Ali-Reza Anghaie (Right) is a Consulting Security Engineer and Senior Analyst with Wikistrat. His varied work in engineering and security has taken him to numerous universities and Fortune 500 companies in the Defense, Energy, Entertainment, and Medical fields. You can follow Ali-Reza on Twitter and Quora. Scot Terban (Left), AKA the gonzo INFOSEC blogger Krypt3ia, blogs at http://krypt3ia.wordpress.com. You can also find him on Twitter. Both host the weekly Cloak & Swagger: Security Unhinged podcast.

John Little: Let’s start off with a Skyfall-esque word association game. Ready? “Cyber Pearl Harbor”

Ali-Reza Anghaie: Geraldo. (Yes, that’s my answer. Say `Cyber Pearl Harbor` in his voice and you’ll want to strangle yourself too.)

Scot Terban: Expletive.

John Little: Alright, so what is it about “Cyber Pearl Harbor” that sets you two, and many other infosec professionals, off? What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain?

Ali-Reza Anghaie: Lets clarify “getting wrong” – as professionals we encounter `wrong` all the time. ~Intentionally~ exaggerating and obfuscating threats is what has been happening in DC. However, it’s also politics – you never hear a politician talk about any issue in a way that satisfies the wider professional community of that issue. That’s quite intentional – as the people who really know are absolutely the people that politicians need to play ~against~ to centralize and pull power toward their own spheres of influence.

And that’s really the part that burns me – the echo chamber they’ve built is designed to accomodate just those that will work within the confines of the existing DC dynamic. And so much energy is exhausted in just that posturing that by the time you get to actual technical working groups – you’re already on the tail end of resource availability. So, if you’re lucky, you’ll get through one or two iterations of actual policy driven work before the next manufactured crises hoovers priority elsewhere.

Since this is the inevitable cycle, I suggest we move straight to the end – private industry needs to step to the plate as a competitive matter because Government, as Government always does, will punish you using whatever laws do or don’t exist as soon as it’s politically tenable. And won’t provide any solutions along the way. Why not just get it over with?

You know – I’d probably be less cynical and in a better mood if you stopped saying “Cyber Pearl Harbor”..

Scot Terban: It’s jingoism at its best. It is propaganda and a tool to get people to react in a knee jerk way.

What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain? Everything. They do not comprehend the technologies involved nor the complexities of what they are advocating as the end of the world. They need to let the professionals who deal with this technology and space give the answers. It’s akin to telling a five year old to go on to Meet The Press and explain quantum mechanics.

John Little: There are countless layers to this problem and many of them are not “technical”. There are human factors and physical security issues for example. In most cases there are no paths to 100% security. So where, from a national security perspective, should we focus or efforts and dollars? What would get us the most bang for the buck?

Scot Terban: Well, contrary to what a Dave Aitel or lately Schneier might posit, more security awareness for the general populace to start I think. This is more so for companies that are within the sights of an APT adversary but also look at what goes on with crimeware to start right? How much of this could be stopped just with making sure people understand the technology that they own and should be managing? We are all supposed to have training to drive a car and a license so why not at least have a better grasp on the PC and how things work right?

*wait’s for Ali’s head to explode*

But really, knowledge is power and unfortunately I don’t think this will happen either really. The money will all go into offensive campaigns within the CyberComm and we will lag behind on defense. Look at the EO and how the corps responded to it. “hey yeah, we would like to do less” I know Ali thinks that is all about letting the gubment take over and that is what they want but I disagree here. I think they do not want the government dictating to them nor do they want to be responsible for the security of their environments at the level of mandate because they would be held to it by assessment.

I think in the end your question is moot because nothing will be done that will help us.

Ali-Reza Anghaie: The pounding of the `do the basics` drums needs to be louder than the `sexy` drums..

However, I think the biggest things we can do at a national security lever are:

1) Admit defeat at the Government level. Make it clear – CLEAR – that if you’re waiting for Government to combat your hacking problem, you’re going to die.

2) You. Must. Compete. There is a concept called “Intellectual Property Obesity” that has ravaged the American innovators for some time. They spent too much time on Copyright, Patent, and IP theft and not enough on risk analysis, business development, existing means of competition.. concentrate on ~everything else~ that has made America less competitive on a global scale.

In the end, if we’re to suffer a `death by a thousand cuts`, it’s not because of cyber espionage from the Chinese or anyone else. That’s but a small part of the bigger picture.

Now – that speaks to national security at the economic level, which I think is most important – but some conflate this as all purely defense/military in nature. The solutions to that problem set as a bit different and, in part, require actually letting people fail. Not retroactively but put a pretty solid post in the ground that says: `Hey, if you get hacked and all the IP is stolen. Your program funding is going to take a BIG hit. We don’t want to tell you how to fix it – we (Government) doesn’t know how. Likewise, if the data gets stolen while with us (again, Government), you’re going to get a bit of automatica business helping us or influencing our direct means of securing it`.. something along those lines without the tin-foil gaps.

John Little: Although I know and respect many security professionals the ones that I encounter professionally seem to be bureaucrats rather than technical professionals. They are just lords of a massive fixed documentation process that must be completed whether I’m building a simple web page with public data or a massive mission critical enterprise system. The problem is that I can answer 500 questions about my application and get it approved but at the end of the day there’s nothing about the process that really enhances security. What are your thoughts about how the private sector utilizes InfoSec professionals?

Ali-Reza Anghaie: Firstly – I’m sorry. Really really sorry. You’ll have to file a RC269B exception to ask me this question. It’ll be rejected of course because everyone knows of the `Great RC268T Debacle` of 2012. I have my big red stamp ready to reject your request because email isn’t secure enough and the ColdFusion workflow app we had developed in Bangalore was, of course, developed by non-US Citizens so we can’t really use it. I have spoken.

There is this inherit fear of InfoSec that comes with the noise around incidents right now – similar to how auditors were perceived just after SOX went into effect. Nobody knows what to do with InfoSec except to not piss InfoSec off. Along with that come a lot of non-technical professionals or entry-level professionals enabled with copious amounts of authority and confidence over – well – nothing in particular. So, much like politics, you do exactly what you can get away with without punishment.

This is a cynical view – as my answers have trended so far – but it’s quite normal and recent trends leave me very optimistic.

We’re at the tail end of this trend and, as an industry, we’re going through it a fair bit quicker than many of our predecessors. Somewhat due to economic constraints but I sincerely believe the best of the best in InfoSec have taken more responsibility recently for knocking down their own echo chambers. They’ve seen the charlatans flourish and they know “we” created room for them with ambiguity and hand-waiving. “We” want our industry back..

So – to answer your question – I think a huge majority of the private sector is very confused in how to apply InfoSec. And it’s our fault…for now.

Scot Terban: I think we need to differentiate between the INFOSEC folks like an archaeological dig here to start. First off, not all INFOSEC’ers are built the same. I come from the pentesting side AND the policy as well. I performed many assessments that had a combination of both and understand them both well enough to see where the rubber meets the road to so speak. Unfortunately not everyone has the skill sets to see both sides of coin and to work efficiently in the space. So we have people who get into INFOSEC primarily from a “legislative or paper” side of the issue. They understand that security is necessary and there are rules that need to be in place and that is about it. They follow their checklists and once they have checked the boxes they are good. This is bad but all too often the real aegis of many folks in corporations who perform audit from SOX to other government audit standpoints.

Then there are the people who perform just pentest and who many often think that rules are just useless. Why? Because the hackers/adversary does not follow the rules and all too often rules get mired in minutiae that doesn’t matter to their attacks. I have heard way too many times, and rightly so, that SOX and other check box security measures are useless. I too have felt the same thing but, too often the pentest crowd is just dismissive of it because they are broken and not workable in their present state much of the time. So you can develop an app as you say, the “Bob’s” can come in with their checklists but in the end they have not made the product more secure because they lack the dimension of the attacker perspective.

