Netwar System Community Edition

This site has been quiet the last five weeks, but many good things happened in the background. One of those good things has been progress on a small Netwar System demonstrator virtual machine, tentatively named the Community Edition.

What can you do with Netwar System CE? It supports using one or two Twitter accounts to record content on an ongoing basis, making the captured information available via the Kibana graphical front end to Elasticsearch. Once the accounts are authorized the system checks them every two minutes for any list that begins with “nsce-“, and accounts on those lists are recorded.

Each account used for recording produces a tw<name> index containing tweets and a tu<name> index containing the profiles of the accounts.

Netwar System CE Indices

The tw* and tu* are index patterns that cover the respective content from all three accounts. The root account is the system manager and we assume users might place a set of API tokens on that account for command line testing.

This is a view from Kibana’s Discovery tab. The timeframe can be controller via the time picker at the upper right, the Search box permits filtering, the activity per date histogram appears at the top, and in the case we can see a handful of Brexit related tweets.

Netwar System CE Tag Cloud

There are a variety of visualization tools within Kibana. He we see a cloud of hashtags used by the collected accounts. The time picker can be adjusted to a certain time frame, search terms may be added so that the cloud reflects only hashtags used in conjunction with the search term, and there are many further refinements that can be made.

What does it take to run Netwar System CE? The following is a minimal configuration of a desktop or laptop that could host it:

  • 8 gig of ram
  • solid state disk
  • four core processor

There are entry level Dell laptops on Amazon with these specifications in the $500 range.

The VM itself is very light weight – two cores, four gig of ram, and the OVA file for the VM is just over four gig to download.

As shipped, the system has the following limits:

  • Tracking via two accounts
  • Disk space for about a million tweets
  • Collects thirty Twitter accounts per hour per account

If you are comfortable with the Linux command line it is fairly straightforward to add additional accounts. If you have some minimal Linux administration capabilities you could add a virtual disk, relocate the Elasticsearch data, and have room for more tweets.

If you are seeking to do a larger project, you should not just multiply these numbers to determine overall capacity. An eight gig VM running our adaptive code can cover about three hundred accounts per hour and a sixty four gig server can exceed four thousand.

If you are willing to give a system like this a try, contact Neal Rauhauser on LinkedIn or DM the @NetwarSystem account.

An Analyst’s Environment

This week we had a chance to work with an analyst who is new to our environment. The conversation revealed some things we find pedestrian that are exciting to a new person, so we’re going to detail them.

Alerts

Many people use Google’s Alerts, but far fewer are familiar with the service Talkwalker offers. This company offers social media observation tools and their free alerts service seems to be a way to gather cognitive excess, to learn what things might matter to actual humans. These alerts arrive as email, or as an RSS feed, which is a very valuable format.

Feed Reading

Google Reader used to be a good feed reader, but it was canceled some years ago. Alternatives today include Feedly and Inoreader. The first is considered the best for day to day reading activity, while Inoreader gets high marks for archival and automation. The paid version, just $49 per year, will comfortably handle hundreds of feeds, including the RSS output from the above mentioned Talkwalker.

Content Preservation

Talkwalker Alerts never sleep, Inoreader provides all sorts of automation, but how does one preserve some specific aspect of the overall take? We like Hunch.ly for faithful capture. This $129 tool is a Chrome extension that faithfully saves every page visited, it offers ‘selectors’, text strings that are standing queries in an ‘investigation’, which can be exported as a single zip file, which another user can then import. That is an amazingly powerful capability for small groups, who are otherwise typically trying to synchronize with an incomplete, error filled manual process.

Link Analysis

Alerting, feed tracking, and content preservation are important, but the Hunch.ly investigation is the right quantum of information for an individual or a small group. Larger bodies of information where linkages matter are best handled with Maltego Community Edition, which is free. There are transforms (queries) that will pull information from a Hunch.ly case, but the volume of information returned exceeds the CE version’s twelve item limit.

Maltego Classic is $1,000 with a $499 annual maintenance fee. This is well worth the cost for serious investigation work, particularly when there is a need to live share data among multiple analysts.

