Firewall Company Palo Alto Buys Stealthy Startup Formed By Ex-NSAers

alphadogg writes "Next-generation firewall maker Palo Alto Networks today announced its first acquisition, an intriguing buyout of a stealthy Mountain View start-up called Morta Security whose founders hail from the NSA. The price of the purchase was not disclosed. Morta that has been in stealth mode since 2012 and describes its founders as 'executives and engineers from the National Security Agency.' CEO Raj Shahsays he worked in the Air Force Reserve supporting the NSA. 'We have deep experience in protecting our national infrastructure,' he says. (Curious to see if more startups will start marketing their NSA heritage...)"

I don't think so.

[Frosty+Piss]

Hmmm, maybe I'll *not* buy their firewall...

Re:I don't think so.

[Hunter-Killer]

Sonicwall offers a Network Security Appliance firewall. I can hear their marketing department: "NSA? That spells security!" Good luck with that today.

Re:I don't think so.

[TheGratefulNet]

maybe I'll convince people I DON'T LIKE to buy their firewalls....

Re:I don't think so.

[Obijon70]

Now, now, Im sure the products they offer will be 100% safe and backdoor proof. Boy that was hard to type with out it getting stuck in my throat...

Re:I don't think so.

[LordLimecat]

Sonicwall sells a lot of irrelevant crap.

Re:I don't think so.

[MobSwatter]

Why not? It probably comes stock listening on TCP port 32764.

1. Buy firewall.
2. Setup sniffer.
3. Make questionably threatening statements on phone.
4. Capture traffic on firewall WAN.

Wallah! Instant keys to palace to credit card, banking industry, anything that uses RSA security, probably oil company's too!

Re:I don't think so.

[MobSwatter]

Actually I think Dell took care of that one for the spooks, they probably didn't like the option available to the end user to run in FIPS mode or not.

Re:I don't think so.

[Stormwatch]

Wallah!

It's "voilà".

Re:I don't think so.

[MobSwatter]

But it's gotta be better than trolling the NSA about an email you accidentally deleted and know they have a copy of!

Re:I don't think so.

[Aighearach]

Most of my clients need to buy these things. Lots of them. So me and my friends have $ to buy some open hardware.

Re:I don't think so.

[sconeu]

That's what he said. He's just Chekov.

Re:I don't think so.

[mwvdlee]

NSA Firewall; where nothing short of a disgruntled employee will expose all your secrets.

Re:I don't think so.

[skegg]

Wallah!

It's "voilà".

He could have been quoting Arabic ... in which case that word fits quite well.
(However I agree he probably meant "voila".)

Re:I don't think so.

You're not their target market. They intend to be government contractors.

Re:I don't think so.

[MobSwatter]

Walla! definition
[w l]
and Wala!; Wallah!; Viola!

        Voila!
        And there you have it! (All versions are misspellings or misunderstandings of the French The Viola! is a well-meant spelling error.) : exclam. , And walla! There it is. Cooked just right!

Wallah comes from the phonetic pronunciation of the french word viola. Wallah is an exclamation, it simply means “look at this”.

Now if we could just get the NSA to put this level of critical thinking and attention to detail towards the constitution we'd be all set!

Re:I don't think so.

[Jeremiah+Cornelius]

"In Roman mythology, Morta was the goddess of death... She is responsible for pain and death that occurs in a half wake half sleep time frame."

https://en.wikipedia.org/wiki/Morta_(mythology)

Firewalls with integrated...

remote access for the NSA

From the NSA? or just kinda near them...ish?

[exomondo]

> whose founders hail from the NSA

> CEO Raj Shahsays he worked in the Air Force Reserve supporting the NSA

They aren't really the same thing now are they?

Re:From the NSA? or just kinda near them...ish?

[Frosty+Piss]

CEO Raj Shahsays he worked in the Air Force Reserve supporting the NSA

They aren't really the same thing now are they?

Either way it's not really a good selling point.

Re:From the NSA? or just kinda near them...ish?

[recharged95]

Nope. Keyword is supporting.

For instance, I know a lot of BAH employees that are Reserve troops, they don't support, but basically are contractors.

Heck in the end, it's a silicon valley company. They'll say anything to get a buck or free advertising nowadays.