So we have two camps.. Both out to secure things and neither really can because of a third camp.. Let’s call this camp the “Corporation” The corp all too often is motivated not by an innate desire to protect their data, their clients etc.. Their driver is to make as much money as possible and in doing so security spend is even today, not what it should be because it is a cost center. When looking at the options and the legal drivers we can see how it is so easy for a company to go for the check box security approach mainly because that is what the government and the laws are mandating. It is the “due diligence” mentality and in that, the only due diligence we have primarily is to have the boxes checked to insure that they can say that once they get sued or after an incident. THIS is to minimize the legal remunerations that they may incur to law suits and that’s the extent of it. Rarely have I seen a company throughout my career that was proactive about their security enough to engage true red teaming and effective policies, procedures, and audit to insure a modicum of security.

It’s mostly set and forget as well as get drones who check SOX boxes every year. Aye, there’s the rub huh? This is where you have the paper CISSP’s and others who really do not have a grasp of adversarial INFOSEC that needs to be in place to protect yourselves and this is where the engine of popularity and money have made a glut of people who don’t really have the chops to be in the business doing business. So yeah, you could create an application and the SOX types come along and ask questions but they really aren’t coders nor understand application code security right? They do their bit but they don’t see the whole picture and you, you could totally hoodwink them that your application is up to standard because this is the only appsec that they are carrying out.. Asking questions and not validating code?

To me, that says that the system is broken. What we need is a middle road where true application security people are involved in your case. In other cases I would like to see people who have a good grasp of security (defense as well as offense) in the roles of audit. Will this happen? Probably not and that is because as was lamented recently “Defense isn’t sexy” add to that the corp’s aren’t looking to do anything but be “risk averse” and you have a broken system.

John Little: So we have a system that is broken and seems bound to stay that way. With the increasing complexity and distributed nature of data and applications, the vast number of application users (a good portion of the planet now), the rapid advancement of technology, and the challenges involved in building and maintaining an even barely adequate cadre of INFOSEC professionals how will the future not become even more of a hacker’s playground?

Ali-Reza Anghaie: The problem space is going to continue to grow at an accelerating pace. We will drown in more data and we won’t ever have enough bodies to throw at the problem. Government “regulation” will likely further exasperate the staffing problems. Generally we’ve shown ourselves incapable of effective security automation. Woe is me?

There is a difference between a hacker’s playground and an unmanageable risk. Like any other type of crime, society will compensate in some areas and not in others. Some regions will do better with the same `door locks` and other regions will need `burglar bars` on all windows. So the question isn’t if the attack surface will continue to outpace us – it certainly will – the question is how will we compensate, as an industry and society, elsewhere?

This goes to the very root of competition – and we’re stuck with this idea that InfoSec is absolute. You’re either not using computers or your pwned. In no other aspect of life or society do we so readily say that to customers, through Governments, and in our daily routines.

So I would say that hackers will hack and that’s OK. If you aren’t viable and complete even under hacker fire – I’d say you were never actually viable or complete.

Scot Terban: It shall be just as it is now. The only answer is to become a new age Luddite and live in a bunker awaiting the end…

John Little: A significant portion of the cyber-chatter inside the Beltway and in the media is focused on China. How would you characterize the threat Chinese hackers (official or not) pose to the U.S. and how should we be talking about it?

Ali-Reza Anghaie: Lets be clear – the Chinese threat is real and it’s aggressive. It is also entirely irrelevant.

We’re at such an early stage of secure architecture and software that concentrating on a given foe is foolish for all but a small core of defense and intelligence agencies. Along those lines, Government emphasizing a given nation-state threat also leaves people with the false impression that these threats ~require~ a nation-state to execute. And…. wait for it… a nation-state level response.

About now big red spinning alarms should be going off in your head. THAT is the problem with “the Chinese threat” – it’s become a political football that has turned into a lobby interest that has turned into a disadvantage to an already painfully broken field. It creates whole classes of C-levels looking at the wrong problems, wrong solutions, and wrong people to deliver those solutions.

Scot Terban: How would I characterize the Chinese threat… Well, they are a threat because they are just persistent and mostly sneaky. Not all of the teams are uber ninja’s like portrayed in the news media or in a Mandiant self propaganda piece but they are pretty good (some of them) What the question really should be though is how would I characterize the attacked.. Not the attacker. We are on the whole not prepared to deal with attacks either in the MIL space or the private whatsoever. Companies are reticent to fix their infrastructures because it would cause loss of productivity, they hold on to old technologies like XP and IE6 for way too long, and they generally are not as a whole, security savvy.

So.. How hard is it for the average Chinese hacker to get someone to click on a link, pwn a machine, enter a poorly managed network, and steal them blind? Furthermore, how hard is it then to keep persistence?

Meh.

John Little: You both raise a very important point. While the debates over terminology, doctrine, and threats rage on the assets are going unprotected. We hear case after case of hackers having an easy time with their targets because of laziness, ignorance, and irresponsibility on the behalf of individual users, software developers, and network owners. It seems like we could eliminate most threats by shifting the focus away from “external” threats and back to our own behavior and business practices.

Ali-Reza Anghaie: Some years ago various groups started referring to de-perimeterisation as an inherit system design goal – that is to say that every system’s functions should act like it’s facing the “outside” world. From the outset I thought that should be the data protection goal as well – trust no one, period. Everything should have a forensic trail, least-privilege model, etc. Insiders can become your outsiders – prepare as such.

Now, that was naive of me – cost applies. So I think it comes down to appropriate risk assessments in the complete context of your business, legal, and technical resources – which is non-trivial for multinationals and small business alike.

So – the “right” answer to your question is – we still have an accountability problem period. Internally or externally the risk assessments, valuations, and models just aren’t being done appropriately on a reliable basis for most organizations. The good news is that the body of work on these topics are increasingly reliable – we can fix the overall scheme of things. Where fixing doesn’t always mean absolute security as the goal.

I’d like to thank Blogs of War for taking the time to put together this interview. It’s been great and I really enjoy your various feeds.

Scot Terban: The answer is “yes” but I would also hasten to say that it’s not just accountability but a more encompassing problem of OPSEC altogether. The point being that many people today lack understanding of the need never mind the practice of OPSEC. So we have all these private and public entities that really have no concept of the security landscape in the first place and why it is important to protect their data so how do you expect them to be aware of internal or external threats? While in the military and government space they have an idea they too suffer from lackadaisical attitudes and lack of comprehension of the technologies that they are using to manipulate, store, and use data. I tend to think of it as a human nature issue in general that we need to tackle just to bring people to the security table in the first place before we can make them aware enough to think about and secure their assets. Once people are on the same page with the technologies (not just the tech folks we all work with but the end users) then we will have a discussion over the internal versus the external threats posed.

The Boston Bombing Witch Hunt Bags Another Innocent Kid – On Monday, the New York Post doggedly stuck to its claim that 12 were killed in the Boston Marathon bombings. On Tuesday, CNN (among others) reported that a suspect had been arrested, before walking that all the way back. Today, the Post wrests back the “what the fuck are you doing?” crown by putting two “potential suspects” on the cover of the newspaper. They are most assuredly innocent.

Boston Police Commander: “I need somebody up there to get on social media…” – Shortly after the IEDs detonated in Boston (at 10:38 in the recording above), an unidentified police commander got on the radio and began giving orders. “We’re going to get the victims out, we’re then going to conduct a sweep with EOD assets… we will then get people out of the restaurants and bars. I need somebody up there to get on social media and let people know what we’re doing here–that we’re sweeping the streets to make sure it’s safe first, and then we’ll get them out of the bars once we get it swept.”

Crowdsourcing the Boston Marathon Bomber – The difference with the Reddit and 4chan crowd-sourcing is that the flow of information is not limited to the individual with information and the feds who receive the tip. Speculation is now published widely, for all to see—a dangerous idea, writes The Atlantic’s Alexis Madrigal. “They are not real cops. They are well-meaning people who have not considered the moral weight of what they’re doing,” he said. “This is vigilantism, and it’s only the illusion that what we do online is not as significant as what we do offline that allows this to go on.”

