Observations on the Surveillance that Resulted in the Capture of Salah Abdeslam

Interesting analysis from The Grugq:

Bottom Line Up Front

  • Intelligence agencies must cooperate more rapidly and proactively to counter ISIS' rapid and haphazard operational tempo.
  • Clandestine operatives must rely on support networks that include overt members of the public. These networks are easily mapped out based on metadata available to nation state level security forces.
  • Fugitives should learn to cook if they want to minimize their footprint and improve their security.
  • Exposure of clandestine networks is inevitable, given modern data sources. Only extremely disciplined non-organic organizations can hope to survive for long.

Details at the link.

That third item is related to the "unusually large" pizza order that alerted the police that there were more people in the house than should be.

The bottom bottom line is that tracking people, and tracing groups of people, has become easy because of all the unencrypted metadata we generate everywhere.

Posted on March 22, 2016 at 6:37 AM • 62 Comments


curiousMarch 22, 2016 6:53 AM

Additional bottom line: keep focussing, you might miss some major terror attacks the next day

Grouchy GuyMarch 22, 2016 7:03 AM

I going to throw a BS flag on an analysis that claims meta data will be able to track clandestine groups.

The only thing it's good for is piecing together a trail AFTER the fact on an event.

The real bad guys are going to move around, change electronics, who they see or don't see, they sure won't reveal themselves openly via rf. It's nonsense to claim otherwise.

They will make operational mistakes like criminals have always done. And they will be caught by standard investigation techniques where electronics are but one of many sources for clues.

Meta data is useless in preventing attacks. Meta data is useless in tracking someone who doesn't want to be tracked.

Meanwhile millions of citizens are victimized by oppressive governments using meta data to control our speech, our thoughts and our minds.

fajensenMarch 22, 2016 7:22 AM

So far, *all* the terrorists were well known to the police already; so, yes, they were easy to track simply because the police knew who (and what) to look for.

And - Yet, the police didn't manage to disrupt their terrorist acts.

Tracking ever more people because it is "easy" will just make the police miss even more terrorists and look even more incompetent. In fact, they busted Abdeslam & Co based on MK-II eyeball and MK-IV boots on the street - NOT metadata.

Old-school police *work* did it, not the hundreds of geeks in a bunker lined with monitors (As seen on TeeVee) ceaselessly tuning deep neural networks and tuning crappy video feeds to crisp perfection that the police say they want to have.

chuckbMarch 22, 2016 8:37 AM

While you and governments focus on encryption and metadata and hi tech analytics, ISIS seems to have moved to operations coordinated using multitudes of cheap disposable "burner" phones. KISS wins again?

Renato GolinMarch 22, 2016 8:38 AM

I'm worried your "conclusion" is going to re-entice political "leaders" to re-request ban on encryption.

If everything you have ever said before is true (and I do believe it is), tracking metadata gives them far more than they need to track you down, and far less than they need to identify your intentions, so false positives kill its usability in any scale. Not to mention privacy concerns, etc.

So, either I got the intention of your conclusion all wrong, or your account was hacked.

Grouchier guyMarch 22, 2016 8:45 AM

And if they didn't use mobiles, social networks or order 10 pizzas at a time?

Anyway, meta-data is such a silver bullet that bombs apparently aren't going off in Belgian departure lounges and metro stations.

The usefulness of the techno-wizard approach is clearly over-stated, given it seems only useful after the fact. Standard investigation techniques and clandestine operatives are clearly needed for prevention.

As admitted by Belgian authorities:

"We just don't have the people to watch anything else and, frankly, we don't have the infrastructure to properly investigate or monitor hundreds of individuals suspected of terror links as well as pursue the hundreds of open files and investigations we have," a Belgian counter-terrorism official told BuzzFeed last week. "It's literally an impossible situation and, honestly, it's very grave."

tzMarch 22, 2016 8:56 AM

They will get the suicide bomber that chickens out after much effort.

Darwin award - at this point they know if you take a suicide vest, it is either use it or get caught. If he did blow himself up there would be no point in this celebrated tracking and capture.

Big data didn't see Brussels coming.

ianfMarch 22, 2016 9:08 AM

@ Grouchy Guy […] “Metadata is useless in preventing attacks… in tracking someone who doesn't want to be tracked.

By and large correct, but that largesse isn't unlimited. There must have been cases where ongoing collection AND realtime analysis of metadata, checking for "abnormalities" in traffic patterns, was of use (it's the unbridled hoarding of metadata that is counterproductive and ultimately dangerous to liberty that is the problem, not capturing it during investigations for immediate contextual frequency etc. analysis.)