Re:From the NSA? or just kinda near them...ish?

[recharged95]

Also, I like the 'wildfire' play on likely the main competition, which is Sourcefire. Which really started stuff like Snort and Ethereal...

Re:From the NSA? or just kinda near them...ish?

[ArchieBunker]

Maybe he knows something we don't and plans to capitalize on it?

Re:From the NSA? or just kinda near them...ish?

according to this article
http://www.nytimes.com/2013/08/23/technology/the-pentagon-as-start-up-incubator.html

he was an air force pilot, iam sure some of the real Air force guys here can verify that he did indeed serve, wonder what company he was in ?

so many liars and fakers you gotta be careful

Re:From the NSA? or just kinda near them...ish?

[Aighearach]

Sure, it might say we've moved beyond knee-jerk racism based on names.

By "we" I mean, Americans.

Re:From the NSA? or just kinda near them...ish?

[Aighearach]

Yep. All PR is good PR... right?

Re:From the NSA? or just kinda near them...ish?

Who actually cares?

Re:From the NSA? or just kinda near them...ish?

[VortexCortex]

> whose founders hail from the NSA

> CEO Raj Shahsays he worked in the Air Force Reserve supporting the NSA

They aren't really the same thing now are they?

Hmm, you've landed upon Slashdot rather roughly. Yep, you've entered English text, so that works, but it's plainly obvious you're not from this planet. Right?
No worries, you're among friends -- takes one to know one, and all that -- better luck next time, though.
Now, if you do want to survive you'll need to read this crasher-course to get acquainted with some basics about UNIX, compilers, and the state of Earther computer security.

Quite a painless tutorial, as acceptance speeches go, eh? Now, in addition to the content of the page which is extremely germane to our topic, I want you to pay close attention to two things about this document:
0. The 'Acknowledgment' section at the bottom.
1. The publication year at the top -- keep that number in mind, if not immediately relevant it will become so soon.

You should be able to clean yourself up with your towel. Not to worry, the feeling will soon pass; Just keep repeating "mostly harmless" and failing that, read The Guide's cover.
Welcome! And remember: You're here forever.

Re:From the NSA? or just kinda near them...ish?

> whose founders hail from the NSA

> CEO Raj Shahsays he worked in the Air Force Reserve supporting the NSA

They aren't really the same thing now are they?

When the Indians claim it the world gushes over the "best and brightest". Time to roast Raj over red-hot coals to see just how deep his NSA heritage really extends. Weenie roast anyone?

Re:From the NSA? or just kinda near them...ish?

Hang out in Maryland sometime and you will find out that yes, they really are the same thing. Many of the NSA civilian employees are former Air Force. They are trained by the government and then "move up" to the civilian positions where there aren't the same pay grade restrictions. Anyone who has worked in U.S. government in the last decade knows the real money is in "consulting".

Re:From the NSA? or just kinda near them...ish?

[hubie]

he was an air force pilot, iam sure some of the real Air force guys here can verify that he did indeed serve

300,000 people in the Air Force. That's like finding out what state someone is from, then saying "hey, my friend Bill is from that state. Maybe you know him?"

Re:From the NSA? or just kinda near them...ish?

Maybe he knows something we don't

You mean, like, he knows a way to convince us that their ties to the NSA is a Good Thing?

Re:From the NSA? or just kinda near them...ish?

[jalopezp]

Racism? Social regression?

Re:From the NSA? or just kinda near them...ish?

If you talk to Bill, tell him to call me

Buy the cronies to get a right to bid on contracts

[dbIII]

When there is corruption you need to employ a former "insider" before your bids on contracts are even looked at.
Why do you think people like the person that lost the White House emails is employable by a data recovery company?

Waitwhat.

[Johann+Lau]

We have deep experience in protecting our national infrastructure

I beg your pardon? This coming from the fuckwits who insist on just about everything having unfixed holes and/or backdoors? Unless by "deep experience" they are referring to having their heads up their asses, I call BS.

What do you think would increase security more, in the long run - firewalls by the NSA, or firing squads for the NSA? Sad thing is, what starts out as a polemic rhetorical question is actually not that easy to answer, now is it.

Re:Waitwhat.