The Internet Mystery-Solving Machine – a horde of amateur digital-forensic analysts have been poring over every pixel of some of the same raw material as investigators—publicly available high-resolution photos and video of the race, bombing, and aftermath,which has been scattered across the Web and broadcast by news media—hoping to see something that official investigators have not. It’s a human-powered parallel-processing machine, one with overwhelming scale that is constantly churning as it aggregates known information with new data, synthesizing the two to produce highly idiosyncratic analyses. The machine is marked by its intensity, heterogeneous composition, and its odd syntax, in which annotations are made with crude graphics, and arguments are made in the raw language of Internet forums.

Media’s description of search for ‘dark skinned’ Boston Marathon suspect shows ineptitude around race – A reporter’s work is incomplete if the only description they have for a potential suspect – particularly for a crime on the magnitude of the Boston Marathon bombing – is ”dark-skinned.” Time is of the essence. Other U.S. cities and national landmarks have been placed on high alert. If a vigilant public is to help law enforcement put together the pieces of this puzzle, they must have full descriptions, which can include race but must include more.

Obama to visit Boston amid search for suspects seen on video – President Barack Obama was due to visit Boston today to attend a memorial service for victims of the Boston Marathon bombing amid a manhunt for two suspects seen on video taken before two blasts struck near the finish line on Monday.

How Long Does it Take to Catch a Terrorist? – As the country waits for answers about who the terrorist — or terrorists — is, the reality of how long that might take was discussed Tuesday on the PBS NewsHour. Michael Greenberger, director of the University of Maryland’s Center for Health and Homeland Security, said he’s optimistic that they’ll find the perpetrator of the Boston marathon bombings eventually, but possibly not until evidence is painstakingly pored through and analyzed. “I have the unfortunate suspicion that this won’t be solved quickly,” he said in a story posted yesterday.

Social media and the Boston bombings: When citizens and journalists cover the same story – There is a reflexive reaction to pit emergent social media behavior against the traditional journalistic practices and norms. This defensive posture is counterproductive for both sides. Rather than pointing out flaws in order to uphold one model over the other, we should appreciate the interplay between them with a sense of symbiotic dependence that ultimately produces a more participatory, accurate and compelling news cycle.

Give It Arrest - A visiual guide to the CLUSTER$&K of misinformation during Wednesday afternoon’s Boston Marathon bombing news coverage.

Beware bogus Boston Marathon charity websites – One fraudster already tried to dupe the public by setting up a Twitter account minutes after the bombing that claimed to be associated with the Boston Marathon organization. The @_BostonMarathon account promised to donate $1 for every retweet. After users called it out as a fake, Twitter quickly shut the account down — but not before it received more than 50,000 retweets.

Internet Comes Up With 8.5 Million Leads On Potential Boston Bombing Suspect (satire) – While still early in the investigation, experts believe the internet is likely to uncover crucial evidence in the coming hours that will likely result in anywhere between 20 to 30 million more leads on potential bombing suspects.

Follow @Blogsofwar for continuous live updates of this story.

The limits of intelligence collection – U.S. intelligence didn’t pick up any threat stream about Boston or the marathon before the event, nor any terrorist “chatter” about the attack afterward. That doesn’t rule out al-Qaeda involvement, but this attack doesn’t resemble anything the core group or its major affiliates have done in the past. Officials can only speculate at this point about perpetrators. But the early evidence looks more like the work of a lone individual or a small group than that of a larger terror network. If it’s part of a broader terror plot, then it represents a new and cruder approach. Terror attacks that fit the same pattern are the 1995 Oklahoma City bombing, the 1996 pipe bombing at the Atlanta Olympics and the 2011 pipe-bomb plot in Spokane, Wash. In each case, the chief attackers were lone wolves.

Boston bomb investigators can’t decide: Foreign or domestic? – All of the talking heads that discuss this incident and incidents like it, if your experience and your expertise is Middle East terrorism, it has the hallmarks of al Qaeda or a Middle East group,” said former FBI assistant director Tom Fuentes, in a CNN article. He continued: But “if your experience is domestic groups and bombings that have occurred here, it has the hallmarks of a domestic terrorist like Eric Rudolph in the 1996 Atlanta Summer Olympics bombings.”

Local terrorism expert on Boston bombings: ‘Likely domestic, possible lone wolf’ – Dr. Greg Moore is the Director of the Center for Intelligence Studies at Notre Dame College. Moore said there is still an enormous amount of information to be viewed but he believes the attack is domestic terrorism.

Boston Bombing: World Reacts with Flood of Tributes – Users of China’s Twitter-like social media service Weibo reportedly praised the U.S. response to the incident. “In the face of the tragedy, we can learn a lot from the American government, media, businesses and citizens’ kind interactions,” wrote one user, according to the International Business Times.

Experts Skeptical Homegrown Terrorists Were Behind Boston Bombings – But one message from domestic terrorism experts is clear: Most of the evidence points against an antigovernment group being responsible for the attack. Several militia groups, who fiercely and sometimes violently fight to keep their Second Amendment rights, have come out against the bombings in Boston.

Boston Marathon blasts: Investigators eye ‘range of suspects and motives’ – “Importantly, the person who did this is someone’s friend, neighbor, co-worker or relative. We are asking anyone who may have heard someone speak about the marathon, or the date of April 15, in any way that indicated that he or she may have targeted this event to call us,” DesLauriers said.

Reddit Scours Photos in Search of Boston Bombing Suspects – The group, called r/FindBostonBombers, has hundreds of Redditors pointing their collective finger at several unknown people it considers suspicious based on their appearances and backpacks. Law enforcement has said the devices were contained in backpacks or large duffel bags, but authorities have provided no physical description of any suspect.

Boston Marathon bombing victims: Promising lives lost – “She was an incredible woman, always full of energy and hard at work, but never too tired to share her love and a smile with everyone,” the post said. “She was an inspiration to all of us. Please keep her and her family in your thoughts and prayers.” Even without government confirmation that Ms. Lu was killed in the bomb blast on Monday, Chinese Internet sites filled with mournful messages about a woman in her mid-20s whose ambitions took her from a rust-belt hometown of Shenyang to Beijing and then the United States. Her account on Weibo, a Twitter-like microblogging service used by tens of millions of people in China, attracted more than 10,000 messages, mostly of condolence, in the hours after Chinese media reported her death.

China Mourns the Death of a Student in Boston Blast – “You are in heaven now, where there are no bombs,” said one typical message.

Twitter Donates Promoted Trend to ‘One Boston’ – Entertainers, athletes and ordinary citizens aren’t the only ones aiding Boston residents after Monday afternoon’s deadly bombings at the Boston Marathon. Twitter lent a helping hand of its own on Tuesday in the form of a donated promoted trend on the microblogging network.

Alex Jones And His Enablers – As Jones Pushes Conspiracies About The Boston Bombings, A Look At The Politicians, Media Figures, And Outlets Who Validate Him.

Why One Californian Bought a Domain Name to Stave Off Boston Conspiracy Theorists – I saw some pretty unbelievable and disgusting statements being made almost immediately. So, I went back to my desk and quickly bought the domain for BostonMarathonConspiracy dot com and and posted a simple message saying that I purchased it only to make sure the kooks don’t get it.

Why the Conspiracy Theorists Will Have a Tough Time With Boston – The attacks in Boston lack a number of the factors they need to concoct a really compelling conspiracy theory. They’re always on the lookout for a “false flag” attack, a government-run ruse intended to bring public opinion in line. In reality, the last example they can point to of this is the Reichstag Fire; in fiction, it’s usually fun to point to Watchmen. But the Boston bombings are going to present some challenges.

The Saudi Marathon Man – What made them suspect him? He was running—so was everyone. The police reportedly thought he smelled like explosives; his wounds might have suggested why. He said something about thinking there would be a second bomb—as there was, and often is, to target responders. If that was the reason he gave for running, it was a sensible one. He asked if anyone was dead—a question people were screaming. And he was from Saudi Arabia, which is around where the logic stops. Was it just the way he looked, or did he, in the chaos, maybe call for God with a name that someone found strange?

Follow @Blogsofwar for continuous live updates of this story.