And these metadata (one word; two-word "meta data" roughly means "data about data") needn't be of cellphone kind. I am reminded of the 1981 kidnapping of U.S. general Dozier, NATO deputy chief of staff in Southern Europe, by the Brigate Rosse in Verona. C-in-C Ronald Reagan got pissed off, dispatched an AWACS plane to Italy that for political reasons couldn't acknowledge being helped here by the Yanks.

Carrying upwards of 5% of all civilian computer power in Europe at that time, the plane criss-crossed the skies above Northern Italy checking for all sorts of signal that stood out from the noise. That was well before mobile phones, but there were other kinds of "collectible data." One of the leads they developed was a sudden rise in telephone traffic to and from AND electric juice flow in an apartment block in nearby city of Padova (Padua). This observation dovetailed with Italian intelligence's own earlier interest in that particular range of flats, and led to a successful raid by a SWAT team that freed the captive after 42 days.

I don't know what kind of traffic that AWACS plane hoovered up (probably the content of, not merely metadata), the accounts that I read of it are not very forthcoming, possibly for reasons of nominal illegality of such at the time. But even if they captured the [shared informal, contextually cloaked] voice exchanges, they would hardly be plain enough to confirm the suspicions to third party listeners. So it was the comparative analysis of metadata VOLUME that provided that for the investigators.

Chris SMarch 22, 2016 9:16 AM

The claims are somewhat bogus - yes, it is easy to hoover up data and identify different networks, however the problem is still one of picking out the particular networks that one should target.

Predictions based on purchasing patterns are going to contain a huge number of false positives, again once you have your eyes on particular individuals purchasing patterns can help, but not before.

KentonMarch 22, 2016 9:17 AM

"Exposure of clandestine networks is inevitable, given modern data sources."

Hmmm, so clandestine 'government' networks (like NSA, secret police, classified government activities) will also inevitably be exposed in detail by "modern data sources" usually developed by private companies and available to those outside 'any' clandestine network ??

(... and what exactly is an "organic organization"?)

keinerMarch 22, 2016 9:29 AM

@ianf Any sources for this AWACS part of the story? Or simple telephone and electricity grip surveillance as in Germany in the 1970s?

xyzMarch 22, 2016 9:43 AM

So, who is this "the grugq"? Experienced operative? Intelligence analyst? Counterintelligence agent?

No, he's a "security researcher" with 15 years of experience. Experience in what exactly?

de La BoetieMarch 22, 2016 10:06 AM

There was a somewhat relevant reality TV type thing on the UK Channel 4 programme called The Hunt. The proposition was that a person would have to go on the run from a group of security service people (operating as a private service), but given permission to search the participant's houses, and calls made to/from their phones etc.

It was obviously very difficult to stay hidden, even though the hunters did not have the full access that the state would have. The biggest risk by far was the mobile phone, and ringing "home" to people the fugitive knew (or from phones of possible associates). There are a huge number of leads that the hunters can get, and the fugitive only needs to slip up once. The central point of the argument - that the snowstorm of metadata makes it easier to find a suspect is clear.

HOWEVER - while this might be an argument for targeted investigation (a limited number of hops), and usually the cellphone metadata is the best source, whoever this belongs to - it is emphatically not an argument for weakening encryption. Encryption of content does very little to hamper the highly useful data collection from cellphones.

Nor is it an argument for bulk surveillance - the networks they've uncovered can be the result of specific investigations or reports because that results in reasonable actionable intelligence. As it was, the police investigation was sadly exposed to the risks of this lead. Bulk surveillance would only result in far higher false positives and wasted time.

Finally, this is a hunt after the event. While it might possibly provide better current information on ISIS tactics, as Bruce is fond of pointing out, there's no particular reason to suppose that they will not change tactics or operational security details.

BMarch 22, 2016 10:34 AM

The bit about pizzas reminded me of the (possibly apocryphal) incident with the pizza place near the White House, whose owner could predict when a big announcement would be made. It turns out the President's staff would be up late working the night beforehand, and would order a bunch of pizza -- always from the same shop.

ianfMarch 22, 2016 10:54 AM

@ keiner Any sources for this AWACS part of the story?

Fair enough… I remember the AWACS mentioned briefly in that context in one of countless books on terrorism etc that I researched 20-25+ years ago. Then I was reminded of it quite recently in a half-hour episodic TV documentary about modern terrorism, 7th out of 14 installments, about The Red Brigades, on an ARTE-like edu cable canal (this week: Baader-Meinhof, I'll check the credits). The series' original title could have been "One man's terrorist is another man's freedom fighter," and it was produced OR distributed by the BBC, TLC or maybe Open University (2008?), but I couldn't find it online. Reagan's ire and the AWACS were prominent in that segment.