[ArchieBunker]

I'd call that deep experience. Most people suspected them of having some hidden backdoors or listening powers but no one had proof. I'd call their campaign pretty successful until Edward Snowden blew the doors open.

Re:Waitwhat.

[Johann+Lau]

Would you call that deep experience in securing systems, or rather deep experience in not securing them, even actively making them weaker, and not talking about that fact? It's like saying a butcher has deep experience about what animals need to be alive; technically true, but that doesn't make a butcher a great veterinarian.

Re:Waitwhat.

[ZouPrime]

The NSA does both. Beyond their SIGINT operations, they also support industries in various security initiatives.

Re:Waitwhat.

[Vitriol+Angst]

One of the number one software purchases for people who use Windows computers is something to protect them from viruses and trojan horses.

If the number one source of profits for exploits and protection from exploits is from former NSA employees, it stands to reason that there will be a feedback mechanism maintaining exploits and backdoors at the NSA. For "security" reasons of course -- not just for profit.

Re:Waitwhat.

[Vitriol+Angst]

I'd say if you can sneak in that back door -- you are going to have a good talent for preventing back doors.

Only, with ethics like this -- I don't have any sympathy for anyone procuring the services of this company if they find they've got a backdoor engineered into their system.

Providing and protecting from the same threats is a profitable business model; just ask the weapons industry.

Re:Waitwhat.

[Anne_Nonymous]

>> Silicon Valley-based Morta Security has been operating in "stealth mode," meaning it has not disclosed much information about itself in order to avoid alerting competitors about a product or other activity.

From here

Re:Waitwhat.

[sir-gold]

They only "supported" those security initatives so that they could install backdoors in them. Stuff like the Dual_EC_DRBG random number specification from NIST that isn't actually random.

"....the Dual_EC_DRBG, like many algorithms, relies on parameters labelled P and Q for security. These could be randomly generated; however, the actual choice of P and Q were dictated by those involved in the design of the algorithm — the NSA."

Re:Waitwhat.

[ZouPrime]

While what the NSA did with Dual_EC_DRBG is shit, no, it's not the only way they support civilian infrastructure. NSA provide all kind information security expertise, not just with encryption.

Re:Waitwhat.

[sir-gold]

Asking the NSA for advice on information security is like asking a convicted burglar for advice on locks. Sure, he is probably expertly qualified to tell you which locks are the hardest to break, but will he act in your best interest?

Any network startup

[Swampash]

That has any past connection, through staff or projects, with the NSA is now about as popular as cancer.

"Next-generation firewall maker..."

[oldhack]

Well, that's better. Why bother pretending to be something other than a paid-off PR/click-bait site?

Re:"Next-generation firewall maker..."

Our new firewalls now come full equipped with automatic doors!

"Back-doored for the NSA's convenience"

Must be gunning for government contracts, I don't know how many people are looking for security infrastructure that's not likely to actually *be* secure, by design?

well-named company. that Morta Security

[PopeRatzo]

"Morta" in Italian means, "dead man".

Draw your own conclusions.

Forget Left and Right, Liberal or Conservative, Republican or Democrat. We are all enemies of the State now. It's starting to look like those divisions have just been artificially put in place in order to make us easier to control. When we're fighting each other, we're not paying attention to the real bad guys. And the bad guys goal is to take everything. If you're not part of the financial/political elite, you're not in the car, you're standing on the side of the road.

Nothing can really get better - not one thing - unless we deal with this security apparatus in a lasting way. It makes us less secure, poorer and sliding down the economic scale. And today, Janet Yellin was installed as the new bursar for this apparatus, in charge of siphoning wealth to the very few.

Re:well-named company. that Morta Security

[TrollstonButterbeans]

" We are all enemies of the State now. It's starting to look like those divisions have just been artificially put in place in order to make us easier to control. When we're fighting each other, we're not paying attention to the real bad guys."

I disagree and strongly. People argue as much as ever. The NSA doesn't give a crap about your Facebook page or your dramatic political rant on Slashdot with conspiracy sprinkles and mint frosting. There are more political rants than ever and the availability and freedom to rant, think and engage in discourse has never been higher.

