
> Folks who work at NSA (and all the other places that don't get so much press) read xkcd religiously, they go to DEF CON, they have Linux and math t-shirts, they read HN, they are reading this thread right now, and all the other threads.

I know some. I called them coworker and in some cases still call them friend.

I feel sorry for a great many of them. They are highly skilled network attack specialists, with basically no way to apply their skills other than working for the NSA. Even if they want out, they have no viable alternative. It's terrible.



That seems ripe for the usual government work to consultant career path.

Then again, maybe what you're referring to is that their knowledge falls along the lines of state secrets, and peddling their skills outside the NSA could be considered treason?


Actually, most of the people in question are already well along that career path and working for contracting firms. It's just not a career path that lets them leave direct or indirect government work.

Who, other than a government, is going to pay you well to find vulnerabilities in popular software? Google's Project Zero belongs to the incredibly small set of programs in that area that isn't a joke.


I read "network attack specialist" as more general than that. I imagine there's a lot of demand for network penetration testing. When it gets down to individual programs, such as email clients, etc, (this is what I think you are implying above) then yes, I agree that it's likely harder to sell the idea of those skills being useful in a consulting context to companies. In that case, I would guess your best path would be to join an established security firm, but I imagine that market is small and highly competitive.


Oh. I see. Sorry, hash collision. I'm talking about the people who perform tasks like exploit discovery and development. You're talking about the people who take that work and run it in script form.

Perhaps a better analogy would be that asking "Why not pen testing?" is like asking why gun designers don't find new jobs as infantry.

Established security firms often focus on business with... guess who? Governments. The NSA employing people directly is not really much different from the NSA hiring contractors who employ people directly.


> You're talking about the people who take that work and run it in script form.

Not entirely. It starts as that, yes, because the first thing you do when attempting to break into a house is check the front door. There are obviously levels beyond this.

> is like asking why gun designers don't find new jobs as infantry.

But it's not entirely like that. There's plenty of firms that hire out security specialists to do code reviews for internal applications. At that point, it's like a gun designer consulting for manufacturing firms on ways to make their products more resistant to small arms. The job won't be the same, but there will be commonalities and the prior experience will transfer over usefully.


Not as much as you'd think. Even if it was, it's not a better place. Now you're trapped in a slightly different sector that you can't leave because your skills don't transfer.

And your job is probably a lot less reliable, because short-term auditing or pen-testing contracts offer a lot less stability than 3-5 year government contracts.


I have no sympathy for this kind of whining.

"Help, I love designing guns, but the only people willing to pay me for that will use them for evil!"

If you're a talented "network attack specialist" then you're likely also a worthwhile network engineer. So work in that role and do the gun-design in your spare time and hopefully for a good cause.


That's a pretty poor proposition to make to someone with a family to support. It's poor enough that they're going to ignore you and go on doing work you almost certainly object to.

Also, the skills required to be an effective network attack specialist have very little relation to those required to be a network engineer. I thought I covered this up-thread.


It doesn't get better by adding even more entitled whining.

If you have a family to support then how about choosing a less problematic career path than "Network Attack Specialist"?

You are not entitled to making a living from your favorite hobby if that entails building a dystopian future for everyone.


Have you considered that telling someone to give up their livelihood is not a good way to get them to accept your advice?


The parent is being a bit of a dick, but he does have a point. Not every job in the world is ethical, and simply being good at something is not always enough reason to do it for a living.

This is ultimately a deeply personal choice that everyone has to make, but sometimes we really can't both have our cake and eat it too.

I also work at a government sponsored R&D lab, so I'm familiar with the conundrum (not for myself - I'm just a dumbass programmer whose skills are so pitifully generic I could go literally anywhere in the world... some of my colleagues - not so much)


It is a deeply personal choice. It's also one that doesn't get any easier when people insist on being dicks about it.


I don't know why it's so important that some random HN contributor be polite about this. Isn't everyone here speaking to you, and not your friends? Why does their tone matter so much?


Given that the context is that culture matters and that HN attitudes are relevant, I'm attempting to make the point that being rude does not help shape the attitudes in the way we-the-commentariat want.