The AWACS representing > "5% of all civilian computer power in Europe in 1981" was my addition/ assessment based on an article I once wrote about the über fast pace of technical progress.

@ xyz who is this "the grugq"? A "security researcher" with 15 years of experience. Experience in what exactly?

    Listen, there are more salonfähig ways of vouchsafing your ignorance in this forum than by going after the grugq. I'll tell you who the grugq is: he's the guy who doesn't want you (yes, specifically: you) obsessing over his identity.
@ B, these "pizzas to the White House always from the same place" can but be apocryphal. Because, if true, it would have represented a humongous threat vector: just place an agent in that pizzeria, wait, and then poison any dream team that the president assembled for some key talks or something. Besides, there is a 24hr kitchen and cafeteria in the West Wing, the office portions of the WH. Any pizzas ordered from outside would have to undergo security checks and risk getting cold. So those that are catered are probably "chaperoned" all the way in by Your Tax Dollar$ At Work.

AdamMarch 22, 2016 10:57 AM

I'm not sure learning how to cook would have helped here. If the woman was bringing in shopping of any kind it might have tipped anyone watching to the number of people inside.

Best precaution would be to stockpile the food beforehand. That or pick an enormously fat accomplice to allay suspicion as to the size of the pizza order.

Clive RobinsonMarch 22, 2016 11:01 AM

@ Bruce,

That third item is related to the "unusually large" pizza order that alerted the police that there were more people in the house than should be.

For those that watch films there is a bit in the Godfather about "learning to cook" when hidden up from a crime or hit.

All I can realy say is "it's old advice" that is going to be invalid in the near future due to your "white goods ratting you out" via the Internet of Things.

Likewise the other electrical items like entertainment systems TVs and radios.

All are "doing an ET" and "phoning home" with all your viewing / listening data. And your watching patterns / behaviour, just looking for changes to data mine a selling advantage. And due to US politicos making the "share all data and don't get the FBI cralling up your 455" legislation, they will be mining it to.

"Welcome to the goldfish bowl society"

Oh and if you think "using old kit" will remove the IoT issue, don't forget those smart meters, that can tell from the energy signitures what you are doing...

wiredogMarch 22, 2016 11:07 AM

It's pretty well known in the DC area that calls to Dominoes and other pizza delivery places from the Pentagon spike while something is happening. It's been written up in The Washington Post

BMarch 22, 2016 11:30 AM

@ianf Actually White House staff order take-out quite often, at least according to the news media:


Poisoning the dream team is possible, though I suspect that the staff we're talking about are much lower profile than that. As far as I know the majority of White House staff do not receive protection by the Secret Service, other than what they receive by virtue of being in the White House (but not e.g. when they are at home). The threat also seams a bit questionable -- who would seek to kill White House staff? Surely any nation-state or large/powerful organization would prefer to turn staff into spies than to kill them, so presumably we are talking about terrorists. I am not sure terrorists would gain much from quietly poisoning even the senior staff, as opposed to something more dramatic (e.g. involving bombs or guns). It also seems doubtful that terrorists would be interested in the majority of "big announcements" from the White House, most of which would have nothing to do with whatever some terrorist group is fighting for (why should ISIS care about a Supreme Court nomination, or the staff involved in preparing that announcement?).

Could it happen? Sure. Anyone could just be a psychopath who wants to murder a bunch of people. We all face that possibility every day, regardless of where we work, and personally I would rather take on the risk that my local Chinese take-out place has a psychopathic chef than avoid ordering their deliciously unhealthy food (and I suspect that White House staff feel the same way about their take-out)...

Milo M.March 22, 2016 11:36 AM


AWACS is designed to detect and track aircraft using Airborne Moving Target Indication (AMTI) radar. It is not a SIGINT platform.


Less expensive assets were used in the Dozier rescue.


"An ISA SIGINT team was sent to Italy, and in conjunction with other Army SIGINT and counter-intelligence units, employed aerial and ground-based SIGINT systems to monitor and geo-locate terrorist communications."

Michael Smith, "Killer Elite: The Inside Story of America's Most Secret Special Operations Team"

"While the caribinieri swamped the area between Verona and Venice with roadblocks, the Activity's Sigint specialists got to work trying to track down the Red Brigades' communications networks. . . . A Bell UH1 Huey helicopter, fitted out by ISA's own knob-turners with the latest frequency-scanning radio sets and electronic direction-finding equipment, flew circuits up and down looking for the walkie-talkie-style radio sets the brigatisti were believed to be using. 'The helicopter was a standard Huey,' one former member of the intelligence team said. 'The equipment was a test-set build within the unit. The approach was recommended, and developed by one of our warrant officers. A portable package that could be quickly put into an available aircraft was the goal. The army and intel community lacked such a capability.' . . .