Your post is an example of the unprecedented freedom to rant on the internet, making much ado about nothing. Your behavior is virtually normal in the modern age, don't you know?

Re:well-named company. that Morta Security

[3.5+stripes]

Actually, morta would be referring to the feminine, dead man is uomo morto.

Re:well-named company. that Morta Security

[Bert64]

Because if you deny people the freedom to rant, then they will still do so but hide their actions and you lose track of them...

If you give people the freedom to rant in public then you know exactly who is saying what, and you can keep track of them as well as anyone who listens to them. Also the apparent freedom acts to placate some who might want to rant.
If anyone's opposing views ever become too widespread it is much easier to keep them under control and discredit them if you know exactly who they are.

Re:well-named company. that Morta Security

[tomhath]

There's an old saying: "Dead men tell no tales".

Re:well-named company. that Morta Security

[PopeRatzo]

I disagree and strongly. People argue as much as ever.

Sure, but isn't it interesting that the US, for example, has become so precisely a 50-50 nation? Every election is close, congress so evenly split, all political media promoting division.

I think the biggest worry of the 1% is that the Occupy people and the Tea Party people and the union people and the poor people will all realize that they have very similar interests in the things that matter most: economics.

It's also interesting the way all the big divisive political issues are the ones that are furthest away from the economics. Gay marriage. Abortion. Guns. Religion. Things that split people very nearly down the middle but have nothing to do with the reality of their daily lives. Hot-button issues that avoid the biggest issue of all.

Re: well-named company. that Morta Security

Well, actually in italian morta means dead when regarding to a female subject or object.

My 0.02 euro, being Italian

Cost Saver

[hagrin]

What a great way to save on $10 million dollar backdoor fees - have your ex-employees build the devices themselves!

They still work for the NSA

Not fooled.

ITT

[Luke+has+no+name]

People who don't actually work in cybersecurity.

NSA and the firewall ..

[DTentilhao]

Surely the NSA have a number of means of bypassing the firewall by now ...

i can smell Rajs bullshit from here

"Morta Security, another of the start-ups, was founded by Raj Shah, a former F-16 fighter pilot for the Air Force in Iraq. He described himself as âoea policy adviserâ to the N.S.A. before moving to Silicon Valley to establish the company this year with two former analysts. Mortaâ(TM)s work is in such âoestealth mode,â in valley parlance, that the company has said nothing about what it is working on. Nor would Mr. Shah describe fully what his two co-founders were doing at the agency before they formed the company. "

An Air force pilot? really ? no history ? nothing anywhere on the web including the seclists /waves hand....charlatans everywhere

Re:i can smell Rajs bullshit from here

[vbraga]

There's something that calls itself 'Princeton Alumni Weekly' that lists Raj Shah as a F-16 fighter pilot.

This seems to match his mini resume in AngelList:

CEO of Morta Security. Strong business (McKinsey, private equity) and government (@USAF F-16 pilot, DoD, NSA) background. @Wharton MBA, @Princeton undergrad.

Re:i can smell Rajs bullshit from here

[McGruber]

An Air force pilot? really ? no history ? nothing anywhere on the web including the seclists /waves hand....charlatans everywhere

AC's allegation about Raj Shah being a charlatan really intrigued me, so I just wasted two hours doing a little digging... and I now suspect Raj Shah is lying about having been a USAF F-16 pilot. Here are a few different versions of Raj Shah's CV:

Khabar: Georgian Raj Shah Wins Soros Fellowship for New Americans (April 2007)

Raj Shah is among 31 finalists in the 10th annual competition for the Paul & Diasy Soros Fellowships for New Americans (immigrants and children of immigrants). They were selected from over 800 applicants representing 141 nationalities and 360 colleges and universities. Shah is currently the Special Assistant to the Deputy Undersecretary of Defense for International Technology Security in the US Department of Defense. He plans to attend Wharton in the fall to study business. Shah holds an AB from the Woodrow Wilson School at Princeton University. Upon graduating from Princeton, he took a job at McKinsey and Company but left 4 months after 9/11 to join the United States Air Force. Shah flew eighteen combat missions in Iraq as a captain and F-16 pilot. After four years of active duty, he transitioned to the reserves and rejoined McKinsey & Co.; from there he embarked on his present work.

