55 comments

[ 3.5 ms ] story [ 98.5 ms ] thread
How will this even work? Will he tell his company's developers to develop software that will protect against all the vulnerabilities he learned about while being the head of NSA and hacking into everyone's networks? That seems...wrong somehow?
he'll probably spend a lot of time having the devs write software based on DoD standards. It's surprising how much of security is "make sure you've configured everything correctly".
It's surprising how much of security is "make sure you've configured everything correctly".

Or "don't accept ' or 1=1 -- as a password", for that matter. Internet-facing web system with several thousand users, just a year ago or so. Made me feel like I'm back in the '90s.

There's nothing inherently wrong with that password as long as your code isn't vulnerable to SQL injection, which is trivial to do nowadays.
Sure SQL injection is trivial to do nowadays; it's always been.

I mean, of course I meant this was an SQL injection.

I'm pretty sure GP was saying making sure your code isn't vulnerable to SQL injection is trivial to do nowadays, not that SQL injection is trivial to do.
It's trivial to not be vulnerable to SQL injection.
That's not what "trivial" means. Trivial means the simplest possible example, which in almost every web framework involves passing input as received to the DB driver without knowing its contents and without escaping/sanitizing it.

Only by using frameworks and DB drivers correctly (RTFM) is one able to accurately avoid SQLi. I would argue that "using software correctly" is by no means trivial and rarely happens in most systems that have less than NASA quality safeguards.

I would agree that most modern frameworks which are adopted by at least a few hundred developers tend to use best practices and a "security by default" mindset, but that's far from saying that "avoiding SQLi is trivial".

This:

> "don't accept ' or 1=1 -- as a password"

(the way that it's stated) implies that one should be checking input for possible SQL injection attacks and dropping the request, rather than sanitizing input so that the attack doesn't work, but the password is valid.

I'm guessing he'll just apply stuff they developed in NSA for NIDS, patch deployments, etc. Just a good HIPS (esp whitelisting) and patching knocks out 75% of so-called APT's per Australia's DSD. Good monitoring catches many of the rest eventually. Those by themselves, combined with NSA's improvements, would dramatically improve security for organizations that had little of it but lots of money.

Probably sells them on an image and liability benefit, too: "bank shouldn't be liable because we even went so far as putting former director of NSA in charge of our security. What more could we have done!?" Trying to counter liability in courts or with lobbying is main security model for big business. So, something like this is undoubtedly a benefit.

Prediction: They'll build tools/services which are broadly similar to existing security technologies (IDS / log analysis / etc) and then their sales team will mention - at opportune moments - that they have an ex-NSA founder who oversees the technology.

If pressed there probably won't be a huge amount of details on what extra security / insight that might provide vs their competitors, but there'll be implicit suggestions that it's because what he knows is classified and nation-state level and that it actually filters down to the way they design and implement the services.

Is there real magic technology previously unknown to security that they'll be able to add? And would it be wise to expose it via a small startup if so? Personally doubt both, but probably doubt the former more so.

Meanwhile a basic product will develop, sales will flow, it's probably a safe-ish bet for the early investors/founders, the sun will continue to rise in the east and set in the west, etc.

"Will he tell his company's developers to develop software that will protect against all the vulnerabilities he learned about while being the head of NSA"

Not only what he learned while he was there; it seems his original plan was to continue to receive a steady stream of intelligence info even after he'd left:

https://fcw.com/articles/2014/10/22/nsa-cto-moonlight-gig-en...

When this info first came out - I was under the impression that he was going to have fairly exclusive access to license some tech that the NSA had made - and a bunch of people balked at this as NSA is technically a public entity and as such, should not preclude anyone else from gaining access to the same IP -- further, it was argued that as a public entity they should not be charging fees to access the IP.
I am going to bet that he doesn't actually know the details of any of those vulnerabilities. He was the head of the entire agency, not a technical guy. He probably know that something was done, but not how it was implemented on a technical and usable level.
Security is kind of a weird space. You can't just buy security. It's lots of consulting and training firms with some products that enterprises buy.

I have a feeling this is going to be just like all the other ones, with some proprietary IDS.

One interesting thing to note, being originally from NoVa/DC. No mention of a clearance requirement in the company's job reqs. I've never seen a job req that required a clearance without one.

If you think about not having security clearance, it makes sense. You'd usually have clearance to see certain data. By not requiring it, you're replicating how anyone else would try breaking into secure systems.
The way most agencies work, the vulnerabilities would be considered classified information. So, the testers would not have access to classified information prior to the evaluation, but what they find during the evaluation would become classified.
There are plenty of cases of working on unclassified systems in classified environments where you need a clearance primarily to get to the point of doing your work. Less true as a contractor building products, less true in the US vs. deployed.
You can't just buy it, but you also can't afford to build all your tools in house.

It probably will be some new detection technology, since that's the direction the industry is going (if you can't prevent all breaches, you need detection anyway) and I don't think we've exhausted the space of possible approaches to detection yet.