Downtown Boston Remains a Crime Scene – Downtown streets that normally would be clogged at rush hour were largely deserted Tuesday except for a cold wind and a few runners out for a morning jog. “It’s very surreal,” said Mary Ollinger, 32, who works at Wentworth Institute of Technology. “The streets are empty and the Common is filled with media trucks.”

Boston Marathon Explosions: Revere Apartment Searched – Police and federal agents searched an apartment building on Ocean Avenue in nearby Revere late Monday night in connection with the bombings. Agents searched this complex for 9 hours after the marathon bombing. CBS News Senior Correspondent John Miller reported Tuesday morning the apartment search was related to a man who is reportedly under guard at Brigham and Women’s Hospital. Miller reported the man is a Saudi national who is in the United States on a student visa. Police and federal officials exit an apartment complex in Revere with a possible connection to the earlier explosions during the Boston Marathon. Several bags were removed from the scene around 2 a.m. Tuesday, but authorities would not comment on the search.

Boston Marathon bombings: Security experts weigh in on potential culprits, motives – Former Homeland Security Secretary Tom Ridge says the absence of intelligence might suggest the attacker is not affiliated with a larger terrorist group: “It may lead to the fact that this was not connected to a major jihadist organization. This might very well may have been a domestic terrorist or lone wolf, as you might want to describe it.”

Twitter and news: The canary down the mine – Twitter has often been touted as the “first with news”. From the miniscule to the massive. From Stephen Fry being stuck in a lift, to the Arab Spring rippling across North Africa, it is the instant source of a story, the first gurgle from a tap. The only way to find out what’s really happening, according to some. But I’m beginning to think that so-called truth is losing some of its polish.

Social Media Shapes Boston Bombings Response – Terrorism experts said the proliferation of photos and video on the web through social media might also help authorities identify the perpetrators of the attack. “All the media provides a tremendous asset for the forensic evaluation of the explosion event,” said Roman. “Authorities can start examining the pictures and tapes looking for individuals near the receptacles where the bombs were found and individuals not fitting the profile of the general spectator can be identified.”

Social media to the forefront in Boston – ‘Authorities have recognized that one [of] the first places people go in events like this is to social media, to see what the crowd is saying about what to do next. And today authorities went to Twitter and directed them to traditional media environments where authorities can present a clear calm picture of what to do next.’

Boston’s tweeters offer aid to marathon runners – Gestures as small as offering a drink of orange juice and use of a home bathroom were recounted on Twitter on Monday in an ongoing online recollection of the fellowship that emerged in the wake of Monday’s devastation.

Public Shaming – Minutes after the explosions, internet tough guys and girls were already pointing the blame and ready to kill.

Follow me on @Blogsofwar for continuous live updates of this story.

Jon Iadonisi is the founder of White Canvas Group (Twitter) and leads the innovation and application of new products and solutions for all clients. He blends over 15 years of diverse experience in computer science, cyber security, and applied creativity into solving tomorrow’s challenges. He is regularly sought by the Department of Defense, various Intelligence agencies, members of the US Congress, industry conventions and popular media outlets to provide expert opinion and briefings on information age unconventional warfare. Prior to joining the private sector, Jon served as a Navy SEAL, where he designed, planned and led various combat operations that integrated innovative technologies and tactics into the operating environment, ultimately creating new capabilities for the Special Operations Community and Central Intelligence Agency. He is a combat-wounded and decorated veteran who earned a B.S. in Computer Science from the US Naval Academy, and M.S. in Homeland Security from San Diego State University. He is currently pursuing a PhD in Criminal Justice from the University of New Haven, focusing his research on the emerging field of cyber crime. Jon is a guest lecturer at San Diego State University and Georgetown Law School and is an academic and athletic all-American who participated in the 2000 Olympic Rifle team trials.

Tim Newberry is the co-founder of White Canvas Group and is responsible for day-to-day operations and sustained client engagement. Tim’s 15 years of identifying, developing, and executing projects in areas ranging from computer science to nuclear engineering has helped him hone a process-oriented delivery model that ensures clients’ objectives are met on time and on budget. Prior to joining the private sector, Tim spent eight years as a Naval Submarine Officer and Nuclear Engineer. He has a master’s degree in engineering from Catholic University, and a bachelor’s degree in computer science from the U.S. Naval Academy. Tim is currently pursuing a PhD in Criminal Justice from the University of New Haven in Connecticut, with an emphasis on understanding the intersection between cyber technologies and new age media with justice.

John Little: White Canvas has been involved in lot of interesting projects from crowdsourced crisis communications products like GridMeNow, to social media analysis, to your longtime involvement in the hacker conference scene. Can you briefly tell us where White Canvas is devoting most of its energy at the moment and where you see yourselves headed in the next 3-5 years.

Jon Iadonisi and Tim Newberry: John, first, thank you for hosting us in this forum. We’ve been a big fan of yours over the years and actually think we’ve got quite a bit in common with your content pursuits. As you allude to in the question above, we’ve been accused at times of being a bit unfocused and spreading ourselves too thin. We couldn’t disagree more.

Everything we do, day in and day out, now coming to the end of our fifth year, connects. It connects by focusing our efforts at an intersection between technology and people. Behind every social media account, keyboard, and mobile phone is a person. Our expertise is technology development but our focus is to serve people with that technology, with each one of our projects combining elements of design, science, and functional solutions.

Right now, we’re focusing on a handful of projects. We like to describe ourselves as a privatized DARPA (most of your readers will probably understand that analogy), except we like to produce a bit faster and be a bit more practical in solving tomorrow’s problems today. You’ll see GridMeNow spin off into its own company in the coming months as customer growth and demand warrants. 2013 will also see a renewed focus for WCG on the human factor in cyber security and digital operations for private and government customers. Our other significant energy focus will be an elite performance training system for military and law enforcement personnel, customizing systems currently used by professional and Olympic athletes.

Clients contact us regularly seeking other paradigm-shifting solutions, and we’re dedicated to evaluating those potential opportunities for future growth.

John Little: I know you guys were looking at the national security implications of social media, especially web video, well ahead of the Arab Spring. Has the marketplace for these concepts changed completely over the last three years or is it still an uphill battle with some customers?

Jon Iadonisi and Tim Newberry: Both. The Arab Spring undoubtedly caused global shifts in power but more critically, it caused a shift in the perception of what power is and who has it. Social media certainly helped those events transcend local boundaries onto the global stage; and the pressure of that elevated visibility shaped public opinions and corresponding ground action in near real time.

Video social media is the most important form of user-generated content when influencing someone to do something. That journey from being compelled or inspired to do something to taking action on that inspiration happens much quicker with video as opposed to just text, pictures, or audio. Video compels, inspires, incites action. That’s why we focus there, because it is the most potent form of influence, whether you use it for marketing or organizing. Further, the social technologies at play in these cases (YouTube, Vimeo, etc.) offer a transformative experience for the user/viewer because they instantly provide context (via comments, likes and shares), and connect users/viewers to wider online audiences via their own social presence. The video footage of the January 25 Tahrir Square protests in Egypt compelled a global audience in seconds. You personally could watch the event unfold via social media virally while other 1.0 organizations usually tasked with monitoring and analyzing these events (e.g. intelligence agencies, news bureaus, etc.) totally missed the boat. And in this case, the compulsion caused by the social video experience resulted in a united narrative promoting a regime change.

It’s still an uphill battle—that’s going to be the case for years, and unfortunately more so within the confines of government. But, we’re getting better at it – after all, the Internet is only about 20 years old.

John Little: It seems like with all the hype around social media and the internet in general that mobile gets overlooked as a driver. Twitter and Facebook wouldn’t be full of compelling real time content from Tahrir Square without the global spread of affordable hardware and networks. It’s really the convergence and ubiquitous nature of these technologies that is creating something special isn’t it?