Times of India: Business honcho bombed Iraq for US Air Force

He flew US Air force F-16 over Iraqi air space in 2006 and as recently as in March to May in 2010 for nearly 200 hours in 38 combat missions at a speed of Mac 2 (twice the speed of sound). Thirty-three-year-old Gujarati American Raj Shah, then a combat pilot, said, "The biggest fear in a pilot's mind is the fear of making a mistake. If we err, innocent people die." This Wharton School MBA, now vice-president of a defence focused investment firm, is a battle hardened soldier turned business executive.

"From 500 feet above the sea level to 50,000 feet, I flew as per the requirement. The altitude depended on the targets and in Iraq we flew very low for precision target hitting," said Raj, who joined the US Air Force in 2000 and took his first flight school in December, 2001.

He flew every third day on missions in Iraq and volunteered himself at Airport Theatre Hospital at Bagdad to help out the medical teams.

"In January 2006, it was 3 am in Bagdad when the US Air Force base sirens went off. I was sleeping in my flight suit. I ran to the jet and and in five minutes was flying 500 feet over Bagdad where a number of people were trying to block the path of US-Iraqi troops, who were on rescue mission," he said.

Those quotes about his missions are really strange.... and the the timeline in the 1st article (joined USAF 4 months after 9/1) contradicts the timeline in the 2nd (joined USAF in 2000). Also, in the first article (from 2007), he is described as having flow 18 combat missions, but in the next piece, posted four years later, he claims he flew 38 combat missions:

NetIP: Vote for Raj Shah (August 2011)

A reserve F-16 Pilot in the US Air Force, Raj is also is the Vice President of Federal Systems, a defense-focused investment firm. Now in its 6th year, Nanubhai impacts 8,000 students in rural India and has sent over 25 American teachers to India. In the USAF, Raj served two tours of duty in Iraq flying 38 combat missions. Raj has also worked as a Special Assistant in the Office of the Secretary of Defense. Previously Raj worked at McKinsey & Co. serving both private and public s

Supported the NSA?

"Good evening Mr. Sir, I am being your Microsofts supporting person. My name is being Raj Shah and I am being afraid I must inform you that your Windows is being having a virus..."

Re:Supported the NSA?

haha thats funny coz he has an indian name.

*slaps thigh*

Re:Supported the NSA?

Hey, I'm Indian and I laughed. My father sounds exactly like that when he's excited and speaking English.

Re:Supported the NSA?

Hey you forgot to include "Oh blimey, goodness gracious me!" to round out the racist stereotype.

Bad ex-bosses

[Stormwatch]

What's the big deal? I mean, do you think Wernher von Braun's later work was bad just because his former boss wasn't the nicest guy in the world?

Re:Bad ex-bosses

Nuclear weapon delivery systems ... definitely a good thing.

Fools Device

I never understood firewalls, especially firewall appliances.

Engineer #1: Our application has a ton of security holes.
Engineer #2: Hey, I have an idea. Let's put another application in front of our other application to hide the bugs.
[later]
Engineer #1: Our firewall application has bugs
Engineer #2: Hey, I have an idea. ....

It's doubly retarded for all Linux shops, because most firewall appliances are running Linux these days. Which means you add precisely nothing by slapping another appliance into the mix. Your web application is still accessible, and your outward facing "firewall" is running the same network stack. (Okay, some appliances run FreeBSD; their network stack may be different, but hardly any less complex and bug-free.)

All "firewalls" do is add more tinder to burn--in other words, increases your attack surface. This is especially true for "application firewalls" which try to filter requests, because they're probably running more code underneath the covers than your own web application. Firewall manufacturers can't magically ship bug free code anymore than you can. If your CEO won't spend the money on competent engineers, he's not gonna fork over the money it would take for an appliance manufacturer to similarly hire competent engineers. (Think about it. Mere specialization won't help much here for myriad reasons.) Ultimately, it's difficult to do much better than simply managing your ports--e.g. don't let dumb software listen on an external interface. Problem... solved. Plus, imagine the gajillion of hours saved not twiddling your thumbs when IT's super-1337 firewall rules break the network.

