by tptacek 4095 days ago
So you're talking about companies selling to NSA in the same sense as they would sell products to Allstate? As in: literally the exact same products in exactly the same packaging sold to exactly the same purchaser as would exist at Allstate?

Who cares?

You dodged part of my comment. Once again: virtually none of the commercial security work --- or even the offensive security work --- is thinly veiled NSA work. Virtually none of it.

What on earth led you to believe you'd be able to defend such a statement?


That I've seen enough of it firsthand. They may offer the same product to Allstate, but the products are developed with government customers in mind. I'd cite Sandvine, but I'm not personally aware of them selling to the NSA - although it wouldn't surprise me. I've also sat in the room as people discuss the best way to do business with the NSA, and the consensus was that for some kinds of products the best approach is to develop the thing and sell it as a packaged product without a care given about selling to anyone else.

Sure, they might sell to someone else, but nobody involved cares about that.

What I've seen suggests that there are really two commercial security sectors. One centered on the west coast and focused on the private sector. The other is centered on the east coast and centered on the US government. It's all commercial, after a fashion, but the two don't typically interact very much. Each tends to think of itself as "the security sector".

Well. Except when Mandiant decides to point fingers. Then there's briefly lots of interaction.

What you're doing now is re-answering a question I posed upthread without addressing the question I just asked.

Yes, of course, every enterprise product company in the world --- in security, disaster response, configuration management, issue tracking, document management, what-have-you, every single one --- sells to FedGov. They all have special teams to do it. And FedGov has special requirements; for instance, Common Criteria certification.

Now: can you answer my actual question? How on earth did you feel you'd be able to defend your statement that most commercial security work is thinly-veiled NSA work? That's not just not true, it's almost literally the opposite of true.

Is your answer "there's this East Coast sector of the security industry that sees itself as the whole security industry that is almost entirely thinly-veiled NSA work"? If so: can you name 3 companies in that East Coast security sector? I've worked in security for just about 20 years now and can name many, many East Coast companies, and very few of them have ever done work for NSA, or, for that matter, done work that would be interesting to NSA.

"Most" was never my contention. I used "much", which implies a significant amount (dollar-wise, true) without contending a majority.

And I said virtually none of it is, rebutting your claim, which I think is farcical. Can you defend it with specifics?

Leidos, ManTech, and Endgame (provided you're willing to allow Atlanta) come to mind. All do substantial amounts of security work. Mandiant, too, though they're now owned by FireEye.

Two giant government contractors that happen to have small security teams, and one tiny boutique firm. The funny thing is you didn't mention Raytheon or Lockheed, both of which have teams that I suspect are larger than the three teams you mentioned put together. All of them are dwarfed by the commercial security industry. Most of them are backwaters nobody in the field thinks about when they think about security.