Jon Iadonisi and Tim Newberry: The quick, simple answer is “absolutely” – I think we’ve heard recently that in many parts of Africa, cell phones and internet connectivity are more prevalent than running water. But the harder-to-measure second and third order effects this creates involve how PEOPLE are changing with this new dynamic. This is where we at White Canvas Group spend most of our time: helping people to navigate this new digital world order. Consider the fact that reliable, real-time information is being delivered via an underground Skype connection in Syria, which is then broadcast by the global news network powerhouses. It’s an inversion of power and influence. Many people don’t buy goods or services based solely on advertisements: they spend money based on peer recommendations or social network validation. These changes are only enabled by the convergence and spread of affordable connectivity. We think we’ll start seeing many more innovative uses of mobile technology in the future as burgeoning youth population bubbles reach critical mass inside the regions you mention and others.

John Little: You have a long history of participation in the hacker community through events such as DEFCON. And lately I’ve seen the two of you discussing cyber security on Fox Business News, CBN News, Government Computer News, C-SPAN and other media outlets. Cyber has been a beltway buzzword for some time now but it seems like, especially in the political arena, the threat is often hyped or mischaracterized, while real vulnerabilities are overlooked. It drives a lot of the information security professionals I know crazy. How can we move beyond the extremes of hype and apathy to implement the kind of broad and sustained effort needed to secure our digital infrastructure?

Jon Iadonisi and Tim Newberry: This transition will be lengthy, and in many ways similar to the societal adjustment towards terrorism post-9/11. Simply put, a broad sustained effort will not be embraced until either a generational change in the political landscape or a 9/11-scale cyber event. Until then, private businesses, institutions and individual American citizens will have to hold their own. We hate to be the bearers of doom and gloom, but the fact that those inside this professional industry are more focused on the context of a word instead of the practical manifestations of that word frankly says quite a lot about how much most people in this community care about it. Towards that end, and in the context of what the “industry” deems cyber security, we’re focused on providing tools, technologies, and perspectives that will help to fill that void; hopefully enabling individuals, companies, and organizations that are taking it seriously the ability and confidence to hold their own.

John Little: I know you guys are always looking forward and you can find opportunity almost anywhere. Are there any anticipated technological/social developments on the near horizon that you’re really excited about?

Jon Iadonisi and Tim Newberry: Unfortunately, innovation is a cliched term these days. We really enjoy following the modern day Da Vincis and Edisons. People who aren’t afraid to challenge the norm and risk changing the world. For example: Salvatore Iaconesi, diagnosed with brain cancer who instead of giving up hope, coded his medical records in a structured format, enabling thousands of people to help him successfully find a cure, which he did. Stories like his remind us that computing power, when used as a tool, enables creators a chance to globally impact our world. We’ve got a couple of promising projects we’d like to launch against Leukemia, and perhaps have a chance to impact the world. Until then, all we can do is fearlessly dream, and that begins like all of our projects: on a white canvas.

I have a Kindle in my hand fairly often and wanted a way to check in on key national security issues without switching to another device so I threw this together. It’s easy enough to do with Kindle’s experimental browser but does require some specific adjustments in refresh frequency and formatting. It’s not nearly as robust as the 400+ live feeds on Covert Contact but it is pretty handy for briefly checking in on important topics and could come in very handy if other access isn’t available during an emerging event. It’s unreleased for now but that might change once I tweak it a bit and if there’s some interest.

Occupy Eyes the Drones
“Occupy Wall Street activists claim they are being tracked, whether they were arrested at a protest or not, just for showing up at an OWS activity. A combination of overhead drones picking up cell-phone pings and GPS tracking software included in every Apple and Android phone is able to create a government database of everyone and anyone who ever went near an Occupy protest.”

Meet Ayoub: The Muslim drone
“Though The Jerusalem Post has proclaimed Ayoub’s voyage evidence of Israel’s “increasingly brazen and confrontational enemies”, rational observers might see it instead as part of an effort to deter a brazen and confrontational neighbour presiding over a cycle of murderous violence in Lebanon. Given the preponderance of the Israeli state lexicon, however, according to which self-defence against Israel is provocative terrorism and Israeli military slaughter is self-defence, the cycle is far from over.”

Iran: Israel can expect 100s more UAV infiltrations
“He added that the infiltration reflected only a small part of Hezbollah’s capability, and that it had dealt a significant blow to Israel, according to Fars. A number of senior Iranian officials have already remarked that the move proved Israel’s air defense systems were inadequate. Iran’s Defense Minister Ahmad Vahidi said last week that the drone infiltration has “shown the weakness of the Zionist regime’s Iron Dome,” while the deputy coordinator for Iran’s Islamic Revolutionary Guard Corps Jamaluddin Aberoumand said the incident indicated that the Iron Dome system “does not work and lacks the necessary capacity.” The Iron Dome system, jointly funded with the United States, is designed to shoot down short-range guerrilla rockets, not slow-flying aircraft. Former Lebanese prime minister Fouad Siniora claimed that the UAV that flew over Israel was sent at Iran’s behest, and that Hezbollah leader Hassan Nasrallah did not consult with the Lebanese government before sending the drone. Last week, UN Secretary- General Ban Ki-moon said that Hezbollah’s decision to send the UAV into Israeli airspace could risk stability in Lebanon by prompting Israeli retaliation.”

UK to double number of drones in Afghanistan
The UK is to double the number of armed RAF “drones” flying combat and surveillance operations in Afghanistan and, for the first time, the aircraft will be controlled from terminals and screens in Britain. In the new squadron of unmanned aerial vehicles (UAVs), five Reaper drones will be sent to Afghanistan, the Guardian can reveal. It is expected they will begin operations within six weeks. Pilots based at RAF Waddington in Lincolnshire will fly the recently bought American-made UAVs at a hi-tech hub built on the site in the past 18 months.

How Russia and Georgia’s ‘little war’ started a drone arms race
“Meanwhile, the fate of the drone deals between Georgia and Israel played a major factor in the quick deterioration of what Caucasus expert Michael Cecire described as a “love affair” turned “messy divorce.” Pre-2008, Israel enjoyed arguably its strongest ties in the region with the pro-Western government of Georgian President Mikheil Saakashvili. Israel sold Georgia 40 drones, anti-aircraft equipment, and trained Georgian infantry through private defense firms. In the run-up to the war, however, Russia put heavy pressure on Israel to cancel its arms deals with Georgia, and publicly implied it would consider selling advanced equipment to Israel’s enemies if it did not give in. Israel acquiesced two days before the start of the conflict, a move that Georgian Minister for Reintegration Temur Yakobashvili, now ambassador to the US, slammed as “a disgrace.”

Alameda County Sheriff plans to buy a surveillance drone
“The units can be outfitted with high-powered cameras, thermal imaging devices, license plate readers and laser radar. Police and sheriffs already use some of those tools. However, combined with a hard-to-detect drone, they offer authorities unprecedented capabilities for mass surveillance using militarized equipment.”The law hasn’t caught up with the technology,” said Trevor Timm of the Electronic Frontier Foundation, a privacy rights group. “There are no rules of the road for how they operate these things.”

This Eagle-Eyed Heron UAV Can See From Tel Aviv to Cyprus
“The Heron 1 (Shoval) is a Medium-Altitude Long-Endurance (MALE) drone, capable of staying aloft for up to 52 hours with an operational ceiling of 35,000 feet. Developed by the Malat (UAV) division of Israel Aerospace Industries, the Heron 1 measures 79 feet long with an 86-foot wingspan and weighs 8,800 pounds. A single Pratt & Whitney PT6A 1,200-hp engine propels the drone along at a brisk 130 MPH. The Heron is capable of flying completely autonomously in all weather conditions—including takeoff and landing—over a pre-programmed flight path using its internal GPS receiver, or can be flown manually by a remote operator. “I can say we are flying above Gaza to the south, the West Bank to the east, in the north [possibly over Lebanon and Syria] and in the west [over the Mediterranean] without being detected,” said Maj. G, an executive officer of the IAF’s 200 Sqdn, told Aviation Week. “It is not stealthy, but it is silent and very discrete.”

Meet the SQ-4 Recon UAV, a $32K Remote-Control Surveillance Drone
“British-company BCB International yesterday unveiled its SQ-4 Recon UAV (Unmanned Aerial Vehicle), a miniature aerial surveillance drone that’s small enough to fit in the palm of your hand. The company says the UAV can fly up to 30 minutes on a full charge, and it is capable of operating at a distance of more than 1.5 miles away from its remote control.”

