
Cisco plans to acquire cybersecurity firm Duo Security for $2.35B - pigeonlaser
https://www.cnbc.com/2018/08/02/cisco-buys-security-start-up.html
======
yawgmoth
Congratulations to my neighbors at Duo! That's a crazy amount of money and I
hope that many Ann Arborites pay it forward in the tech scene from which Duo
came.

Lots of good tech in A2 in general - Deepfield acquired by Nokia, SkySpecs,
Trove, FarmLogs (a YC startup), LLamasoft (my employer!), IBM is here, Toyota,
Hyundai, a rapidly increasing number of medtech companies, and plenty of
boutique consulting. It makes for a healthy life - a strong tech scene drives
wages up, yet the cost of living is still fairly low (downtown A2 is very
expensive already, but you can live in the nearby areas for considerably
less). There were four companies from A2 in the who's hiring page the other
day. Take a look! :)

~~~
sampl
We maintain this list of startups in Ann Arbor :)

[http://madeina2.com/](http://madeina2.com/)

~~~
taylorhou
i love the simplicity of the site! would you consider open sourcing or selling
a license so we can do a replica of it for our community?

haha _edit_ - i didn't scroll down. you guys rock! -
[https://github.com/MadeInA2/madeina2](https://github.com/MadeInA2/madeina2)

~~~
sampl
Actually planning on a major update soon—lmk if you end up using it!

------
niftich
Duo Press Release: [https://duo.com/about/press/releases/cisco-announces-intent-to-acquire-duo-security](https://duo.com/about/press/releases/cisco-announces-intent-to-acquire-duo-security)

Cisco Press Release: [https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1937036](https://newsroom.cisco.com/press-release-content?type=webcontent&articleId=1937036)

Letter sent by Duo CEO to customers:
[https://pastebin.com/AdTMYzzH](https://pastebin.com/AdTMYzzH)

------
youdontknowtho
I really hope that Duo survives this. Cisco isn't necessarily known for
handling acquisitions well...or software...but who knows. Maybe it's the shot
in the arm that many companies will need to move to token based auth. Lots of
enterprise IT departments take Cisco's word as divine. I have had some bad
experiences with Cisco the company, but the devices have always been really
good even if they lag behind some of the more aggressive competitors in
features or speeds.

~~~
davidu
The acquisition track record for the Cisco Security business is pretty
incredible. Like HBS Case Study good. Sourcefire, ThreatGrid, OpenDNS,
Lancope, CloudLock, Observable. Great products and teams brought to scale and
maintained. Even IronPort 10+ years later has done fantastically well.

I'm thrilled that Duo will be joining an amazing business filled with a deep
bench of security talent and wonderful customers. It's a really strong fit
with what Duo has already built and with where both teams are going, now
together.

I guess I should mention I was founder / CEO of OpenDNS, was acquired by
Cisco, previously led the Cisco Security business, and am still an executive
at Cisco. So maybe a bit biased, but still factually on the mark. ;-)

~~~
starpilot
Yo can we get some snacks in SJC15?

~~~
davidu
I'm supportive. Feel free to ping me and I'll see if I can give you some
pointers of how to make some progress on that ask.

~~~
hitekker
> Feel free to ping me and I'll see if I can give you some pointers of how to
> make some progress on that ask

Spoken like a true Cisco executive. You could have just said "I'm supportive
but it's out of my hands."

Or perhaps, no reply at all.

~~~
davidu
I take that as a compliment. I really like working with almost every single
one of my peers.

I'm not responsible for the buildings or teams in SJC15 and the OP knows that.
The people who work with me at Cisco know that when I say I'll help, I do.

~~~
hitekker
It wasn’t.

Caveating your offer of support three or four times signals hostility not
helpfulness.

Any rational actor reading that statement would assume you’d forward their
message onto HR without a real response. And make note of the complainer in
question.

If you can’t be concrete with your words, why even bother?

~~~
peterwwillis
I'm not normally one to defend upper management, but that's a dick thing to
say to someone who probably genuinely wants to help, but isn't authorized to
pay for and ship an expensive snack machine into a random building in a giant
company.

_"I'll see if I can give you some pointers of how to make some progress on
that ask"_

probably means

_"I'm not the god damn office facilities manager, and I'm not spending my
limited time and social capital to quarterback your request for you, but I'll
see if I can figure out who in god's name in this 70,000+ person company you
should talk to, and tips for how you might convince them to change their
budget to give you free snacks."_

------
jwhiz22
I've added 2FA to a handful of sites with Duo's product. It was a great
experience and would recommend it.

------
rman666
Congrats to Dug and Jon and the whole Duo team!

------
throwaway5752
Are they a cybersecurity company? I thought they were more about IAM. I
realize this is the CNBC headline, but I am curious if Duo does something I
was unaware of, like rev. engineering, pen. testing, etc.

ps - congrats to Duo!

~~~
johnmaguire2013
Doesn't do identity, relies on external IAM. Look into Duo Beyond.

