
Ex-NSA Chief’s Cybersecurity Startup Draws Funding - kungfudoi
http://www.wsj.com/articles/ex-nsa-chiefs-cybersecurity-startup-draws-funding-1445819345
======
rdl
I'm not really sure wtf KPCB was thinking here.

NSA isn't exactly the world's top defensive security organization. As a red-
team, I could see some value in ex-NSA, but for commercial information
assurance (IA), aside from "we've seen how things are done badly, by
contractors", I would consider NSA experience not just irrelevant but
negative.

In addition to being ineffective at the IA mission, NSA has entirely
unreasonable resources and imposes constraints on their users. These would be
unavailable for commercial companies, so NSA IA experience is even less
helpful.

I could sort of see putting $XX mm into a company for "halo effect" on your
other investments, but in this case there are more than enough negative
external optics which come with the decision. I personally would not want to
be associated via common investor with this.

(maybe should post as a throwaway, but w/e; I stand by this)

~~~
linkregister
You mean that it's not reasonable to expect users to do all their work on an
air-gapped system, and wait in line for the one internet-enabled terminal in
the office? ;)

~~~
rdl
Or the 1-3y pre-employment background screening, involving things which would
be illegal for a private employer.

~~~
epoxyhockey
And the results of the background screening subsequently being sent to China
via a cyber security breach.

------
Zelphyr
So let me get this straight. The guy who headed the NSA--an organization so
secure that a 30 year old contractor was walking out with classified documents
on a thumb drive during this guy's tenure--wants companies to buy his product?
I don't think so.

~~~
dsl
Snowden is actually a great example of how well compartmentalization works.

He downloaded what was effectively the brochure stand you see in the lobby of
a cheap hotel. Look, we have this for use, here is a high level overview. Come
talk to us, we will read you into the program, and provide you with the
details.

Sure it was an intelligence loss - but it was all stuff that any cleared staff
could access anyway.

~~~
hackuser
> He [Snowden] downloaded what was effectively the brochure stand you see in
> the lobby of a cheap hotel

The NSA and other government security organizations say that the information
he leaked was very damaging. The NSA also changed their security procedures in
response.

All of that could be for show, but I haven't seen evidence that it is.

------
fiatmoney
It's a convention in American governance to pay one's protection money _after_
the official's tenure, to avoid any appearance of impropriety.

------
nickpsecurity
The NSA did its best on INFOSEC back in the days of Walker's Computer Security
Initiative:

http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-Back-Addendum.pdf

Many systems, under A1 label, were created back then which defeated NSA
pentesters. NSA was mainly evaluator rather than developer, but developed some
interesting tech of their own. EKMS for key management and especially the
inline-media encryptor come to mind. My own IME designs were based on theirs.

[https://www.nsa.gov/ia/programs/inline_media_encryptor/](https://www.nsa.gov/ia/programs/inline_media_encryptor/)

However, most of the developments came from computer science, U.S. military
organizations, and defence contractors. They produced a lot of secure
technology. People in NSA's IAD helped where possible. Those same methods are
used on select systems today although NSA is fast-tracking everything now for
some reason at low-assurance. Probably part of BULLRUN.

Anyway, NSA could easily offer good INFOSEC by just applying what's proven to
work to various use cases as Bell said. Anyone could. Some did to varying
degrees: Sentinel's HYDRA firewall, GEMSOS's thin clients, Mikro-SINA VPN,
Secure64's SourceT OS for DNS, and so on. Each of these either had clear
security improvements or did vastly better on penetration tests with GEMSOS
and HYDRA surviving NSA pentests with much praise from evaluators.

So, people wanting security should just apply what works to every part of the
stack. Won't be easy. Will take time. Will probably be incremental.
Nonetheless, insecure protocols, monolithic kernels, C libraries... these
things have never worked and never will. Just doing the opposite of mainstream
in key areas will get one far. Imitating the best of the past will get you
really far. And the hardware is the most important battle from there as I said
in counterpoint to Dan Geer.

https://www.schneier.com/blog/archives/2014/04/dan_geer_on_hea.html#c5598568

So, screw Alexander's outfit. Nobody needs it: just lessons NSA and others
taught us long ago plus what we've learned in mean time. So, use them instead
and save yourself the consulting fee. You'll need it for the premium that real
security costs you. ;)

------
ejcx
Security is kind of a weird space. You can't just buy security. It's lots of
consulting and training firms with some products that enterprises buy.

I have a feeling this is going to be just like all the other ones, with some
proprietary IDS.

One interesting thing to note, being originally from NoVa/DC. No mention of a
clearance requirement in the company's job reqs. I've never seen a job req
that required a clearance without one.

~~~
milge
If you think about not having security clearance, it makes sense. You'd
usually have clearance to see certain data. By not requiring it, you're
replicating how anyone else would try breaking into secure systems.

~~~
vonmoltke
The way most agencies work, the vulnerabilities would be considered classified
information. So, the testers would not have access to classified information
prior to the evaluation, but what they find during the evaluation would become
classified.

------
crucini
The DIRNSA isn't really an NSA staff member. He's a general or admiral that
represents the agency to Congress, etc.

This is relevant to whether NSA experience is a pro or con in the commercial
space - he doesn't have the type of NSA experience you're probably thinking
of.

~~~
nickpsecurity
Yet, he and Hayden were the reason it got where it did. Further, Alexander has
master's degrees in Business, Electronic Warfare, and _Physics._ His Master's thesis
was technical enough that I'm thinking he plays dumb in public. It's probably
a hold-over from how he talks to laypeople in military and Congress.

In any case, even if he isn't technical, his staff is. Especially his right-
hand, James Heath, that led the creation of many technical capabilities. If he
went with Alexander, then the two could accomplish plenty in INFOSEC (mainly
detection/response) at corporate levels and with easy government contracts.

------
gnu8
How exactly is this guy able to raise money, as a practical matter? He lied
his ass off under oath, testifying before Congress. It's likely he'll
disappear overnight with all of his investors' funds.

~~~
ionised
As far as raising money goes, liars tend to be really good at it.

------
mtgx
How will this even work? Will he tell his company's developers to develop
software that will protect against all the vulnerabilities he learned about
while being the head of NSA and hacking into everyone's networks? That
seems...wrong somehow?

~~~
lotharbot
he'll probably spend a lot of time having the devs write software based on DoD
standards. It's surprising how much of security is "make sure you've
configured everything correctly".

~~~
qb45
_It's surprising how much of security is "make sure you've configured
everything correctly"._

Or "don't accept _' or 1=1 --_ as a password", for that matter. Internet-
facing web system with several thousand users, just a year ago or so. Made me
feel like I'm back in the '90s.

~~~
bqe
There's nothing inherently wrong with that password as long as your code isn't
vulnerable to SQL injection, which is trivial to do nowadays.

~~~
qb45
Sure SQL injection is trivial to do nowadays; it's always been.

I mean, of course I meant this _was_ an SQL injection.

~~~
rylee
It's trivial to _not_ be vulnerable to SQL injection.

~~~
thephyber
That's not what "trivial" means. Trivial means the simplest possible example,
which in almost every web framework involves passing input as received to the
DB driver without knowing its contents and without escaping/sanitizing it.

Only by using frameworks and DB drivers correctly (RTFM) is one able to
accurately avoid SQLi. I would argue that "using software correctly" is by no
means trivial and rarely happens in most systems that have less than NASA
quality safeguards.

I would agree that most modern frameworks which are adopted by at least a few
hundred developers tend to use best practices and a "security by default"
mindset, but that's far from saying that "avoiding SQLi is trivial".
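
The exchange above turns on one login query. The following is an added example
(not code from the thread or from any system it mentions) showing, against an
in-memory SQLite table with a single constructed user, why `' or 1=1 --` logs in
when the password is interpolated into the SQL text, and why it does not when the
query is parameterized and the password is checked in code against a salted hash.
The table layout, the user `alice`, and the helper names are assumptions made for
the example; PBKDF2 stands in for whatever slow KDF a real system would use.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data for this example: one user, stored both as plaintext
# (only so the vulnerable version has something to compare against in SQL) and
# as a salted PBKDF2 hash for the hardened version.
_SALT = os.urandom(16)
_ITERATIONS = 100_000
_SAMPLE_PASSWORD = "correct horse battery staple"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; a real deployment would
    # pick the KDF and cost factor to its own threat model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, "
        "password TEXT, salt BLOB, pw_hash BLOB)"
    )
    conn.execute(
        "INSERT INTO users (name, password, salt, pw_hash) VALUES (?, ?, ?, ?)",
        ("alice", _SAMPLE_PASSWORD, _SALT, _hash_password(_SAMPLE_PASSWORD, _SALT)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The password becomes part of the SQL text. A quote closes the string
    # literal early, "or 1=1" makes the WHERE clause true for every row, and
    # "--" comments out the trailing quote the format string still emits.
    sql = (
        f"SELECT id FROM users WHERE name = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is bound through a placeholder, so the driver never parses
    # it as SQL. The password never touches the query at all: the stored hash
    # is fetched and compared in constant time.
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


INJECTION = "' or 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, injected password:", login_vulnerable(conn, "alice", INJECTION))
    print("hardened,   injected password:", login_hardened(conn, "alice", INJECTION))
```

Run it and the vulnerable path reports `True` for the injected password (and for
an unknown username too, since `or 1=1` swallows the whole predicate), while the
hardened path reports `False` for everything except the real password. The point
rylee and thephyber are arguing over is visible in the diff between the two
functions: the fix is small, but it only happens if the developer uses the
driver's placeholder binding rather than the format string that "works".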

------
badpenny
_To Read the Full Story, Subscribe or Sign In_

~~~
adrianmacneil
Clickthrough: https://www.google.com/search?q=Ex-NSA+Chief%27s+Cybersecurity+Startup+Draws+Funding

