a core management team (e.g., CEO + VPs).

The graph on the right shows all of these features.

For terrorist networks:
- The main hub has many cross-connections. This prevents a single loss (capture/kill) from breaking the entire network. (Industry does not worry about this since subordinates are documented. Terrorists usually do not document structures since documents could compromise their network. Redundancy is used in lieu of documentation.)
- Cells may have cross-communication with parents, but are isolated from other cells. The multiple connections to parents show the communication redundancy. There is no intercommunication between cells because they do not know the other cells exist.

This matches the graph on the left.

Then again, I could be wrong.
A lot of this depends on the source of the data, duration of the collection, and scope of the graph. Is this a single Fortune 500 company or a department? Do the graphs span a week or a year?
Are the graphs from phone trees, network connections, IRC, IM, or something else?

Posted by: Dr. Neal Krawetz at May 17, 2006 08:59 AM



Could someone please post those graphs in the form of an adjacency matrix; it would make the analysis a little easier than trying to do it by eye. Also, there is something very dubious about these graphs, which is to suggest that all of these interactions are somehow equal in weight.
One immediate comment is that the graph on the right at least appears to my eye to have a generally higher average degree than the graph on the left (i.e., greater average number of neighbors). At the same time the graph on the right has many more nodes of degree one.
Is it obvious that "splinter cells" have project-related interactions with other cells at all? It seems that identifying the graph based on these graphs depends critically on exactly what is the definition of what creates an adjacency (a link).
Just my thoughts. It would be my opinion that there is not enough information here to make the determination without at least substantial prior knowledge about the nature of graphs of known entities (other Fortune 500 companies, other clandestine networks).

Posted by: Aaron at May 16, 2006 02:57 PM
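As an added example, not part of the original post or of any commenter's work: the structural descriptors raised in Dr. Krawetz's and Aaron's comments (average degree, the count of degree-one nodes, and whether losing the single best-connected node breaks the network apart) computed over two small constructed contact graphs, one with a cross-connected core and mutually isolated cells, the other a one-manager-per-department hierarchy. Both graphs are made up for illustration and are not the two networks on Krebs's slide; as the post says, these numbers describe structure only, not what the people are doing.

```python
from collections import deque

# Constructed graph A: a cross-connected core plus three cells that each keep
# two ties into the core but never talk to another cell (the redundant-hub pattern).
CORE_REDUNDANT = [
    ("c1", "c2"), ("c2", "c3"), ("c1", "c3"),                              # core triangle
    ("x1", "x2"), ("x2", "x3"), ("x1", "x3"), ("x1", "c1"), ("x2", "c2"),  # cell X
    ("y1", "y2"), ("y2", "y3"), ("y1", "y3"), ("y1", "c2"), ("y2", "c3"),  # cell Y
    ("z1", "z2"), ("z2", "z3"), ("z1", "z3"), ("z1", "c3"), ("z2", "c1"),  # cell Z
]
# Constructed graph B: one manager per department, staff with a single contact
# point, and one leaf-to-leaf call that bypasses the hub (the "industry" pattern).
HIERARCHY = [
    ("ceo", "vp1"), ("ceo", "vp2"), ("ceo", "vp3"),
    ("vp1", "a1"), ("vp1", "a2"), ("vp1", "a3"),
    ("vp2", "b1"), ("vp2", "b2"), ("vp2", "b3"),
    ("vp3", "d1"), ("vp3", "d2"), ("vp3", "d3"),
    ("a1", "b1"),                                          # developer calls hardware tech
]

def adjacency(edges):
    """Undirected adjacency sets built from contact pairs (an adjacency matrix, stored sparsely)."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def component_sizes(adj):
    """Sizes of the connected components, found by breadth-first search."""
    seen, sizes = set(), []
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        sizes.append(size)
    return sorted(sizes, reverse=True)

def summarize(edges):
    """Structural descriptors only: they say nothing about what the people are doing."""
    adj = adjacency(edges)
    hub = max(adj, key=lambda v: len(adj[v]))          # first node of highest degree
    without_hub = {u: nbrs - {hub} for u, nbrs in adj.items() if u != hub}
    return {
        "avg_degree": sum(len(n) for n in adj.values()) / len(adj),
        "degree_one": sum(1 for n in adj.values() if len(n) == 1),
        "hub": hub,
        # how many pieces remain when the single best-connected node is removed
        "components_after_hub_loss": len(component_sizes(without_hub)),
    }

if __name__ == "__main__":
    for name, edges in (("core-redundant", CORE_REDUNDANT), ("hierarchy", HIERARCHY)):
        print(name, summarize(edges))
```

The redundant-core graph stays in one piece when its top node is removed, while the hierarchy splits into three, which is the robustness property Krawetz's comment attributes to cross-connected hubs.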


It's the cell on the left, of course :)

Seriously. The cell on the left has splinter groups that are not connected, and that is how I would picture a terrorist group that wants to avoid all members knowing each other. The one on the right has everyone talking to anyone - this is not secret enough.

Companies and normal social groups don't try to hide their alliances and give false trails where a secret organization would.

Posted by: J at May 16, 2006 10:28 AM


I've been thinking about it.
It's strange how social webs look like terrorist organizations; right, it's correct because all the cells have been organized with almost three persons and the staff department of Fortune only have two.
But it seems like a normal democracy social web design; it's like a signal of how all the dynamics of man move, like democracy or the ancien régime, making another dynamic in the same way but in a different direction, like terrorist or revolutionary strikes like the French Revolution.
We have to take care in what we are working on to stop the Al Qaeda dimension of operative cells; if we make other dynamics, like making a stronger state with non-legal moves ("non legal" because "Auctoritas, non Veritas"), we are working at the same time in the opposite direction.

Posted by: Negroi at May 15, 2006 10:33 AM


Given that the fundamental basis of criminal or terrorist cells is that there needs to be minimal knowledge of the rest of the organisation within each cell, neither of the diagrams presented fits the model. Parts of each one do, but they are not consistent. A terrorist cell model would suggest a web of concentric circles, with very few connections between the circles, the point being that people in the outer rings can't identify the people further in.

Posted by: Tony James at May 15, 2006 08:52 AM


The left is how I picture the Islamic family/social structure. Cell.
The right looks like it would need the concept of individuals to work. Fortune500.

Posted by: Mr_Oni at May 14, 2006 03:59 PM


I predict that the model on the right is more likely to be that of Al Qaeda. There is too much communication between reference points, centrally, on the left model. That seems more in keeping with a corporate model.

But, many of the connections that we can attribute to the Al Qaeda model may be misleading. It is known that phone calls can be traced and linked. A false pattern may have been laid in order to hide a true pattern. And that would be difficult to empiricize without knowing how such a pattern is being obfuscated.

Posted by: Kevin Harris at May 14, 2006 01:20 PM


That's right, there's no point in trying to spy on terrorists since the average man on the street can't tell the difference between two network diagrams. It's all for nothing, we may as well just give up now.

Posted by: John at May 14, 2006 01:15 PM


wow, I've accidentally logged on to a NSA training session! All 23 of you fail I bet. you're hired!

Posted by: lester at May 14, 2006 12:47 PM


3) If you were Osama Bin Laden in one of the two, which solution would you choose to avoid being vulnerable to internal spies and confession by detained members?

Posted by: pedestrian at May 14, 2006 03:43 AM


Shall these facts be a hint:

1) Several analyses claim a decentralized network of Al Qaida (however, I disagree with this)

2) There are multiple subgroups that operate under the Al Qaida franchise, such as Al Qaida in the Land of Two Rivers (Al Qaida in Iraq)

Posted by: pedestrian at May 14, 2006 03:36 AM


My mathematical ineptitude is legendary but looking at the chain of communication, logic would suggest that the right model is the AQ as we've been led to believe it exists. A central command where the outside hubs don't communicate with the central authority. But the model is too symmetrical. It has a sense of predictability that wouldn't be conducive to clandestine operations. It fits the corporate model better. Corporate decides on the action and then passes the commands to the outposts. I would think the project in question would be something like a coordinated ad campaign for car dealers.

The left model doesn't fit my conception of how a cell would work either. The asymmetrical and somewhat unclear hierarchy fits but there's entirely too much contact between the parties. It suggests a corporate software collaboration to me more so than a nefarious plot. I have the feeling it's neither but if I must choose, I'll go with the left.

Posted by: Libby Spencer at May 13, 2006 07:43 PM


Nick:

The "less-connected" Al Qaeda may well be out there -- you can't graph what you aren't aware of. To the extent that the "well-known" got that way because of their activities with others, it'd help explain the appearance of the AQ network diagram (regardless of which one that is -- I'd say it's the one on the right).

Posted by: Chris Walsh at May 13, 2006 05:22 PM


Which of them called or got calls from Afghanistan, Syria, Pakistan and/or Iran? How often? Did they place them or receive them? Did one usually call another after receiving a call from a third?

Without information on what the nodes are doing you can't do anything other than possibly determine the role they have in the organization. What he's presenting is just like a road map without the town names or indications of what kinds of roads connect them. If I claimed this edited and carefully selected image proved that road maps are useless would you believe me?

Posted by: Kevin at May 12, 2006 09:14 PM


Both go through a VP chain... sorry, the comments thread did not have both diagrams.

Two is still pretty even. As noted it's essentially a trick question and elements of each are within the whole.

Now imagine the NSA spying on false leads for everyone that ever called or was called by someone Bush would believe suspicious.

Posted by: Mr.M at May 12, 2006 08:29 PM


Neither one. We keep killing the number two and number three. It's one dot, running scared, unable to stage new attacks unless it gets on the phone to Madrid or London.

That said, the first shows one to two, and two acts like the one. Probably what the Al-Q network is like, one level repeats word for word what the operational information will be. Find who two is talking to and shut it down entirely.

The other is classic even distribution to the levels, a one three six, with a lot of distinction between those levels. More linear but still diffuse, but even distribution.

It's probably a trick question, the second graph fits between any first given or vice-versa.

Two looks like a cell on staged setting- everyone has specific jobs.

One looks like the overall body- source heavy, with several layers calling back at levels two and three to do dry runs and check awareness of being watched.

You know when AWOL needs a poll bump they let you know whatever they've got. Then the whole network tweaks its method...

It will get more difficult with time.

Most likely the second model applies to the Pakistani and Iranian nuclear programmes. The former being the top concern of proliferation outside the former Soviet.

Then again I'm not an official wonk, just looking at the numbers.

As others note- it is not hard to connect the dots when told Bin Laden determined to strike in the US.

Posted by: Mr.M at May 12, 2006 08:16 PM


On the left is the Fortune 500 group, it has more people who are many-ways connected. The one on the right has a more "cell-like" structure.

That's my guess.

Posted by: htom at May 12, 2006 04:59 PM


I've taken a few courses on networks, graph theory, etc. My guess would be that the network on the right is closer to being a traditional terrorist network (low internal connectivity except for a key group of leaders, little contact to the outside world).

However, my official response is that NEITHER network is Al-Qaeda. Frankly, there are so many networks out there that identifying them from this little information alone is pointless; the false-positive/false-negative rates would be atrocious.

The value of network analysis is not in identification, but in action. Knowing the network structure is key to disabling communication. In essence, divide and conquer by taking out the most connected nodes.

Posted by: Ben W. at May 12, 2006 04:56 PM


Two graphs isolated from existing previous knowledge do not yield much info of value. Instead, take the set of previously known Al-Qaeda operatives and see if any of them map into either of the two graphs. The cell of bad guys would stand out and it would be easier to "connect the dots".

Posted by: Dale at May 12, 2006 03:14 PM


Corp is right, Al Q on the left - it being less centrally controlled and less evenly distributed. The right has such lovely arcs of hierarchy.

Posted by: LauraN at May 12, 2006 02:48 PM


Timothy's comment sent a mouthful of lunch flying across the room.

Posted by: christian herold at May 12, 2006 02:47 PM


duh....to make myself clear, I meant Al Qaeda is on the right.......

Posted by: PSD at May 12, 2006 02:44 PM


I'm thinking the one on the right with the dead-enders (I'm with you, DS).
Now let's see if I've watched enough spy movies and read enough spy books.......

Posted by: PSD at May 12, 2006 02:38 PM


I'm guessing left for the Al Qaeda network and right for the Fortune 500 - no particular reason, it just looks like that there are layers of middle-management on the right-hand diagram.

Posted by: dan at May 12, 2006 02:20 PM


But where is the link between the two?? :D

Posted by: Timothy at May 12, 2006 01:37 PM


I'm gonna go with the one on the right as the 'Al Qaeda' network. My reasoning is this: After operatives or cells are established, there is going to be very little communication between those individual operatives in the traditional sense. Maybe through a single email account, but certainly not by cellphone or traditional communication. So that, to me, would explain the 'dead ends' at the outer edge of the network on the right. Also, remember that a lot of those operatives would not be coming back from their mission.

Posted by: DS at May 12, 2006 01:13 PM


I'd like to know a little more about the kinds of communications that were included in building these diagrams. Did the net pick up everything, or were personal contacts filtered out?

I make that point because, if they were not filtered out, then the diagram on the right makes more sense to me. Fortune 500 companies are often hierarchical structures with geographically and socially disparate (and sometimes almost distinct) segments. You wouldn't expect much personal or business-related contact between lower level personnel in different segments of the organization in different geographic locations.

Terror networks, on the other hand, include relatives and are built through social and often familial networks. Despite a "cell-based" operational structure, designed to restrict the flow of operational information and limit the penetrability of the organisation, you would expect those social and familial connections to maintain their significance, creating more "inter-cell" chatter.

So if social and familial "chatter" is included in the set of information used to create the diagram, my vote is for the one on the right. Otherwise, my vote is for the one on the left.

Posted by: CPetelle at May 12, 2006 12:24 PM



Does it matter which is which as long as they are properly labeled?

The reason I say that is because from an IT Security Perspective, both diagrams are giving me useful information to exploit. Whether looking from a penetration or central hub perspective, the diagram gives me information regarding starting points and major distribution points within the network, where I can probe without much intrusion, and where I can probe with and gather the most useful information.

Without more information and using this example I would say it looks to me like the NSA is actually doing its job, and I'm not even sure I think it is legal.

Either way, I think DefenseTech is taking the right approach, this issue needs to be evaluated in depth from an IT perspective, because I myself have generated reports very similar to both shown above for over a decade within my very large organization, and it continues to be a useful tool with useful information.

My first impression given the very little information we actually know to date is, I wonder which vendor the NSA uses for their network modelling, because an NSA endorsement isn't exactly a bad thing.

Posted by: Raymond at May 12, 2006 11:51 AM


I'm with JJ. There's a reason we call them "splinter cells."

Corporate America doesn't trust its workers enough to act on their own.

Posted by: Scott Ross at May 12, 2006 11:18 AM


The one on the right looks a little less centralized. So I'll say that's Atta & Co.

Posted by: Noah Shachtman at May 12, 2006 11:17 AM


The one on the left seems to be Al-Qaeda because it seems to demonstrate more of the sleeper/splinter cell mentality than the one on the right. The one on the right shows more of a centrality in the bottom-center section of the graph.

Posted by: JJ at May 12, 2006 11:15 AM


No guess from me, I can't tell the difference and I don't feel like taking credit or blame for a coin flip. However...

I would have expected a difference. Naive me would have expected Al Qaeda to be significantly less connected, in order to aid in operational security (in the security vs control tradeoff).

But that's why I'm the ignorant moron.

Posted by: Nicholas Weaver at May 12, 2006 11:14 AM