~~~
mtgx
Duo Beyond was a very smart move on their part, taking Google's enterprise
security architecture and turning it into a third-party turnkey solution for
enterprise customers. They did it before Cloudflare, too. I bet that is a big
part of the reason why Cisco is paying so much now.

~~~
hb3b
There isn't anything particularly innovative about Duo Beyond. Inspect the
Docker containers and you'll see they simply rebranded simplesamlphp and wrote
a custom ngx_http_auth_request_module handler for NGINX for their
authenticated reverse proxy product.

If Cisco paid 2 billion dollars for this, my mind is really blown. I'm
struggling to figure out how they ended up at 2 billion because I don't see it
in anything material -- perhaps the patents or a play against Okta for
recurring revenue from smaller companies which might not have Cisco gear?

~~~
trhway
Cisco didn't pay $2B for simplesamlphp, they paid it for "Duo Security provides
cloud-based tools to prevent security breaches on devices." :)

------
paulie_a
Considering Cisco's history you will probably be able to use default
credentials. I no longer would trust duo.

~~~
daxorid
Trying to understand the downvotes to this comment. Cisco's been caught _on
multiple occasions_ including backdoors in their products.

Expressing skepticism of their stewardship of a _security company_ is
perfectly reasonable.

~~~
paulie_a
Cisco, Adobe and Oracle seem to be having a competition of who can release the
most security vulnerabilities.

I personally and professionally will never want to touch their products.

------
tialaramex
Duo's "Duo Push" push based second factor says it "can protect against man-in-
the-middle (MITM) attacks" but I don't see how this type of push system can do
that.

Does anybody have an explanation, or is this claim in fact entirely hollow and
a real world MITM would work just fine but they're pretending to believe real
users would do stuff like verify their IP address in a phone message?

~~~
dangoor
I know some of the Duo folks and they are serious security nerds and I don't
think they would make this up. That said, I don't have any knowledge of the
implementation. I did find this[1]:

> Duo Push technology employs asymmetric encryption to sign and verify
> communications between Duo's servers and a smartphone running the Duo Push
> app

I'm thinking this is saying something like they sign the contents of the push
notification with a key that the app knows and that the man in the middle
wouldn't have. So, they're not just relying on the provider of the push
notification service.

[1]: [https://searchsecurity.techtarget.com/answer/Do-two-factor-authentication-vulnerabilities-outweigh-the-benefits](https://searchsecurity.techtarget.com/answer/Do-two-factor-authentication-vulnerabilities-outweigh-the-benefits)

~~~
tialaramex
Yeah, this doesn't help with a MITM because what happens is the victim is at
Mallory's site thinking it's their real sign on site, Mallory is talking to
their real sign on service. The victim types in real credentials, and says OK
let's use Duo Push... Mallory now has their credentials and does Duo Push. The
push is securely sent to the victim's phone, and they press OK because they
really are trying to sign in. Mallory is allowed in.

FIDO tokens break this attack because the token is talking to the victim's web
browser, and that's not visiting the real site so it doesn't work. If Mallory
lets the victim's browser talk to the real site, sign in works but Mallory is
cut out of the loop.

It's a Confused Deputy problem. Push 2FA assumes that if you confirm that
you're trying to sign in at 9:14 and there's an attempted sign in at 9:14 then
that's one event, but unlike U2F the only thing connecting the two is the
timing, which Mallory can choose.

~~~
djrogers
Why would Duo Push allow Mallory's site to initiate a Duo Push for
RealSite.com without either a shared secret or certificate validation?

You present an obvious problem that has been solved securely many times over
many products and act as if a group of IAM and 2fa professionals ignored or
just hadn't thought of it before...

~~~
paranoidrobot
Because mallory.com (who's impersonating valery.com by ripping off the site
design, and has a valid certificate for mallory.com) is running a full-up copy
of Chrome in a VM, and is clicking the signin link just like a user would do.

I assume what Duo is referring to, though, is that they send through the IP
address that your push request is coming from.

So if a user is observant and knows their public IP, they should see the
difference.

------
segmondy
I'm so excited for Duo, amazing folks with amazing products.

This is another solid proof that one doesn't have to be in the Bay to build
Unicorn, amazing companies or have fantastic exit.

------
thickice
Looks like Duo provides 2FA for accessing any application? Does it work for
any random app? Are there any details online about how that works
technically?

------
sakshyamshah
We offer a similar Trusted Access and Session Analytic Platform -
[https://seknox.com/trasa](https://seknox.com/trasa)

We have been successfully offering an on-premise solution to local financial
institutions here in Nepal and we are working on launching our SaaS offering
(it's currently in beta with a few users). If you are interested in beta
access, drop me a message at sakshyam[at]seknox.com

Disclosure: I am the founder of this startup.

------
alexmaddenuk
At least it isn't Oracle.

------
starpilot
Unbelievable. I went to school with Jon and talked to him a few times.

------
jiveturkey
ah, no wonder they are completely unresponsive to pre-sales inquiries. they
have been busy getting acquired.

good on them, since their product is largely uncompetitive today. (they had
their moment but it has passed)

------
karpodiem
Congrats to Duo!

------
wytian
Google, Duo, who's next? Clinc?

