Category Archives: Security

To C2 or Not to C2, That is the Question

The information security industry confirmed this week it remains locked in a decades-long standoff over whether to abbreviate “command and control” as C2 or C&C, with sources describing an opinion survey as “the most important thing happening in cybersecurity” and “definitely worth the effort.”

C2, the abbreviation used by NIST, CISA, MITRE, and the entire United States military, faces stiff competition from vendors clinging to C&C, the abbreviation used by several marketing departments and a Westwood Studios game from 1995.

MITRE, which embedded C2 directly into official technique names such as “Exfiltration Over C2 Channel,” declined to acknowledge the controversy, noting that an organization does not debate a term it has already carved into a taxonomy the whole industry maps its detections to. The NIST glossary was reached for comment and, as a glossary, simply contained an entry for C2 and no entry for C&C, which observers described as “cold” and “kind of a power move.”

The Department of Defense, which coined C2 as doctrine and then spent fifty years attempting supplemental letters until it produced C4ISR, reportedly finds the civilian dispute adorable.

However, the carnival barkers and sellers of C&C remain committed. “The ampersand conveys the kind of gravitas that makes thought leadership about self-promotion,” said a vice president of content marketing at a leading endpoint security firm, gesturing at a glossary page optimized for search traffic and a podcast by two friends citing an unfinished dissertation. “Also we published four hundred blog posts with C&C in the URL and nobody here knows how to set up redirects.”

One major vendor has adopted a compromise position declaring C2, C&C, and the fully spelled-out term interchangeable, a diplomatic maneuver historians recognize as the final stage before unconditional surrender.

Expert vulnerability researchers citing Google Ngrams noted that C&C has roots that stretch back to the 1800s, suggesting Victorian threat actors maintained their own sophisticated botnet infrastructure. Closer inspection revealed the hits referred to dry goods firms, cash-and-carry arrangements, and other commercial ampersands, confirming the corpus will happily testify to anything if you call the underlying documents “sophisticated”.

Experts recommend writing “command and control (C2)” on first mention and C2 thereafter, citing the convergence of a federal glossary, federal advisory formatting, and the industry’s own taxonomy. Writers who prefer C&C are encouraged to continue, secure in the knowledge that they are backed by the full authority of a real-time strategy franchise and several websites that want to sell you an EDR agent.

At press time, the industry had moved on to arguing about whether it is spelled cybersecurity or cyber security, or cyber, a debate expected to consume the remainder of the market opening window.

Driver Kills Boston Public Official Who Worked to Stop Drivers From Killing People

She was just blocks from her government office when she was killed with a vehicle.

The Globe has identified the person who died when hit by a driver on Tremont Street at Parker Street on Mission Hill this morning as Louisa Gag, a planner for the Boston Transportation Department who once co-authored a report on “Vision Zero” – the idea of redesigning roads and transportation systems to eliminate fatal crashes on urban streets.

Louisa Gag was cycling to work early Thursday, to protect cyclists from cars, when she was killed by a vehicle on Tremont Street. Source: The Globe

Merz Buys the Tomahawk That Just Lost a War and is Out of Stock

Germany says it has made a defense deal with Trump to buy Tomahawk missiles. And, as you would expect, it’s immediately not going well.

CSIS reported in May that the US fired more Tomahawks while losing the Iran war than in any other campaign in history. Trump’s spray-and-pray attacks, directed by Palantir, wasted so many missiles to little effect that replenishing the inventory is a near-term risk for the United States.

Germany is announcing it will enter a queue behind the US Navy’s own restocking priority, for a subsonic 1970s-architecture missile, from a production line that has run at well under a hundred units a year. Someone in Germany has not been paying attention.

Delivery timeline? None.

Cost? Unstated.

Quantity? Unstated.

Germany’s leader Merz gave none of the details that make a deal a deal.

Meanwhile, Fire Point in Ukraine iterated the FP-5 from announcement to combat use in about a year, at something like a quarter of Tomahawk unit cost, delivering half a ton of explosive per warhead to destroy Russian war factories. Fire Point’s drone line has demonstrated strikes past 2,500 km, hitting the Omsk refinery in Siberia this week.

Germany acts like an old depleted 1,600 km American missile wait-list is big political news, while Germany is already funding Ukrainian long-range production directly. I mean, ELSA exists because Europe identified this dependency in 2024.

Deals involving Trump’s TLAM also means buying the broken mission-planning chain that comes with it, which is a strange hedge against an unreliable and unfriendly Washington. The strategic gap Merz says he’s closing was the sovereignty gap, and the Tomahawk Deal makes it open wider.

Germany should be embarrassed to announce any deal with Trump. But this deal in particular reads like a horrible joke.