by tikums 4095 days ago
> They are highly skilled network attack specialists, with basically no way to apply their skills other than working for the NSA.

Why is the commercial "cyber" security industry not a viable option? It pays well, there's currently a notable skill shortage, and they can work in "pen-testing", "red teaming" and "exploit development" areas.

I will copy/paste from the other answer I gave to this same question:

> Pen testing is a viable alternative in the same way that driving a car is an alternative to designing an engine.

"Red teaming" is little different.

Further, much of the commercial world is thinly veiled NSA work. Who do you think the biggest clients of Reversing Labs, for instance, are? They're not just any commercial firms. They're commercial firms providing services to the NSA.

Bug bounties and HackerOne are sick jokes compared to what governments pay.

Virtually none of the commercial work is thinly-veiled NSA work.

I know literally none of the people behind "Reversing Labs", your comment is the first I've heard of that company, and, examining what their product does, I can't understand how what appears to be an email antivirus product is somehow helping NSA.

Their products are very useful in a defensive context. Not all of the NSA's work comes under the heading of cyberweapons or intelligence-gathering. They do plenty of defensive development, too.

RL's Titanium Core is one of the best unpackers around, and thus incredibly valuable for anyone doing malware analysis. Couple it with Titanium Cloud (blacklisting/whitelisting of samples) and you have the core of a system that can go interesting places. Try not to cringe at the bill. Toss in a sandbox or three and you're really getting somewhere. Add in a couple of MITRE standards for requisite government headaches, obviously.

From what I've seen, a fair amount of security product companies are selling to the NSA. Doesn't work for SaaS and services, because the NSA tends to require that whatever you're selling run on their network.

It's worth remembering that the NSA isn't afraid to buy from tiny companies and In-Q-Tel exists to enable investment.

So you're talking about companies selling to NSA in the same sense as they would sell products to Allstate? As in: literally the exact same products in exactly the same packaging sold to exactly the same purchaser as would exist at Allstate?

Who cares?

You dodged part of my comment. Once again: virtually none of the commercial security work --- or even the offensive security work --- is thinly veiled NSA work. Virtually none of it.

What on earth led you to believe you'd be able to defend such a statement?

That I've seen enough of it firsthand. They may offer the same product to Allstate, but the products are developed with government customers in mind. I'd cite Sandvine, but I'm not personally aware of them selling to the NSA - although it wouldn't surprise me. I've also sat in the room as people discuss the best way to do business with the NSA, and the consensus was that for some kinds of products the best approach is to develop the thing and sell it as a packaged product without a care given about selling to anyone else.

Sure, they might sell to someone else, but nobody involved cares about that.

What I've seen suggests that there are really two commercial security sectors. One centered on the west coast and focused on the private sector. The other is centered on the east coast and centered on the US government. It's all commercial, after a fashion, but the two don't typically interact very much. Each tends to think of itself as "the security sector".

Well. Except when Mandiant decides to point fingers. Then there's briefly lots of interaction.

What you're doing now is re-answering a question I posed upthread without addressing the question I just asked.

Yes, of course, every enterprise product company in the world --- in security, disaster response, configuration management, issue tracking, document management, what-have-you, every single one --- sells to FedGov. They all have special teams to do it. And FedGov has special requirements; for instance, Common Criteria certification.

Now: can you answer my actual question? How on earth did you feel you'd be able to defend your statement that most commercial security work is thinly-veiled NSA work? That's not just not true, it's almost literally the opposite of true.

Is your answer "there's this East Coast sector of the security industry that sees itself as the whole security industry that is almost entirely thinly-veiled NSA work"? If so: can you name 3 companies in that East Coast security sector? I've worked in security for just about 20 years now and can name many, many East Coast companies, and very few of them have ever done work for NSA, or, for that matter, done work that would be interesting to NSA.

> much of the commercial world is thinly veiled NSA work

While security agencies of various governments are on the buy side of the "zero day" vulnerability market, the majority of commercial "cyber" security companies are not dealing in "cyber weapons" and are not involved with the NSA. There are plentiful examples of successful "white hats": H. D. Moore, Dan Kaminsky, Tavis Ormandy, Michał Zalewski, even our own Colin Percival and tptacek, etc. You don't have to do work for the government to play in this area.

It's less of an excuse and more of a statement about the current state of reality. Are there examples and counter-examples and so on? Absolutely. Do any of them change the state of reality by existing? No. Is a very sizable portion of private-sector work today paid for by the NSA, directly or otherwise, including both defensive and offensive capabilities? You bet.

As a result, saying people should go to the commercial world isn't actually much of a change. It's not an alternative to the current reality because it is the current reality.

It's worth remembering that you probably don't hear about the big players very much in places like this. Endgame, MITRE, Leidos, etc. They tend to stay out of the limelight while still employing substantial numbers of people.