P.S. I'm a principal engineer--and a few months removed from founding engineer--at one of the largest firewall appliance companies in Silicon Valley. So, please, keep your trite "best practice" advice to yourself. I understand all the counter-arguments. IMNSHO, the internet would be a more secure place if we spent more time fixing bugs (in code and in design) and less time building a house of cards to hide them. And this is true collectively as well as individually. The fewer systems and devices on your network, the easier it will be to manage them securely.

Re:Fools Device

If I understand you correctly you are suggesting that fewer locks are better.

~childo

Re:Fools Device

[3.5+stripes]

I thought the primary reasoning behind firewall "appliances" was the reduced amount of non essential software they run, compared to your average server.

Re:Fools Device

[Bert64]

So now you have the small amount of software running on the firewall, PLUS all the software running on the server (unless you advocate removing the server and having only the firewall?)... You've not decreased the amount of software you're running, you have increased it.

Re:Fools Device

[datapharmer]

I think a review of the meaning of "attack surface" is due here. The idea here is to keep the bad guys out. If you can't physically secure your infrastructure (including some level of trust in your employees) you are guaranteed trouble. For that reason most networks are guaranteed trouble, but that aside a proper firewall does reduce the attack surface on the WAN by limiting traffic to what you want exiting and entering your network. Does a security guard also make a bank less secure because it increases the "robbery" surface?

Re:Fools Device

[davidhoude]

So you think each internal device should be responsible for its own access control on the network? You want the application server to implement layer 7 filtering? What about ASIC's? Are you adding custom silicon to your application servers so they can filter at high speeds? Are you going with a hardware loadbalancer? Your arguments don't make sense in the real world.

Re:Fools Device

[Bert64]

If your hosts are sensibly configured, then a firewall only serves to prevent external users from sending traffic to closed ports on your server... There isn't a huge risk involved with users being able to send traffic to closed ports.

If a port is open then it should be open for a reason, and you will configure your firewall to allow that service through anyway.

By adding a firewall you've increased your hardware costs, increased your hosting (rackspace, power) costs, increased your maintenance costs, decreased throughput, increased latency, added additional potential failure points... And for what?

Firewalls are often used by people who are too lazy or incompetent to configure their servers properly, so you have a grossly insecure webserver running telnet, smb, ftp etc where the firewall only permits access to http. A properly configured webserver would only allow http in the first place.

Re:Fools Device

[davidhoude]

>If your hosts are sensibly configured, then a firewall only serves to prevent external users from sending traffic to closed ports on your server. I had a real LOL at this. What about virus protection? What about identifying an infected client and blocking communication with command and control servers? What about web browsing policy, and blocking L7 traffic on known good ports (Think SSH Tunnel on port 443)? While I completely understand your arguments when talking about Layer 3 firewalls, this is not what we are talking about. These Palo Alto firewalls have ASIC's that scan for virus definitions on dedicated hardware in real time. This is just one of their many features. While a firewall is no replacement for a properly configured server, acting like firewalls have no use is laughable.

Re:Oh Noes!

[MobSwatter]

NSA live this one down? The people will not have it.

Fake name

Either "Raj Shahsays" is a ghost, or the name is fake.
http://lmgtfy.com/?q=%22Raj+Shahsays%22

Re:Fake name

His name is Raj Shah. There was a space missing between "Shah" and "says".

To be honest...

I really don't know what's wrong with decently spec'd commodity blade server running OpenBSD and pf. Does everything you need it to and it's trustworthy -- written by a team that truly know what they are doing. The code audits are reassuring. I've never, ever had an issue with OpenBSD. No one else has their track record. Why complicate matters with expensive hw/sw, licensing issues, dodgy network compatibility.

Disclaimer: IT guy with almost two decades of experience in BSD/Linux/Windows systems administration and security.

Re:To be honest...