Drones may soon buzz through local skies
“Peverill and Woodworth’s start-up, Rotary Robotics, is just one of several local groups working to demilitarize drone aircraft. While the armed forces have deployed unmanned aerial vehicles in Afghanistan, Iraq, and Libya that cost millions and are sometimes armed with Hellfire missiles, this new fleet will be small, cheap, and geared to tasks like evaluating farm crops, finding missing children, or inspecting bridges. Many expect that the domestic UAV industry is about to take off, and the Federal Aviation Administration has estimated that 30,000 drones could be aloft by 2020. “We’re in a rapid spool-up phase now, where we’re thinking about going from producing tens of aircraft per month to a thousand or more,” says Tom Vaneck, vice president of space technologies at Physical Sciences Inc. in Andover.”

So what’s Mitt Romney’s take on cyber security?
“Mitt Romney has promised to make cybersecurity a top priority early in his administration,” said a campaign spokeswoman when Killer Apps asked if the candidate has more detailed plans than what was outlined in the white paper. “He will order the formulation of a national cybersecurity strategy, to deter and defend against the growing threats of militarized cyber-attacks, cyber-terrorism, and cyber-espionage. Once the strategy is formulated he will determine how best it can be implemented.”

“Live-fire” cyberwar-in-a-box tests mettle of military, IT pros
“In August, a collection of military, government, and nongovernmental humanitarian organizations from 22 countries in the Pacific gathered in Singapore for Pacific Endeavor 2012, a joint exercise to test how quickly and how well they could communicate in the face of a disaster. While the simulated mission was peaceful, some of the participants were put through a separate, more hostile test—Cyber Endeavor, a full-on “live fire” cyberwarfare exercise focused on “protecting information in a collaborative environment, “with both innocent bystanders and hostile attackers.”

Anonymous hacktivists to launch TYLER: “WikiLeaks on steroids!”
“In an exclusive interview to the Voice of Russia a member of Anonymous talks about the conflict that revolves around the coercive fund raising techniques and a lack of transparency regarding WikiLeaks. He also mentions the possible release of a list of what they view as WikiLeaks ethical violations. On December 21, 2012 Anonymous are planning to launch a secure, no cost and decentralized online leaks release platform called TYLER to circumvent to problems inherent in WikiLeaks and to continue to disclose information that governments, including US, are hiding from people.”

WikiLeaks and Anonymous: Will they kiss and make up?
“Anonymous has pulled support for WikiLeaks, Julian Assange has met with Lady Gaga, I have interviewed dozens of WikiLeaks supporters, WikiLeaks number 2 has gone incommunicado and Bradley Manning is facing the beast on his own. Those are just some of the developments in the case of Julian Assange and WikiLeaks that Voice of Russia is commenting on.”

Russian Opposition Votes for Leaders Online amidst Hacker Attacks
“Electronic voting to the coordination council of Russia’s street opposition was temporarily suspended Saturday over a hacker attack, the movement’s central election committee said via Twitter Saturday. “It is possible that the online voting has been affected by DDoS attacks,” the committee said, referring to a Distributed Denial-of-Service attack, a common form of hacking that denies users access to targeted websites.”

The Threat Is Real and Must Be Stopped: Clarifications And Rebuttal by An INFOSEC Professional
“At the end of the day though, all my community see’s is just another government official overstating the facts concerning a new and scary “warfare” in our ever increasing security state in hopes of passing legislation with their name on it. There are no hard facts here in your opinion piece other than the names of tools and players in recent acts of hacking. There has been a trend in the government and the military circles since the presence of Stuxnet was revealed to the world of a great “Cyber-land-grab” of sorts that I and others have been watching and worrying about though. You, and others within the government are now beating the war drum over terms like “Cyber War” when you really do have very little comprehension of what that really means and this is the scariest thing for us all to watch. So much so that now, since the senate and house could not agree on measures for “cyber security” the president is seeking a unilateral method of protection in an “Executive Order” There have been stories about how such an order could “Shut down the internet” and frankly, that’s just a bad idea.”

DARPA-Funded Radio HackRF Aims To Be A $300 Wireless Swiss Army Knife For Hackers
“Pretty much any wireless device that you can think of would be in the frequency range covered by HackRF,” says Ossmann.”Just from observing [a signal] over the air, you can reverse engineer it completely to figure out the information transmitted over the network, and potentially inject your own transmissions onto that network. All of that can be done with one HackRF device and a laptop.” With HackRF in the hands of hackers or security researchers, in other words, no wireless signal would remain secure just by virtue of using a unique, unfamiliar frequency. Ossmann says that tools like HackRF mean wireless communications will need to evolve beyond the “security through obscurity” model of protecting communications that has long been considered outmoded in the wired computing world.”

Classified Information Plays Central Role in Both 9/11, WikiLeaks Cases
“Pretrial hearings for two major court cases – one involving the alleged perpetrators behind the 9/11 terror attacks and the other involving the soldier charged with the largest intelligence leak in U.S. history – are converging this week as attorneys operating in two very different legal systems focus on the issue of classified information in the courtroom. The pre-trial hearing for Khalid Sheik Mohammed, who has confessed to planning the 9/11 attacks “from A to Z,” and four others who allegedly trained, financed or arranged transportation for the 19 hijackers entered its fourth day today at Naval Air Station Guantanamo Bay, Cuba. Mohammed’s codefendants in the case are his nephew, Ali Abdul Aziz Ali; Walid Muhammad Salih Mubarak bin Attash, charged with selecting and training some of the hijackers; and Ramzi Binalshibh and Mustafa Ahmed Adam al Hawsawi, accused with helping finance the attacks. Meanwhile, here at Fort Meade, the second day of pre-trial hearings continued for Army Pfc. Bradley Manning. He is an Army intelligence specialist accused of downloading and transmitting classified information to the whistle-blowing group WikiLeaks while he was deployed to Iraq.”

Alleged hacker worked for House, RCMP
“According to the RCMP, the hack originated from the House of Commons network when someone gained administrative privileges and then used them to upload a malicious program to the government of Quebec’s website. The break-in on April 27 crashed the site for two days. The alleged hacker was working for the House of Commons at the time of the attacks, the Mounties said. The man also worked for the RCMP on contract.”

New wave of cyber attacks mostly target energy firms
Threats against the energy industry are progressively increasing during a constantly evolving threatening landscape. Security operations will be forced to continuously adapt to these variety of challenges including economic, criminal, political, as well as homeland security constraints. Against this backdrop, the 8th Middle East Energy Security Forum will be held on Dec. 4-6 at Habtoor Grand Resort and Spa in Dubai. The forum is all set to reveal the latest cyber security techniques, risk management and assessment, maritime critical infrastructure and hostile reconnaissances.

Iran defense minister confirms Hezbollah drone was Iranian
“Whatever we have at our disposal will be used at the proper time in defending the Muslim community and Islamic territories and that’s natural,” Brigadier General Ahmad Vahidi said on Sunday adding, “Given the Zionist regime’s frequent incursions into the Lebanese airspace, we see it as the natural right of Lebanon’s Hezbollah to fly its drone above the Occupied Territories.” The minister added that the flight of the Hezbollah drone proved the weakness of the Jewish entity’s iron dome. “The so-called iron dome of the Zionist regime’s defense space collapsed by this action and it became clear that the Zionist regime could not be safe from the fury of the Muslim community,” Vahidi said.”

Former Lebanese PM: UAV not a state decision
Former Lebanese Prime Minister Fouad Siniora said that the Hezbollah-dispatched unmanned aerial vehicle that flew over Israel was sent at Iran’s behest, and was not a Lebanese decision, a statement issued by Siniora’s press office said on Sunday. “Sending the drone over Israel is not a Lebanese decision, however the move was made at an Iranian behest. Such act needs techniques only available in Iran,” Lebanese news site The Daily Star quoted Siniora as telling his visitors at his Sidon’s office.