Costs Of Doing Business

We are extremely fond of FOSS tools, but there are some specialized tasks where it simply makes no sense to try to “roll your own”. This $1,200 kit of tools is a force multiplier for any investigator, dramatically enhancing accuracy and productivity.

Impressive Performance With Elastic 6.5.1 & Search Guard

After Implementing Search Guard ten days ago I was finally pushed into using Elasticsearch 6. Having noticed that 6.5.0 was out I decided to wait until Search Guard, which seems to lag about a week behind, managed to get their update done.

The 6.5.0 release proved terribly buggy, but now here we are with 6.5.1, running tests in A Small Development Environment, and the results are impressive. The combination of this code and an upgrade from Ubuntu 16.04 to 18.04 has made the little test machine, which we refer to as ‘hotpot‘, as speedy as our three node VPS based cluster.

Perflog Dashboard
Perflog Dashboard

This is a solid long term average of fully collecting over eleven accounts per minute, but the curious thing is that it’s not obvious what resource is limiting throughput. Ram utilization eventually ratcheted up to 80% but the CPU load average has been not more than 20% the whole time.

Utilization Dashboard
Utilization Dashboard

There is still a long learning curve ahead, but what I think I see here is that an elderly four core i7, if it has a properly tuned zpool disk subsystem, will be able to support a group of eight users in constant collection mode.

Kimsufi Servers
Kimsufi Servers

And that makes this page of Kimsufi Servers intriguing.  The KS-9 looks to be the sweet spot, due to the presence of SSDs instead of spindles. If our monthly hardware is $21 that puts us in a place where maybe a $99/month small team setup makes sense to offer.

There is much to be done with Search Guard before this can happen, but hopefully we’ll be ready at the start of 2019.

Implementing Search Guard

Our conversion to Elasticsearch began almost a year ago. Aided by their marvelous O’Reilly book, Elasticsearch: The Definitive Guide, we grew comfortable with the system, exploring Timesketch and implementing Wazuh for our internal monitoring. Our concerns here were the same issue we faced during prior Splunk adventures – how do we fund the annual cost of an enterprise license?

Search Guard solves the explicit cost question and it does a good job on the implicit barrier to entry problem. What you see below is the contents of the Search Guard tab on our prototype system, which more or less installed itself with single command.

Search Guard
Search Guard

The initial experience was so smooth we decided to implement Search Guard on our cluster, which has been a learning experience. The system requires Elasticsearch 6.x, but we have clung to the familiar environment of the 5.6 version of the system. The switch required a solid day of fiddling with Bash scripts and Python code in order to make everything work with the newest Elasticsearch, and then the cluster upgrade was not nearly so straightforward.

The self-installing demo reuses a PKI setup. That’s great for lowering the barrier to entry for initial experiments, but there is no way that can be used on a publicly accessible system. Having done a bit of PKI here and there, the instructions and scripts they offer are fairly smooth.

The troubles began when we moved from Elasticsearch 5.6.13 to 6.4.3. A stumble on our part during Search Guard install left us with a system that was stuck tight. Their install procedure could not continue from the state we had put the system into, while our command line tools and system knowledge were insufficient to back out of the partially completed process.

Resolving that took the better part of a day, but it proved beneficial in the end, as their voluminous documentation did not address the specific problem, but it did offer many pointers. Think: six months troubleshooting experience in an afternoon, and questions posted to their Google Group yielded authoritative answers within hours.

There are six weeks left in 2018 and during this time we are going to accomplish the following:

  • Finish converting botnetsu.press to Search Guard Enterprise
  • Index Twitter, RSS data, and one chat service for the team
  • Explore roles and permissions against real world considerations
  • Create a public facing dashboard for botnetsu.press
  • Implement Search Guard for a Wazuh system

Best of all, Search Guard offers a gratis Enterprise license to non-profits. We have applied for this for both botnetsu.press here in the U.S., as well as a similar effort in the U.K. Given just a bit of luck, we’ll have two teams active in the field by the end of first quarter, and maybe some of the commercial opportunities we are pursuing will come to fruition as well.