"a family to support". ah the ole "but think of the CHILDREN" argument. so sophisticated.


Love it or hate it, it's a huge factor in how people make decisions. If you want to shape their behavior, you have to consider how they think and what they care about.


Nope, a network engineer is way different.

Much closer would be writing boot loaders and compilers.


> They are highly skilled network attack specialists, with basically no way to apply their skills other than working for the NSA.

Why is commercial "cyber" security industry not a viable option? It pays well, there's currently a notable skill shortage and they can work in "pen-testing", "red teaming" and "exploit development" areas.


I will copy/paste from the other answer I gave to this same question:

> Pen testing is a viable alternative in the same way that driving a car is an alternative to designing an engine.

"Red teaming" is little different.

Further, much of the commercial world is thinly veiled NSA work. Who do you think the biggest clients of Reversing Labs, for instance, are? They're not just any commercial firms. They're commercial firms providing services to the NSA.

Bug bounties and HackerOne are sick jokes compared to what governments pay.


Virtually none of the commercial work is thinly-veiled NSA work.

I know literally none of the people behind "Reversing Labs", your comment is the first I've heard of that company, and, examining what their product does, I can't understand how what appears to be an email antivirus product is somehow helping NSA.


Their products are very useful in a defensive context. Not all of the NSA's work comes under the heading of cyberweapons or intelligence-gathering. They do plenty of defensive development, too.

RL's Titanium Core is one of the best unpackers around, and thus incredibly valuable for anyone doing malware analysis. Couple it with Titanium Cloud (blacklisting/whitelisting of samples) and you have the core of a system that can go interesting places. Try not to cringe at the bill. Toss in a sandbox or three and you're really getting somewhere. Add in a couple of MITRE standards for requisite government headaches, obviously.

From what I've seen, a fair amount of security product companies are selling to the NSA. Doesn't work for SaaS and services, because the NSA tends to require that whatever you're selling run on their network.

It's worth remembering that the NSA isn't afraid to buy from tiny companies and In-Q-Tel exists to enable investment.


So you're talking about companies selling to NSA in the same sense as they would sell products to Allstate? As in: literally the exact same products in exactly the same packaging sold to exactly the same purchaser as would exist at Allstate?

Who cares?

You dodged part of my comment. Once again: virtually none of the commercial security work --- or even the offensive security work --- is thinly veiled NSA work. Virtually none of it.

What on earth led you to believe you'd be able to defend such a statement?


That I've seen enough of it firsthand. They may offer the same product to Allstate, but the products are developed with government customers in mind. I'd cite Sandvine, but I'm not personally aware of them selling to the NSA - although it wouldn't surprise me. I've also sat in the room as people discuss the best way to do business with the NSA, and the consensus was that for some kinds of products the best approach is to develop the thing and sell it as a packaged product without a care given about selling to anyone else.

Sure, they might sell to someone else, but nobody involved cares about that.

What I've seen suggests that there are really two commercial security sectors. One centered on the west coast and focused on the private sector. The other is centered on the east coast and centered on the US government. It's all commercial, after a fashion, but the two don't typically interact very much. Each tends to think of itself as "the security sector".

Well. Except when Mandiant decides to point fingers. Then there's briefly lots of interaction.


What you're doing now is re-answering a question I posed upthread without addressing the question I just asked.

Yes, of course, every enterprise product company in the world --- in security, disaster response, configuration management, issue tracking, document management, what-have-you, every single one --- sells to FedGov. They all have special teams to do it. And FedGov has special requirements; for instance, Common Criteria certification.

Now: can you answer my actual question? How on earth did you feel you'd be able to defend your statement that most commercial security work is thinly-veiled NSA work? That's not just not true, it's almost literally the opposite of true.

Is your answer "there's this East Coast sector of the security industry that sees itself as the whole security industry that is almost entirely thinly-veiled NSA work"? If so: can you name 3 companies in that East Coast security sector? I've worked in security for just about 20 years now and can name many, many East Coast companies, and very few of them have ever done work for NSA, or, for that matter, done work that would be interesting to NSA.