The scanners on board the Huey helicopter raced through the frequencies looking for the ones the terrorists were on. Once they found them they could lock on to them and follow the Red Brigades' radio nets up and down the wavebands as they changed frequency. Other members of the Sigint team were on the ground in vehicles and in static locations looking for the terorists' communications links, searching through any type of means of communicatoin that might be in use. Details of all the frequencies, and the terrorist networks that were using them, were passed back to the National Security Agency at Fort Meade, Maryland, which tasked an Aquacade spy satellite above the Mediterranean to monitor the signals and help to pinpoint the Red Brigades' covos, their safe houses. . . .

Given the rough locations of districts where the US general might be held, the Acitivity's intelligence analysts carried out a study of electricity usage in recent months in all of the local houses and apartments, tapping the telephones of any house or apartment using unusual amounts of electricity. Eventually, on Tuesday 25 January, they found an apartment in Guizza where the power usage had suddenly increased on the day Dozier was kidnapped."

CamilleMarch 22, 2016 12:09 PM

"I'm not sure learning how to cook would have helped here. If the woman was bringing in shopping of any kind it might have tipped anyone watching to the number of people inside."

The crooks may eventually have to learn to cook each other to obfuscate not only shopping habbit but also shear number. Perhaps, the best moral lessoned learned here is don't commit crimes.

Mike FoleyMarch 22, 2016 12:23 PM

I'm a bit bothered at the European intelligence agencies sharing so many details. Like after the Paris bombing they talked about finding phones in the trash and now large orders of pizza... These are habits I'd prefer they don't share with the public so that the criminals keep repeating them making it easier to find them.

It's like burning a 0 day. Some things you might not want to share.

Anyways, JMHO....

TatütataMarch 22, 2016 12:30 PM

The AWACS representing > "5% of all civilian computer power in Europe in 1981" was my addition/ assessment based on an article I once wrote about the über fast pace of technical progress.

Aw come on, I don't believe it.

In 1981 there were certainly more than 20 state-of-the-art computing centres in Western Europe with IBM 370s, Amdahl, CDC big iron, European made and designed machines (Bull, ICL, Siemens, Olivetti, etc., and yes, IBM), probably several Crays, and quite a few 16 bit general purpose and process control machines. It shouldn't take that much effort to count of the actual users of such computing power (universities, railways, weather offices, utilities, PTT operators, research centres, etc.) in BE, FR, NL, CH, IT, UK, LU and DE.

My first paid job as a teenager in precisely that year was to produce a report from a tape of the computing centres running a certain hardware and software configuration. A friend of my father was into systems programming, and needed leads to sell his stuff. He bought a dataset on tape, but had the problem that it couldn't be read on his system. I could help thanks to my JCL-damaged brain. The report was quite sizeable.

And you mean to say that an AWACs carried the equivalent of, say, ONE high-end IBM 370 with peripherals, despite the space and heat dissipation limitation of an avionics platform, which must be shared with the radar and the interactive consoles? Probably Area 51 technology...

The AWAC platform isn't made for SIGINT. It's basically more something of a flying ATC centre. This is the impression when I walked through one on display at an air show 20 years ago.

Slime Mold with MustardMarch 22, 2016 12:37 PM

@ Clive Robinson

Re: Smart Meters

Any brilliant schemes for throwing their data all askewer? The power company has gotten around to us out in the woods. I need to run considerable, constant power over a period of weeks, stop, then repeat. I am not growing dope. Still, I would like to avoid documenting the odd pattern. I know how to bypass the meter, it's just that theft is not my style. I'll do it if I have to. Since the whole point of "Smart Meters" is to dismiss meter readers, nobody would notice a jump right at the box.

I've seen speculations about hacking the signal. More risk than benefit.

Your genius would be appreciated.

Anonymous CowMarch 22, 2016 12:47 PM

For those commenting on the AWACS: likely that was the published story. The actual aircraft likely deployed would have been either an EC-135 or an RC-135, both of which had a number of variants ("Looking Glass" being the best known). Both had variants that are electronic "hoovers" and the military did not - and still doesn't - like to talk about.

tyrMarch 22, 2016 1:24 PM

If I recall correctly in 1981 the TRS-80 Model 1
outnumbered all other computers on earth put
together. As is usual you probably can't even
find one in a museum today.

The military puts a lot of odd equipment into the
air. Sometimes it even works and sometimes the
fail is quite spectacular.