 

The Shape Of The Internet

One of the perennial problems in this field is the antiquated notion of jurisdiction, as well as increasing pressure on Westphalian Sovereignty. JP and I touched on this during our November 5th appearance on The View Up Here.  The topic is complex and visual, so this post offers some images to back up the audio there.

Regional Internet Registries

Regional Internet Registries
Regional Internet Registries

The top level administrative domains for the network layer of the internet are the five Regional Internet Registries. These entities were originally responsible for blocks of 32 bit IPv4 addresses and 16 bit Autonomous System numbers. Later we added 128 bit IPv6 addresses and 32 bit Autonomous System numbers as the original numbers were being exhausted.

When you plug your home firewall into your cable modem it receives an IP address from your service provider and a default route. That outside IP is globally unique, like a phone number, and the default route is where any non-local traffic is sent.

Did you ever stop to wonder where your cable modem provider gets their internet service? The answer is that there is no ‘default route’ for the world, they connect at various exchange points, and they share traffic there. The ‘default route’ for the internet is a dynamic set of not quite 700,000 blocks of IP addresses, known as prefixes, which originate from 59,000 Autonomous Systems.

The Autonomous System can be though of as being similar to an telephone system country code. It indicates from a high level where a specific IP address prefix is located. The prefix can be thought of as an area code or city code, it’s a more specific location within the give Autonomous System.

There isn’t a neat global map for this stuff, but if you’re trying to make a picture, imagine a large bunch of grapes. The ones on the outside of the bunch are the hosting companies and smaller ISPs, who only touch a couple neighbors. The ones in the middle of the bunch touch many neighbors and are similar in position to the big global data carriers.

Domain Name Service

Once a new ISP has circuits from two or more upstream providers they can apply for an Autonomous System number and ask for IP prefixes. Those prefixes used to come straight from the RIRs, but any more you have to be a large provider to do that. Most are issued to smaller service providers by the large ones, but the net effect is the same.

Having addresses is just a start, the next step is finding interesting things to do. This requires the internet’s phone book – the Domain Name System. This is how we map names, like netwarsystem.com, to an IP address, like 95.173.136.70. There is also a reverse DNS domain that is meant to associate IP addresses with names. If you try to check that IP I just mentioned it’ll fail, which is a bit funny, as that’s not us, that’s kremlin[.]ru.

Domain Name Registrars & Root DNS Servers

How do you get a DNS name to use in the first place? Generally speaking, you have to pay a Registrar a fee for your domain name, there is some configuration done regarding your Start Of Authority, which is a fancy way of saying which name servers are responsible for your domain, then this is pushed to the DNS Root Servers.

There are nominally thirteen root servers. That doesn’t mean thirteen computers, it means there are twelve different organizations manage them (Verisign handles two), and their addresses are ‘anycast’, which means they originate from multiple locations, while the actual systems themselves are hidden from direct access. This is sort of a CDN for DNS data, and it exists due to endless attacks that are directed at these systems.

Verisign’s two systems are in datacenters on every continent and have over a hundred staff involved in their ongoing operation.

Layers Of Protection

And then things start to get fuzzy, because people who are in conflict will protect both their servers and their access.

Our web server is behind the Cloudflare Content Distribution Network. There are other CDNs out there and they exist to accelerate content as well as protect origin servers from attack. We like this service because it keeps our actual systems secret. This would be one component of that Adversary Resistant Hosting that we don’t otherwise discuss here.

When accessing the internet it is wise to conceal one’s point of origin if there may be someone looking back. This is Adversary Resistant Networking, which is done with Virtual Private Networks, the Tor anonymizing network, misattribution services like Ntrepid, and other methods that require some degree of skill to operate.

Peeling The Onion

Once you understand how all the pieces fit together there are still complexity and temporal issues.

Networked machines can generate enormous amounts of data. We previously used Splunk and recently shifted to Elasticsearch, both of which are capable of handling tens of millions of datapoints per day, even on the limited hardware we have available to us. Both systems permit time slicing of data as well as many other ways to abstract and summarize.