Israel unveils enhanced drone
As part of Sunday’s showcase, held in central Israel, the Shoval drone flew towards the sea and identified a commercial vessel on the Mediterranean, dozens of kilometers away from Israeli shores. Live footage displayed in HD quality on the control screens showed foreign reporters virtually every detail on the ship, including its Japanese flag, the name on its front and the sailors walking on board. The drone can also identify aircraft flying over the sea and determine whether they are suspicious. Its radar, which has a 300km (190 mile) range, can reach as far as Cyprus, Turkey and Egypt. “The system can inquire and intercept any object within just a few minutes,” a senior IAI official said. The UAV weighs 1,200 kilograms (2,645 pounds) and can carry 256 kilograms (565 pounds) in surveillance cargo. “The Shoval has satellite communication abilities, which means any footage it takes will be broadcasted online to distant location like Paris. This capability allows it to operate during bad weather, in which case it will fly under cloud height and will not be affected by the rain,” the official said.

Iran to Use New Drone for Air Defense, Bombing Missions
A senior Iranian military commander said that the country’s newly unveiled Haazem (Determination) drones are multi-purpose and multi-range vehicles with air-defense, reconnaissance and aerial bombardment capabilities. Commander of Khatam ol-Anbia Air Defense Base Brigadier General Farzad Esmayeeli stressed that Iran’s defense industries enjoy a high capability in designing and producing Unmanned Aerial Vehicles (UAVs), and stated that Haazem is a drone designed and manufactured by Iranian air defense experts in three short, mid and long range models and for air defense missions. He said that the drone can be used as a target for air defense systems and also for reconnaissance missions. Esmayeeli said the UAV can also be equipped with missiles and used for aerial bombardments as well.

Hezbollah drone photographed secret IDF bases
The Hezbollah drone that infiltrated the Negev last week beamed back live images of secret Israeli military bases, the Sunday Times reported on Sunday. According to the report, the drone was airborne for three hours before being intercepted by an F-16I jet. It is believed to have transmitted pictures of preparations for Israel’s joint military exercise with the US, as well as ballistic missile sites, airfields and, perhaps, the nuclear reactor in Dimona, the Sunday Times reported.

Israel terrified by outlook of future Iran, Hezbollah combat UAVs: Analyst
“The fear of Israelis is that these UAVs, Iran or Hezbollah can develop them to become combat UAVs meaning [having] the capability of launching missiles or themselves being used as guided missiles against targets in Israel. So personally, I think we will see it more in any future conflict between Hezbollah and Israel,” CEO and founder of the Institute for Near East and Gulf Military Analysis (INEGMA), Riad Kahwaji said in a Press TV interview.

Israel’s IAI wins $958M India drone deal
Israel Aerospace Industries, flagship of the Jewish state’s defense sector, is reported to have secured a $958 million contract from India’s military to upgrade its IAI-built Heron and Searcher unmanned aerial vehicles. UAVs are one of the biggest money-spinners for Israel’s defense industry and India, which is engaged in a massive multiyear rearmament program, is a key customer. Israel’s Globes business daily cited Indian media reports that the deal covers some 150 UAVs acquired from IAI since the 1990s that are operated by India’s army, air force and navy.

South Korea’s Kamikaze UAV Could Scare the Ojom Out of Kim Jong-un
South Korea’s aptly named the Devil Killer fits that bill; it’s a portable kamikaze UAV currently under development by Korea Aerospace Industries in conjunction with Konkuk and Hanyang Universities. It measures five feet in length and weighs approximately 55 pounds. When unfolded, its boasts a four foot wingspan. The Devil Killer will be powered by an electric motor and reportedly reach speeds in excess of 250 MPH, allowing it to strike North Korean targets up to 25 miles away in just 10 minutes.

Photo: Lockheed Martin Cormorant

It’s the same content you get here for free but you get the convenience of the Kindle and, if you like what I do here, subscribing also drops a few pennies in my pocket each month. You can even try it free for 14 days.

Panetta Sounds Alarm on Cyber-War Threat
Panetta came to the nation’s financial hub – New York City – to issue his battle cry. The city is the brightest bulls-eye on the American target for foes wishing to cripple the U.S. economy with computerized “worms” and “malware” that can infect computer networks via the Internet or insider sabotage. “It is the kind of capability that can basically take down a power grid, take down a water system, take down a transportation system, take down a financial system,” he told Time editors. “We are now in a world in which countries are developing the capability to engage in the kind of attacks that can virtually paralyze a country.”

MOFCOM GOV CN (Chinese Ministry of Commerce) PWNED
On October 11th, 2012, Anonymous gained access to the servers of the Chinese Ministry of commerce and extracted 374mb of documents. A lot of them contain details about deals with Russia, Ukraine and Belarus. The documents are partly in English, Russian and Chinese.
See also: Hackers claim to have cracked servers Chinese representation in Belarus

Is ‘cyberwar’ another harmless buzzword, or an impending threat of nuclear proportions?
Is the whole thing being overstated as a threat? When people like Richard Clarke, the former head of counterterrorism in the US, warn that the cyber war could already be lost you may want to unplug your PC and run for the hills. But you have to take it with a pinch of salt from a man who now runs a cyber-security company, which would no doubt love a big contract.

Cyber War? Bring It On!
We’ve been warned again. The USA and all its citizens are under threat of “a cyber-Pearl Harbor!” Find a desk to hide under. Look for cover. Make it a place where the whole family can meet up so you can do a head count and see who is missing. No seriously, a cyberattack is imminent and could happen any minute! I need to get in on some of this action by becoming a consultant.

U.S.: Hackers in Iran Responsible for Cyberattacks on Oil, Gas Companies
U.S. authorities believe that Iranian-based hackers were responsible for cyberattacks that devastated Persian Gulf oil and gas companies, a former U.S. government official said. Just hours later, Defense Secretary Leon Panetta said the cyberthreat from Iran has grown, and he declared that the Pentagon is prepared to take action if American is threatened by a computer-based assault.

So much outrage, so little time
This morning, hoping to get some discussion going (and somehow turning it into something blogworthy) I asked the question: Of all the missteps you see daily in infosec, what outrages you the most and why?

Hacking Google: The three Israeli white hats rooting out the web’s security holes
All three work at Israeli security company Avnet, which, among other things, tests enterprise websites in Israel for vulnerabilities. The Google work is a sideline for the three hackers – but a very lucrative one that has earned each several thousands of dollars, given that Google pays between $500 and $3,000 for each bug discovered. The three white hats have each earned that kind of money despite the fact that hundreds of hackers around the world participate in the programme – Google is so large, there are more than enough security lapses to go around.

Google rewards a hacker with $60,000 for breaking Chrome
Google confirmed that the winner of the contest – which was the second of its kind, part of the Hack In The Box conference in Kuala Lumpur, Malaysia – was a pwner named “Pinkie Pie”, who was the only participant with a successful entry.

U.S. Bank Hacks Expand; Regions Financial Hit
Still, the attacks have been notable because even with attackers’ prior warning, they’ve managed to disrupt the websites of some of the country’s largest financial firms, including Bank of America, JPMorgan Chase, PNC, U.S. Bank, and Wells Fargo. As that skill and sophistication suggest, the bank attacks haven’t been launched by just one individual, or using a single tool, but rather by multiple well-organized groups wielding a variety of tools, according to Prolexic.

Cyberwar, Cyberdouchery, and Where the Rubber Meets the CyberRoad
Well, so here we are, we are in the age of the “Cyberwars” as much as the term might stick in the craw of many in the community. I would put it to you that as a person with anything online, you are a target. Whether it be the cyberwarfare of the state, or the cyber machinations of the criminal gang seeking to steal your money or your data, we all are under the same threats. Infrastructure as well as your personal PC are targets within a larger game of digital Stratego. Face the fact, live with it a while, and then think about what you can do to insulate yourselves a bit better.