Paying attention to events sometimes make me feel
like Cassandra, seeing the future and no way to
make the changes to steer it into a better path.

There is a better path.

Dirk PraetMarch 22, 2016 1:34 PM

@ xyz

So, who is this "the grugq"?

Nice try, James Comey, but we can't help you either with that. Perhaps you should ask th3j35t3r ?

Tony H.March 22, 2016 4:59 PM

@Slime Mold with Mustard

@ Clive Robinson
Re: Smart Meters

I'm not Clive, but...

Any brilliant schemes for throwing their data all askewer? The power company has gotten around to us out in the woods. I need to run considerable, constant power over a period of weeks, stop, then repeat. [...] I know how to bypass the meter, it's just that theft is not my style. I'll do it if I have to. Since the whole point of "Smart Meters" is to dismiss meter readers, nobody would notice a jump right at the box.

Thing is, there is plenty of data available to the smart meters beyond just what your ongoing consumption is. F'rinstance, they can (indeed must) measure the supply voltage, and they can compare that with the voltage measured by neighbouring meters. And there are regional meters that measure an entire neighbourhood feeder. So... a simple application of Ohm's and Kirchhoff's laws. Match up the voltage at each point with a knowledge of the wiring topology in the area and the measured consumption at each meter, and the readings for a given meter can be inferred pretty accurately from all the others. Or to take the other view, if your meter's reported numbers don't match those calculated from what the others report, you may get an undesired visit from an actual human. One who is a little more educated in these things than your usual meter reader.

I am not growing dope. Still, I would like to avoid documenting the odd pattern.

You could ask that nice Mr. Musk to install one of his big battery packs for you to smooth things out. But of course then your data would go to him, as well as to the power company.

I've seen speculations about hacking the signal. More risk than benefit.

Yup - don't even go there. There's no point in doing some dumb DOS attack, and the mind boggles at the amount of subtle behaviour change you'd have to implement (at the same time) across all your neighbours' meters as well as your own to give a big picture view that doesn't ring any alarm bells.

BuckMarch 22, 2016 5:49 PM

@Slime Mold with Mustard, @Tony H.

If you can avoid hooking into the mains, use big batteries and a gas generator... Buy the gas in regular intervals, and consider installing some thermal shielding and soundproofing, depending on how paranoid you are ;-)

DanMarch 22, 2016 6:33 PM

@Slime Mold with Mustard, @Tony H,@Buck
Use a backup power supply + a generator. At my house, we have several backup power supplies(most of which are unused) and a generator. I have seen electric panels that let you run some circuits on mains and some on the generator (so that you can tell when power is back on, for instance). Run most of your circuits on mains and the secret device(s) on the generator. Or you can install solar panels (and battery for the night) instead of the generator. Go green, it's cheaper :-)

Dirk PraetMarch 22, 2016 6:51 PM

In the wake of today's Brussels bombings, there are couple of additional takeaways for terrorist organisations:

1) Get reliable personnel. Like Salah Abdeslam in Paris, one of the Brussels airport attackers chickened out at the last moment and ran off, leaving one suitcase bomb unexploded. It was later detonated in a controlled way by a sappers team.

2) Organise your own transport. This afternoon, LE raided an appartment in the Brussels suburb of Schaarbeek, and where they found Da'esh material, another nail bomb and chemicals for explosives. They were tipped off by a cab driver who earlier that day had driven three suspicious men to the airport and who had made a gigantic fuss about not being able to stuff two additional suitcases into the car. They had also insisted he didn't touch their luggage in any way.

Which means only two out of five suitcase bombs eventually went off at the airport. Had these operatives been just a bit more competent, the carnage would have been much bigger.

DanMarch 22, 2016 7:04 PM


The proper strategy is to buy the ingredients in advance. The long-term operator of the safe house should buy slightly more food than he/she actually needs(make sure it has a long shelf life) and accumulate the needed supplies over time. The operator should also frequently cook his/her meals and live in the same way he/she would live when someone comes over. These procedures would close several side-channels that might exist in a safe house.

BuckMarch 22, 2016 7:25 PM


Yeah, I'd go green too! If you're trying to be secretive though, you might have to reduce your down-time power consumption a lot too... How to explain such a large solar energy source when your grid-power usage stays about the same..? You're gonna need a really big battery!

sukau22321March 22, 2016 9:49 PM

@xyz...the first question in The Grugq club...is we do not talk about The Grugq club.

stineMarch 22, 2016 10:23 PM

Re: Smart Meters

Determine what your max load is going to be, and just run a dummy load in its place when the actual load isn't connected. Granted, your bill will be higher, but really, if you're going to just blow yourself up in 6 months....who cares.