Data visualization can permit one to see relationships that are impenetrable to a manual examination. We use Paterva‘s Maltego for some of this sort of work and we reach for Gephi when there are larger volumes to handle.

Some of the most potent tools in our arsenal are RiskIQ and Farsight. These services collect passive DNS resolution data, showing bindings between names and IP addresses when they were active. RiskIQ collects time series domain name registration data. We can examine SSL certificates, trackers from various services, and many other aspects of hosting in order to accurately attribute activity.

Conclusion

The world benefits greatly from citizen journalists who dig into all sorts of things. This is less than helpful when it comes to complex infrastructure problems. Some specific issues that have arisen:

  • People who are not well versed in the technologies used can manage to sound credible to the layman. There have been numerous instances where conspiracy theorists have made comical attribution errors, in particular geolocation data for IPs being used to assert correlations where none exists.
  • There is a temporal component that arises when facing any opponent with even a bit of tradecraft and freely available tools don’t typically address that, so would-be investigators are left piecing things together, often without all of the necessary information.
  • Free access to quality tools like Maltego and RiskIQ are both intentionally limited. RiskIQ in particular cases problems in the hands of the uninitiated – a domain hosted on a Cloudflare IP will have thousands of fellows, but the free system will only show a handful. There have been many instances of people making inferences based on that limited data that have no connection to objective reality.

We do not have a y’all come policy in this area, we specifically seek out those who have the requisite skills to do proper analysis, who know when they are out on a limb. When we do find such an individual who has a legitimate question, we can bring a great deal of analytical power to bear.

That specific scenario happened today, which triggered the authoring of this article. We may never be able to make the details public, but an important thing happened earlier, and the world is hopefully a little safer for it.

 

Domestic Extremist? Or Something Else?

What does this site say to you at first glance?

patrioticfreedomfighter[.]com
patrioticfreedomfighter[.]com
This is one of nearly two dozen sites pushing fringe right wing views that are all associated with Mark Edward Baker, as detailed in this story by McClatchy. When I first heard of this the initial thought was that something so slippery could be a foreign influence operation. I came to a much different conclusion, but it took many hours of digging.

Here are the full list of domains involved:

1776christian[.]com

americangunnews[.]com

americanlibertyreport[.]com

americanviralheadlines[.]com

christianpatriotdaily[.]com

conservativezone[.]com

factsnotmemes[.]com

financialmorningdigest[.]com

firearmdaily[.]com

freedomnewsreport[.]com

frontpagepatriot[.]com

healthiervideos[.]com

liberalliedetector[.]com

libertyplanet[.]com

libertyvideonews[.]com

memesorfacts[.]com

nationalgunnetwork[.]com

patrioticfreedomfighter[.]com

patrioticviralnews[.]com

readytofirenews[.]com

uspoliticsandnews[.]com

wealthauthority[.]com

The physical plant for this is a circus – 434 unique IP addresses and they all seem to be tied to the operation.

Mark Edward Baker Internet Footprint
Mark Edward Baker Internet Footprint

A simpler exam of the SOA for each domain yielded a deeper clue in the form of the [email protected] address used for registration. It’s connected to another cluster of domains.

gomarkb@gmail.com domains
[email protected] domains

We are not going to revisit the merry chase this guy provides – fire up hunch.ly and go at it. He uses the alias Mark Bentley, be on the lookout for LOP, which is short of League of Power, and his wife Jennifer is a signatory on some of the paperwork. He has at least half a dozen PO boxes in Florida and a similar setup in Reno, Nevada, which appears to he his origin. Once I was sure I had a real name, I was more interested in what his business model is and if there were any foreign ties.

If you poke around for League of Power you’ll find complaints about his $27 scam work from home DVD. This guy’s ideology is getting other people’s money and providing little to nothing in return. This is pretty common to see on both sides of the aisle – grifters working the earnest, but naive masses. This guy clearly focuses on the right – different skills are needed to run a similar game against the left.