[davidhoude]

I know you are posting as Anonymous, so chances are you will not read this. I am just curious where you get this idea of dodgy network compatibility? I also have a hard time believing that in 20 years of administration, you don't see the good side of firewall appliances. I too am a BSD administrator, running countless pf, ipfw, ipfilter, iptables systems. Just because you like and/or use one thing doesn't mean it is the be all end all of the networking world. If you knew anything about these Palo Alto firewalls, you would know the benefits to using them over BSD. I have nothing against BSD firewalls, but you simply cannot compare the two. The PA firewall has customer silicon that processes layer7 data in real time. I have seen L7 filtering with pf and relayd, but come on now, it is not what pf was meant to do. I am sure you can add customer chips to a BSD box and get something similar, hell I wouldn't be surprised if the PA is based off some sort of the OS. I just don't see the point in dismissing what many would argue as 'state of the art' firewalls as being obsolete because you can do the same with open source. There is a reason why people choose VMWare licensing over running purely KVM/BHyve... By the time you factor in enough staff to get the open source platform working, paying workers comp, unemployment, and benefits...you might be better off licensing a turn-key product. I'm not in favor of one or the other, but rather use the right tool for the job.

Re:To be honest...

[davidhoude]

And by customer I mean customer..doh I mean custom.

Re:To be honest...

I will respond as I'm the above AC. Yes, I see and respect your position, but I've used FW appliances before and didn't like them. I don't like the proprietary aspects of differing appliances, nor do I like the licensing fees and usage restrictions. I've administered several proprietary appliances and the restrictions were such that I always went back to OpenBSD and recommend the same. OpenBSD is mature, stable, changes are slow enough to digest, the license is right, and I'm uber-comfortable with command line environments vs strange and myriad GUIs.

A certain appliance vendor actually had the ridiculous restriction of only allowing one class C behind the device. Really? What if that doesn't suit me? OpenBSD and pf have no such restrictions and nor should they. I dictate my own terms. Granted, I'm not supporting fortune 100 companies. But I have supported and support large enough organizations that it would matter should their security not be what it is. I'm an open source bigot. I try and avoid anything where the license and terms of use are not what I think they should be, and for me and my customers, the BSD and sometimes GPL licenses work just fine. A commodity box a couple of NICs and I'm away. People think they need more than they do. Security is a process, not a product. You know this. I tell my people that VPNs are easy, even one with a few spokes is trivial. You don't need the fancy, wallet-draining appliances to handle basic firewall and proxy duties.

Re:Oh Noes!

[couchslug]

I'm not indignant, just amused.

Re:Oh Noes!

[Johann+Lau]

It's not our fault that just about anything coming from that general direction makes everybody else seem like a super intelligent saint. Your jealousy is duly noted.

Re:LOL "Raj Shahsays"

I know I risk troll feeding, but another cretin who can't tell Indian from Arab names. There should be a space between Shah and says. The CEO's name would be Raj Shah

Chaper than $10M

[eli384]

So now, instead of paying 10 mil to "security companies" and having all those nasty paper trails, the NSA just implants its ex-employees in those same "security companies" so that they can add backdoors by hand? That... is actually a pretty good idea, because it gives them a broader reach and is more cost effective.

bad analogy

[circletimessquare]

you can build rockets for hitler, or you can build rockets for truman. they're both still rockets. you can test the rocket, make sure it works, you can separate the creator of the tech from the tech

but security is not like that. it's an ongoing trust relationship. you have to trust the people involved

and if your previous job was secretly sabotaging all security to a govt, this is probably not someone you want to trust your company's security to. when the NSA breaches your system, they have an ally already inside your system. if you didn't have a problem working for the NSA before, you probably still don't have any problems with their behavior, the defilement of our foundational rights

Re:thank you drlawrencespelltemple@hotmail.com

Yeeeaah... no. Fuck off.

You've got to laugh

Its just shows that Palo Alto's acquisition team don't know what they are doing. A firewall product is a firewall product, what makes the difference is code quality and third parties not being forced to backdoor their equipment through the introduction of random remote exploits.

The idea that these guys worked at the NSA and thus have some mysterious knowledge in regards to security, is well, complete bullshit.

Re:You've got to laugh

[davidhoude]

Hey look, this anonymous guy on the internet says that Palo Alto doesn't know what they are doing based on something he read on the internet. Can't argue that...

Or partner with China

They already have at least one ex-NSA employee named Snowden as a consultant.

Stealthy?

[BisuDagger]

Not stealthy enough apparently. Rumor also has it that they are going to sell human sized fly-paper traps that way the ex-NSA-ers could stick it to the man.

Ill never...

Will never buy one of their firewalls then...