Oh, and you should put a couple of window units in your back windows and cut their ceiling vents off in the attic to keep it a ?normal? daily temperature.

Clive RobinsonMarch 23, 2016 12:46 AM

@ Buck,

... consider installing some thermal shielding and soundproofing, depending on how paranoid you are ;-)

Unfortunately they are very limited in what they can do, as the waste energy from the inefficient generation process has to go somewhere...

Soundproofing is at best a misnomer, what it actually does is convert the mechanical energy of sound waves into heat over a limited frequency range. It won't stop the mechanical vibration of the gas generator propagating out past the "soundproofing" through concrete floors etc... Sail boat owners are well aware of this problem as they can feel and hear their hulls and rigging vibrate, and can on quiet nights can hear other boats over a mile away.

The solution is to mount the entire "soundproofed" generator chamber on appropriate absorbing mounts, which is both difficult and expensive. Modern active systems use "anti-sound" or sound cancelling techniques, but these have issues as well.

As for thermal shielding eventually it heats up as well, the laws of entropy require this in a closed system. The solution is to disipate the heat over as large a surface as possible and get it to radiate into the air etc. The problem is modern thermal imaging equipment used in LEO helicopters can detect fractional differences quite easily. Enough to spot somebody who is hiding in a garden shed garage or other outhouse. Worse with the increase of indoor cannabis farming the operators of the equipment are getting to recognise all the easy heat energy hiding tricks.

But unlike cannabis heat lamps a gas generator also produces quite unpleasant and deadly exhaust gasses. Normally their heat is what takes the gasses quickly away from those using the generator. If however you remove the heat, the gasses don't rise and disipate into the air, they hang around to poison / kill you, which is probably not what you want...

Speaking of cannabis growers and the police, not so long ago there were red faces all round in a UK police force. They had used a helicopter with thermal imaging to look for those growing in their lofts and used the image of one new build house as probable cause to get a warrant and mount a raid... Only to discover the house had been recently moved into by a female police officer and her family... A real "opps moment" because the press had been involved for some reason. The female police officer and her family were quite upset, but... are now in "hot pursuit" of the builder to find out why so much heat was "going out the roof" of the new build... Atleast she won't have to pay for getting evidence as the thermal image from the police helicopter is not likely to be challenged in court should it go that far. Not that the builder is "coming quietly" he's already told the press that the house was built and certified to the required regulations...

jellydonutMarch 23, 2016 3:23 AM

It's interesting to note that the same kind of error got El Chapo netted in Mexico - a large takeout order being delivered.

fajensenMarch 23, 2016 3:26 AM

@Dirk Praet:

It's a tuff task to get "reliable personnel" - who are also ready to blow up at short notice. I doubt one will get many candidates with a full deck of cards.

One can speculate on the terrorist who ran off in the airport: Maybe someone told the suckers that there was a "2 minute timer on that thing, plenty of time to get away clean" - and it turns out there wasn't.

Clive RobinsonMarch 23, 2016 4:56 AM

@ fajensen,

Maybe someone told the suckers that there was a "2 minute timer on that thing, plenty of time to get away clean".

Whilst it is possible, it's very unlikely. In recent times in WASP and other areas outside of the ME the only people to survive are those where incompetence was involved or one case of an undercover operative (underpats2) and one apparent coward (Paris).

In the ME however things appear different if recent press reports over arguments over wages in IS are to be believed.

It would thus appear that recruiters may well be specifically looking for certain types of young men in "ghetto" like areas to be suicide bombers, in much the same way the FBI have been alleged to do for their patsies.

At a guess those of a lower IQ that suffer from a Dunning-Krueger like inability to recognise their deficiencies, and a simplistic outlook on life that places them dead center in their world view. Almost a "I would have been someone if I had the money" type. They are usually quite malleable as far as who they blaim and respond to even tiny amounts of "ego food". If grouped with similar their mental outlook tends to suffer from downwards group think. It only takes a little pushing and minimal resources to start them on a track where they will find having their name written in every newspaper in their own blood desirable to an otherwise failed life and one where they betray the group etc.

It's one of the problems with strongly patriarchal societies where the development of a personal moral compass is considered far less important than doing what you are told by elders and leaders of community and religion. As for the leaders of religion in the case of suicide bombers, it's highly likely that the "preachers" they came into contact with were bought and paid for by the Saudi's, on Western and more recently Chinese Petro Dollars.

WaelMarch 23, 2016 5:05 AM

Just like the raid on el Chapo Guzman was triggered by a large food order, it seems Salah’s capture was based on too many pizzas. Maybe fugitives might want to consider cooking at home, rather than ordering delivery.