Here is the one image that more or less sums up what he is doing:

Mailgun Usage
Mailgun Usage

You would have to be in the business of examining attribution resistant hosting to notice this, but it was like a flashing neon sign for me. Domains that don’t want to be traced typically have no email handling at all. This guy’s business model is list building, which he’ll use for maybe some political stuff, but it will be an ongoing bulk mail target after the election.

 

What about foreign influence being behind this? The article mentions that conservativezone[.]com[.]com had been used. That’s a spearphishing move. It resolves to these geniuses:

conservativezone[.]com[.]com
conservativezone[.]com[.]com
What is AS206349? A dinky autonomous system in Bulgaria with a history of IP address hijacking. Baker got some service from these guys, but it wasn’t anything he wanted to receive. The may have noticed he was gathering lists of the easily duped and decided this would be a good phishing hole for them.

 

People who are way into the bipolar politics in the U.S. tend to judge things as either on their side, or the opposition. There are nuances on that spectrum that get ignored, foreign influence, weird cyberstalker types, and just outright fraud, like we’re seeing here. Don’t jump to sticking a red or blue label on something until you’ve had a good chance to inspect it and conjure up some alternate theories.

Russian Infrastructure, Domestic Threats

Let’s take a look at a curious thing in RiskIQ – the October 22nd registration for the 0hour1[.]com domain.

0HOUR1 Registration
0HOUR1 Registration

The nameservers at westcall[.]ru are part of a large ISP in St. Petersburg. The registrant’s trail is an intentional mess, but lets see what we can find on Brian Durant. It’s helpful to know his birth name –  Fiore DiPietrantonio.

Durant came to my attention because his crew are bothering a CVE researcher I know, and threatening a man in Brooklyn that they mistakenly identified as them. There is a decent Threadreader on Durant from @trebillion that provided me a starting point.

Achtung! If you choose to pursue this, you must turn your OSINT tradecraft up to eleven. The name change is an attempt to leave behind a shady past, there is intentional deception at work prior to the politics, and don’t chase after a pretty face on a largely empty persona.

As a sign of how much of a hassle this backtrail was, take a look at my hunch.ly case for it. And this is the second one – the first draft had so much crud in it I found it easier to just start over and revisit the stuff I confirmed.

Brian Durant Investigations
Brian Durant Investigations

About that empty female persona … here is where it starts.

rowdypolitics[.]com
rowdypolitics[.]com
Which of these do you think are legitimate?

Meghan Thompson
Meghan Thompson

If you picked only #1 and #2, which a faint urge to check #3, give yourself a gold star.

Three Domains & Hosting
Three Domains & Hosting

I got distracted writing this and spent half an hour playing with the RiskIQ response to the Maltego Domain Analysis transform. GoDaddy is a terrible swamp that typically reveals nothing, so I collapsed it to a point to better see the other things. The westcall[.]ru nameserver mistake only showed in the registration, they caught it before it started turning up in  passive DNS. So what are these three other things we see?

192.169.82.86 is part of The Swamp – the tiny allocations in 192.0.0.0/7 that were handed out for free back in the eighties. RiskIQ shows over 9,000 names for it, Maltego finds 552, ARIN says it’s a point to point link from Limestone Networks to a customer. It’s been passed around for thirty years or more and I don’t think it tells us much. The reverse lookup is the last one someone carded to enter and those don’t seem to matter much on shared servers. Make a mental note to come back, only if all else fails.

86.106.93.230 is a European address, you can tell just by the leading octet, and with a little poking we find it’s in AS44901 – BelCloud Hosting, but it’s listed with over 10,000 other names.

