Barr is back in business. Aaron Barr, the former CEO of HBGary Federal, had his corporate e-mail exposed to the world by Anonymous earlier this year after attempting to expose the group's "leadership." Based on our reporting, comedian Stephen Colbert memorably summed up the encounter: "To put this in hacker terms, Anonymous is a hornet's nest, and Barr said, 'I'm going to stick my penis in that thing.'"

Barr eventually resigned from HBGary Federal after weeks in the spotlight—and after revelations emerged that he helped form dubious plans to attack Wikileaks, fake documents, and identify critics of the US Chamber of Commerce using "link analysis" technology.

But he resurfaced a few months later as the director of cyber security for government contractor Sayres and Associates. This week, he dusted off an old presentation on "Social Media and Evolving Cyber Threats" and made one of his first public presentations after the HBGary Federal debacle. We stopped by Barr's presentation to find out whether the criticism of Barr's own desire to play "offense" in cyberspace had changed his perspective. It had not.

"More money needs to be spent, in my opinion, on offense," Barr said during the talk. "Offense is a controversial topic but it's one that, unfortunately, we have to deal with more and more, because defense doesn't work."

Freak out

Despite the beating that Barr's reputation took in public after the Anonymous incident, his warnings about social media and the power of link analysis are clearly worth hearing. He gave the example of Apple employee Gray Powell, the man who lost an iPhone 4 prototype in a California bar. Powell's LinkedIn page notes that he is currently in "iPhone Sw [software] engineering at Apple" and that he does "performance validation" on the device. A malicious attacker, hoping to get her hands on an iPhone prototype, could search LinkedIn for this sort of information, then go to a location-based site like Foursquare to find out where Powell "checks in regularly." With that information in hand, the attacker could track Powell and try to swipe the phone from him at one of those locations. Corporate espionage has never been so easy.

Barr said that he was sometimes hired to run "social media pen tests" for companies to illustrate the vulnerabilities of their executives. In one case he recounted, a top exec was well protected on social media sites, but his wife exposed far more information. Barr used the wife's Facebook profile to see her friends list, and he was able to use the web of connections to figure out where the couple had attended school. He then went to classmates.com, created a fake profile pretending to be a known friend from that school, and used it to ping his target, saying he wanted to get back in touch. The man accepted—and Barr suddenly had a direct, trusted connection to his target.

This sort of thing used to be a staple of Barr's work; alarming top executives was always good for the security business. (When Barr once sent such information on a law firm partner unsolicited, he was told by one exec, "Thanks. I am not sure I will share what you sent last night—he might freak out.")

Indeed, it's what got Barr into trouble. As the HBGary Federal business ran into difficulties bringing in government cash, HBGary CEO Greg Hoglund told Barr in an e-mail, "It hasn't really been a success... You guys are basically out of money and none of the work you had planned has come in."

Barr then tried to make a big splash that would put his company on the map by outing the main players in Anonymous. He took his "scoop" to the Financial Times ahead of his conference presentation on the topic, but the result so annoyed Anonymous that hackers broke into HBGary Federal's computers, took Barr's e-mails, and exposed them to the world.

Hacks aside, was Barr right? Our own reporting suggests that his list of top Anons had serious problems, as did his attempts to tie those screen names to real people, but the basic ideas had merit. Barr tried to make his connections using social media analysis—for instance, a favorite technique was trying to link IRC posting times to Facebook users who also wrote things about Anonymous. If both were active at exactly the same time, it might be the same person.
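To make concrete what a posting-time correlation like the one described above actually measures, here is an added example (not Barr's code, nor anything from HBGary's tools). It scores each IRC handle against each Facebook account by the fraction of the handle's posts that have a Facebook post from that account within a short window. All handles, names and timestamps are constructed for the illustration; the window size is an assumption. The bystander account deliberately included in the data shows the weakness the reporting pointed at: anyone active at the same hour scores well, so a coincidence score is a lead, not an identification.

```python
"""Added example: timestamp-coincidence scoring across two activity streams.

The idea, as the article describes it: if an IRC handle and a Facebook account
post at the same times, they might be the same person. This sketch implements
that scoring over constructed data so its limits are visible.
"""
from datetime import datetime, timedelta

# Constructed sample data (hypothetical handles and times, not from any real
# platform). Each row is (account, "YYYY-MM-DD HH:MM:SS").
IRC_POSTS = [
    ("anon_a", "2011-02-05 21:02:10"),
    ("anon_a", "2011-02-05 21:05:44"),
    ("anon_a", "2011-02-05 21:31:03"),
    ("anon_b", "2011-02-05 13:10:00"),
    ("anon_b", "2011-02-05 13:12:30"),
]
FB_POSTS = [
    ("Alice", "2011-02-05 21:03:05"),
    ("Alice", "2011-02-05 21:06:20"),
    ("Alice", "2011-02-05 21:30:40"),
    ("Bob", "2011-02-05 21:04:00"),    # a bystander who happened to be online then
    ("Carol", "2011-02-05 13:11:10"),
]


def parse(rows):
    """Group rows by account and parse the timestamps into datetimes."""
    by_user = {}
    for user, ts in rows:
        by_user.setdefault(user, []).append(
            datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return by_user


def coincidence_score(irc_times, fb_times, window):
    """Fraction of IRC posts with at least one Facebook post within `window`.

    This is the whole signal: it counts near-simultaneous activity and nothing
    else, so it rises for anyone active at the same time, related or not.
    """
    if not irc_times:
        return 0.0
    hits = sum(1 for t in irc_times
               if any(abs(t - f) <= window for f in fb_times))
    return hits / len(irc_times)


def rank_candidates(irc_posts, fb_posts, window=timedelta(minutes=2)):
    """Return {irc_handle: [(fb_user, score), ...]} sorted by score, highest first.

    The 2-minute default window is an assumption for the example, not a value
    from the article.
    """
    irc = parse(irc_posts)
    fb = parse(fb_posts)
    ranked = {}
    for handle, times in irc.items():
        scored = [(user, coincidence_score(times, ft, window))
                  for user, ft in fb.items()]
        scored.sort(key=lambda pair: -pair[1])   # stable: ties keep input order
        ranked[handle] = scored
    return ranked


if __name__ == "__main__":
    for handle, candidates in rank_candidates(IRC_POSTS, FB_POSTS).items():
        print(handle, candidates)
```

Run it and "anon_a" matches "Alice" with a perfect score, but the bystander "Bob" scores 2/3 on the same evidence; tighten the window to 30 seconds and both collapse, Alice to 1/3 and Bob to zero, because real people do not post in lockstep. Any use of this kind of correlation needs a base rate (how many accounts were active in that slot) and independent corroboration before a name gets attached to a handle.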

Barr's presentation sounds the (fairly obvious) warning against the rise of personal information online and the ways in which it can be exploited. Even if you want to keep your identity private, it's hard—friends may tag you in Facebook photos, documents and webpages may contain relevant metadata on where you work, check-in services like Foursquare can make you easier to track.

Barr's two key bits of advice are "hide your friends list" and "don't list where you currently work." He noted that "the most frightening website out there is LinkedIn, by far" because people see a real benefit—jobs and career connections—from posting information and so freely divulge workplaces, job duties, location, education, and more. For someone looking to mount a targeted attack on an individual, this can be a gold mine.

Let's play offense

The controversy in Barr's case didn't involve the main points he was making about security, but his more offensively minded strategies and his willingness to deploy them against all sorts of people. For instance, Barr was willing to turn his link analysis expertise on US-based critics of the Chamber of Commerce by setting up a "corporate information reconnaissance service." He had an idea to "create two fake insider personas, using one as leverage to discredit the other while confirming the legitimacy of the second." He was willing to attack WikiLeaks electronically and then forge documents to discredit them. He seemed willing to go after civil liberties writers like Salon.com columnist Glenn Greenwald, saying, "These are established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause."

Barr doesn't see himself as a bad guy, or even a rah-rah military/industrial booster. No, as he said this summer after attending the DEFCON security conference in Las Vegas, "I have always been and still consider myself a liberal." He even "helped to lead a protest against Walmart in 2005 from putting up a store in my small town" (and lost), and he opposed the Iraq war.

But his liberal impulses are tempered by pragmatism and "necessity." "I believe that sometimes circumstances require more aggressive tactics in order to maintain stability," he wrote. "But I’m also aware that such tactics can run dangerously close to the line, and are susceptible to corruption."

Still, despite the danger of corruption—something Barr arguably got caught up in himself—he still says more "offense" is needed when it comes to cybersecurity. As Barr tweeted on September 11, "Do politicians understand when they talk of getting ahead of the cyber threat that it requires more offense? I doubt it."

Such tactics aren't the sorts of things one talks about in the open at conferences, but Barr did admit that government "should be the only ones allowed to do certain types of offense." Something needs to be done, though, because playing defense simply doesn't work any more. The Chinese and Russians are becoming sophisticated cyber-attackers, Barr said—and he worries that the US is getting left behind.

As for Barr, if you want to find him, Foursquare says he's the "mayor" of the Shell gas station near his home in Mclean, Virginia.