"Most" was never my contention. I used "much", which implies a significant amount (dollar-wise, true) without contending a majority.


And I said virtually none of it is, rebutting your claim, which I think is farcical. Can you defend it with specifics?


Leidos, ManTech, and Endgame (provided you're willing to allow Atlanta) come to mind. All do substantial amounts of security work. Mandiant, too, though they're now owned by FireEye.


Two giant government contractors that happen to have small security teams, and one tiny boutique firm. The funny thing is you didn't mention Raytheon or Lockheed, both of which have teams that I suspect are larger than the three teams you mentioned put together. All of them are dwarfed by the commercial security industry. Most of them are backwaters nobody in the field thinks about when they think about security.


This is an embarrassing admission: I couldn't remember how to spell Raytheon.

I do know that the people in those fields tend to think of themselves as "the security industry". They also don't generally work on material that the more private-sector-focused industry cares about or gets exposed to, like how to secure a network when you have brain-damaged political network policies.

I'll have to keep a tally at the next DEFCON.


I think you need to be more careful about how you word this.

It is a true but very uninteresting statement to say that "most government contracting work is thinly veiled government work".

Obviously, you don't feel like that's what you're saying. But to defend the statement that much of security in general is thinly veiled USG work, you cite SAIC, ManTech, and (now) Raytheon. Giant government contractors.

The security industry as a whole is enormous. It includes big chunks of Cisco, IBM, EMC, Symantec, Intel, and HP, and literally hundreds of companies the likes of Duo, Cloudflare, Accuvant, and Lookout.

The clear implication of your comment upthread is that most commercial security work is not only done for the USG, but is offensive work done for NSA. That's why you compared it to HackerOne and called their rates a "sick joke". Not only would that statement still not be true if most commercial offensive work was done by NSA (government rates on vulnerabilities are not as lucrative as extragovernmental rates are), but it is itself not true at all. Ironically, the numbers get even worse for your argument when we narrow the security industry down to offensive work.

I might lose an argument about how much bogus "defensive" security product stuff gets sold through GSA teams to NSA and DoD in general. But most of my experience --- apart from the four years I spent working for what was at the time Sandvine's biggest competitor, where we never once had a discussion about selling to NSA --- is on the offensive side. Virtually none of the commercial offensive security work that is done is done to benefit NSA.


I think you're right, I do need to be much more careful.

I didn't mean to imply that most commercial security work was offensive work for the NSA.


> much of the commercial world is thinly veiled NSA work

While security agencies of various governments are on the buy side of the "zero day" vulnerability market, the majority of commercial "cyber" security companies are not dealing in "cyber weapons" and are not involved with the NSA. There are plentiful examples of successful "white hats": H. D. Moore, Dan Kaminsky, Tavis Ormandy, Michał Zalewski, even our own Colin Percival and tptacek, etc. You don't have to do work for government to play in this area.


It's less of an excuse and more of a statement about the current state of reality. Are there examples and counter-examples and so on? Absolutely. Do any of them change the state of reality by existing? No. Is a very sizable portion of private-sector work today paid for by the NSA, directly or otherwise, including both defensive and offensive capabilities? You bet.

As a result, saying people should go to the commercial world isn't actually much of a change. It's not an alternative to the current reality because it is the current reality.

It's worth remembering that you probably don't hear about the big players very much in places like this. Endgame, MITRE, Leidos, etc. They tend to stay out of the limelight while still employing substantial numbers of people.


Pen testing not a viable alternative?


Pen testing is a viable alternative in the same way that driving a car is an alternative to designing an engine.

When your specialty is in finding novel exploits, there's not much of a market for you outside the government-o-sphere. In practical terms, pen tests are typically not focused on finding novel exploits.

Never mind the vast difference in career expectations between salaried government work and consulting.


That is a good point.

Ex military often have trouble finding jobs that match their skillsets as well. Not many civilian jobs encourage you to annihilate the denizens of under-developed, resource rich regions.


There's actually quite a lot of value in finding and fixing exploits. It's just that many companies prefer the illusion that $1k is a reasonable bounty for SQLi.


In the same way that being a local cop is an alternative to being in the Special Forces.