What about 149.56.202.49? Looking at the times it was active we find that it had the system to itself, running what looks to be WordPress under cPanel.

magaforamerica[.]com
magaforamerica[.]com
This is turning into a common theme – people trying to do their own hosting and then giving up after a couple days.  The DNS tab provided another interesting clue that I just noticed as I was drafting this article.

videowhispers@gmail.com
[email protected]

And what’s going on here? Every time I look at this thing I find another eastern European/Russian link.

videowhispers[.]com
videowhispers[.]com

 

So … I thought this was going to be a declaration and instead it’s a problem statement – there is more digging to do here. But there is one piece of digging that is done – the ID of Brian Durant’s associate who threatened me when I first started probing is within easy reach. Check the DM that @NetwarSystem received on October 17th and the menacing voicemail from October 27th.

This “very reasonable dude” is @MistaBRONCO, which has been a stable alias for him for at least six years. It was on his Flickr account, where a close inspection of cat photos turned up this gem. Handsome boy, isn’t he?

BRONCO, International Cat Of Mystery
BRONCO, International Cat Of Mystery

So our internet tough guy who cleverly pressed *69 before he left me a message on a Google Voice number that hasn’t a phone attached to it in five years is laid low by the ol’ surname & multiple phone numbers on a pet’s nametag. Amateur hour here – stable name, personal details all over the place. This is all recorded in hunch.ly and the good bits of the YouTube channel that put the voice with this cat are safe, too.

So I’ve got a voice threat, another guy that this genius misidentified as Ca1m has received threats, the source lives on Long Island, the target is in Brooklyn. Since these are both covered by the NYC FBI field office and I was pointedly told to “come correct”, I had the following exchange with the counter-terrorism SA in that office, whom I’ve known since Occupy days.

Alerting Agent Smith
Alerting Agent Smith

That’s as correct as I can play it in the wee hours of a Friday right before a midterm in which Russian influence is certainly still a problem.

How’d I do?

 

A Small Development Environment

The early version of the Netwar System ran with a handful of Twitter accounts and a flat file system. Today we use a 64 gig Xeon with 48 Twitter accounts for internal studies and a trio of 16 gig VPSes for botnetsu.press, our semi-public service. The requirements for an R&D system exceed a virtual machine, unless you’ve got a Xeon grade desktop.

We happen to have a Dell m4600 laptop and eight unallocated Twitter accounts, so this has been built out as an R&D environment. The system has a four core i7, 16 gig of ram, and in addition to the system volume there is a 60 gig msata SSD and a 500 gig spindle in the disk carrier that fits in the CD/DVD bay. This is essentially a miniature of our larger Xeon system.

Disk performance has always been our problem with Elasticsearch, so the msata drive was split into cache and log space for a 465G ZFS partition.

Disk /dev/sdb: 55.9 G

/dev/sdb1 28G

/dev/sdb2 27.9G

Disk /dev/sdc: 465.8 G

/dev/sdc1465.8G

 

The final configuration looks like this:

 

               capacity     operations    bandwidth

poolalloc free readwrite readwrite

—————————————-

zorp 612K 464G .   0 0 3.44K 5.37K

sdc1 612K 464G .   0 0 1.89K 4.32K

logs——

sdb2 4K .  27.7G .      0 0 1.55K 1.05K

cache ——

sdb1 40.5 . K28.       0G 0 0150 96

—————————————-

The following software is needed:

Once you’ve got them all installed you’ll see the following ports in use.

Elasticsearch

127.0.0.1:9200

127.0.0.1:9300

Kibana

127.0.0.1:5601

Neo4j

127.0.0.1:7687

127.0.0.1:7473

127.0.0.1:7474

Netdata

127.0.0.1:8125

0.0.0.0:19999

Redis

127.0.0.1:6379

A few caveats, first be sure these are the final lines in /etc/security/limits.conf or you will quickly learn to hate Elasticsearch.

elasticsearch – nofile 300000

root – nofile 300000

Next, examine the configurations for Elasticsearch and Kibana in /etc. You’ll want to ensure there is more than the default 2 gig for the JVM and modify the Kibana config so you can reach port 5601 from elsewhere.

 

We have come to the point where we must release configuration advice and some Python code in order for others to learn to use the system. We’re going to trust that the requisite system integration capabilities, analytical tradecraft, and team management skills are going to limit the number of players who can actually do this. There isn’t a specific Github repository for this just yet, but there will be in the coming days.

