People in the patriot movement spend a lot of time talking about their patriot activities on social media. Here at PHS and over at Order of the White Rose, I’ve covered why this is a bad idea over and over, and will continue to do so. In the midst of the meme-sharing, ranting and planning various activities, however, there’s something else going on every day: Social engineering.
Social engineering is defined as “an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” For people in the movement, that breaks down to “an attack that tricks you into giving up critical information.” There is almost no easier way to trick patriots into giving up information than Facebook. It’s a tactic used by federal agents and assets, but in many cases they don’t even need to engage in social engineering because patriots are doing it to themselves and each other without even realizing it—and with the best of intentions. In these cases, someone merely needs to swing by and collect the information left out for them to find by careless people. While I won’t use names of individual people or groups, I’ll paste some actual comments from real-life examples. If you recognize one of these comments as your own, then I encourage you to take the energy you want to spend trashing me, and use it to think about what I’m saying. Let’s get started.
How It Works: The Commander or Member of Random Patriot Group posts a roll call thread, asking active members to comment and calling for each of the other members to report in by codename. Members respond with that codename or callsign in their comments. The commander then announces that he wants people to think about a face-to-face meeting, with the following:
We all need to get together real soon. Hell boy. Ogre, reaper, widow maker, pharaoh, sasquatch, loonatic, watchtower. You all down for a get together?
What just happened? What can be linked together? In the 20 comments on that particular thread, ten of the members of that group are now identified by name and matched to their callsign/codename. From there it’s a simple exercise to go to their pages and start collecting more information about their schedules, personalities, and more—all of which can be used for further engineering attempts.
Another party in another thread asks for people to comment with “name and zone.” People respond—130 comments’ worth—with names, locations, and positions. Some of them give extra information, such as what they’re trained in. Within the thread, some post a comment saying their location is “classified,” and are promptly chastised by the leadership for not following the directive. Perhaps the most disturbing part is when the leadership denigrates those who choose not to comment as being “inactive” or “not dedicated.” Anyone can simply take the state map, thoughtfully provided by the leadership so members can figure out what zone they belong to, and start making notes. How many people are in each zone? Where is the leadership of that group located? What is the group’s response capability to a specific area in the state?
Many argue that, “We only do that in our closed/private FB groups.” Two things you need to be aware of: 1) If it’s on Facebook in any capacity, it is NOT private. 2) If your vetting process for allowing members into your closed and “private” groups is checking out their Facebook page, you are failing.