Well, I don't believe this part! This is disinformation at its worst. The ph**ers likely ordered a large quantity of lamb and Moroccan cuscus tagine. What really happened is the following: they got hungry one day, and they wanted the recipe genius to cook, but he only knows how to cook pipe-bombs, and the last time he cooked, he added nails and scrap iron to the dish which got their stomachs a little upset and got them constipated. They opted out for food delivery...

Moral of the story? Don't order too many pizzas, it's reason for suspicion! If you have Middle Eastern guests at your house, and you order pizza for them, then you'd better have a good lawyer and enough money for bail.

Prosecutor: And exhibit (a), your honor: they ordered 15 goddamn pizzas on that night, a-a-and we have the meta-data to prove they called the pizza place from their cell phone.
Jury: Holly sh*t! 15 Pizzas? Guilty as sin, your honor! Th-th-this is a clad iron proof beyond a "shadow of a doubt".

JacobMarch 23, 2016 5:33 AM

It's being reported that the third suspect from the Brussels' AP bombing was captured by police - in a Pizzeria.

It might be wise for the FBI, instead of going after the mythical "Encryption" stuff, to just open Pizza Parlors in various suspected places and within hours to scoop up all the terrorists in the area. Better than the Pied Piper of Hamelin.

Clive RobinsonMarch 23, 2016 7:23 AM

@ Wael,

Don't order too many pizzas, it's reason for suspicion!

You left the word "articulable" out... Remember this is being used to get warrants and the like, so realy is going up before a magistrate / judge for inking.

Thus it's now probably usable in "civil cases" as evidence on "balance of probability". Which means give it a short while and it will be used as "circumstantial evidence" in criminal cases such as "conspiracy to..."

I suspect the solution is establosh a "legand" or historical behaviour alibi, by getting a large flat screen TV and start with "big game nights" and then have the odd "movie nights" and make sure there is "beer in the bong" and fridge etc...

Then whilst some are watching and cheering/jeering or making other in articulate noises, you can sneak into another room to hold your "People's Front of Judea" revolutionary meeting...

Clive RobinsonMarch 23, 2016 7:29 AM

@ Jacob,

Better than the Pied Piper of Hamelin.

First or second time he led the "merry dance". Mind you there are a few places in London where the youth behaviour is such you would get both for the price of one ;-)

Dirk PraetMarch 23, 2016 9:44 AM

@ Wael, @ Clive, @ Jacob, @ Mike Foley, @ wiredog, @ ianf

Re. Pizza

Actually, the story is a bit different. The terrorists were smart enough not to order the pizzas themselves, but had them ordered by a known associate, then delivered to their door by the shops's delivery boy. Unfortunately for them, the associate was under surveillance and one of the monitors found it rather weird that he was regularly ordering large quantities of pizza to be delivered to another address and on really strange times of the day. At which point they decided to go check out that delivery address since only one person was registered there. When they arrived, they immediately got shot at ...

The obvious takeaway here is that your opsec is just as good (or bad) as that of the people you're dealing with.

@ fajensen

Maybe someone told the suckers that there was a "2 minute timer on that thing, plenty of time to get away clean" - and it turns out there wasn't.

Perhaps, but that's hardly the usual MO with jihadi bombings.

Clive RobinsonMarch 23, 2016 10:11 AM

@ Dirk Praet,

The obvious takeaway here...

Is not the pizza ;-)

More seriously, as any army commander will tell you "logistics is your main worry". Not only does an army march on it's stomach, everything else is either carried in or supplied. What can be carried is extreamly limited and will run out. Thus break the supply line and it's fairly quickly game over.

The same applies to covert operations, whilst establishing a good covert OP is important, getting resources in and out is a major threat to it's staying covert.

It's a lesson that the "self taught" criminals and worse tend to learn the hard way. As has often been noted befor "You need to mind your Ps" and many are familiar with "P155 Poor Planning and Preperation leads,to P155 Poor Performance".

As an excercise people should work out just how much they use of everything in a day and what's needed to keep healthy as well as take the waste away. Just one flush of a toilet is around ten kilos of water with about a couple of cubic feet of volume, add another ten for a realy quick shower and a couple of kilos for drinking and upto another couple for food prep and cooking... That's more than most people can carry on their backs...

Keith GlassMarch 23, 2016 11:21 AM

RE: Pizza as an indicator of activity at the Pentagon. Back in the late 1990s, there was a pizza place just outside the Navy Annex, on Columbia Pike in Arlington. They were the primary beneficiary of the "Pentagon Pizza Meter", because they were close enough that the pie would still be at least warm by the time it finally made it through security.