Suggested Reading: Complex Network Analysis in Python

Complex Network Analysis in Python
Complex Network Analysis in Python

There has been a gap in the social network analysis world since @ladamic stopped offering her excellent class via Coursera. I received my copy of Complex Network Analysis in Python earlier today, devoured the first five chapters, and I am pleased to report this book is a quality alternative to the class.

The book presumes you have enough Python to load stuff with pip and some pre-existing motivation to explore networks. Some key things to know:

  • The features and performance considerations of four Python network analysis modules are explained in detail; invaluable for those who are trying to scale up their efforts.
  • The visualization package Gephi is introduced in a very accessible fashion and advice regarding how to move data between it and your Python scripts is clear and simple.
  • There are a variety of real world examples included

The thing that is missing is Twitter – which is mentioned just once in passing on page 63. This seems like a good opening – the Complex Network Analysis Github repository is going to contain the Twitter related code we produce as we work through the examples in this text.

Making America Grey Again

The initial wave of NPCs were taken out by Twitter, about 1,500 all together according to reporting. A small number lingered, somehow slipping past the filter, and now they are regrouping. A tweet regarding the initial outbreak collected several new likes, among them this group of five:

Five NPCs
Five NPCs

And their 740 closest friends are all pretty homogenous:

NPCs: Diversity Through Conformity
NPCs: Diversity Through Conformity

A fast serial collection of these 740 accounts they follow was undertaken. Their mentions reveal some accounts that are early adopters, survivors of the first purge, or otherwise influential. 735 of them came through collection, the missing were empty, locked, or suspended.

These accounts made 469,889 mentions of others.  First we’ll look at 285,102 mentions of normal accounts, then we’ll see 184,787 mentions of Celebrity, Media, and Political accounts. Given that there are 67,000 accounts involved in this mention map, we’ll employ some methods we don’t normally use. This layout was done with OpenOrd rather than Force Atlas 2 and the name size denotes volume of mentions produced.

Many NPC Mentions
Many NPC Mentions

The large names here are based on Eigenvector centrality – they are likely popular members of the group, or in the case of Yotsublast, a popular content creator aligned with NPC messaging.

Popular NPC Accounts & Allies
Popular NPC Accounts & Allies

Usually we filter CMP – Celebrities, Media, and Politicians. These accounts are actively seeking attention so it is interesting to see who they reach out to in order to achieve that in these 184,787 mentions to about 18,500 others.

 

NPC Messaging Targets
NPC Messaging Targets

Attempting different splines with Eigenvector centrality leads to, after several tries, this mess.

Smaller Messaging Targets
Smaller Messaging Targets

Beyond the core at the bottom, Kathy Griffin, Alexandra Ocasio-Cortez, and Hillary Clinton are singled out for attention.

K-brace Filter Level 4
KBrace Filter Level 4

Mentions are directed but the best way to handle them at this scale seems to be treating them as undirected and using the KBrace filter. This is a manageable set of accounts to examine and the groupings make intuitive sense.

The 742 accounts were placed into our “slow cooker” but only 397 were visible. It isn’t clear why 350 were missed, but Twitter’s quality filter may have something to do with that.

NPC Creation Times
NPC Creation Times

Unlike the group of accounts in yesterday’s A Deadpool Of Bots, this wake/sleep cycle over the last ten days looks like humans making their own accounts to join in the fun. Given a good sized sample of tweets, an average adult will only consistently be inactive from 0200 – 0500, so those empty three hour windows, except for the first day, are a pretty convincing sign.

NPC Hashtags
NPC Hashtags

Their hashtag usage is entirely what one would expect.

NPC Daily Hashtag Use
NPC Daily Hashtag Use

Given the tight timeframe it was interesting to look at an area graph of their daily hashtag use for the last ten days.

 

As a society we have barely begun to adapt to automated propaganda, and now we’re facing a human wave playing at being automation. This is an interesting, helpful thing, as it provides a perfect contrast to what we explored in A Deadpool Of Bots.