Most of the development could easily be done with a bunch of uncleared individuals. It would only takes a few cleared people to implement the technologies on the classified systems, which could be a different job req.
I'm not really sure wtf KPCB was thinking here.

NSA isn't exactly the world's top defensive security organization. As a red-team, I could see some value in ex-NSA, but for commercial information assurance (IA), aside from "we've seen how things are done badly, by contractors", I would consider NSA experience not just irrelevant but negative.

In addition to being ineffective at the IA mission, NSA has entirely unreasonable resources and imposes constraints on their users. These would be unavailable for commercial companies, so NSA IA experience is even less helpful.

I could sort of see putting $XX mm into a company for "halo effect" on your other investments, but in this case there are more than enough negative external optics which come with the decision. I personally would not want to be associated via common investor with this.

(maybe should post as a throwaway, but w/e; I stand by this)

What are the worlds top defensive security organizations?
Google is pretty high up there. For a commercial enterprise, they'd be my largest, most accessible hiring/investment pool.

"Developed and implemented X meaningful control at Google" is close to auto-investable, IMO.

There are some pharma (drug discovery) and prop-trading firms I'd respect highly, too. Not high street banks but smaller or more focused entities. Knowing which is hard.

For big companies which are "obviously" good: Apple's not bad internally. FB, Amazon, Microsoft aren't bad. The hard part is identifying who is good internally out of large teams. (Yahoo! has also traditionally had good infosec relative to everything else, although perhaps sacrificed business to it.)

LV casinos as a sector seem to be ok.

For harder bets: There are few tougher environments today than the bitcoin ecosystem. A lot of those companies are shitshows staffed by people with zero infosec background, but there are exceptions.

Also of course some of the most elite consultancies (iSEC, IOActive, Cylance, etc.) have great people. There are individual good people in large big-N consultancies too, but as a blanket statement, not as good to recruit from.

(For offense: Israel/8200/etc. are probably the best recruiting pool, due to cost relative to skill. There are good people in the NSA ecosystem as well, for offense, although largely contractors, and expensive. I don't buy that extreme competence at actually implementing widely-known-but-we-didnt-think-people-would-actually-go-that-far vulnerabilities makes you a stronger defensive player, though; developing fundamentally new attacks, or finding vulnerabilities, sure, but spending $5b to do the attack everyone had identified as a possibility is just an engineering and economic exercise.)

(In SV today, startups in security are probably the best pool of talent, hence acquihire. I probably know a pool of ~200 good to great people in the general security ecosystem at any given time from a bunch of companies who are recruitable or buyable.)

FB has had somewhat of a revolving door with NSA security, though [0] -- so given your negative perception of this, how do you feel about what FB does and the NSA does that overlap enough to have employees come/go between the two?

http://www.thewire.com/technology/2013/06/facebooks-former-s...

Old -- but there are other articles about it as well...

By "revolving door" you appear to mean that one executive, who hadn't previously worked for NSA, left Facebook for a job at NSA.

It would be hard to imagine more prominently anti-NSA security executive than Alex Stamos, their current CSO.

My understanding was that an NSA employee came to FB, then left FB to go back to NSA.. I could be totally incorrect though...
Etsy, of all organizations, is considered to be one of the best. It has the most rigorous security measures in a usable internet-connected network I've ever heard of.

And the ones listed by @rdl.

Are you joking? Not trying to be critical, I just can't tell if you're serious. Why would Etsy have the most rigorous security measures?
They had (have?) a security team entirely larger and more competent than I'd expect (or, honestly, really choose to seek to have) in an org their size. I think they were just lucky to get a couple great people early on and doubled down.
Etsy is a weird case. I'd never, ever have thought there's so many such good people in a company that initially seemed to me to be a random eBay-like store for selling trinkets. And yet, it turns out they have serious talent and post a lot of very interesting tech stuff.
They aren't joking. How? Because they went out of their way to hire very good appsec people to build their team. There's a geography and right-place right-time element to what they did, too.

They're a pretty good case study for how the right senior hires at the right time can set the tone for a security organization for many years after those people leave.

You mean that it's not reasonable to expect users to do all their work on an air-gapped system, and wait in line for the one internet-enabled terminal in the office? ;)
Or the 1-3y pre-employment background screening, involving things which would be illegal for a private employer.
And the results of the background screening subsequently being sent to China via a cyber security breach.
While at the same time all rats in HVAC vents go crazy because of the ultrasonic noise of a mesh network created out of employees' pwned smartphones.
You seem to undermine the power of network
I would guess for a start-up to be successful it is not necessarily to have a market, a good idea, a product etc. But to find a investor dumber than they are to bankroll them.

NSA name sounds important, cool, and carries powerful connotations. I bet even if he said he is making flux capacitors, he'll find some investors to throw a few millions his way.

I have a feeling you and I would define "success" differently.
So let me get this straight. The guy who headed the NSA--an organization so secure that a 30 year old contractor was walking out with classified documents on a thumb drive during this guy's tenure--wants companies to buy his product? I don't think so.
There are many start ups, which serve 3 letter agencies. This guy will sell his product to those agencies, make big bucks.
Yap common path for ex-heads and high ranking people from those agencies. His friends will funnel business his way. While they make friends there, retire, start business so those friends can now funnel business their way.
Snowden is actually a great example of how well compartmentalization works.