It no longer seems to be there, and in any case, since the Pentagon Renovation, beginning 1997 or so, a 24-hour pizza place was added to the Pentagon.

So, for the most part, the Pentagon Pizza Meter is no longer all that reliable a gauge of activity. . .

Slime Mold with MustardMarch 23, 2016 12:20 PM


RE: Smart Meters

Thank you for your input. I guess the simple solution is to fill a couple of the oldest refrigerators I can find with soda and beer, then switch the load right at the circuit breaker box. It will take a fair deal of tinkering to get the right match. It is not unusual for Americans to have a dedicated beer fridge in the garage. Two? I'll think of something.


Marcos El MaloMarch 23, 2016 2:50 PM

The U.S. authorities were able to tip off the Mexican police in the "Affluenza Teen" fugitive case after pizza was ordered on a monitored U.S. phone in Puerta Vallarta. I'm not surprised that a rich spoiled kid and his enabling mother would have crappy opsec, but c'mon. Burner phones are around $10 in Mexico.

Sancho_PMarch 23, 2016 5:30 PM

Re “war on encryption”

How could I be that dense …
When I was still chewing on the “electronic comm not found = they used encryption” enlightenment of our LEOs (and media) I was reminded to my childhood when we used diluted lemon juice as invisible ink (@Clive had a similar story?).
But I couldn’t transpose that idea to IT, how would they use lemon juice to write their email?

This is unbreakable encryption:
foreground color = background color
We have to ban html - email, otherwise our LE will be going dark :-(


Re “war on Pizzas”

- Wait a moment before banning pizzas:

Pizza isn’t causing the terror.
Pizza is a traditional, cultural food, not evil.
Pizza will not radicalize people - when combined with good red wine!

So let’s compel the pizza service to offer wine on delivery -
and to report those who refuse …

It is a cultural issue.
Same as the desire to be the world’s imperator, which is the real cause of terror.

userMarch 23, 2016 10:08 PM


If you're referring to hiding messages by making the text colour the same as the background colour, LE have been long aware of this.


Marcos El MaloMarch 24, 2016 1:59 AM


It's a really small amount of extremist pizzas. We mustn't forget that the great majority of pizzas are pieceful. Pizza actually means "peace" in Italian.

Did you also use the strip of paper wrapped around a dowel gimmick?

@user -- were you born that sharp or did you have to go to spoon school?

Mmmmmh DonutsMarch 25, 2016 1:37 PM

Can there be such a thing as Halal pizza?

Forty years ago I was aboard a northbound CNR passenger train in Canada that never made it to its destination, as the southbound train ahead of us derailed with a a couple thousand tons of pulp and paper products.

We were blocked for three days in the middle of nowhere until the train could back up the line.

Arriving at the first outpost of "civilization" at La Tuque, the conductor went around the train asking "pizza or chicken?". Two restaurants in town got the absolutely largest and oddest order in their existence.

That must have been REALLY suspicious. And there were also quite a few fully armed (and hungry) hunters on board.

WaelMarch 26, 2016 12:21 AM

@Mmmmmh Donuts,

Can there be such a thing as Halal pizza?

Of course, that's an easy one! There is also Halal pizza with bacon and pepperoni which can be gobbled down Halal wine and Halal beer! You probably had one of them and didn't even know ;)

If the owner of the pizzeria is a practicing Muslim then bacon, ham, and pepperoni are probably pork free. They are likely made out of either turkey or beef! You might want to check next time :)

Horst H. von BrandMarch 27, 2016 8:28 PM

Sure it will point out would-be-bombers. And also a group of teenagers taking advantage that the parents are away to plot a heinous party. Or finals looming over a class, getting together to cram for Computer Security. There will the hundreds of thousands of "weird behaviours", not just in pizza ordering but paint buys and excess laundry and high Internet use and whathaveyou. 99.973% of them perfectly benign. Of the non-benign ones, you'll have an overwhelming majority of "husband cheating on wife" and similar, a few criminal ones, and the very occasional terrorist plot.

Dirk PraetMarch 28, 2016 5:37 PM

@ Horst H. von Brand

There will the hundreds of thousands of "weird behaviours", not just in pizza ordering but paint buys and excess laundry and high Internet use and whathaveyou. 99.973% of them perfectly benign.

I think you're not entirely getting the point. Intelligent police work consists in correlating several in itself innocent looking pieces of data that combined give an entirely different picture. In the Abdeslam case, police was monitoring a known, radicalised associate who regularly ordered strange amounts of pizza at really weird hours to be delivered to a different location than where he was ordering from.

That's arguably something different than raiding a live music venue where the promoter is regularly ordering pizza for the band and their groupies.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.