UAVs autonomously refuel in flight during DARPA demo
“On Oct 5, DARPA’s two-year Autonomous High-Altitude Refueling (AHR) program, which concluded Sep. 30, explored the ability to safely conduct fully autonomous refueling of UAVs in challenging high-altitude flight conditions. During its final test flight, two modified Global Hawk aircraft flew in close formation, 100 feet or less between refueling probe and receiver drogue, for the majority of a 2.5-hour engagement at 44,800 feet, said the agency.”

Canberra rescue drone wins $10,000 prize
“A Canberra team has won $10,000 for developing an un-manned aerial vehicle (UAV) which could help rescue stranded bushwalkers. Leader Stephen Dade and his team ‘Canberra UAV’ claimed first prize at the Outback Rescue Challenge after their UAV successfully located a dummy bushwalker.”

With Israel’s Destruction of Drone, the Region’s Dynamics Have Changed Significantly
“In the long run, however, manned fighter jets will be a very poor choice for defending against hostile UAV incursions. UAVs will eventually gain the advantage in agility and maneuverability—and in the ability to dodge and weave to avoid missiles intended to destroy them. Given that the entire country of Israel may now be within easy reach of Iranian UAVs launched from southern Lebanon, that’s a technology trend that has the potential to fundamentally alter the dynamics of the region.”

Govt to prioritize development of drones
“As an archipelago sitting on the Pacific Ring of Fire, the Indonesian government is currently prioritizing the development of its own unmanned aerial vehicles (UAV) to cover the many volcanoes located throughout the country, according to Research and Technology Minister Gusti Muhammad Hatta.”

Iran has a new toy: Drone proliferation continues
“The Shahed-129 unmanned aerial vehicle (UAV) is Iran’s newest domestically made drone, capable of reaching targets up to 2,000 kilometers away, which includes just about anywhere in the Middle East, as well as Israel. This model doubles the range of previous drones, but bears some similarities to the US RQ Sentential UAV that crashed on Iranian territory in 2011.”

Video: IAF Interceps UAV in Israeli Airspace
“DIY ISR and weapon delivery platforms are likely to remain just an annoyance for some time. The value of the intelligence they generate is questionable at best. And if the aim is to kill or destroy the impact will be minimal unless someone gets extremely creative with the payload. In most cases these platforms are more likely to benefit conventional forces, rather than non-state actors, who can deploy them with greater frequency and effectiveness.”

U.S. Security Agency Begins Small UAS Testing
“The U.S. Department of Homeland Security (DHS) will begin testing and evaluating small unmanned aircraft systems (UAS) this month near Lawton, Oklahoma, under a federal and state initiative to study UAS applications for emergency response. The DHS is also considering the use of small UAS by its constituent organizations: the Coast Guard and the Customs and Border Protection (CBP) agency.”

Space: the new cyber crime frontier touches on some important, and quite reasonable, concerns about vulnerabilities in our space architecture such as space junk, general overcrowding, and so on. However, one concern (the sexiest one from a headline grabbing perspective of course) is a bit overblown:

Mark Roberts, who pioneered the introduction of cyber elements into the war games that the MoD runs, hypothesised a scenario in which hackers take control of one or multiple redundant satellites and use them to crash into more vital ones.

“There are lots of satellites in orbit at the moment that have been taken off line,” he explained. “They still have propulsion, they have the ability to be restarted. Somebody particularly nasty could hack one of these things and then start to manoeuvre it.”

Now, I would never say never when it comes to technical vulnerabilities but I will say that, having actually worked on satellite control systems a little, that this is not something that keeps me up at night. I touched on this last year:

In 2000 I was CEO of a wireless company that partnered with Lockheed-Martin to demonstrate a COTS solution for remote satellite control. In six weeks we did something nearly impossible. We used a wireless Palm VII PDA, hopped through commercial networks to NASA, and actually sent real-time commands to the WIRE spacecraft. We did this from Johnson Space Center’s Mission Control building but we could have done it from anywhere. Let me assure you that clearing the massive security hurdles for this project was no simple task. Our proposed architecture required input from engineers and executives at Palm Computing, AT&T, NASA, Lockheed-Martin, and one other agency that won’t be named. Not only was it secure, but the system was only live for a brief demonstration period before connections to commercial networks and the Internet were severed.

As I said in that piece there are vulnerabilities (and those are increasing) but I doubt anyone short of state sponsored hackers would have much chance to not only gain full control but to also successfully steer a compromised satellite into another “vital” craft. That is not only an immensely complicated operation but it is also beyond the maneuverability capabilities of most satellites. SIGINT vulnerabilities, space junk, overcrowding, and solar flares all pose more likely threats.

It is just a matter of time:

“Before they were blind, deaf and dumb,” Mark Maybury, chief scientist for the U.S. Air Force, told AFP. “Now we’re beginning to make them to see, hear and sense.”

Ronald Arkin, a professor at the Georgia Institute of Technology, believes that drones will soon be able to kill enemies on their own independently.

“It is not my belief that an unmanned system will be able to be perfectly ethical in the battlefield, but I am convinced that they can perform more ethically than human soldiers are capable of,” Arkin told AFP.

These stories make for great headlines and feed a lot of silly drone paranoia but I think they are essentially accurate. The killer drones of science fiction will become a reality but probably not on a massive scale and probably not soon.

I think the real story and ultimate benefit is in the development of greater drone autonomy in virtually every other (non-lethal) aspect of their operation. We are not terribly far off from being able to build drones and support systems that autonomously synthesize vast amounts of battlefield intelligence, self-launch, fly to potential targets, and notify human specialists of their intent or target opportunities. We are laying the groundwork for much of that right now. However, in most cases, it will still make sense to allow that human specialist final decision making authority at the execution phase even while the mechanics of flight, targeting, and firing can be fully handled by the drone itself.

When full offensive autonomy does come I think it could initially be in an air superiority role where it is easier to envision fully autonomous drones being turned loose for tasks such as enforcing no-fly zones. That is typically a less complex set of rules than say chasing down two guys with RPGs in the middle of Baghdad. Not easy – but easier. Either way, there are countless applications for this technology and many ways that these capabilities can be implemented short of the “fully autonomous killer drones” that are so effective at capturing imaginations and headlines.

I was able to streamline much of the production and account maintenance processes and requests are coming in for custom monitors. This means that I am able to restructure the subscription system and slash prices. So starting this week the three-tiered plan system is gone. All subscribers now have Covert Contact Pro level features and the price, which was $99 a month, has been slashed to only $10 per month. That is an amazingly low price for over 350 international relations, political, and national security live streams. I’m constantly fine tuning the streams and adding more as news breaks. To keep up with developments follow Covert Contact on Twitter or the Covert Contact blog.

This is an exciting change and not one that I thought I would be able to make so quickly. This gets Covert Contact as close to being “free” as possible and hopefully back into the hands of many observers. I hope you will give it a look and subscribe.

Yeah it’s a month away (July 26-29th) but there is already plenty of chatter on Twitter. This collection of streams is pulling in mentions of Defcon, tweets about various talks and panels, and of course – the parties.

If you’re not familiar with this conference this Wired story on it’s twenty year history is a pretty good place to start.

Visit the official conference site for speakers, events, and other info.

I’m not much of a Facebook fan but in the interest of getting Blogs of War updates to you wherever you may want to receive them I’ve reactivated the Blogs of War Facebook Page.

The launch of the Agni V on Thursday, which can carry nuclear warheads and has a range of 5,000 km, will thrust the country into an elite club of nations with intercontinental nuclear defence capabilities.

The launch of the Indian-made Agni V, if successful, would be the crowning achievement of a missile programme developed primarily to counter any threat from China.

Only the UN Security Council permanent members – China, France, Russia, the United States and Britain – have such long-range weapons.

An India Monitor has been added to ThreatStream to track developments.

The summit runs through the 27th in Seoul. You can see a detailed schedule of events here. The monitor built for this event includes three live streams looking at:

• The Summit – Aggregating related hashtags and any mentions of the summit itself.
• Nuclear Material Security – Looks beyond the summit to and tweets related to nuclear material security.
• Nuclear Programs – Any mentions of nuclear programs. North Korea and Iran seem to be dominating the discussion.

Launch the Nuclear Security Summit 2012 Monitor.