He downloaded what was effectively the brochure stand you see in the lobby of a cheap hotel. Look, we have this for use, here is a high level overview. Come talk to us, we will read you into the program, and provide you with the details.

Sure it was an intelligence loss - but it was all stuff that any cleared staff could access anyway.

> He [Snowden] downloaded what was effectively the brochure stand you see in the lobby of a cheap hotel

The NSA and other government security organizations say that the information he leaked was very damaging. The NSA also changed their security procedures in response.

All of that could be for show, but I haven't seen evidence that it is.

I kind of see your point in that he mostly got things like slideshows, rather than detailed memos, code, operational details. Yeah, without compartmentalization, it could have been worse, but unless they intended to allow someone to mass-exfiltrate all that, there's still a pretty bad security failure.
He only had access to stuff lots of people were cleared for. I predicted that early on and further guessed that most of capabilities were in SAP's for stronger protection. That was confirmed later with ECI leaks which specifically reference the SAP's. People kept getting confused, esp over ECI vs SCI, so I explained how the classification system worked and how it applies to Snowden here:

https://www.schneier.com/blog/archives/2014/10/nsa_classific...

Anyone wanting to know about how thoroughly SAP's are protected can start with the NIPSOM Industrial Security Manual(s):

http://fas.org/sgp/library/nispom.htm

They start with that stuff as a framework and use specialists for categories demanding it. Much better than CISSP as it covers papers, personnel, INFOSEC, COMSEC, OPSEC, EMSEC... the works. My own framework built on it plus what I learned in privacy guides (eg Eden Press), spy/military nonfiction, and writings of crooks. All kinds of useful techniques to draw on when filling in the blanks of the framework for a given organization. INFOSEC turned into the most fun of the rabbit holes. Mostly solved and just not reaching mainstream, but still stuff to figure out for pro level and high assurance sector. Many, many surprises await.

Yeah, but "Mr. Alexander was known for modeling an NSA command center after the interior of Star Trek’s USS Enterprise."
The NSA did its best on INFOSEC back in the days of Walker's Computer Security Initiative:

http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...

Many systems, under A1 label, were created back then which defeated NSA pentesters. NSA was mainly evaluator rather than developer, but developed some interesting tech of their own. EKMS for key management and especially the inline-media encryptor come to mind. My own IME designs were based on theirs.

https://www.nsa.gov/ia/programs/inline_media_encryptor/

However, most of the developments came from computer science, U.S. military organizations, and defence contractors. They produced a lot of secure technology. People in NSA's IAD helped where possible. Those same methods are used on select systems today although NSA is fast-tracking everything now for some reason at low-assurance. Probably part of BULLRUN.

Anyway, NSA could easily offer good INFOSEC by just applying what's proven to work to various use cases as Bell said. Anyone could. Some did to varying degrees: Sentinel's HYDRA firewall, GEMSOS's thin clients, Mikro-SINA VPN, Secure64's SourceT OS for DNS, and so on. Each of these either had clear security improvements or did vastly better on penetration tests with GEMSOS and HYDRA surviving NSA pentests with much praise from evaluators.

So, people wanting security should just apply what works to every part of the stack. Won't be easy. Will take time. Will probably be incremental. Nonetheless, insecure protocols, monolithic kernels, C libraries... these things have never worked and never will. Just doing the opposite of mainstream in key areas will get one far. Imitating the best of the past will get you really far. And the hardware is the most important battle from there as I said in counterpoint to Dan Geer.

https://www.schneier.com/blog/archives/2014/04/dan_geer_on_h...

So, screw Alexander's outfit. Nobody needs it: just lessons NSA and others taught us long ago plus what we've learned in mean time. So, use them instead and save yourself the consulting fee. You'll need it for the premium that real security costs you. ;)

It's a convention in American governance to pay one's protection money after the official's tenure, to avoid any appearance of impropriety.
How exactly is this guy able to raise money, as a practical matter? He lied his ass off under oath, testifying before Congress. It's likely he'll disappear overnight with all of his investors' funds.
As far as raising money goes, liars tend to be really good at it.
The DIRNSA isn't really an NSA staff member. He's a general or admiral that represents the agency to Congress, etc.

This is relevant to whether NSA experience is a pro or con in the commercial space - he doesn't have the type of NSA experience you're probably thinking of.

Yet, he and Hayden were the reason it got where it did. Further, Alexander has Masters in Business, Electronic Warfare, and Physics. His Master's thesis was technical enough that I'm thinking he plays dumb in public. It's probably a hold-over from how he talks to laypeople in military and Congress.

In any case, even if he isn't technical, his staff is. Especially his right-hand, James Heath, that led the creation of many technical capabilities. If he went with Alexander, then the two could accomplish plenty in INFOSEC (mainly detection/response) at corporate levels and with easy government contracts.